FusionAuth
    • R

      Registration email is not sent

      registration • • ryan.raasch
      Votes: 0 • Posts: 4 • Views: 1.8k

      I

      Hi, I have the same problem here. The tenant's SMTP settings are correct and test emails are successfully delivered. I'm evaluating FusionAuth right now and often delete/re-register users with the same emails. Verification emails are delivered to all users but one. The only thing that distinguishes the problem user from the others is the fact that I initially registered him via the Facebook identity provider, so his email was automatically verified. After that I deleted the user and am trying to register with just email (not Facebook). And emails are not delivered. Manually sent SMTP test emails to that address are also delivered successfully. I hope this helps to investigate.

    • danD

      Can I get the OAuth/OIDC endpoints for an application via the API?

      oauth oidc endpoint api • • dan
      Votes: 0 • Posts: 2 • Views: 2.1k

      danD

      These are generated in the UI. So the values are not available from the API.

      However you can derive them yourself as well. We just take the URL + /oauth2/authorize?... + redirect_uri etc.

    • M

      Clarification on OAuth/OIDC logout endpoint

      oauth oidc logout • • Moonshine
      Votes: 0 • Posts: 4 • Views: 4.1k

      M

      Yea, that flexibility would be ideal IMO, although the registeredLogoutURLs should be workable for us at this point. FWIW that is actually the behavior I assumed before digging into the docs. I'll definitely add the issue to GitHub, as I think it's probably part of the path to getting OIDC Certification which appears to already have an issue.

      Thanks!

    • danD

      Retrieving all users

      users api search • • dan
      Votes: 0 • Posts: 2 • Views: 2.0k

      danD

      From the user search docs, for the database search engine:

      Regular expressions may not be used. A value of * will match all records.

      For the elasticsearch search engine, you are limited to 10,000 records returned due to this bug: https://github.com/FusionAuth/fusionauth-issues/issues/494

      Here are docs on how to switch between them: https://fusionauth.io/docs/v1/tech/tutorials/switch-search-engines

    • danD

      Limit on tenants

      tenants limits • • dan
      Votes: 0 • Posts: 2 • Views: 1.4k

      danD

      No hard limits, we have some clients running somewhere between 5-10k.

      If you encounter any performance degradation, you can open a GitHub issue and we will take a look. We do have some work in plan to improve the UI for this type of scale.

    • B

      Facebook Provider doesn't support Scopes?

      • • brian
      Votes: 0 • Posts: 2 • Views: 260

      danD

      I haven't implemented this identity provider myself, but from the documentation:

      https://fusionauth.io/docs/v1/tech/identity-providers/facebook
      https://developers.facebook.com/docs/facebook-login/permissions/overview

      It appears that 'permissions' are what Facebook uses to mean 'scopes'. You ask for a permission of email or user_likes, for example.

      Have you tried to put in the scope you want into the permissions field and tested it out?

      For anyone reading this in the future, here's a list of the permissions that you can use: https://developers.facebook.com/docs/permissions/reference/

      Note that it says:

      Every permission below requires App Review, except: email, pages_show_list.

    • S

      "PUT api/user/verify-email?email={email}&sendVerifyEmail=true" returns the empty body

      • • Ssong
      Votes: 0 • Posts: 4 • Views: 698

      danD

      Hiya,

      So here's what I did.

      I made sure that email verification was enabled at the tenant level. "Tenants -> Your Tenant -> Email -> Email Verification Settings".

      Then I ran the following curl scripts (where API_KEY is a valid FusionAuth API key) to mark the email of a user verified.

          # create the user
          curl -XPOST -H'Content-type:application/json' -H "Authorization: $API_KEY" 'http://localhost:9011/api/user' -d '{"user" : { "email" : "testverify4@example.com" , "password" :"password", "verified" : false }}'

          # ask for a new verification id, but don't send the email--assume you send the email in some other way.
          curl -XPUT -H "Authorization: $API_KEY" 'http://localhost:9011/api/user/verify-email?email=testverify4@example.com&sendVerifyEmail=false'

          # This sends back:
          # {"verificationId":"nBm3HvfI1fAgilLk2Hj06gXeYuidhRM25tPECtbpqMM"}

          # GET the user to make sure they still have email verified of false
          curl -XGET -H "Authorization: $API_KEY" 'http://localhost:9011/api/user/552bdd9a-2655-433c-a91d-7002e730b385'

          # post to verify the user's email address
          curl -XPOST -H "Authorization: $API_KEY" 'http://localhost:9011/api/user/verify-email/nBm3HvfI1fAgilLk2Hj06gXeYuidhRM25tPECtbpqMM'

          # GET the user to verify that the email address has been marked verified.
          curl -XGET -H "Authorization: $API_KEY" 'http://localhost:9011/api/user/552bdd9a-2655-433c-a91d-7002e730b385'

      Does this flow help?

      Also, remember that there is registration email verification and user email verification, and the APIs are different. I believe, from what you wrote, that you are trying to get user email verification (that's the APIs you are using, except that the first post talks about verifying a registration); please correct me if I'm wrong.

