FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login
    1. Home
    2. Recent
    Log in to post
    Load new posts
    • All Topics
    • New Topics
    • Watched Topics
    • Unreplied Topics
    • All categories
    • W

      Solved Enabling MFA for All Users or Specific Projects in FusionAuth Essentials Plan

      Frequently Asked Questions (FAQ)
      • mfa • • wesley
      2
      0
      Votes
      2
      Posts
      141
      Views

      W

      With the Essentials plan, you do have MFA available to you on a Tenant level under Tenant>Multi-Factor. To have users set up MFA you either need to set MFA to Required, where users will need to set up MFA to complete a login or you will need to enable the “Self Service Account Management” page so users can visit it to set up MFA. So you can set up MFA for any Tenant to make it available to users.

      https://fusionauth.io/docs/lifecycle/authenticate-users/multi-factor-authentication

      https://fusionauth.io/docs/lifecycle/manage-users/account-management/

      In order to change MFA settings at the Application level for enabling MFA on a project by project basis, you would need to upgrade to the Enterprise plan.

    • W

      Solved Requiring MFA for FusionAuth Admin Portal Access

      Frequently Asked Questions (FAQ)
      • mfa • • wesley
      2
      0
      Votes
      2
      Posts
      235
      Views

      W

      Thanks for the question! If you navigate to Applications > Index View - FusionAuth > Multi-Factor Tab then you can see an option to require MFA for the FusionAuth Admin UI Application. You will likely want to enable application specific trust as well.

    • W

      Solved How to Block Logins Based on IdP Links in FusionAuth Without Storing API Keys in Lambdas

      Frequently Asked Questions (FAQ)
      • webhooks lambda webhook • • wesley
      2
      0
      Votes
      2
      Posts
      185
      Views

      W

      Currently, FusionAuth lambdas cannot call the API without including an API key in the code — there’s no built-in secret manager for this yet (feature request).

      Alternative approaches:

      Webhook filtering (recommended)
      Use the user.login.success webhook to check if the user is linked to an IdP, and reject the login by returning a non-200 response. This avoids storing API keys in lambdas, but adds an extra network call to each login.

      Store link data in user.data
      Push IdP linking info into a custom user.data.links[] field so it’s accessible in most lambdas without needing an API call. You’ll need a process to keep this data current.

    • W

      Solved How to Remove First and Last Name Claims from SAML Responses in FusionAuth

      Frequently Asked Questions (FAQ)
      • saml • • wesley
      2
      0
      Votes
      2
      Posts
      267
      Views

      W

      You can remove claims from the SAML response using a SAML v2 populate lambda. For example:

      samlResponse.assertion.attributes['firstName'] = null; samlResponse.assertion.attributes['lastName'] = null;

      Attach this lambda to your SAML Identity Provider configuration for that application.

      Documentation: SAMLv2 Response Populate Lambda

    • danD

      Solved Want to run FusionAuth and the backend app in Docker

      Q&A
      • docker dns • • dan
      2
      0
      Votes
      2
      Posts
      267
      Views

      danD

      You can create two values for the FusionAuth url:

      internalFusionAuthURL="http://fusionauth:9011" externalFusionAuthURL="http://localhost:9011"

      So basically whenever you are sending the redirect to the browser (pretty much just the authorize and logout URLs) you use externalFusionAuthURL which references localhost.

      When you are communicating with FusionAuth from the application backend (the express app) you use the internalFusionAuthURL which references the docker domain name.

      I tested that out and it seems to work fine.

      Give that a try.

    • J

      Unsolved Configure HTTPS with a custom certificate for our domain

      Q&A
      • • • john 0
      6
      0
      Votes
      6
      Posts
      448
      Views

      mark.robustelliM

      @john-0 Glad you got it figured out. 👍

    • F

      How to get all locked users

      General Discussion
      • • • francesgee836
      3
      0
      Votes
      3
      Posts
      299
      Views

      F

      Thanks for your answer. I got it.

    • N

      How to implement magic link login across devices

      General Discussion
      • • • njanaskie
      2
      0
      Votes
      2
      Posts
      127
      Views

      mark.robustelliM

      @njanaskie You are correct in that magic links are designed to be a one time use. I do not know of any work around for your situation.

