RE: Interpreting FusionAuth's Prometheus metrics

@fabio-venturi I am not familiar with Prometheus, but I asked the AI on the FusionAuth site and it came back with.

Database_primary_pool_Usage is a Prometheus metric exposed by FusionAuth which reports how much of the primary database connection pool is currently in use. It lets you see whether your HikariCP pool is close to exhaustion and is useful for capacity and health monitoring. [Monitor Prometheus]

In the Prometheus UI you can graph it by entering Database_primary_pool_Usage in the expression box and executing the query. [Monitor Prometheus]

It said it based the answer on the page you found, but I don't know enough to say for certain. Does this make sense to you?

@marcel-beutner If you have found a bug, you may want to report it using the FusionAuth Issues.

I just did a search on 1.61.0 in the Admin UI and my results were sortable by the name. Can you give us the exact query you used to use the search API and the search you used in the search bar? I am curious to see if that returns something different.

@rachel-flatt There are a couple of settings you can take a look at. If you go to Applications -> FusionAuth and look at the OAuth tab, you should see the Session timeout. Is this what you are looking for? The other is the Applications -> FusionAuth -> Edit -> JWT -> Refresh Token Settings -> Refresh Token duration. This is set to 60 minutes, for a 3600 second duration.

I found this post that may help as well.

You should start by checking the relevant google documentation.

As of writing, this is what their doc says:

Using the email, email_verified and hd fields, you can determine if Google hosts and is authoritative for an email address. In the cases where Google is authoritative, the user is known to be the legitimate account owner, and you may skip password or other challenge methods.

Cases where Google is authoritative:

email has a @gmail.com suffix, this is a Gmail account.
email_verified is true and hd is set, this is a Google Workspace account.

Users may register for Google Accounts without using Gmail or Google Workspace. When email does not contain a @gmail.com suffix and hd is absent, Google is not authoritative and password or other challenge methods are recommended to verify the user. email_verified can also be true as Google initially verified the user when the Google account was created, however ownership of the third party email account may have since changed.

So in this case, you want to check that hd is set as well as that email_verified is true.

With FusionAuth, you can check this using a reconcile lambda and looking at the id_token:

• https://fusionauth.io/docs/extend/code/lambdas/google-reconcile
• https://fusionauth.io/docs/extend/code/lambdas/openid-connect-response-reconcile

What claims should I check when using google as an identity provider when I'm interested in making sure it is a google workspace account?

We have a docs MCP server.

This lets your MCP compatible IDE or client ask questions of all the FusionAuth docs, YouTube videos, Terraform provider, OpenAPI spec and more.

More details: https://fusionauth.io/docs/get-started/download-and-install/development/docs-mcp-server

@vijaysingh1784 Looks like you have done a bit of research your self and made a pretty good analysis. I am not very familiar with MojoAuth, but just to confirm a few things:

• FusionAuth is very customizable. You should check out things like Lambdas, Webhooks and other various options.

• FusionAuth can be self-hosted or can be hosted for you.

• FusionAuth handles SAML, SCIM and other various integrations.

• FusionAuth is very scalable and gives you great control with api acess and other mechanisms.

• Depending on your needs, FusionAuth can be as easy to self host as spinning up a docker image to a full blown complex K8s deployment. It should fit your needs there.

• While there is no direct migration guide for the product you are talking about, there are several other migration guides for you to look over that should give you an idea on how to do it.

@biwi It sounds like the keys may have gotten switched or something odd. Is it possible to wipe everything out at try again from scratch? Also, check out this blog post as it may be useful for you as well.

Note that this functionality (logging in with a phone number) was delivered in 1.59.

More details here: https://fusionauth.io/blog/announcing-fusionauth-1-59