Additional JWT headers, verification emails, and disappearing registrations

Top highlights from the FusionAuth forum in April.


Published: May 5, 2021

The FusionAuth community has an active online forum, and I wanted to highlight some of the recent topics.

Forum discussions vary in topic and depth, but focus on FusionAuth, how to solve problems with it, and how to integrate auth systems with other software packages.

If you want to participate, you have to sign up for a free account. Or, you can check out the forum anonymously to see current discussion topics.

I wanted to highlight and summarize a few of the most active forum posts of the last month.

Verification email

Post: Verification email

In this post, dtokarz1 is asking how email verification works in FusionAuth. This is a feature that is built into the community version. When you configure email verification, users are automatically sent an email when they sign up for your application. This email contains a link; after your users click it, their email is now considered verified. You can use the default template or create your own.

dtokarz1 had a question about how this functionality interacts with usernames. After all, if there’s no email address associated with a user, how can an email be sent? And that is exactly how things work. Your users don’t have to have an email address to login, but they must have one to verify their email.

At the end of the day, dtokarz1 determined that their custom requirements for login and their budget constraints meant having to build some functionality on their own using the Login API.

JKU in JWT Header

Post: JKU in JWT Header

In this post, amar has questions about how to modify the header of the JWT generated by FusionAuth. A 3rd party integration required the JKU header which, according to the RFC, should be:

a URI that refers to a resource for a set of JSON-encoded public keys, one of which corresponds to the key used to digitally sign the JWS.

After some investigation and suggestions by community members such as dtokarz1, it became clear that a mechanism to modify headers is available in the JWT library but not exposed in FusionAuth. The JWT populate lambda in particular doesn’t allow for any header modification.

There were a couple of alternate solutions mentioned, including rebuilding the JWT using another service and filing an issue to see if the community has needs to modify JWT headers.

My user registrations keep disappearing

Post: My user registrations keep disappearing

In this post, the registrations in orrett’s FusionAuth installation kept disappearing mysteriously. FusionAuth team member Joshua had some back and forth and they discovered that orrett had configured their self service registration such that unverified users were removed.

orrett also wondered: “However what I am wondering is if it would just delete the app registration but leave the user within the database?”

To which the answer was “no”.

Joshua, however, suggested several workarounds including setting a longer timeline, such as say, 90 days, and have a script/cron job that uses APIs to track/validate/process the unverified users. Or keeping unverified users in an application and periodically run a script to clean them out.

Deleting unverified users can be useful to keep your user database free of fake accounts, but especially during development can lead to mysterious deletion of accounts. Eventually orrett decided to disable that functionality, at least for now.

Join us in the forum

If you have a question about how to use FusionAuth, a comment on one of the blog posts, or want to chime in with some general feedback, please check out the FusionAuth forums.

More on forum

Subscribe to The FusionAuth Newsletter

A newsletter for developers covering techniques, technical guides, and the latest product innovations coming from FusionAuth.

Just dev stuff. No junk.