From 54eb087e4a608c4e0cf644f4f3d1ee38ceee4273 Mon Sep 17 00:00:00 2001
From: Tatenda <31291528+rideam@users.noreply.github.com>
Date: Wed, 18 Sep 2024 14:35:10 +0200
Subject: [PATCH 1/3] secure and monitor restructure
---
.../multi-factor-authentication.md | 2 +-
.../blog/announcing-fusionauth-1-47.mdx | 2 +-
.../blog/announcing-fusionauth-1-48.mdx | 2 +-
astro/src/content/blog/javascript-sdks.mdx | 2 +-
astro/src/content/blog/log4j-fusionauth.mdx | 2 +-
.../docs/_shared/_client-side-api-keys.mdx | 4 +-
.../content/docs/_shared/_update-key-note.mdx | 2 +-
.../apis/_reactor-status-response-body.mdx | 2 +-
.../src/content/docs/apis/hosted-backend.mdx | 4 +-
astro/src/content/docs/apis/login.mdx | 2 +-
astro/src/content/docs/apis/reactor.mdx | 2 +-
astro/src/content/docs/apis/system.mdx | 4 +-
.../docs/extend/events-and-webhooks/index.mdx | 2 +-
.../extend/events-and-webhooks/signing.mdx | 4 +-
.../core-concepts/integration-points.mdx | 2 +-
.../get-started/core-concepts/limitations.mdx | 2 +-
.../get-started/run-in-the-cloud/cloud.mdx | 4 +-
.../identity-providers/overview-samlv2.mdx | 2 +-
.../identity-providers/social/apple.mdx | 2 +-
.../login-api/json-web-tokens.mdx | 2 +-
.../setting-up-user-account-lockout.mdx | 2 +-
.../connectors/generic-connector.mdx | 4 +-
.../migrate-users/general-migration.mdx | 2 +-
.../docs/lifecycle/migrate-users/offboard.mdx | 2 +-
.../content/docs/operate/deploy/cluster.mdx | 4 +-
.../docs/operate/deploy/proxy-setup.mdx | 2 +-
.../cloudwatch.mdx | 8 ++--
.../datadog.mdx | 10 ++---
.../elastic.mdx | 4 +-
.../monitor.mdx | 8 ++--
.../opentelemetry.mdx | 4 +-
.../prometheus.mdx | 6 +--
.../{secure-and-monitor => monitor}/slack.mdx | 6 +--
.../splunk.mdx | 12 +++---
.../operate/roadmap/deprecation-policy.mdx | 2 +-
.../_key-master-import-form-fields.mdx | 0
.../advanced-threat-detection.mdx | 2 +-
.../breached-password-detection.mdx | 2 +-
.../{secure-and-monitor => secure}/cors.mdx | 2 +-
.../key-master.mdx | 6 +--
.../key-rotation.mdx | 2 +-
.../networking.mdx | 2 +-
.../securing.mdx | 2 +-
.../vulnerabilities.mdx | 2 +-
.../content/docs/release-notes/archive.mdx | 4 +-
astro/src/content/json/features.json | 4 +-
src/redirects.json | 41 +++++++++++++------
47 files changed, 106 insertions(+), 89 deletions(-)
rename astro/src/content/docs/operate/{secure-and-monitor => monitor}/cloudwatch.mdx (98%)
rename astro/src/content/docs/operate/{secure-and-monitor => monitor}/datadog.mdx (97%)
rename astro/src/content/docs/operate/{secure-and-monitor => monitor}/elastic.mdx (99%)
rename astro/src/content/docs/operate/{secure-and-monitor => monitor}/monitor.mdx (98%)
rename astro/src/content/docs/operate/{secure-and-monitor => monitor}/opentelemetry.mdx (97%)
rename astro/src/content/docs/operate/{secure-and-monitor => monitor}/prometheus.mdx (94%)
rename astro/src/content/docs/operate/{secure-and-monitor => monitor}/slack.mdx (96%)
rename astro/src/content/docs/operate/{secure-and-monitor => monitor}/splunk.mdx (97%)
rename astro/src/content/docs/operate/{secure-and-monitor => secure}/_key-master-import-form-fields.mdx (100%)
rename astro/src/content/docs/operate/{secure-and-monitor => secure}/advanced-threat-detection.mdx (99%)
rename astro/src/content/docs/operate/{secure-and-monitor => secure}/breached-password-detection.mdx (99%)
rename astro/src/content/docs/operate/{secure-and-monitor => secure}/cors.mdx (99%)
rename astro/src/content/docs/operate/{secure-and-monitor => secure}/key-master.mdx (97%)
rename astro/src/content/docs/operate/{secure-and-monitor => secure}/key-rotation.mdx (99%)
rename astro/src/content/docs/operate/{secure-and-monitor => secure}/networking.mdx (98%)
rename astro/src/content/docs/operate/{secure-and-monitor => secure}/securing.mdx (99%)
rename astro/src/content/docs/operate/{secure-and-monitor => secure}/vulnerabilities.mdx (97%)
diff --git a/astro/src/content/articles/authentication/multi-factor-authentication.md b/astro/src/content/articles/authentication/multi-factor-authentication.md
index ccae9b7441..c0e8d2146c 100644
--- a/astro/src/content/articles/authentication/multi-factor-authentication.md
+++ b/astro/src/content/articles/authentication/multi-factor-authentication.md
@@ -54,7 +54,7 @@ Imagine a security system that not only asks for your credentials but also reads
What's truly fascinating about adaptive MFA is its dynamic nature. It's not just about adding layers of security; it's about adding the right layers, at the right time. This approach minimizes friction for users, making security feel less like a series of hoops to jump through and more like a smart, responsive ally. It's a dance between convenience and caution, where security measures are tailored in real-time, based on the perceived level of risk. This not only enhances the user experience but also fortifies defenses, ensuring that the keys to the kingdom aren't handed over too easily, nor kept under lock and key unnecessarily.