    • danD

      Are refresh tokens globally unique?

      refresh token • • dan
      Votes: 0 • Posts: 2 • Views: 2.7k

      danD

      They are globally unique, and they are deleted when a user is deleted. They must belong to a user.

    • danD

      Time drift with OTP

      two factor time skew • • dan
      Votes: 0 • Posts: 2 • Views: 1.5k

      danD

      The code is considered valid for n - 1, n and n + 1 time steps. We use a 30s time step, so I think this would max out at 59s for a skew tolerance. In your case, if you have up to 70s of skew, this would plausibly break TOTP 2FA.

    • danD

      I'm a customer, how do I open a support ticket?

      • • dan
      Votes: 0 • Posts: 2 • Views: 598

      danD

      If you are on one of the editions that offer support with a guaranteed response time (more on those options here), the best way to file a ticket is to log in to https://account.fusionauth.io and go to the support section. You'll see a way to submit a ticket, which will be routed to the appropriate team member.

    • danD

      Can I delete the default tenant?

      default tenant delete • • dan
      Votes: 0 • Posts: 2 • Views: 725

      danD

      Unfortunately the default tenant contains the FusionAuth application and so it cannot be deleted, short of dropping and recreating the entire FusionAuth database.

    • danD

      Do user ids have to be different between tenants?

      tenants user ids uniqueness • • dan
      Votes: 0 • Posts: 2 • Views: 1.5k

      danD

      User ids need to be globally unique. You can either provide your own unique uuid or you can let FusionAuth provide them for you. But these values are not tenant scoped.

    • V

      Why after a SAML authentication I have an "auth code not found" error?

      • • viola.mauro
      Votes: 0 • Posts: 11 • Views: 4.9k

      danD

      Ah, that's great! I've definitely made my share of mistakes, no worries!

    • F

      Malformed request when using idp_hint

      • • fusionauth_user
      Votes: 0 • Posts: 7 • Views: 7.3k

      danD

      Great. I've updated the documentation to reflect that Google and Facebook aren't supported; that'll be published next week. Sorry about that.

      More details on the bug I filed above (and the doc change linked in the bug). If you try this with SAML/OIDC and it fails, please let me know.

    • danD

      Testing loading of large numbers of users

      migration import testing • • dan
      Votes: 0 • Posts: 2 • Views: 2.1k

      danD

      Options:

        • You can drop the database. This will work if you want to start with a clean slate every time. You may want to look into kickstart or terraform to set default applications, accounts, and other items up every time.
        • You can load all the users into a tenant (not the default one). Then, when you are done with loading up the users and want to clean up, you can delete the tenant, which will remove all users associated with that tenant. This option maintains all the other non-tenant settings (IdPs, email templates, themes, etc).
        • You can use the bulk delete API. You can start deleting blocks of 5-10k users and increase the number deleted with each API call. This will be slower, but has the benefit of leaving the rest of the system untouched.

    • S

      How long does the email template changePasswordId id last before it expires? How can invitation expiration be implemented?

      • • stephen
      Votes: 1 • Posts: 5 • Views: 1.3k

      S

      Added a feature request for this issue: https://github.com/FusionAuth/fusionauth-issues/issues/904

    • danD

      Do password rules apply to existing users?

      password rules complexity existing users • • dan
      Votes: 0 • Posts: 2 • Views: 654

      danD

      The rules apply only when they change their password in the future.

      We don't have any way of knowing the user's current password.

      You can, of course, force the user to change their password, and then the new password rules would apply. You can do this in the admin UI or via updating the passwordChangeRequired field in the user object via the API.

    • danD

      Stacktrace when visiting a URL with weird characters

      tomcat stack trace logging error • • dan
      Votes: 0 • Posts: 2 • Views: 2.3k

      danD

      In 1.19.5, we handle most of these cases by configuring Tomcat to allow certain characters to be unescaped in the URL.

      https://github.com/FusionAuth/fusionauth-issues/issues/635

      So an upgrade is the most straightforward way to handle this.

      If you are proxying FusionAuth (behind something like nginx) you could also capture and hide any 500 errors: https://stackoverflow.com/questions/8715064/nginx-not-serving-my-error-page/8715597#8715597.

    • S

      Is there a way to send the user to the hosted signup or login form when opening?

      • • shanon
      Votes: 0 • Posts: 4 • Views: 6.6k

      S

      Ok, thanks @dan and @robotdan! I think a combination of both your responses gets me what I need. Much appreciated!

    • F

      How do I test IdP login?

      • • fusionauth_user
      Votes: 0 • Posts: 2 • Views: 2.8k

      danD

      I would do one of two things:

        • consult the Google docs about what is returned
        • create a lambda to write the idToken json object provided by Google to the event log, then log in and view the event log to see what is provided.

      More on the Google reconcile lambda here: https://fusionauth.io/docs/v1/tech/lambdas/google-reconcile