FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login
    1. Home
    2. Tags
    3. webhooks
    Log in to post
    • All categories
    • W

      Solved How to Track Entity Changes in FusionAuth Using the Audit Log API

      Frequently Asked Questions (FAQ)
      • webhook webhooks lambda • • wesley
      2
      0
      Votes
      2
      Posts
      613
      Views

      W

      Yes, you would need something on your end to poll the Audit Log to fetch changes made to the Entities. Currently. there's no way to enter a log into the system logs (fusionauth-app.log) or otherwise control what goes in there. We do have a similar example for Cloudwatch on exporting Login Records to Cloudwatch which should be helpful.

      https://fusionauth.io/docs/operate/monitor/cloudwatch

    • W

      Solved Assigning Roles in FusionAuth Based on Identity Provider Login Source

      Frequently Asked Questions (FAQ)
      • webhook webhooks lambda • • wesley
      2
      0
      Votes
      2
      Posts
      353
      Views

      W

      This is a little tricky since a user could log in from either provider at any given time. The JWT populate lambda only has access to the user object and the registration object so you would need something on either of those to reference in the lambda. Each time a user logs in from a Identity Provider, the user in FusionAuth gets updated with the user data from the IdP. So for the JWT populate to work, you would need both providers to have a custom data field that maps to the same user.data field in FusionAuth. Then have the JWT populate Lambda map this user.data to either a custom claim or to the roles claim in the JWT, whatever works to determine the internal role on your side. Essentially this field would get updated or overwritten every time the user logs in and which would means the JWT from that login should have the correct "role".

      https://fusionauth.io/docs/extend/code/lambdas/jwt-populate

      A JWT populate lambda runs whenever a JWT is minted and the reconcile lambda runs whenever a user logs in from an IdP. Which means there is a scenario if a user is logged in on both networks at the same time, it would not be accurate since the JWT from both sessions would be reading from user.data which got updated by the last IdP login. Something like the following feature would also likely be enough to solve this problem for you, we have a similar field on Webhooks but not in JWTs or Lambdas which would detail which IdP used to login.

      https://github.com/FusionAuth/fusionauth-issues/issues/1483

    • W

      Solved How to Block Logins Based on IdP Links in FusionAuth Without Storing API Keys in Lambdas

      Frequently Asked Questions (FAQ)
      • webhooks lambda webhook • • wesley
      2
      0
      Votes
      2
      Posts
      124
      Views

      W

      Currently, FusionAuth lambdas cannot call the API without including an API key in the code — there’s no built-in secret manager for this yet (feature request).

      Alternative approaches:

      Webhook filtering (recommended)
      Use the user.login.success webhook to check if the user is linked to an IdP, and reject the login by returning a non-200 response. This avoids storing API keys in lambdas, but adds an extra network call to each login.

      Store link data in user.data
      Push IdP linking info into a custom user.data.links[] field so it’s accessible in most lambdas without needing an API call. You’ll need a process to keep this data current.

    • W

      Solved Why FusionAuth Webhooks Show ONE_TIME_PASSWORD Authentication Type for Logins

      Frequently Asked Questions (FAQ)
      • webhooks webhook lambda • • wesley
      2
      0
      Votes
      2
      Posts
      1.2k
      Views

      W

      Great question—this often causes confusion.

      In FusionAuth, logging in after a Forgot Password flow is tracked as ONE_TIME_PASSWORD. That’s because, technically, FusionAuth uses a one-time password during that process. For example, if you look at the Change a User’s Password API, it returns a one-time password token. On the hosted pages, FusionAuth automatically consumes this token to sign the user in immediately after they reset their password via the forgot password link in their email.

      So even without traditional OTP or MFA configured, these login events can appear as ONE_TIME_PASSWORD due to password reset flows.

    • W

      Solved How to Retrieve and Replay Failed Webhook Events in FusionAuth

      Frequently Asked Questions (FAQ)
      • webhooks lambda webhook • • wesley
      2
      0
      Votes
      2
      Posts
      363
      Views

      W

      FusionAuth provides an API to search for webhook event logs, including failed events. For example, you can use this endpoint:

      /api/system/webhook-event-log/search?start=<timestamp>&end=<timestamp>&eventResult=Failed

      This will return all webhook events in the specified time frame that failed. More details are here:
      Search Webhook Event Logs

      In the API response, the event section contains the original payload that was sent. While FusionAuth doesn’t currently have a built-in replay feature, you can extract this event data and manually re-send it to the webhook URL using your own REST calls.

      A native replay feature is on the roadmap, but there’s no confirmed timeline for its release yet.

