I can't say that we have an out-of-box solution for you on this directly. If you would like to submit a feature request fully outlining your use case, we could have our dev team review it.

I have a couple of other thoughts:

we want to send email from our marketing platform for consistent tracking

Remember that you have the ability to augment the user object with custom data (User API -- user.data field). Some of this data could be a tracking code that links back to your marketing platform, for instance.

we want a consistent look and feel in the password setting UI (simulating Material UI in a FA theme seems infeasible),

FreeMarker templating does accept HTML and other modern inputs to allow you to custom craft a landing page that meets your brand requirements (You can check out some examples of exactly this, here). Anecdotally, I have heard of some customers that use services such as MailChimp/ContantContact/Drip to create templates and then import them into FreeMarker. It is outside of my domain expertise, but it seems this is done often enough.

c) FusionAuth doesn't seem to have a way to send the user into our app after they set a password.

This is possible but would require some additional javascript code. See Here

Webhooks are also a powerful tool within FusionAuth to notify when certain other user actions occur. API documentation here

If anything else comes to mind, I will post back here! I hope this helps!

Thanks,
Josh

Re: state, additional key value pairs will be stored, however if our front end is consuming the URL, you won’t have access to the API response which will contain that state information.

If you have not let the user set their password, then passwordless will implicitly be the only path that will work for them (assuming you don’t offer them social login buttons).

If you pass the user’s email on the redirect to FusionAuth as &loginId=test@example.com, that value will be available to you in the template and you can then key off, parse the domain, or whatever - and use that to hide or show whatever you like.

It sounds like you're looking for a way to pass the timezone of the user into the passwordless call so it is available in the email template. I agree that the current timezone is more useful than the possibly stale value in the user profile.

I don't know of any way to do this currently. So my suggestion would be to file a feature request: https://github.com/fusionauth/fusionauth-issues

The default is 180 seconds, but it is customizable in the tenant settings: https://fusionauth.io/docs/v1/tech/guides/passwordless#one-time-code-customization