-You can also use the same principles for initial authentication (for instance, requiring a CAPTCHA if a user logs in from a new device). Read more about adaptive approaches in our [Advanced Threat Detection](/docs/operate/secure-and-monitor/advanced-threat-detection) features.
+You can also use the same principles for initial authentication (for instance, requiring a CAPTCHA if a user logs in from a new device). Read more about adaptive approaches in our [Advanced Threat Detection](/docs/operate/secure/advanced-threat-detection) features.
## Why Use Multi-factor Authentication (MFA)?
diff --git a/astro/src/content/blog/announcing-fusionauth-1-47.mdx b/astro/src/content/blog/announcing-fusionauth-1-47.mdx
index 19ad2af821..c5f52ff0f6 100644
--- a/astro/src/content/blog/announcing-fusionauth-1-47.mdx
+++ b/astro/src/content/blog/announcing-fusionauth-1-47.mdx
@@ -23,7 +23,7 @@ All in all there are 21 issues, enhancements, and bug fixes included in the 1.47
There were a number of performance improvements in these releases, as the team focused on making FusionAuth even faster and more scalable.
-Some improvements are only applicable for Enterprise clients. This included lowering the memory overhead when downloading and storing the IP location database. This IP data is used by [Advanced Threat Detection](/docs/operate/secure-and-monitor/advanced-threat-detection).
+Some improvements are only applicable for Enterprise clients. This included lowering the memory overhead when downloading and storing the IP location database. This IP data is used by [Advanced Threat Detection](/docs/operate/secure/advanced-threat-detection).
Other improvements apply to all FusionAuth users. These include:
diff --git a/astro/src/content/blog/announcing-fusionauth-1-48.mdx b/astro/src/content/blog/announcing-fusionauth-1-48.mdx
index 74833a5dca..b31b1375ac 100644
--- a/astro/src/content/blog/announcing-fusionauth-1-48.mdx
+++ b/astro/src/content/blog/announcing-fusionauth-1-48.mdx
@@ -55,7 +55,7 @@ If they match, you can be certain the payload is unchanged.
But it's not just webhook signing. There were other webhook related improvements too, including:
* Webhook test messages now include more information if the webhook does not succeed.
-* You can use [key master](/docs/operate/secure-and-monitor/key-master) to manage webhook certificates. This is the recommended solution going forward.
+* You can use [key master](/docs/operate/secure/key-master) to manage webhook certificates. This is the recommended solution going forward.
* A bug was fixed. Previously tenant specific webhooks were removed when `PATCH`-ing a tenant, and now they are not.
* Test messages sent using the admin UI now preserve the body payload, making it easier to develop webhooks.
diff --git a/astro/src/content/blog/javascript-sdks.mdx b/astro/src/content/blog/javascript-sdks.mdx
index ac874a8d65..61197d44d4 100644
--- a/astro/src/content/blog/javascript-sdks.mdx
+++ b/astro/src/content/blog/javascript-sdks.mdx
@@ -58,7 +58,7 @@ A client library, in contrast, is a wrapper over [FusionAuth APIs](/docs/apis/).
If you want to compare a client library to a child's toy, it is like legos. Engineers build a script or program using a client library to extend or configure FusionAuth. Some examples of tasks well suited to a client library:
-* [rotating client secrets or API keys](/docs/operate/secure-and-monitor/key-rotation) to improve your security posture
+* [rotating client secrets or API keys](/docs/operate/secure/key-rotation) to improve your security posture
* pulling user data every night for data warehouse ingestion
* creating a new FusionAuth tenant every time a client signs up for your app
* offering a unique, custom login or registration experience not supported by the [FusionAuth hosted login pages](/docs/get-started/core-concepts/integration-points#hosted-login-pages)
diff --git a/astro/src/content/blog/log4j-fusionauth.mdx b/astro/src/content/blog/log4j-fusionauth.mdx
index 360b22e218..b250d12ce5 100644
--- a/astro/src/content/blog/log4j-fusionauth.mdx
+++ b/astro/src/content/blog/log4j-fusionauth.mdx
@@ -35,7 +35,7 @@ To learn more about the CVE, you can:
## What about Elasticsearch
-Elasticsearch is used by many FusionAuth installations. However, in general the Elasticsearch service is not publicly accessible, if [following the recommended security guidance](/docs/operate/secure-and-monitor/securing).
+Elasticsearch is used by many FusionAuth installations. However, in general the Elasticsearch service is not publicly accessible, if [following the recommended security guidance](/docs/operate/secure/securing).
-To do so, navigate to Tenants -> Webhooks to enable events and optionally modify the default transaction level for each event type.
+To do so, navigate to **Tenants -> Webhooks** to enable events and optionally modify the default transaction level for each event type.
-
+
### Webhooks
@@ -83,13 +83,13 @@ The response will be a JSON object with more details:
## Add Webhook
-After you have enabled the events that you will be using, create a webhook definition to indicate where FusionAuth should send the JSON events. Navigate to Settings -> Webhooks to create a new webhook.
+After you have enabled the events that you will be using, create a webhook definition to indicate where FusionAuth should send the JSON events. Navigate to **Settings -> Webhooks** to create a new webhook.
See the example screenshot below, at a minimum you will need to provide the URL the endpoint that will accept the FusionAuth JSON events. You can see in this screenshot that even though an event may be enabled globally you can still select which events will be sent to this webhook.
If you need to configure an Authorization header or other credentials to allow FusionAuth to make a request to your webhook, you may do so in the Security tab.
