RE: Unable to create application(s)

That seems to work. Thank you for the quick patch.

The reason for bulk deletion links to another question I asked recently. I imported 850K+ users recently, and given that I had not registered the users against all applications, I decided to delete all users and re-import.

Yes, I'm explicitly passing the client_id as a request parameter as part of every request---initial login request as well as subsequent refresh token grant requests.

Is this happening because I use the Login API as opposed to OAuth API?

Changing the JWT lifetime in the tenant reflects in the lifetime of the access_token obtained by exchanging refresh_token.
For example, with the following config, here's what I get in my logs:

Application Settings

Tenant Settings

Token expires in 28475 {aud: "faa64edb-ecca-4acb-a35e-d83f395ac04e", iat: 1607337214, exp: 1607337244}
Refreshing tokens to avoid expiry {aud: "faa64edb-ecca-4acb-a35e-d83f395ac04e", iat: 1607337214, exp: 1607337244}
Token expires in 35999195 {aud: "faa64edb-ecca-4acb-a35e-d83f395ac04e", iat: 1607337215, exp: 1607373215}

I'm running FusionAuth v1.18.8

The access_token that is first issued has the right expiry. Any access_token received via exchanging refresh_token has a 12 hour validity.
My tenant does have a 12 hour validity on the access_token. However, any tenant setting should be overridden by the application-specific setting, is it not?

When exchanging a refresh_token for an access_token, I expect the resulting access_token to have a validity as defined by the application.
However, this doesn't seem to be the case..

Currently, I'm not sure where the 12-hour duration for the JWT is coming from. Is this a default value? If so, how would I override it?

I think the difference between what you are doing and what I'm doing is that I'm creating accounts via APIs.

await fusionAuthClient.register({
  registration: {
    applicationId: clientId
  },
  user: {
    email,
    password,
    data: {
      hasPassword: true,
      loginsCount: 0
    }
  }
})

When I do this, FusionAuth sends out a verification email to the user. However, when the user verifies their email by clicking the link in the verification email, the user.email.verified webhook does not fire.
Also, the user.create webhook does not fire when I register the user (create+register) as shown above.

What version are you running? v1.18.8
Did you get the emails? No. However, I get an email when I perform the webhook test.
Did you configure webhooks in both locations (under settings and tenants)? Yes

When I call the relevant APIs to create a user account, FusionAuth sends them a verification email. However, when they verify their account, my configured user.email.verified webhook does not fire. I have also tried user.create webhook and that does not work either.
I'm quite certain that the webhook itself has been configured correctly, since the webkhook test works as expected. It's just that it never automatically triggers when a user verifies their email. What am I doing wrong?

From my (layman's) standpoint, that feels a bit arbitrary
Is a Facebook login different from OIDC? Is there a good reason as to why FusionAuth is preventing these users from being able to login?

I added the following lambda, but I'm quite confident that the lambda function never runs.

// Using the response from Facebook Me API, reconcile the User and User Registration.
function reconcile(user, registration, facebookUser) {
  user.firstName = facebookUser.first_name;
  user.middleName = facebookUser.middle_name;
  user.lastName = facebookUser.last_name;
  user.fullName = facebookUser.name;

  if (facebookUser.picture && !facebookUser.picture.data.is_silhouette) {
    user.imageUrl = facebookUser.picture.data.url;
  }

  if (facebookUser.birthday) {
    // Convert MM/dd/yyyy -> YYYY-MM-DD
    var parts = facebookUser.birthday.split('/');
    user.birthDate = parts[2] + '-' +  parts[0] + '-' +  parts[1];
  }

  if (!facebookUser.email) {
    user.email = facebookUser.sub + '@no-email.twoseven.xyz';
    console.info('Added missing email: \n' + JSON.stringify(facebookUser));
  }
}

Whenever I perform a login with a Facebook account that has no email registered, I see the following in the event log:

...
8/28/2020 05:05:45 AM EDT Call the [https://graph.facebook.com/oauth/access_token] endpoint.
8/28/2020 05:05:45 AM EDT Endpoint returned status code [200]
8/28/2020 05:05:45 AM EDT The identity provider was unable to reconcile the email address. An email address is required to complete this request.

Any chance we can do this for Facebook on the latest version?

Sadly, that isn't a viable option for me. I spent a considerable amount of time on setting up email templates.. I don't want to lose those.

It would be great if we could export these non-user settings, and later re-import them. This might be a good case for setting up a Github issue/feature-request. I will go ahead and create that.