Hi @daniel-barrett ,

Great question! The short answer is that the TOTP/Google authenticator/authy 2FA will continue to be included in the community edition.

As we're revamping the SMS functionality entirely and making it a whole lot better, when this MFA project is released, using SMS 2FA will require a paid edition license.

Here's a lot more detail.

Please let me know if you have any questions or comments.

Hi @daniel-barrett ,

Sorry for the hassle!

All the hosted login pages that FusionAuth makes available are documented in the themes section.

That Integration Points doc is pretty new, but if you haven't seen it is worth a read. Would love any feedback on that.

You could maintain two user accounts, dan with MFA turned on and dan-api-access with MFA turned off and application tokens. You could then use webhooks to keep their permissions in sync.

Sorry, no kub expert here. I'm not sure how to teardown just the database, but I assume you could write a script to connect to the backing database and drop the tables/schema, etc. That might be quicker than dropping the entire cluster.

If you figure out a better way, please share!

@titogarrido said in I want my webhooks firing only when I use the web interface, how can I do that?:

Is there a way to fire webhooks only when the admin application executes an action

I'm not aware of any way to do this. The webhook actions for API calls are indistinguishable from the webhook actions caused by the admin UI because the admin UI uses the API.

I am trying to use the webhook to keep a local database synchronized, is it a correct usage? If not, how can I keep a local database sync?

I think you are on the right path. I'm not sure why it is timing out, but as @mgetka says, that's what I'd investigate.

One thing you could do is send them an email with a fresh login link. You could catch the 'login failed' and generate a new magic link (which you could build via the API). Then you'd send them an email with the new magic link.

You could also make sure you include when the link expires in the subject line of the email.

More on doing that here: https://fusionauth.io/community/forum/topic/220/can-i-customize-the-passwordless-link-email-subject-with-the-time-the-link-expires

Back to my issue with the page a user who presses the button after the session has expired (see above). Is there any way to tell FA where to redirect to when the link has expired.

From reading the passwordless guide, it looks like an Invalid login credentials message will be displayed in this case. That may be themeable, but I'd have to play around to know for sure. But that's where I'd start.

@richb201 said in Invalid redirect uri:

If not is there a suggestion box?

This is the suggestion box :). We also accept PRs against our documentation site: https://github.com/fusionauth/fusionauth-site/

However, it's best to open a new topic when there's a new question or issue. Otherwise things can sometimes get lost.

I'm glad you are making progress!

Is the user for which you are trying to generate a JWT refresh token associated with the application?

That is, have they "registered"?

You can do that in the user details screen.

I think this is a bug. For some reason the tenant settings are controlling on the refresh token exchange when the application config should take precedence.

Can you please file an issue here: https://github.com/fusionauth/fusionauth-issues/issues and reference this forum post?