-
+
### Form Fields
@@ -135,7 +135,7 @@ If you need to configure an Authorization header or other credentials to allow F
The security settings may be used to require authentication in order to submit an event to the webhook.
-
+
#### Form Fields
@@ -149,7 +149,7 @@ The security settings may be used to require authentication in order to submit a
The [Key](/docs/operate/secure/key-master) containing an SSL certificate to be used when connecting to the webhook.
- If you need to add a certificate for use with this webhook, navigate to Settings -> Key Master and import a certificate. The certificate will then be shown as an option in this form control.
+ If you need to add a certificate for use with this webhook, navigate to **Settings -> Key Master** and import a certificate. The certificate will then be shown as an option in this form control.
You can also select the `Manually enter certificate in the textarea.` option to manually specify the SSL certificate in PEM format on the webhook configuration.
@@ -165,11 +165,11 @@ Available since 1.37.0
Here's the configuration when a webhook will be sent for all tenants.
-
+
Here's the configuration when a webhook should be sent for certain tenants.
-
+
#### Form Fields
@@ -196,7 +196,7 @@ These events are configured at the system level and cannot be scoped to a certai
### Headers
-
+
#### Form Fields
@@ -213,9 +213,9 @@ These events are configured at the system level and cannot be scoped to a certai
### Applications
-
+
-
+
#### Form Fields
@@ -246,9 +246,9 @@ These events are configured at the system level and cannot be scoped to a certai
Once you have a webhook up and running and configured to receive JSON events from FusionAuth you may wish to test it by sending different events. FusionAuth has built in a test capability to allow you to construct any event and send it to your webhook.
-Navigate to Settings -> Webhooks and select the purple icon for the webhook you wish to test. Select the event type to test, optionally modify the JSON to test a specific scenario and then use the send button in the top right to send the event to the webhook.
+Navigate to **Settings -> Webhooks** and select the purple icon for the webhook you wish to test. Select the event type to test, optionally modify the JSON to test a specific scenario and then use the send button in the top right to send the event to the webhook.
-
+
Modifications to event JSON will be preserved across tests. If you want to reset the JSON for a given event, select that event and click the Reset button.
@@ -274,8 +274,8 @@ Modifications to event JSON will be preserved across tests. If you want to reset
**A:** In order to receive events to your webhook endpoint, ensure the following items are configured:
-* Set up the Tenant events. Navigate to Tenants -> Webhooks and enable the specific events.
-* Set up Webhook tenants. Navigate to Settings -> Webhooks -> Tenants and ensure the Webhook is configured either for All tenants or your desired tenant or tenants.
-* Set up the Webhook events. Navigate to Settings -> Webhooks -> Events and ensure the specific events are enabled for the Webhook.
+* Set up the Tenant events. Navigate to **Tenants -> Webhooks** and enable the specific events.
+* Set up Webhook tenants. Navigate to **Settings -> Webhooks -> Tenants** and ensure the Webhook is configured either for All tenants or your desired tenant or tenants.
+* Set up the Webhook events. Navigate to **Settings -> Webhooks -> Events** and ensure the specific events are enabled for the Webhook.
Unless all three of these configurations are correct, you won't receive events to your configured endpoint.
diff --git a/astro/src/content/docs/extend/events-and-webhooks/signing.mdx b/astro/src/content/docs/extend/events-and-webhooks/signing.mdx
index 3ee5697815..c85c5d7067 100644
--- a/astro/src/content/docs/extend/events-and-webhooks/signing.mdx
+++ b/astro/src/content/docs/extend/events-and-webhooks/signing.mdx
@@ -23,9 +23,9 @@ This document covers configuring webhook signatures, verifying signatures in you
Configuring webhook signatures in FusionAuth consists of generating a key and configuring your webhook to sign using that key.
-
+
-Keys are generated or imported from Settings -> Key Master. Webhooks can be signed with three types of keys
+Keys are generated or imported from **Settings -> Key Master**. Webhooks can be signed with three types of keys
* EC key - strongest cryptography, public key can be available
* RSA key - strong cryptography, public key can be available
@@ -35,9 +35,9 @@ EC and RSA keys allow you to make public keys available through the `/.well-know
For this example, we'll use an RSA key pair. More information on keys is available in the [Key Master Guide](/docs/operate/secure/key-master).
-Next, you configure your webhook to sign the event with this key. From Settings -> Webhooks, click on the Edit button for your webhook (or create a new webhook). Select the Security tab panel. Once you enable Sign events, a Signing key select dropdown allows you to choose the generated key. Be sure to click Save in the upper right corner.
+Next, you configure your webhook to sign the event with this key. From **Settings -> Webhooks**, click on the Edit button for your webhook (or create a new webhook). Select the **Security** tab panel. Once you enable Sign events, a Signing key select dropdown allows you to choose the generated key. Be sure to click Save in the upper right corner.
-
+
### Signature Verification
diff --git a/astro/src/content/docs/get-started/run-in-the-cloud/cloud.mdx b/astro/src/content/docs/get-started/run-in-the-cloud/cloud.mdx
index 6aafe5f35a..5aa73a0c02 100644
--- a/astro/src/content/docs/get-started/run-in-the-cloud/cloud.mdx
+++ b/astro/src/content/docs/get-started/run-in-the-cloud/cloud.mdx
@@ -74,13 +74,11 @@ You can also self-host FusionAuth if you need data residency in a country not li
Unlike other installation options, **FusionAuth Cloud costs money**.
You cannot create a FusionAuth Cloud deployment without a credit card or invoicing agreement.
-{/* eslint-disable-next-line */}
-For full pricing information as well as different deployment architectures, visit the pricing page.
