Thanks for posting! Author here.
I think that forums are superior to other community solutions. They share some of the aspects of StackOverflow, but you have more control over the data and the community. In particular this means you can be more welcoming to newbies.
I especially like the fact that questions on forums are, all other things equal, higher in quality and more discoverable than questions on slack. Google/duckduckgo/etc are definitely a major discovery interface; build your community to take advantage of that fact.
Of course, like the post says, it does depend on what your needs are. One thing to be aware of is you need to spend some time maintaining a forum or slack, but the higher SEO value of a forum means you'll get more spammers. That said, I'm off to do some maintenance on the forum that caused me to write this post.
Ah, fair. Well we don't make you talk to sales if you don't want to. I don't speak Albanian anyway :) .
Sales FAQ: https://fusionauth.io/enterprise-sales-faq/
Download the community edition for free: https://fusionauth.io/download/ (use it for as many users as you want)
Buy our paid editions with a credit card: https://fusionauth.io/pricing/editions/
Don't know if this counts as third-party, but I'd recommend checking out FusionAuth:
I too share your pain. Authentication in ASP.NET has always been a sore spot for me. IdentityServer was super complicated for me to get started with, but authentication in general is a complicated domain. It's been rock solid after we got it set up though.
This should give you a break down, look for "Full Feature Breakdown" on this page: https://fusionauth.io/pricing/editions/
SAML v2 and OIDC are both included in the community (Free), but you will need the Developer edition to use the LDAP connector.
There is a free trial period for the developer edition, if you don't require support and only need the dev edition to complete a POC or something like that - DM me and I can help you out.
Hiya,
Have you taken a look at FusionAuth? It can be self hosted and can be both a SAML SP and IdP: https://fusionauth.io/docs/v1/tech/samlv2/
Full disclosure: I work for FusionAuth.
>Full disclosure
Why hide the tracking in the URL?
Anyone can click 'source' on your post and see you're masking one URL behind another.
https://fusionauth.io/docs/v1/tech/release-notes#version-1-16-1
It's so silly, what was the point in trying to hide it?
It's possible that FusionAuth might be able to do this for you. Here's their post about Spring integration - maybe useful. https://fusionauth.io/blog/2018/10/24/easy-integration-of-fusionauth-and-spring
There are good resources and a possible solution to your problem at FusionAuth.io. Looks like it matches what you need, and their documentation and additional resources provide a lot of details.
These workflow diagrams might help you get an understanding of it: https://fusionauth.io/articles/logins/types-of-logins-authentication-workflows The FusionAuth documentation has good details as well. (and FusionAuth is free, too)
Yeah, there is a tutorial with some code examples in GitHub that may help.
https://fusionauth.io/blog/2018/10/24/easy-integration-of-fusionauth-and-spring
I'm about to give FusionAuth a try, they have a free tier which supports unlimited users. Looks like they should have the whole sign up flow, forgot password, social sign in, etc.
Check out FusionAuth, https://fusionauth.io/
They'll host an instance for you, but it's also free for you to run on your own hardware (or a cloud provider). You can work with them to replicate the hosted database (or restore backups) to an instance you're managing yourself as a fail-over / DR solution.
Look at https://fusionauth.io/ We too had the same problems with IdentityServer that you had as well as they switch to a fee. We ran across this and it works great. I think it is a lot easier to use as well and the interface that it comes with is good for setting up auth on a site.
https://fusionauth.io/learn/expert-advice/security/math-of-password-hashing-algorithms-entropy/
remember you have no decimals, integer math only.
Heya, I work for FusionAuth and it seems like it might be a good option for you to evaluate. We've had customers who've looked at Auth0 and Okta (the two 800lb gorillas in the space) and have chosen FusionAuth for cost, flexibility and developer ergonomics reasons.
Happy to answer any questions if you are still in the evaluation phase.
https://fusionauth.io/docs/v1/tech/installation-guide/docker
this guide has it as default, so I am trying to bind my /mnt/volume to this path as described in this guide. Can I change it to something else?
Never heard of FusionAuth before but their docs clearly tell you what to do:
https://fusionauth.io/docs/v1/tech/apis/jwt#validate-a-jwt
Whether you use a 3rd party service or a library, 99% of the time the docs have all the answers. Always start by reading the documentation.
You should be able to decode the token and see what the exp value is. If the exp value is less than the current time (in seconds) since the unix epoch, the JWT is no longer valid.
You can also post to the introspect endpoint and see if the token is valid: https://fusionauth.io/docs/v1/tech/oauth/endpoints#introspect
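Checking the exp claim the way the reply above describes, as an added example that is not code from the post or from FusionAuth: it decodes the payload segment, treats exp as integer seconds since the Unix epoch, fails closed when exp is missing, and accepts a small clock-skew leeway. The HS256 token builder and its key are constructed here only so the demo runs offline; verifying the signature against the issuer's key is a separate step this snippet does not perform.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWS token. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def is_expired(token: str, now: Optional[int] = None, leeway: int = 0) -> bool:
    """True when the token's exp claim is not in the future.

    exp is a NumericDate: seconds since the Unix epoch (RFC 7519), so it is
    compared against int(time.time()), never against milliseconds.
    A token with no usable exp is reported as expired (fail closed).
    leeway (seconds) tolerates clock skew between issuer and verifier.
    """
    exp = decode_payload(token).get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return True
    if now is None:
        now = int(time.time())
    # RFC 7519: the current time MUST be before exp for the token to be valid.
    return now >= exp + leeway


def make_test_token(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 JWT for the demo (not a FusionAuth-issued token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"       # constructed; not a real secret
    fixed_now = 1_700_000_000                # constructed "current time"
    live = make_test_token({"sub": "user-123", "exp": fixed_now + 3600}, demo_key)
    stale = make_test_token({"sub": "user-123", "exp": fixed_now - 60}, demo_key)
    print("live token expired?", is_expired(live, now=fixed_now))    # False
    print("stale token expired?", is_expired(stale, now=fixed_now))  # True
```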
Yes req.session.destroy should delete the session in the proxy. At the same time you can call out to the /oauth2/logout endpoint to clean things up on the FusionAuth side.
Instead of res.redirect(`http://localhost:${config.fusionAuthPort}/oauth2/logout?client_id=${config.clientID}`); at step 3 of https://fusionauth.io/blog/2020/03/10/securely-implement-oauth-in-react make a remote API call to https://fusionauth.io/docs/v1/tech/oauth/endpoints#logout
Hard to know exactly what to suggest without more details of your setup. Are you using OAuth? Have you set up a logout url? Is the link in your in app browser pointing to the logout endpoint? https://fusionauth.io/docs/v1/tech/oauth/endpoints#logout
If you want to use PKCE, you can. As mentioned here: https://fusionauth.io/docs/v1/tech/oauth/#example-authorization-code-grant you should review the authorization and token endpoint docs for more details.
For anyone looking at this in the future, here's the relevant forum link as well: https://fusionauth.io/community/forum/topic/113/zoom-and-sso-lambda-writing
Heya.
I'm sorry. I shouldn't have done that and won't hide the url tracking in the future.
Here's the same link with the tracking removed: https://fusionauth.io/docs/v1/tech/release-notes#version-1-16-1
Other than the tracking (which again, sorry about that, I made a mistake), I'd love to hear why FusionAuth being closed source is a red flag for you.
Will this apply to the guide that I was using previously? Because I only set the OAuth in applications in FusionAuth.
https://fusionauth.io/blog/2020/03/10/securely-implement-oauth-in-react
If I implemented this, how do I see how long the token will be valid? Do I still increase the valid time on token like how you mentioned earlier?
That is a setting in FusionAuth, either at the application or the tenant level:
See application.jwtConfiguration.timeToLiveInSeconds here for more: https://fusionauth.io/docs/v1/tech/apis/applications
Here's how to customize the theme: https://fusionauth.io/docs/v1/tech/themes/
We take security very seriously at FA. Here's a page about that: https://fusionauth.io/features/security-data-compliance
It should be something similar to like Facebook, you have to log in to be able to do any actions with your account. And if you’re not logged in, you should actually not be able to do anything, since everything you do is account specific.
Is there any guide on how to implement OAuth and authorization code grant?
It’s OAuth2 you are referring to right? And this guide: https://fusionauth.io/blog/2020/03/10/securely-implement-oauth-in-react is also OAuth2?
> Do you have any suggestions if it is smart to redirect the user to the fusionauth login page right away to login if they don’t have a session token?
What can they do in your app if they aren't logged in? If there are valid anonymous use cases, then I'd allow those.
For mobile apps I'd suggest OAuth and the authorization code grant. However you don't have to do the authorization code grant, you could also do the resource owner password credentials grant. Here are three articles to help you choose: https://fusionauth.io/learn/expert-advice/authentication/login-authentication-workflows#native-mobile-application-authentication
Here's a post from my employer about how to think about JWT revocation: https://fusionauth.io/learn/expert-advice/tokens/revoking-jwts
Hello. (I'm an employee of FusionAuth, a free (as in beer) identity management solution built from the ground up for developers.)
I wanted to share this post about the math of password algorithms.
I added some comments to the stack overflow question. I agree with u/dotsonjb14, don't put the tokens in local storage. In fact, if you can avoid it, don't use the implicit grant at all.
Also would suggest you check out some of the resources at FusionAuth (full disclosure, I'm an employee): https://fusionauth.io/learn/expert-advice/ for further reading. You might want to evaluate our offering. It's free (as in beer) and competitive with the other OAuth servers you're looking at.
If you are avoiding the cloud connection, FusionAuth.io might be an option. It runs locally and then all this is pretty simple. Their docs give a lot of details that may help also.
These login workflow diagrams may help, and they are having an open session to ask questions coming up on Feb. 18. If link doesn't help you can ask in person. https://fusionauth.io/learn/expert-advice/authentication/login-authentication-workflows
This may help. It takes a broader approach but gets through the request_token also. https://fusionauth.io/learn/expert-advice/oauth/oauth-v1-signed-requests
These login workflows might help you make sense of it all: https://fusionauth.io/learn/expert-advice/authentication/login-authentication-workflows
Not sure of the specific reasons, but these auth workflows might help you fix or revise your flow to work the way you expect. https://fusionauth.io/learn/expert-advice/authentication/login-authentication-workflows
There's an option called FusionAuth that might work for you. FusionAuth.io More flexible and not as ecosystem dependent as Cognito. Here's a post on how it compares: https://fusionauth.io/blog/2018/09/18/amazon-cognito-and-fusionauth-comparison
Here is a list of descriptions and diagrams of authentication workflows that might help: https://fusionauth.io/learn/expert-advice/authentication/login-authentication-workflows
Detailed resource of login and authentication workflows (descriptions and diagrams): https://fusionauth.io/learn/expert-advice/authentication/login-authentication-workflows
A good SSO setup is non trivial... If you want to buy it, some service like auth0 or others would make the process a lot simpler... If you want to build your own it gets more complicated. There's this omniauth-saml package that would do the job but you'd have to figure out saml and set up various bits to support it... Here's one that does jwt sso but it hasn't been touched in 6 years.
We implemented our own using JWT, a custom ruby gem for client apps to use, and another app that handles logins and validating/expiring tokens. Works out pretty well but it's a lot of custom code and setup.
Really if your budget allows it, IMO, auth0 is the way to go. If not you might look at self hosted open source alternatives like keycloak. There's also fusion auth which can be self hosted and looks promising though I really don't know much about it.
Otherwise, you're gonna have to roll your own which can be fun...
Here are some resources on login workflows that might be helpful https://fusionauth.io/articles/logins/types-of-logins-authentication-workflows - FusionAuth.io is a free solution you can experiment with, too. Good docs.
Respectfully, I would love if anyone could provide feedback on these Python tutorials for authentication (I work for the company). Have been looking at these for a while so hard to tell if they still make sense. This link goes to first one, and the second is linked in the first paragraph. Thanks for any input you can offer! https://fusionauth.io/blog/2019/10/01/implementing-fusionauth-python
Here is a comparison of Firebase and FusionAuth that covers some of the pros and cons of each - may be helpful - https://fusionauth.io/blog/2018/10/02/firebase-and-fusionauth-ciam-comparison
FusionAuth is another option that could work for you and compares well against Auth0 and Firebase - https://fusionauth.io/blog/2018/10/02/firebase-and-fusionauth-ciam-comparison
There's another solution similar to Auth0 and Okta called FusionAuth.io that you might want to try. Easy to download and install without having to sign up for any plans or accounts.
>https://www.reddit.com/r/selfhosted/comments/5w75yh/authentication_server_like_auth0com/
Here's a quick comparison post from FusionAuth - https://fusionauth.io/blog/2019/07/16/gluu-fusionauth-compare-identity-management-solutions
Name: FusionAuth.io
Location: Denver, CO
Elevator Pitch: Auth for every app - Secure, complete, affordable auth and identity management for every app.
More details: Launched 9 months ago, already 100,000 downloads and IAM Product of the Year. https://fusionauth.io/blog/2019/06/17/iam-product-of-the-year
Looking for: People to try us out -
Discount: Free to download for /r/startups (and anyone else)
You may have already moved on this, but FusionAuth might do the trick for you. Just released SAML support, and a ton cheaper than OneLogin. https://fusionauth.io/blog/2019/05/01/fusionauth-update-saml
We've been trying to get devs away from SAML for a while with FusionAuth, but recently had to support it since it is so pervasive. (shameless plug https://fusionauth.io/blog/2019/05/01/fusionauth-update-saml) Not everyone implements it correctly to spec, so there are tons of issues. Wish people would migrate away, but know that's not always possible.
Some are suggesting Keycloak, so maybe FusionAuth would be a good option as well. Better documentation, and they just released SAML support https://fusionauth.io/blog/2019/05/01/fusionauth-update-saml
If you wanted to go further and manage the access of users instead of passwords, FusionAuth might be useful. https://fusionauth.io/blog/2019/05/01/fusionauth-update-saml I'm always scared of shared passwords. Been burned by end users not managing them safely, so always try to control access more centrally.
Not sure if FusionAuth would be useful for this case or not. Their 1.6 release just added SAML support, so possibly: https://fusionauth.io/blog/2019/05/01/fusionauth-update-saml
Not everyone implements SAML to spec, so it can get squirrely. FusionAuth just released SAML support, so take a look. Might be what you need. https://fusionauth.io/blog/2019/05/01/fusionauth-update-saml
Consider looking at FusionAuth - similar features to Okta and others mentioned in the thread, but much lower cost, and gives you more flexibility on how and where to host. Here's a link to their newest release. https://fusionauth.io/blog/2019/05/01/fusionauth-update-saml
Something like FusionAuth.io might work for you, but you may need something more for your specific recs. MacTalker mentions OneLogin being hacked, and that's always a concern when there is one big honeypot of user identities. Large platforms are a target to the most sophisticated hackers for the biggest payoff.
Not sure if this would help or not: https://fusionauth.io/blog/2018/10/24/easy-integration-of-fusionauth-and-spring Lots of details in their docs on the specifics.
Here's a doc that lists a bunch of password policies, but doesn't go into detail on custom words. https://fusionauth.io/blog/2019/04/11/password-security-compliance-checklist The goal is to increase the entropy of the password they choose, but it makes a lot of sense to prevent users from selecting the most common l33t substitutions and phrases.
Wow. It's amazing how people will resist better security, even after a breach. I'm sure you shared data on the % of hacks caused by stolen or weak passwords, but if you need it here is another resource. https://fusionauth.io/blog/2019/04/11/password-security-compliance-checklist
Here's a video that might help you. https://www.youtube.com/watch?v=SLc3cTlypwM Brian Pontarelli at Oracle Code One - Authentication as a Microservice. His company built FusionAuth.io, so he's got a lot of knowledge in this area.
Here's another free solution that might help you. This link is to their post about integrating with Node.js. https://fusionauth.io/blog/2019/02/19/easy-integration-fusionauth-nodejs but check out the docs and site for more details.
This isn't Keycloak specific, but has good code and tips on how to harden a server. You could possibly use these as starting points to check - https://fusionauth.io/resources/guide-to-user-data-security
According to the text, GDPR applies to the data of EU citizens, regardless of where the service is located. Technically the EU can request the US government to do something to get to you, but it would probably depend on how blatant a violation and what they could hope to fine you for. It could eventually become a trade issue similar to international copyright laws.
Something else to remember is that if you are sharing data with other services, every data partner along the way can be held responsible for non-compliance (with the same caveats as above.) This article covers questions to ask data partners, and the paper at the end of the article has an overview that cuts through a lot of the jargon and also has reference links if you want to read further. https://fusionauth.io/blog/2019/02/12/data-partners-gdpr-questions-to-ask
Not sure if it would be a solution for you, but FusionAuth.io has similar features as Auth0, deploys on-prem so can work offline, and is free, too. Take a look through the docs and see if it could work for you.
Take a look at the API docs for FusionAuth.io - they have a solid structure for this. They also have a recent post about how to use JWTs to control and revoke access. https://fusionauth.io/blog/2019/01/31/revoking-jwts
Here's some info on controlling and revoking JWTs that might be useful. See what you think - https://fusionauth.io/blog/2019/01/31/revoking-jwts
This may help. Post about how to revoke JWTs in the scope of authentication. See what you think https://fusionauth.io/blog/2019/01/31/revoking-jwts This is how FusionAuth did it, but applies anywhere.
Here's some info on how to use and revoke JWTs for authentication. This is the way FusionAuth did it, but transfers to any solution. https://fusionauth.io/blog/2019/01/31/revoking-jwts
Not sure of an answer for you, but if it doesn't work out, take a look at FusionAuth.io - similar features, great documentation, and free. Could be worth a look before you get deep into Auth0 issues.
I'd suggest starting a detailed conversation with the third party. As the primary controller of the data chain, if they aren't compliant, neither are you and you can both get in trouble. Here's a post with a few questions to start with: https://fusionauth.io/blog/2018/05/17/data-partners-gdpr-questions-to-ask
Check out this paper. Good overview and lots of reference links at the end. GDPR covers EU citizens and their data, so it can still affect businesses regardless of their physical location. It's still a murky issue tho, and will almost assuredly be challenged in courts. https://fusionauth.io/blog/2018/03/23/white-paper-developers-guide-gdpr
This should help. https://fusionauth.io/blog/2018/03/23/white-paper-developers-guide-gdpr It gives a summary as well as a bunch of links to other resources.
There is a well documented API for FusionAuth that could help you get a good understanding of what you can and need to do. Here's a post that talks about a lot of the challenges that you'll need to address: https://fusionauth.io/challenges-of-ciam
This guide to user data security gives a lot of specific ways to secure both hardware and software for your app. Worth the view https://fusionauth.io/resources/guide-to-user-data-security
There is great info on authentication in these API docs that might help you. https://fusionauth.io/docs/v1/tech/ If you are looking at Auth0 and others, it could be a good free alternative for you as well.
You might find this info useful https://fusionauth.io/challenges-of-ciam as well as their API documentation. Covers many authentication challenges as well as how to address different issues.