@d-chinguun-0301 No problem. Glad you figured it out. No need for apologies, if you were confused others may be as well. Now when they search here, they will have an answer. Have a great one

This is possible in a couple of ways.

First, to allow users to register for an application on login, you need to turn on self-service registration. From the docs:

When you enable self-service registration for an application and a user who does not have a registration for that application successfully logs in to that application, the user will automatically be registered for that application, and have a registration added.

Then the question becomes, how can you disable the hosted login pages self-service registration form?

To do so, take the following steps:

update your theme to remove the link to the "Don't have an account? Create one" link from any pages, including the login page. You can also remove all the content from the registration themed page and replace it with not implemented or similar. However, a sinister user may still be able to post to the register endpoint and create a user if you are self-hosting, block access to the /register endpoint using a proxy if you are not self-hosting, prevent self-service registration by adding an encrypted secret value to all user accounts you create via the API. Then, create self-service registration validation lambda which will examine the user object. If the user object comes through without the secret value, fail the registration. Otherwise allow it through because it is a user who has logged in.

The self-service lambda may not fire unless there are required fields on the registration form, but that behavior is undocumented and may change.

@hamza-chouaibi Been having this same exact issue for the last one week. When I stumbled onto this and applied the suggestions here is when it now seems to work. I use the .dev TLD instead.

By using a proxy or gateway that supports mutual TLS, you can use it with FusionAuth.

For example, AWS ALB supports Mutual TLS verify where the ALB does client certificate verification. Nginx has similar functionality.

If you are running FusionAuth 'bare' and terminating TLS directly at the FusionAuth server, mutual TLS is not supported.

Hiya,

There are currently no plans to support the full mTLS spec. We are discussing DPoP (tracking issue) internally.

However, depending on your needs, there may be a workaround.

Since the client credentials grant depends on Entities, you can leverage this to inject a client certificate hash into an access token obtained through the client credentials grant.

How this works at a high level:

Client Certificate Registration
During onboarding, your customer (e.g., a bank) registers their client certificate. A hashed value of that certificate is securely stored in FusionAuth (entity.data). The hashing process is outlined in the RFC. Client Credentials Request
When the bank requests an access token using the Client Credentials grant, a FusionAuth Lambda is invoked before the JWT is signed. Augment Custom Claims
The Lambda code looks up the stored certificate hash and injects it as a claim in the JWT. For maximum compatibility with RFC 8705, it is recommended to add this hash to the cnf object in the JWT, like so: "cnf":{ "x5t#S256": "bwcK0esc3ACC3DB2Y5_lESsXE8o9ltc05O89jdN-dg2" } Accessing the Resource Server or API
The customer presents both the access token and presents their client certificate when calling your API. Validation Flow
Your API: verifies the JWT signature computes a hash of the presented client certificate compares it to the x5t#S256 claim in the token Decision Logic
If the hashes match, the request is bound to the correct client and access is granted to the protected resource.

@mark-robustelli

Hello, sorry for away from this topic for a week due to my other ad hoc job,

I've already solved this topic, it's not about setting on Fusionauth or google credential.

but it's because I used google's client id on Fusionauth callback and
after you told me to set applicationId in my Fusionauth admin then I used ApplicationId on google oauth's callback.

that's why it kept return me client id is invalid.

it was right under my nose, but I couldn't see it.

Thank you for reply me, that's very helpful, It would take more time if you didn't help me.

@joseantonio When you add the response_type=code. That should be literal 'response_type=code' not response_type={code} where {code} is some secret. Other than that, you can add additional parameters to the query string if needed. As long as you are not passing secrets in the query string you should be ok.

@cybermark0707 That is a bit of a loaded question. If you have something more specific in mind, please let me know but the following should be a good start.

Overall:
Getting Started

If you are a developer and want to get hands on with an example, check out:
Quickstarts

@dev I am not sure you can set that level of debugging in FusionAuth. You can change logging in the AdminUI for various things like Lambdas, CORS filter, and that sort of thing.

@mark-robustelli Before I move to this activity, I wanted to share an observation that I made just now

So turns out that the error that I posted doesn't turn up every time I open up one of those pages

It occurs when I open those pages consecutively and the CPU spikes to the "requests" range

So to give you an example:

Click on Users -> Takes around 20s to load -> CPU Spike observed but within request range -> No error in container logs

Click on Users -> Immediately click on Reports/Login -> Move to Reports/Registration -> CPU spikes above request range -> Error in Container logs

So could this be a performance tuning issue?

As for your query about the config

Users: 7061
Applications: 6700
Tenants: 8200

Fusionauth is running on GKE on an n2d-standard-8 (8 vCPU, 32 GB RAM) nodepool, I've already mentioned the resources allocated to the deployment via the helmchart in the original thread message^

@mark-robustelli

It's possible, I didn't really keep track of that per se

We eventually moved on from this version and jumped to 1.40.x and surprisingly there were no issues in that version so this post can be closed

That being said, I did face a similar issue in a newer version for which I might post another thread

Hello @cristian
I am kind if facing the same issue here, how did you go about solving it?

@maxime-aerts There may be a way to control the format the verification is sent.

Please:

Go into the Admin UI Select Tenants Select Edit for the Tenant you want to change Select the Advanced tab Scroll down to the External identifier generation section Find Email verification Choose Digits

There are other settings that may work for you as well depending on what you are trying to do. Please test it out and let me know if this works for you. Please keep in mind, you will be reducing the randomness and in turn the security of such identifiers.

Screenshot 2025-03-12 at 5.56.53 PM.png

@baptist-o Anyone out there have experience using .Net API with Angular front end? I have no problem using the .NET API with FusionAuth, but have not tried accessing using an Angular front end. If anyone has accomplished this, please speak up. I am currently pretty backed up, but will try to play with this a bit if I get some time.

@mark-robustelli This is great, didn't know it existed. We were on an older version of FusionAuth that didn't support the log. Thanks!

@valerii15298 If you follow the quickstart exactly, are you able to get it to run?

i like it

When upgrading FusionAuth, we recommend the following approach to ensure a smooth transition:

1. Review Release Notes

Each release may include breaking changes, bug fixes, and security updates. Be sure to check the release notes for any database migrations, template changes, or API modifications that may impact your environment. FusionAuth Release Notes

2. Choose an Upgrade Strategy

You can incrementally upgrade from 1.32.x → 1.42.x version-by-version or upgrade all at once. The recommended approach depends on your risk tolerance: Incremental Upgrades: Allows for testing each version before moving forward. Direct Upgrade: Faster but requires careful testing, especially if there are major changes.

3. Database Migrations & Maintenance Mode

FusionAuth automatically manages DB migrations in maintenance mode or silent mode. If you are using advanced configurations, refer to the manual upgrade process to apply database migrations carefully. FusionAuth Advanced Installation Guide

4. Testing in a Staging Environment

Before upgrading production, test the new version in a staging environment to verify that: All integrations (e.g., authentication flows, webhooks, APIs) function as expected. Templates render correctly (in case of UI or email template updates). Database migrations do not introduce issues.

5. Backup & Rollback Plan

Before upgrading, take full database and configuration backups in case a rollback is needed.

By following these best practices, you can minimize risks while upgrading to the latest version.