+For full pricing information as well as different deployment architectures, visit the pricing page. {/* eslint-disable-line */}
### The Pricing Calculator
-{/* eslint-disable-next-line */}
-You can also find the expected cost without creating an account by using the pricing calculator.
+You can also find the expected cost without creating an account by using the pricing calculator. {/* eslint-disable-line */}
You can choose the cloud option, the deployment region, and the number of monthly active users.
By clicking Add Service and then Add Deployment you can add a deployment.
@@ -94,8 +92,7 @@ You'll be able to see the total price before you are charged anything. Here's an
## The Account Portal
-{/* eslint-disable-next-line */}
-You can control all aspects of FusionAuth Cloud deployments by logging into the account portal.
+You can control all aspects of FusionAuth Cloud deployments by logging into the account portal.{/* eslint-disable-line */}
### Portal Areas
diff --git a/astro/src/content/docs/lifecycle/authenticate-users/login-api/json-web-tokens.mdx b/astro/src/content/docs/lifecycle/authenticate-users/login-api/json-web-tokens.mdx
index 3ac7a448f7..1495cffdf7 100644
--- a/astro/src/content/docs/lifecycle/authenticate-users/login-api/json-web-tokens.mdx
+++ b/astro/src/content/docs/lifecycle/authenticate-users/login-api/json-web-tokens.mdx
@@ -33,11 +33,11 @@ it to the caller. This JWT will be cryptographically signed to allow other appli
## Configuring JWTs in FusionAuth
-FusionAuth provides the ability to configure a couple of aspects of its JWT handling. By navigating to Settings -> Tenants in FusionAuth and selecting the JWT tab, you will see the tenant JWT configuration settings.
+FusionAuth provides the ability to configure a couple of aspects of its JWT handling. By navigating to **Settings -> Tenants** in FusionAuth and selecting the JWT tab, you will see the tenant JWT configuration settings.
The following is an example screenshot of the tenant JWT configuration.
-
+
### JSON Web Token Settings
@@ -49,17 +49,17 @@ The following is an example screenshot of the tenant JWT configuration.
## Application Specific Configuration
-If you navigate to Applications from the main menu, you can also configure the JWT parameters, including the signing algorithm, on a per application basis. If you don't select to enable Application specific JWT configuration, the tenant configuration will be used.
+If you navigate to **Applications** from the main menu, you can also configure the JWT parameters, including the signing algorithm, on a per application basis. If you don't select to enable Application specific JWT configuration, the tenant configuration will be used.
The following is an example screenshot of an Application specific JWT configuration.
-
+
### JSON Web Token Settings
-
+
### Refresh Token Settings
@@ -138,7 +138,7 @@ Here is an example JWT that might be returned from FusionAuth:
Refresh tokens are a method of allowing a User to stay logged into an Application for a long period of time without requiring them to type in their password. This method is often used by Applications that don't store sensitive data such as games and social networks.
-To receive a refresh token from the Login API, enable Refresh Tokens for the application. Using the FusionAuth UI, navigate to Settings -> Applications -> Security Tab. Here you will find the Login API settings. Ensure that both Generate Refresh Tokens and Enable JWT refresh fields are enabled.
+To receive a refresh token from the Login API, enable Refresh Tokens for the application. Using the FusionAuth UI, navigate to **Settings -> Applications -> Security Tab**. Here you will find the Login API settings. Ensure that both Generate Refresh Tokens and Enable JWT refresh fields are enabled.
FusionAuth provides refresh tokens in the response from the [Login API](/docs/apis/login) provided that you supply these elements:
diff --git a/astro/src/content/docs/lifecycle/authenticate-users/setting-up-user-account-lockout.mdx b/astro/src/content/docs/lifecycle/authenticate-users/setting-up-user-account-lockout.mdx
index 182d468c3c..eeb4aa0885 100644
--- a/astro/src/content/docs/lifecycle/authenticate-users/setting-up-user-account-lockout.mdx
+++ b/astro/src/content/docs/lifecycle/authenticate-users/setting-up-user-account-lockout.mdx
@@ -25,21 +25,21 @@ If you are interested in rate limiting other actions, such as forgot password re
### Creating the User Action
-The first step is to create a user action, under Settings -> User Actions. Give it a name of "Account Lock". Check the Time-based and Prevent login checkboxes.
+The first step is to create a user action, under **Settings -> User Actions**. Give it a name of "Account Lock". Check the Time-based and Prevent login checkboxes.
-
+
There are other configuration options available, including localization and user notification options; check out the [User Action APIs](/docs/apis/user-actions) for more information.
### Tenant Configuration
-Next, configure your tenant, under Tenants -> Default. Then navigate to the "Password" tab. Under the "Failed authentication settings" section, change the User action to your newly created user action, `Account Lock`.
+Next, configure your tenant, under **Tenants -> Default**. Then navigate to the "Password" tab. Under the "Failed authentication settings" section, change the User action to your newly created user action, `Account Lock`.
You can configure the number of failed attempts which will trigger the lockout, the time period during which the allotted failures must take place, and the duration of the lockout.
For example, the below settings will allow five failed attempts in sixty seconds. Once the fifth attempt fails, the account will be locked for three minutes. However, each additional failed attempt restarts the three minute lockout.
-
+
### What Happens When The Account is Locked
@@ -47,13 +47,13 @@ When a user account has been locked by this mechanism, they'll be able to sign i
This is what a user will see if the standard FusionAuth OAuth theme is used:
-
+
Since this is a temporary action, the user details screen in the administration user interface will not display a red lock. That is reserved for locks not applied by the user action rules, such as by users that have been [soft deleted](/docs/apis/users#delete-a-user).
An administrator can manually remove or extend this lock. You can also modify the action applied to a user by using the [Actioning Users API](/docs/apis/actioning-users). Administrators can see the action under the user's "Current actions" tab.