      It will be interesting to see if others chime in.

    • danD

      Changing the fusionauth logging format

      Q&A
      • logging json logback • • dan
      3
      0
      Votes
      3
      Posts
      3.2k
      Views

      danD

      Worth re-emphasizing that this voids any warranty you might have from FusionAuth, per the license, exhibit A section 5.1.

      You can't get support from FusionAuth if you modify the software.

    • F

      Step-up authentication trustChallenge/trustToken binding and validation for custom APIs

      General Discussion
      • • • fernando.hellwig
      3
      0
      Votes
      3
      Posts
      1.4k
      Views

      F

      @mark-robustelli hi Mark! thanks for sharing the link. Yes, I've seen that and in general it should fit. I'm just looking for more details as my use-case is quite specific.

      execute a step-up auth flow before a sensitive operation (e.g. transfer of funds), use that specific step-up auth flow to validate and then execute an specific operation (like a step-up ID binding to the operation the user started)

      I need a way of validating that a specific step-up auth is bound to a specific operation. I have seen the description of a use case of using trustChallenge and trustToken to validate a FusionAuth change password request. This is kind of what I need to do, but on my API endpoints. I'm wondering if it's possible to validate trustToken using a trustChallenge on my own API.

      e.g.
      a. call a sensitive request triggering step-up with trustChallenge=1234
      b. bind operation with trustChallenge
      c. complete step up and receive trustToken
      d. validate trustToken using the trustChallenge (this is what I would need to know) and confirm/finalize sensitive operation.

    • E

      Unsolved Unable to Obtain Tenant-Signed Access Token for Data-Plane Apps in a Multi-Client, Multi-Application FusionAuth Architecture

      Q&A
      • • • ezequiel.rebasa
      6
      0
      Votes
      6
      Posts
      1.2k
      Views

      mark.robustelliM

      @ezequiel-rebasa If you are just talking about testing, you could just add some data to the Lambda's to see if it works for your needs. This would allow you to test without having to spin up a second Docker instance. If it does work, then you may need to upgrade or figure out if you can use APIs to update the lambdas in the instances with the data you need.

    • P

      Webhook Error

      General Discussion
      • • • paul 1
      4
      0
      Votes
      4
      Posts
      9.1k
      Views

      J

      FusionAuth is expecting a timely response. If any part of your code reads the body slowly or delays responding, it might exceed FusionAuth's internal timeout (usually around 5–10 seconds).

    • N

      Unsolved Send email to set up password - This feature is currently not enabled, see the tenant email configuration

      Q&A
      • • • nate
      2
      0
      Votes
      2
      Posts
      1.2k
      Views

      mark.robustelliM

      @nate Can you successfully Send test email from Tenants -> Select Edit from desired Tenant -> Email in the AdminUI? This will test if your SMTP settings are correct.

    • J

      Unsolved SAML CSRF token issue

      Q&A
      • • • joseantonio
      5
      0
      Votes
      5
      Posts
      7.3k
      Views

      J

      @mark-robustelli
      Thanks I just did that.
      https://github.com/FusionAuth/fusionauth-issues/issues/3113

    • D

      Customizing FusionAuth User Invitation Flow

      General Discussion
      • • • davidhaven1246
      3
      0
      Votes
      3
      Posts
      3.4k
      Views

      D

      @mark-robustelli thanks

    • P

      Unsolved Email verification fails in new incognito mode

      Q&A
      • • • pocfused
      4
      0
      Votes
      4
      Posts
      1.9k
      Views

      mark.robustelliM

      @pocfused said in Email verification fails in new incognito mode:

      https://fusionauth.io/community/forum/topic/1406/link-in-email-verification-not-working-first-time

      Glad you were able to solve your issue.

      As far as the automatically verify the email part. What settings do you have for Applications -> Your Application -> Registration -> Verification strategy? There is a setting Clickable link. Is that what you are after?

      Another thought would simply turning off Verify registrations in the Applications -> Your Application -> Registation tab work for you or do you still want the user to actually have to click on a link? (It would make sense to ensure the user owns the email address.)

