1. Home
  2. Groups
  3. Staff
Group Details Private

Staff

FusionAuth Employees

Member List
  • RE: Receiving 502 errors when using Cloudflare in front of FusionAuth

    This is due to non-ASCII characters in headers causing an issue in the FusionAuth parsing code. Cloudflare sends headers with non-ASCII characters (such as cf-region: São Paulo) which triggers this issue.

    This is a java-http bug that was fixed in 2024, and released in FusionAuth version 1.51.2.

    So, two options:

    • upgrade to a version of FusionAuth 1.51.2 or newer. This is the recommended approach, but may require some work.
    • as an interim workaround, you can disable the "Add visitor location headers" option from your CloudFlare console. This should not have any negative impact, since we do not inspect those headers.
    posted in Q&A
    danD
    dan
  • Receiving 502 errors when using Cloudflare in front of FusionAuth

    We were using a FusionAuth cloud deployment directly but now want to use Cloudflare in front of it.

    We are now seeing intermittent, infrequent 502 errors.

    We see errors like this in the logs

    2025-06-24 14:05:09.345 PM ERROR io.fusionauth.http.server.HTTPServerThread - An exception was thrown during processing
java.lang.IllegalArgumentException: Not a valid Unicode code point: 0xFFFFFFC3

    How can we resolve this?

    posted in Q&A 502 proxy cloudflare error
    danD
    dan
  • RE: Getting custom information from the hosted login pages into the JWT

    This is not available today without some glue code.

    Currently our suggestion is to use Javascript on the Login page to jam the claim into a meta field that is shown on a Webhook payload, like jamming stuff into event.info.deviceDescription .

    Then you create user.login.success webhook, making sure it is transactional. On login, the event is fired that off to your system and then you extract the claim off the event.info.deviceDescription field and make a PATCH call to FusionAuth. In that PATCH call, you add this to a field on user.data.x.

    Then once that PATCH is successful, the 200 response back to the user.login.success event which completes the login and triggers the JWT populate lambda. That lambda extracts the claim off the user.data.x field and puts it into the JWT.

    It's not pretty but it is the only way to have this work for now. (For self-service registration you can use a custom hidden field, much easier.)

    Relevant docs:

    posted in Q&A
    danD
    dan
  • Getting custom information from the hosted login pages into the JWT

    How can I add in custom claims in to the JWT based on a custom login field or other parameters on the login form?

    I have a parameter/variable that can change between each login (like a device id) and want it to be in the access token.

    posted in Q&A jwt custom claims
    danD
    dan
  • RE: allow users to register for any application but not create user accounts

    This is possible in a couple of ways.

    First, to allow users to register for an application on login, you need to turn on self-service registration. From the docs:

    When you enable self-service registration for an application and a user who does not have a registration for that application successfully logs in to that application, the user will automatically be registered for that application, and have a registration added.

    Then the question becomes, how can you disable the hosted login pages self-service registration form?

    To do so, take the following steps:

    • update your theme to remove the link to the "Don't have an account? Create one" link from any pages, including the login page. You can also remove all the content from the registration themed page and replace it with not implemented or similar. However, a sinister user may still be able to post to the register endpoint and create a user
    • if you are self-hosting, block access to the /register endpoint using a proxy
    • if you are not self-hosting, prevent self-service registration by adding an encrypted secret value to all user accounts you create via the API. Then, create self-service registration validation lambda which will examine the user object. If the user object comes through without the secret value, fail the registration. Otherwise allow it through because it is a user who has logged in.

    The self-service lambda may not fire unless there are required fields on the registration form, but that behavior is undocumented and may change.

    posted in Q&A
    danD
    dan
  • allow users to register for any application but not create user accounts

    I want to allow users to freely be registered to any number of applications simply by logging in, but not be able to use the self-service registration form to create user accounts (so I don't want them to be able to use the self-service registration form provided by the hosted login pages).

    I'll create all user accounts using the User API.

    Is there any way to do this?

    inspired by this github issue

    posted in Q&A registration application
    danD
    dan
  • Docs now fully downloadable in LLM friendly format

    If you go look at https://fusionauth.io/docs/ and scroll to the bottom, you'll see a new section called 'Download docs'.

    Screenshot 2025-05-19 at 9.19.23 AM.png

    This takes you to fusionauth.io/docs/llms-full.txt which is all of our documentation (5MB!) in one file so you can upload it to your favorite LLM and query it.

    Hope you all find it useful.

    posted in Announcements llms docs
    danD
    dan
  • RE: Does FusionAuth support mutual TLS?

    By using a proxy or gateway that supports mutual TLS, you can use it with FusionAuth.

    For example, AWS ALB supports Mutual TLS verify where the ALB does client certificate verification. Nginx has similar functionality.

    If you are running FusionAuth 'bare' and terminating TLS directly at the FusionAuth server, mutual TLS is not supported.

    posted in Q&A
    danD
    dan
  • Does FusionAuth support mutual TLS?

    Hiya,

    Does FusionAuth support mutual TLS where the client and server both have certificates?

    (I'm not talking about mTLS token binding; I understand that is not implemented per https://github.com/FusionAuth/fusionauth-issues/issues/1025 .)

    posted in Q&A
    danD
    dan
  • RE: Does FusionAuth support mTLS token binding?

    Hiya,

    There are currently no plans to support the full mTLS spec. We are discussing DPoP (tracking issue) internally.

    However, depending on your needs, there may be a workaround.

    Since the client credentials grant depends on Entities, you can leverage this to inject a client certificate hash into an access token obtained through the client credentials grant.

    How this works at a high level:

    • Client Certificate Registration
      During onboarding, your customer (e.g., a bank) registers their client certificate. A hashed value of that certificate is securely stored in FusionAuth (entity.data). The hashing process is outlined in the RFC.
    • Client Credentials Request
      When the bank requests an access token using the Client Credentials grant, a FusionAuth Lambda is invoked before the JWT is signed.
    • Augment Custom Claims
      The Lambda code looks up the stored certificate hash and injects it as a claim in the JWT. For maximum compatibility with RFC 8705, it is recommended to add this hash to the cnf object in the JWT, like so:
    "cnf":{
  "x5t#S256": "bwcK0esc3ACC3DB2Y5_lESsXE8o9ltc05O89jdN-dg2"
}
    • Accessing the Resource Server or API
      The customer presents both the access token and presents their client certificate when calling your API.
    • Validation Flow
      Your API:
      • verifies the JWT signature
      • computes a hash of the presented client certificate
      • compares it to the x5t#S256 claim in the token
    • Decision Logic
      If the hashes match, the request is bound to the correct client and access is granted to the protected resource.
    posted in Q&A
    danD
    dan