-
+
### Webhooks
diff --git a/astro/src/content/docs/lifecycle/migrate-users/connectors/generic-connector.mdx b/astro/src/content/docs/lifecycle/migrate-users/connectors/generic-connector.mdx
index d07a58cb02..e949128294 100644
--- a/astro/src/content/docs/lifecycle/migrate-users/connectors/generic-connector.mdx
+++ b/astro/src/content/docs/lifecycle/migrate-users/connectors/generic-connector.mdx
@@ -22,7 +22,7 @@ Generic Connectors allow you to authenticate users against or migrate them from
## Configuration
-
+
### Form Fields
@@ -51,7 +51,7 @@ Generic Connectors allow you to authenticate users against or migrate them from
The security settings may be used to require authentication in order to make the POST request to the authentication endpoint.
-
+
#### Form Fields
@@ -65,7 +65,7 @@ The security settings may be used to require authentication in order to make the
The SSL certificate to be used when connecting to the POST endpoint.
- If you need to add a certificate for use with this connector, navigate to Settings -> Key Master and import a certificate. The certificate will then be shown as an option in this form control.
+ If you need to add a certificate for use with this connector, navigate to **Settings -> Key Master** and import a certificate. The certificate will then be shown as an option in this form control.
@@ -73,7 +73,7 @@ The security settings may be used to require authentication in order to make the
You can configure arbitrary headers to be added to the HTTP POST request when making a request to the configured authentication endpoint.
-
+
#### Form Fields
@@ -92,8 +92,8 @@ You can configure arbitrary headers to be added to the HTTP POST request when ma
To use a Generic Connector:
* Build a Generic Connector API endpoint in your application to expose your user data.
-* Configure the Connector in Settings -> Connectors, including securing the endpoint.
-* Add the Connector Policy in Tenants -> Your Tenant -> Connectors to configure to which domains the connector applies.
+* Configure the Connector in **Settings -> Connectors**, including securing the endpoint.
+* Add the Connector Policy in **Tenants -> Your Tenant -> Connectors** to configure to which domains the connector applies.
### Request
@@ -173,7 +173,7 @@ If you are querying a database to determine whether a user can authenticate, use
Turning on the Connector's Debug Enabled field during development is useful for troubleshooting.
However, once you deploy a Connector to production, enable debugging only when troubleshooting.
-Debugging writes to the System -> Event Log and this causes additional load on the database.
+Debugging writes to the **System -> Event Log** and this causes additional load on the database.
### Perform Optional Actions Out Of Band
diff --git a/astro/src/content/docs/lifecycle/migrate-users/general-migration.mdx b/astro/src/content/docs/lifecycle/migrate-users/general-migration.mdx
index 6e045f6e8b..9b96c1a623 100644
--- a/astro/src/content/docs/lifecycle/migrate-users/general-migration.mdx
+++ b/astro/src/content/docs/lifecycle/migrate-users/general-migration.mdx
@@ -239,13 +239,13 @@ Consider your change management strategy. How will you capture your FusionAuth s
Prepare FusionAuth for your users and applications; while the exact configuration depends on your application needs, the following items should be considered.
-Create one or more tenants. Multiple tenants are useful for allowing someone to have the same email but different passwords, or allowing different settings such as the theme or password rules. Add these via the API or navigating to Tenants and clicking the green plus sign.
+Create one or more tenants. Multiple tenants are useful for allowing someone to have the same email but different passwords, or allowing different settings such as the theme or password rules. Add these via the API or navigating to **Tenants** and clicking the green plus sign.
-
+
-Create one or many applications and add any roles needed for them. Create a FusionAuth application entity for each application whose users you are migrating. An application is anything a user can log in to, whether an API, a commercial product, or a custom web application. Add each of these via the API or navigating to Applications in the administrative user interface, then clicking the green plus sign to add the application.
+Create one or many applications and add any roles needed for them. Create a FusionAuth application entity for each application whose users you are migrating. An application is anything a user can log in to, whether an API, a commercial product, or a custom web application. Add each of these via the API or navigating to **Applications** in the administrative user interface, then clicking the green plus sign to add the application.
-
+
Map user attributes, as discussed above, into the FusionAuth `user` or `registration` objects. If some of your data doesn't fit into the FusionAuth model, add it to the appropriate `data` field.
@@ -269,7 +269,7 @@ To actually move the data, you'll build out a series of scripts and programs. To
You'll also want to [create an API key](/docs/apis/authentication#managing-api-keys). Make sure you give the key appropriate permissions. The minimum required are the `POST` method on the `/api/user/import` endpoint.
-
+
You can write the migration scripts in shell, any of the supported [client library languages](/docs/sdks/), or against the [REST API](/docs/apis/users) in any language supporting HTTP requests. Iterate over all the users in the old system or systems. Build the JSON files. Add a registration for each application to which a user should have access.
@@ -448,9 +448,9 @@ The JSON response above has a `user.data.migrated` value of `true`. This indicat
#### Configure Your Connector
-Navigate to Settings -> Connectors and add a Connector. You can also configure Connectors by using the API; consult the [Connector API documentation](/docs/apis/connectors/) for more details.
+Navigate to **Settings -> Connectors** and add a Connector. You can also configure Connectors by using the API; consult the [Connector API documentation](/docs/apis/connectors/) for more details.
-
+
Configuration varies depending on whether the original datasource is an HTTP API or an LDAP directory.
@@ -484,9 +484,9 @@ To test this, log some users in. If you have test users in your original auth sy
#### Proxying Authentication
-With FusionAuth, proxying authentication requests to the original datasource is easy. You've already set up the connection information when configuring the Connector. Now associate the Connector to the tenant. This is called a Connector policy. Navigate to Tenants -> Your Tenant -> Connectors and add a policy.