      You could also do something like provide a custom template and direct them to your application and then automatically verify them using the APIs. Check out this blog post.

      Good luck.

    • danD

      Solved Can I offer "login with yahoo" using FusionAuth?

      Q&A
      • yahoo login federation social logins • • dan
      2
      0
      Votes
      2
      Posts
      12.4k
      Views

      danD

      Yes. You can use FusionAuth's OpenID Connect Identity Provider.

      I did this a few weeks ago, so am writing these instructions from memory.

      Prerequisites:

      A yahoo account A running FusionAuth instance (localhost is fine)

      Steps:

      Go to the Yahoo! developer network and create an app. The redirect URI for Yahoo is https://<your instance>/oauth2/callback Save off the provided Client ID (Consumer Key) and Client Secret (Consumer Secret). Then go to FusionAuth and create an OpenID Connect Identity Provider: <your instance>/admin/identity-provider/add/OpenIDConnect Put the Client ID (Consumer Key) and Client Secret (Consumer Secret) into the Client Id and Client secret fields, respectively. Uncheck Discover Endpoints. Manually configure the endpoints: Set the Authorization Endpoint to https://api.login.yahoo.com/oauth2/request_auth Set the Token Endpoint to https://api.login.yahoo.com/oauth2/get_token Set the Userinfo Endpoint to https://api.login.yahoo.com/openid/v1/userinfo Set the Scope to openid email profile and any other scopes you might need. (I was unable to find an authoritative list, but here's info about the mail scopes.) Update the Button text and Button image as needed. Enable it for applications as needed. Save the Identity Provider.
    • mark.robustelliM

      Solved Why is the kickstart not running when I spin up the docker container?

      Frequently Asked Questions (FAQ)
      • • • mark.robustelli
      2
      0
      Votes
      2
      Posts
      1.8k
      Views

      mark.robustelliM

      First check out the information you are getting from the docker log. Look at the log from the spin up and search for "kickstart." Was the container able to find the kickstart.json file? (In this case yes.)

      If the kickstart file was found, continue searching through the log for a potential error in the running of the kickstart. You might see something like.

      fusionauth-1 | 2025-07-02 05:14:05.177 PM ERROR io.fusionauth.api.service.system.kickstart.KickstartRunner - Failed to execute request to [PATCH][/api/user/registration/000000000001] Status [404] fusionauth-1 | Request body: fusionauth-1 | { fusionauth-1 | "registration" : { fusionauth-1 | "applicationId" : "e72dca1d-626c-4f4b-8f36-b7c8c2c0af33" fusionauth-1 | } fusionauth-1 | } fusionauth-1 | 2025-07-02 05:14:05.177 PM ERROR io.fusionauth.api.service.system.kickstart.KickstartRunner - Error response: fusionauth-1 | null

      This will let you know there was an error and you need to resolve it. In this specific case, The PATCH request should have been a POST. Once that was changed, the kickstart ran fine.

    • J

      Unsolved Populate the First Name and Last Name when logging in with Google.

      Q&A
      • • • jakub.hajto
      2
      0
      Votes
      2
      Posts
      1.8k
      Views

      mark.robustelliM

      @jakub-hajto , you may want to check out the Google Reconcile Lambda documentation. I also found this post that may be useful for you.

    • E

      Unsolved Logout with multiple subdomains

      Q&A
      • logout domains • • ext_figuvini
      6
      0
      Votes
      6
      Posts
      2.5k
      Views

      B

      @mark-robustelli said in Logout with multiple subdomains:

      @ext_figuvini after reading your post again, I think I read it differently. The way the SSO logout works is that on logout, FusionAuth calls all the logout urls for each applications. It would seem that you are correct in that creating an application for each subdomain makes sense and would work. (You can create applications through the API so you should be able to automate this.) Can you try this for a few domains and confirm it works?

      Your point is correct. Creating a separate application for each subdomain is a reasonable and correct solution.
      When a user logs out of the SSO system, FusionAuth will call the logout URLs defined in each configured application in turn. This allows each application to clean up its own session. Pretty good solution