Worth re-emphasizing that this voids any warranty you might have from FusionAuth, per the license, exhibit A section 5.1.
You can't get support from FusionAuth if you modify the software.
Yes. You can use FusionAuth's OpenID Connect Identity Provider.
I did this a few weeks ago, so am writing these instructions from memory.
Prerequisites:
Steps:
https://<your instance>/oauth2/callback
Client ID (Consumer Key) and Client Secret (Consumer Secret).
Client ID (Consumer Key) and Client Secret (Consumer Secret) into the Client Id and Client secret fields, respectively.
Discover Endpoints. Manually configure the endpoints:
Authorization Endpoint to https://api.login.yahoo.com/oauth2/request_auth
Token Endpoint to https://api.login.yahoo.com/oauth2/get_token
Userinfo Endpoint to https://api.login.yahoo.com/openid/v1/userinfo
Scope to openid email profile and any other scopes you might need. (I was unable to find an authoritative list, but here's info about the mail scopes.)
Button text and Button image as needed.
I'd like to offer a "Login with Yahoo!" button. Can I use FusionAuth to do so?
This is due to non-ASCII characters in headers causing an issue in the FusionAuth parsing code. Cloudflare sends headers with non-ASCII characters (such as cf-region: São Paulo) which triggers this issue.
This is a java-http bug that was fixed in 2024, and released in FusionAuth version 1.51.2.
So, two options:
We were using a FusionAuth cloud deployment directly but now want to use Cloudflare in front of it.
We are now seeing intermittent, infrequent 502 errors.
We see errors like this in the logs
2025-06-24 14:05:09.345 PM ERROR io.fusionauth.http.server.HTTPServerThread - An exception was thrown during processing
java.lang.IllegalArgumentException: Not a valid Unicode code point: 0xFFFFFFC3
How can we resolve this?
This is not available today without some glue code.
Currently our suggestion is to use JavaScript on the Login page to jam the claim into a meta field that is shown on a Webhook payload, like jamming stuff into event.info.deviceDescription.
Then you create a user.login.success webhook, making sure it is transactional. On login, the event is fired off to your system and then you extract the claim off the event.info.deviceDescription field and make a PATCH call to FusionAuth. In that PATCH call, you add this to a field on user.data.x.
Then once that PATCH is successful, send the 200 response back to the user.login.success event, which completes the login and triggers the JWT populate lambda. That lambda extracts the claim off the user.data.x field and puts it into the JWT.
It's not pretty but it is the only way to have this work for now. (For self-service registration you can use a custom hidden field, much easier.)
Relevant docs:
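The webhook and lambda steps described above, as an added example (not code from the original answer or from FusionAuth). The claim name deviceId, its format check, the 400/502 status choices and the cfg.baseUrl / cfg.apiKey settings are assumptions; the PATCH targets FusionAuth's /api/user/{userId} API.

```javascript
// Added example: receiver for a transactional user.login.success webhook.
// Assumptions (hypothetical): the claim is stored as user.data.deviceId,
// the value format below, and the cfg.baseUrl / cfg.apiKey settings.
const DEVICE_ID = /^[A-Za-z0-9_-]{8,64}$/; // assumed format for the value

// Build the PATCH that copies the claim onto the user, or return null.
// deviceDescription is written by browser JavaScript, so it is untrusted
// input and is validated before it can end up in a token.
function buildPatch(event, cfg) {
  if (!event || event.type !== 'user.login.success') return null;
  const userId = event.user && event.user.id;
  const raw = event.info && event.info.deviceDescription;
  if (typeof userId !== 'string' || typeof raw !== 'string') return null;
  if (!DEVICE_ID.test(raw)) return null;
  return {
    url: `${cfg.baseUrl}/api/user/${encodeURIComponent(userId)}`,
    options: {
      method: 'PATCH',
      headers: { Authorization: cfg.apiKey, 'Content-Type': 'application/json' },
      body: JSON.stringify({ user: { data: { deviceId: raw } } }),
    },
  };
}

// Returns the HTTP status to send back to FusionAuth. With a transactional
// webhook a non-2xx response fails the login, so no JWT is issued with a
// missing or unvalidated claim.
async function handleLoginSuccess(payload, cfg, fetchImpl = fetch) {
  const req = buildPatch(payload && payload.event, cfg);
  if (!req) return 400;
  try {
    const res = await fetchImpl(req.url, req.options);
    return res.ok ? 200 : 502;
  } catch (err) {
    return 502; // FusionAuth unreachable: fail closed
  }
}

// JWT populate lambda: runs inside FusionAuth after the webhook returns 200.
function populate(jwt, user, registration) {
  if (user.data && user.data.deviceId) jwt.deviceId = user.data.deviceId;
}
```

Wire handleLoginSuccess into whatever HTTP framework receives the webhook and return its result as the response status.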
How can I add custom claims into the JWT based on a custom login field or other parameters on the login form?
I have a parameter/variable that can change between each login (like a device id) and want it to be in the access token.
This is possible in a couple of ways.
First, to allow users to register for an application on login, you need to turn on self-service registration. From the docs:
When you enable self-service registration for an application and a user who does not have a registration for that application successfully logs in to that application, the user will automatically be registered for that application, and have a registration added.
Then the question becomes, how can you disable the hosted login pages' self-service registration form?
To do so, take the following steps:
not implemented
or similar. However, a sinister user may still be able to post to the register
endpoint and create a user/register
endpoint using a proxyuser
object. If the user object comes through without the secret value, fail the registration. Otherwise allow it through because it is a user who has logged in.
The self-service lambda may not fire unless there are required fields on the registration form, but that behavior is undocumented and may change.
I want to allow users to freely be registered to any number of applications simply by logging in, but not be able to use the self-service registration form to create user accounts (so I don't want them to be able to use the self-service registration form provided by the hosted login pages).
I'll create all user accounts using the User API.
Is there any way to do this?
Inspired by this GitHub issue.
If you go look at https://fusionauth.io/docs/ and scroll to the bottom, you'll see a new section called 'Download docs'.
This takes you to fusionauth.io/docs/llms-full.txt which is all of our documentation (5MB!) in one file so you can upload it to your favorite LLM and query it.
Hope you all find it useful.