+With FusionAuth, proxying authentication requests to the original datasource is easy. You've already set up the connection information when configuring the Connector. Now associate the Connector to the tenant. This is called a Connector policy. Navigate to **Tenants -> Your Tenant -> Connectors** and add a policy.
-
+
Make sure to check the Migrate user checkbox. Then, each user will be authenticated against the original user datastore the first time they are seen. Their data will then be migrated to FusionAuth. On subsequent logins, they'll authenticate with FusionAuth. You can learn more about configuring Connector policies in the [Connector documentation](/docs/lifecycle/migrate-users/connectors/).
@@ -530,7 +530,7 @@ However you retrieve the number of users migrated, regularly compare it to the n
When it is time to stop the slow migration, remove the Connector policy. All future logins will take place against FusionAuth.
-
+
You may also optionally remove the Connector.
@@ -574,7 +574,7 @@ Make sure you provide a link to a form, phone number or other means of contactin
A customer service representative can trigger a password reset email from the appropriate user data store. You can do that from within the FusionAuth administrative user interface.
-
+
Alternatively, if the user has not been migrated, the customer service representative can look up the user and then reset their password in the legacy system.
@@ -691,7 +691,7 @@ In this scenario, you also pre-load the required certificates and notify upstrea
But, in addition you need to:
* Configure your applications to point to the FusionAuth hosted login pages. You may want to use an `idp_hint` to skip the hosted login pages and send users directly to the IdP.
-* Modify the FusionAuth destination assertion policy. You can do this via the API or the administrative user interface. In the administrative user interface, navigate to Identity Providers -> Your SAMLv2 Identity Provider. Then navigate to the Options tab, and find the Destination assertion policy field.
+* Modify the FusionAuth destination assertion policy. You can do this via the API or the administrative user interface. In the administrative user interface, navigate to **Identity Providers -> Your SAMLv2 Identity Provider**. Then navigate to the **Options** tab, and find the Destination assertion policy field.
* Set up an HTTP redirect from your existing ACS URL to the FusionAuth ACS URL. You can do this using a proxy such as nginx.
* You may disable or shut down the existing SAML SP at this time, since all traffic should be moving through FusionAuth.
diff --git a/astro/src/content/docs/lifecycle/migrate-users/offboard.mdx b/astro/src/content/docs/lifecycle/migrate-users/offboard.mdx
index f9aba37681..12c6917651 100644
--- a/astro/src/content/docs/lifecycle/migrate-users/offboard.mdx
+++ b/astro/src/content/docs/lifecycle/migrate-users/offboard.mdx
@@ -72,7 +72,7 @@ Some data types, like users, applications, and roles, are used in most authentic
To understand the user-related data tables in the database, please read the [FusionAuth core concepts](/docs/get-started/core-concepts) guide before continuing. Below is a visual summary of the organization.
-
+
In addition to the objects above, you may want to migrate identity providers like Google OAuth, user consents, and email templates.
diff --git a/astro/src/content/docs/operate/deploy/cluster.mdx b/astro/src/content/docs/operate/deploy/cluster.mdx
index 2b0f1974c1..91d1a0890c 100644
--- a/astro/src/content/docs/operate/deploy/cluster.mdx
+++ b/astro/src/content/docs/operate/deploy/cluster.mdx
@@ -87,9 +87,9 @@ If you have difficulty installing FusionAuth in a cluster, you can set up a clus
### Verification
-Verify that the installation is clustered by navigating to System -> About. You'll see multiple nodes listed:
+Verify that the installation is clustered by navigating to **System -> About**. You'll see multiple nodes listed:
-
+
The node which served the request you made has a checkmark in the This node field. `Node 1` served the above request.
@@ -121,7 +121,7 @@ See the [Monitoring documentation](/docs/operate/monitor/monitor) for more infor
Available since 1.16.0-RC1
-Should you need to review system log files in the administrative user interface, you can see those by navigating to System -> Logs. Logs for all nodes are displayed there.
+Should you need to review system log files in the administrative user interface, you can see those by navigating to **System -> Logs**. Logs for all nodes are displayed there.
See [the Troubleshooting documentation](/docs/operate/troubleshooting/troubleshooting) for more information about logs.
@@ -138,7 +138,7 @@ To remove nodes, simply:
* Update your load balancer configuration; remove the node that you'll be shutting down.
* Stop FusionAuth on the node to be removed.
-* Verify that the node disappears from the node list displayed at System -> About.
+* Verify that the node disappears from the node list displayed at **System -> About**.
Here's a video covering how to add and remove nodes from a FusionAuth cluster:
diff --git a/src/redirects.json b/src/redirects.json
index 16cc14e223..24884fee59 100644
--- a/src/redirects.json
+++ b/src/redirects.json
@@ -447,6 +447,7 @@
"/docs/operate/secure-and-monitor/key-rotation": "/docs/operate/secure/key-rotation",
"/docs/operate/secure-and-monitor/networking": "/docs/operate/secure/networking",
"/docs/operate/secure-and-monitor/securing": "/docs/operate/secure/securing",
+ "docs/operate/secure-and-monitor/token-storage": "/docs/operate/secure/token-storage",
"/docs/operate/secure-and-monitor/vulnerabilities": "/docs/operate/secure/vulnerabilities",
"/docs/operate/secure-and-monitor/cloudwatch": "/docs/operate/monitor/cloudwatch",
"/docs/operate/secure-and-monitor/datadog": "/docs/operate/monitor/datadog",
+
### Webhooks
@@ -83,13 +83,13 @@ The response will be a JSON object with more details:
## Add Webhook
-After you have enabled the events that you will be using, create a webhook definition to indicate where FusionAuth should send the JSON events. Navigate to Settings -> Webhooks to create a new webhook.