    • W

      Solved Determining User Authentication Method in FusionAuth

      Frequently Asked Questions (FAQ)
      • webhook webhooks lambda • • wesley
      2
      0
      Votes
      2
      Posts
      112
      Views

      W

      Yes, FusionAuth provides this information via the authenticationType claim in the JWT. This claim indicates the authentication method used, such as PASSWORD, GOOGLE, SAML, etc.

      How to Access Authentication Type:

      From the JWT: The authenticationType claim is included in the JWT access token. Documentation: JWT Access Token Claims From a Webhook Event (Alternative Approach): The same authenticationType value is included in the user.login.success webhook event. This may be useful if your system processes authentication events via webhooks instead of decoding JWTs. Documentation: User Login Success Webhook

      For additional details on JWT structure and claims, refer to: JWT Components Explained

    • W

      Unsolved Determining User Authentication Method in FusionAuth

      Q&A
      • webhook webhooks lambda • • wesley
      2
      0
      Votes
      2
      Posts
      6.2k
      Views

      W

      Yes, FusionAuth provides this information via the authenticationType claim in the JWT. This claim indicates the authentication method used, such as PASSWORD, GOOGLE, SAML, etc.

      How to Access Authentication Type:

      From the JWT: The authenticationType claim is included in the JWT access token. Documentation: JWT Access Token Claims From a Webhook Event (Alternative Approach): The same authenticationType value is included in the user.login.success webhook event. This may be useful if your system processes authentication events via webhooks instead of decoding JWTs. Documentation: User Login Success Webhook

      For additional details on JWT structure and claims, refer to: JWT Components Explained

    • danD

      Unsolved locked out of admin UI

      Q&A
      • webhooks admin ui transactional • • dan
      2
      0
      Votes
      2
      Posts
      1.2k
      Views

      danD

      You have a couple of options:

      you can update webhook so it always returns 200, regardless of the message it receives. This won't work if the webhook URL is incorrect. For example, if you set up the webhook to live at https://exmple.com when it really lives at https://example.com and you don't have access to https://exmple.com. if you have an API key, you can update the webhook to be non-transactional. Setting up such an API key is a critical part of common configuration. if someone has an active session in the admin UI, they can also modify the configuration to make the webhook non-transactional.
    • danD

      user.create webhook and bulk imports

      Q&A
      • import webhooks • • dan
      2
      0
      Votes
      2
      Posts
      2.1k
      Views

      danD

      No. But the user.bulk.create would. See https://fusionauth.io/docs/v1/tech/events-webhooks/events/#user-bulk-create for more details.

    • danD

      Facebook images missing

      Q&A
      • facebook images webhooks • • dan
      2
      0
      Votes
      2
      Posts
      1.6k
      Views

      danD

      So, this appears to be a limitation of Facebook. Here are the API docs from Facebook which have no mention of how long the image URL returned if you pass redirect=0 is good for.

      Looks like some Auth0 users also encountered this.

      So I think you are on the right path with downloading the user's Facebook images and updating them on your side every time a user logs in.

    • danD

      refresh_token grant webhook event?

      Q&A
      • refresh token webhooks • • dan
      2
      0
      Votes
      2
      Posts
      4.6k
      Views

      danD

      Is this what you are looking for? https://fusionauth.io/docs/v1/tech/events-webhooks/events#jwt-refresh

      Make sure you enable the webhook in the tenant as well as in the webhook definition.

    • danD

      webhook event ids

      Q&A
      • webhooks login • • dan
      2
      0
      Votes
      2
      Posts
      1.1k
      Views

      danD

      This is a unique Id field per event, we do not currently persist this event for later retrieval.

      If you want any persistent storage of the events, you would need to capture and store the event.

    • danD

      Logs for webhooks

      Q&A
      • webhooks logging • • dan
      2
      0
      Votes
      2
      Posts
      3.8k
      Views

      danD

      There is not any special logging for webhooks.

      If an exception occured that would cause it not to be fired, that will be in the log. If it is not being fired and there is no exception, then it is likely that the webhook is not configured to be sent for the particular tenant that you’re using.

      More about webhooks: https://fusionauth.io/docs/v1/tech/events-webhooks/

    • danD

      I'm seeing weirdness around timestamps and I use jackson

      Q&A
      • webhooks timestamps java data serialization • • dan
      2
      0
      Votes
      2
      Posts
      6.7k
      Views

      danD

      Apparently jackson + friends make assumptions when it comes to parsing raw -> ZonedDateTime. It appears that the ZonedDateTime for createInstant when deserializing timestamps are not being handled properly somehow, so you need custom code. We have our own Jackson serializer and deserializer for ZonedDateTime to ensure we always get milli in and milli out.

      Here's the code (Apache2 license) and the maven repository links if it's helpful.