RE: Why is the kickstart not running when I spin up the docker container?

First check out the information you are getting from the docker log. Look at the log from the spin up and search for "kickstart." Was the container able to find the kickstart.json file? (In this case yes.)

If the kickstart file was found, continue searching through the log for a potential error in the running of the kickstart. You might see something like.

fusionauth-1  | 2025-07-02 05:14:05.177 PM ERROR io.fusionauth.api.service.system.kickstart.KickstartRunner - Failed to execute request to [PATCH][/api/user/registration/000000000001] Status [404]
fusionauth-1  | Request body:
fusionauth-1  | {
fusionauth-1  |   "registration" : {
fusionauth-1  |     "applicationId" : "e72dca1d-626c-4f4b-8f36-b7c8c2c0af33"
fusionauth-1  |   }
fusionauth-1  | }
fusionauth-1  | 2025-07-02 05:14:05.177 PM ERROR io.fusionauth.api.service.system.kickstart.KickstartRunner - Error response:
fusionauth-1  | null

This will let you know there was an error and you need to resolve it. In this specific case, The PATCH request should have been a POST. Once that was changed, the kickstart ran fine.

When trying to create a kickstart, it's not getting used when i run docker compose. How can I fix it?

@jakub-hajto , you may want to check out the Google Reconcile Lambda documentation. I also found this post that may be useful for you.

@pocfused What versions of FusionAuth are you using? I saw this post that may account for this issue.

@sergey_smirnov OK. It doesn't seem like the webhook you are using would cause the duplicate logins. I came across this post stating that exchanging a refresh token counts as a login event. I'm wondering if something like the user logins in using a new tab, then goes back to the old tab that triggers a refresh. If that is the case, that could account for the delay between logins and the "Something doesn't seem right" message as that session is no longer valid because of the new login. You might be able to verify this by using a webhook. There is a JWT.Refresh event that you might be able to log somewhere to see if it fires around the time of the duplicate log ins.

@sergey_smirnov OK, I did some investigating and here is what I have found.

1. SSO, I saw a reference to a post that mentions using SSO will create multiple session records (but shouldn't necessarily cause multiple login events). Are you using SSO?

2. Are you using any Lambda's? In some versions (notably 1.31.0), a bug caused the OIDC reconcile lambda to be called twice during certain identity provider logins, which could result in duplicate processing and potentially duplicate events. This was patched in version 1.32.1.

3. Are you using any Webhooks?

4. Are you using an external IdP?

These are just a couple of things to consider.

@joseantonio Ah OK. That makes sense. I couldn't find much detail on how the saml.csrf cookie works. It does seem plausible that when a new window is open that a value could change that could be causing this problem. If it is causing you problems, it may be work opening a new issue.

@joseantonio said in SAML CSRF token issue:

also start the authorization process there

What do you mean by "Also start the authorization process there?" Manually open a new tab (tab B) and paste in the URL " /oauth2/authorize"?

If you enable debugging on the SAML tab for the Application in FusionAuth, do the logs indicate anything interesting?

@sergey_smirnov Hmm, the 10 sec between the logs does lead me to similar speculation that it is being caused by the user. I would think they would be closer together if it was something the application was doing on its own (although I am not entirely ready to rule that out either).

That being said, it seems like just guessing unless you can get the application logs and trace the users page views for sure. Is that possible?

There is a setting in the Tenants for the Session timeout.
Tenants -> Edit -> OAuth tab -> Session timeout

Let me know if you are able to log the users page views.

@sergey_smirnov You won't find the web requests in the FA dashboard, but you can enable debugging for Oauth in the application and see if that gives you more details in the System -> Even Log.

@davidhaven1246 Have you checked out the documentation on using the basic registration form? Will enabling the Self-service registration for the application what you are after? If not, a little more detail on your flow and how you have implemented may help.

This post may help provide some clarity as well for an invitation flow. Keep in mind, this flow utilizes some paid features of FusionAuth, but you may be able to figure out some work arounds with the community edition.

This post talks about passing some parameters in a link that may help as well.

@sergey_smirnov, I see you submitted the FusionAuth log. I didn't approve the post because I thought there might be some info in there you don't want public. I cut some out and will paste it here:

That is interesting. Would it be possible to get the web server logs and see if there were actual multiple requests.

@sergey_smirnov can you tell us a little about how you have FusionAuth set up? Can you look at your server logs and make sure the page is not being called multiple times? Also, can you share the details of the log entries (be sure to redact private information)?

@ext_figuvini after reading your post again, I think I read it differently. The way the SSO logout works is that on logout, FusionAuth calls all the logout urls for each applications. It would seem that you are correct in that creating an application for each subdomain makes sense and would work. (You can create applications through the API so you should be able to automate this.) Can you try this for a few domains and confirm it works?

@ext_figuvini this is an interesting use case. I would think the way you have it configured would work. I would have to recreate you situation to test. Unfortunately it may be a while before I can get that done. I should be able to take a look next week. If anyone has experience with this, please feel free to chime in.

@eakpan Awesome, thanks for posting. This may end up helping others. Glad you are able to configure FusionAuth to work for you.

@atakan thanks for sharing the information.

@jobclone20 I just took a look at the page for the FusionAuth Visual Studio Templates. It appears they are only for Visual Studio 2022.

@laurahernandez I hope you are able to achieve the look and feel you are going for. I understand you would like to be able to show and hide the password dialog in simple themes and you are not the only one. Please be sure to upvote the issue here.

I understand using advanced themes may require more work, but ultimately it is more flexible that simple themes. Good Luck.

@josephbeckley99 As far as I can tell, hiding the password input with an advance theme is the best workaround. Just be aware that with a little knowledge and some hacking a use may be able to expose the password field and use it if they are really focused on doing so.