+After you have enabled the events that you will be using, create a webhook definition to indicate where FusionAuth should send the JSON events. Navigate to **Settings -> Webhooks** to create a new webhook.
See the example screenshot below, at a minimum you will need to provide the URL the endpoint that will accept the FusionAuth JSON events. You can see in this screenshot that even though an event may be enabled globally you can still select which events will be sent to this webhook.
If you need to configure an Authorization header or other credentials to allow FusionAuth to make a request to your webhook, you may do so in the Security tab.
-
+
### Form Fields
@@ -135,7 +135,7 @@ If you need to configure an Authorization header or other credentials to allow F
The security settings may be used to require authentication in order to submit an event to the webhook.
-
+
#### Form Fields
@@ -149,7 +149,7 @@ The security settings may be used to require authentication in order to submit a
+
Here's the configuration when a webhook should be sent for certain tenants.
-
+
#### Form Fields
@@ -196,7 +196,7 @@ These events are configured at the system level and cannot be scoped to a certai
### Headers
-
+
#### Form Fields
@@ -213,9 +213,9 @@ These events are configured at the system level and cannot be scoped to a certai
### Applications
+
-
+
#### Form Fields
@@ -246,9 +246,9 @@ These events are configured at the system level and cannot be scoped to a certai
Once you have a webhook up and running and configured to receive JSON events from FusionAuth you may wish to test it by sending different events. FusionAuth has built in a test capability to allow you to construct any event and send it to your webhook.
-Navigate to Settings -> Webhooks and select the purple 
+
Modifications to event JSON will be preserved across tests. If you want to reset the JSON for a given event, select that event and click the 
+
-Keys are generated or imported from Settings -> Key Master. Webhooks can be signed with three types of keys
+Keys are generated or imported from **Settings -> Key Master**. Webhooks can be signed with three types of keys
* EC key - strongest cryptography, public key can be available
* RSA key - strong cryptography, public key can be available
@@ -35,9 +35,9 @@ EC and RSA keys allow you to make public keys available through the `/.well-know
For this example, we'll use an RSA key pair. More information on keys is available in the [Key Master Guide](/docs/operate/secure/key-master).
-Next, you configure your webhook to sign the event with this key. From Settings -> Webhooks, click on the Edit button for your webhook (or create a new webhook). Select the Security tab panel. Once you enable 
+
### Signature Verification
diff --git a/astro/src/content/docs/get-started/run-in-the-cloud/cloud.mdx b/astro/src/content/docs/get-started/run-in-the-cloud/cloud.mdx
index 6aafe5f35a..5aa73a0c02 100644
--- a/astro/src/content/docs/get-started/run-in-the-cloud/cloud.mdx
+++ b/astro/src/content/docs/get-started/run-in-the-cloud/cloud.mdx
@@ -74,13 +74,11 @@ You can also self-host FusionAuth if you need data residency in a country not li
Unlike other installation options, **FusionAuth Cloud costs money**.
You cannot create a FusionAuth Cloud deployment without a credit card or invoicing agreement.
-{/* eslint-disable-next-line */}
-For full pricing information as well as different deployment architectures, visit the pricing page.
+For full pricing information as well as different deployment architectures, visit the pricing page. {/* eslint-disable-line */}
### The Pricing Calculator
-{/* eslint-disable-next-line */}
-You can also find the expected cost without creating an account by using the pricing calculator.
+You can also find the expected cost without creating an account by using the pricing calculator. {/* eslint-disable-line */}
You can choose the cloud option, the deployment region, and the number of monthly active users.
By clicking 
+
### JSON Web Token Settings
@@ -49,17 +49,17 @@ The following is an example screenshot of the tenant JWT configuration.
## Application Specific Configuration
-If you navigate to Applications from the main menu, you can also configure the JWT parameters, including the signing algorithm, on a per application basis. If you don't select to enable Application specific JWT configuration, the tenant configuration will be used.
+If you navigate to **Applications** from the main menu, you can also configure the JWT parameters, including the signing algorithm, on a per application basis. If you don't select to enable Application specific JWT configuration, the tenant configuration will be used.
The following is an example screenshot of an Application specific JWT configuration.
-
+
### JSON Web Token Settings
+
### Refresh Token Settings
@@ -138,7 +138,7 @@ Here is an example JWT that might be returned from FusionAuth:
Refresh tokens are a method of allowing a User to stay logged into an Application for a long period of time without requiring them to type in their password. This method is often used by Applications that don't store sensitive data such as games and social networks.
-To receive a refresh token from the Login API, enable Refresh Tokens for the application. Using the FusionAuth UI, navigate to Settings -> Applications -> Security Tab. Here you will find the Login API settings. Ensure that both 
+
There are other configuration options available, including localization and user notification options; check out the [User Action APIs](/docs/apis/user-actions) for more information.
### Tenant Configuration
-Next, configure your tenant, under Tenants -> Default. Then navigate to the "Password" tab. Under the "Failed authentication settings" section, change the 
+
### What Happens When The Account is Locked
@@ -47,13 +47,13 @@ When a user account has been locked by this mechanism, they'll be able to sign i
This is what a user will see if the standard FusionAuth OAuth theme is used:
-
+
Since this is a temporary action, the user details screen in the administration user interface will not display a red lock. That is reserved for locks not applied by the user action rules, such as by users that have been [soft deleted](/docs/apis/users#delete-a-user).
An administrator can manually remove or extend this lock. You can also modify the action applied to a user by using the [Actioning Users API](/docs/apis/actioning-users). Administrators can see the action under the user's "Current actions" tab.
-
+
### Webhooks
diff --git a/astro/src/content/docs/lifecycle/migrate-users/connectors/generic-connector.mdx b/astro/src/content/docs/lifecycle/migrate-users/connectors/generic-connector.mdx
index d07a58cb02..e949128294 100644
--- a/astro/src/content/docs/lifecycle/migrate-users/connectors/generic-connector.mdx
+++ b/astro/src/content/docs/lifecycle/migrate-users/connectors/generic-connector.mdx
@@ -22,7 +22,7 @@ Generic Connectors allow you to authenticate users against or migrate them from
## Configuration
-
+
### Form Fields
@@ -51,7 +51,7 @@ Generic Connectors allow you to authenticate users against or migrate them from
The security settings may be used to require authentication in order to make the POST request to the authentication endpoint.
-
+
#### Form Fields
@@ -65,7 +65,7 @@ The security settings may be used to require authentication in order to make the
+
#### Form Fields
@@ -92,8 +92,8 @@ You can configure arbitrary headers to be added to the HTTP POST request when ma
To use a Generic Connector:
* Build a Generic Connector API endpoint in your application to expose your user data.
-* Configure the Connector in Settings -> Connectors, including securing the endpoint.
-* Add the Connector Policy in Tenants -> Your Tenant -> Connectors to configure to which domains the connector applies.
+* Configure the Connector in **Settings -> Connectors**, including securing the endpoint.
+* Add the Connector Policy in **Tenants -> Your Tenant -> Connectors** to configure to which domains the connector applies.
### Request
@@ -173,7 +173,7 @@ If you are querying a database to determine whether a user can authenticate, use
Turning on the Connector's 
+
-Create one or many applications and add any roles needed for them. Create a FusionAuth application entity for each application whose users you are migrating. An application is anything a user can log in to, whether an API, a commercial product, or a custom web application. Add each of these via the API or navigating to Applications in the administrative user interface, then clicking the green plus sign to add the application.
+Create one or many applications and add any roles needed for them. Create a FusionAuth application entity for each application whose users you are migrating. An application is anything a user can log in to, whether an API, a commercial product, or a custom web application. Add each of these via the API or navigating to **Applications** in the administrative user interface, then clicking the green plus sign to add the application.
-
+
Map user attributes, as discussed above, into the FusionAuth `user` or `registration` objects. If some of your data doesn't fit into the FusionAuth model, add it to the appropriate `data` field.
@@ -269,7 +269,7 @@ To actually move the data, you'll build out a series of scripts and programs. To
You'll also want to [create an API key](/docs/apis/authentication#managing-api-keys). Make sure you give the key appropriate permissions. The minimum required are the `POST` method on the `/api/user/import` endpoint.
-
+
You can write the migration scripts in shell, any of the supported [client library languages](/docs/sdks/), or against the [REST API](/docs/apis/users) in any language supporting HTTP requests. Iterate over all the users in the old system or systems. Build the JSON files. Add a registration for each application to which a user should have access.
@@ -448,9 +448,9 @@ The JSON response above has a `user.data.migrated` value of `true`. This indicat
#### Configure Your Connector
-Navigate to Settings -> Connectors and add a Connector. You can also configure Connectors by using the API; consult the [Connector API documentation](/docs/apis/connectors/) for more details.
+Navigate to **Settings -> Connectors** and add a Connector. You can also configure Connectors by using the API; consult the [Connector API documentation](/docs/apis/connectors/) for more details.
-
+
Configuration varies depending on whether the original datasource is an HTTP API or an LDAP directory.
@@ -484,9 +484,9 @@ To test this, log some users in. If you have test users in your original auth sy
#### Proxying Authentication
-With FusionAuth, proxying authentication requests to the original datasource is easy. You've already set up the connection information when configuring the Connector. Now associate the Connector to the tenant. This is called a Connector policy. Navigate to Tenants -> Your Tenant -> Connectors and add a policy.
+With FusionAuth, proxying authentication requests to the original datasource is easy. You've already set up the connection information when configuring the Connector. Now associate the Connector to the tenant. This is called a Connector policy. Navigate to **Tenants -> Your Tenant -> Connectors** and add a policy.
-
+
Make sure to check the 
+
You may also optionally remove the Connector.
@@ -574,7 +574,7 @@ Make sure you provide a link to a form, phone number or other means of contactin
A customer service representative can trigger a password reset email from the appropriate user data store. You can do that from within the FusionAuth administrative user interface.
-
+
Alternatively, if the user has not been migrated, the customer service representative can look up the user and then reset their password in the legacy system.
@@ -691,7 +691,7 @@ In this scenario, you also pre-load the required certificates and notify upstrea
But, in addition you need to:
* Configure your applications to point to the FusionAuth hosted login pages. You may want to use an `idp_hint` to skip the hosted login pages and send users directly to the IdP.
-* Modify the FusionAuth destination assertion policy. You can do this via the API or the administrative user interface. In the administrative user interface, navigate to Identity Providers -> Your SAMLv2 Identity Provider. Then navigate to the Options tab, and find the 
+
In addition to the objects above, you may want to migrate identity providers like Google OAuth, user consents, and email templates.
diff --git a/astro/src/content/docs/operate/deploy/cluster.mdx b/astro/src/content/docs/operate/deploy/cluster.mdx
index 2b0f1974c1..91d1a0890c 100644
--- a/astro/src/content/docs/operate/deploy/cluster.mdx
+++ b/astro/src/content/docs/operate/deploy/cluster.mdx
@@ -87,9 +87,9 @@ If you have difficulty installing FusionAuth in a cluster, you can set up a clus
### Verification
-Verify that the installation is clustered by navigating to System -> About. You'll see multiple nodes listed:
+Verify that the installation is clustered by navigating to **System -> About**. You'll see multiple nodes listed:
-
+
The node which served the request you made has a checkmark in the