How do you reset a user's password upon their first login?

Is it possible to set all users to have the passwordChangeRequired status set to true by default, so they are forced to reset their password upon their first login? Additionally, can we set a default password format as company{username}? For example, a user with the username 1234 would have the default password company1234.

Our FusionAuth instance only lists 11 Lambdas by default, and JWT Populate is not one of them. How can we create a JWT Populate Lambda?

Does FusionAuth provide an API to import roles for an application?

We are using the /api/user/forgot-password API for password resets, with sendForgotPasswordEmail set to false since we send our own email. However, users are now receiving two emails: our custom email and a password reset email from FusionAuth using our template. This issue occurs only in our pre-live and production environments, not in the local Dockerized version. What could be causing this?

Yes, this is expected behavior because access tokens cannot be revoked by default.

Why /oauth2/logout Doesn’t Invalidate Access Tokens:

• Access tokens are stateless and do not require real-time validation with FusionAuth after issuance.
• For this reason, access tokens are typically short-lived, reducing security risks.
• Logout via /oauth2/logout only removes the SSO cookie and does not affect issued tokens.

How to Handle Token Revocation:

1. Use Short-Lived Access Tokens
   • The recommended approach is to issue short expiration times for access tokens and rely on refresh tokens for continued access.
2. Implement a Token Revocation Strategy
   • If you need a way to invalidate access tokens, consider implementing a denylist-based revocation workflow.
   • FusionAuth provides guidance on how to do this: Revoking JWTs in FusionAuth
3. Ensure Full Logout by Removing All Session Identifiers
   • If the user is also authenticated via a refresh token or other session identifiers, these must be explicitly removed to fully log out the user.
   • FusionAuth provides more details in:
     Logout Endpoint Documentation
     User Sessions in FusionAuth

Summary

By default, access tokens remain valid until expiration, even after logging out. To ensure access is revoked immediately, you will need to either implement a denylist mechanism or rely on short-lived tokens with refresh token workflows.

It appears that calling the /oauth2/logout endpoint does not invalidate the access token.

Steps to Reproduce:

1. Complete the OIDC flow and retrieve an access token.
2. Validate the token using the /oauth2/introspect and /oauth2/userinfo endpoints.
3. Call /oauth2/logout, passing the tenant ID and client ID, with the access token included as a cookie or in the Authorization header.
4. After logout, call the /oauth2/userinfo or /oauth2/introspect endpoints again and observe that the access token still validates.

Is this expected behavior, and how can we fully revoke an access token on logout?

Yes, FusionAuth provides this information via the authenticationType claim in the JWT. This claim indicates the authentication method used, such as PASSWORD, GOOGLE, SAML, etc.

How to Access Authentication Type:

1. From the JWT:
   • The authenticationType claim is included in the JWT access token.
   • Documentation: JWT Access Token Claims
2. From a Webhook Event (Alternative Approach):
   • The same authenticationType value is included in the user.login.success webhook event.
   • This may be useful if your system processes authentication events via webhooks instead of decoding JWTs.
   • Documentation: User Login Success Webhook

For additional details on JWT structure and claims, refer to: JWT Components Explained

In our application, we want to determine how a user authenticated—whether via Google login, username/password, IDP, etc.

Questions:

1. Is this information already included in the JWT?
2. If not, is there a way to receive this data when a user logs in?

FusionAuth Cloud does not currently provide built-in analytics for MFA adoption. However, you can gather this data using the following approaches:

1. Retrieve Users with MFA Enabled

• Use the User Search API to retrieve all users for a specific application with MFA enabled.
• Here’s a sample queryString to retrieve all the users with an MFA configuration field. It may be empty, so you should check after retrieving them: _exists_:twoFactor
• Reference: Get All Users for an Application
• You should be able to combine these two queries to get what you want.

2. Track New MFA Setups Per Day

• Set up a Webhook to listen for the user.two-factor.method.add event.
• This event fires when a user adds a new two-factor authentication method.
• Your backend can record these events daily for reporting purposes.
• Webhook Guide: Writing a Webhook

Is there a way to retrieve user metrics from FusionAuth Cloud? Specifically, I’m looking for insights for our product team regarding MFA adoption, such as:

• The number of users with a configured MFA method.
• The number of new MFA setups per day.

FusionAuth's cloud-hosted HA deployments run on AWS, meaning webhook requests will originate from AWS infrastructure.

Please open a support ticket for guidance on setting up firewall rules.

Are there specific external IP addresses or IP ranges that our FusionAuth production HA deployment servers will use when connecting to an on-premise web server via webhooks?

We need to configure our firewall rules to restrict access to the on-premise server. What IPs or ranges should we expect requests to originate from?

FusionAuth does not currently support the UMA grant type or Token Exchange (RFC 8693).

However, we track feature requests and open issues on GitHub. Both have been requested features, and you can upvote the requests and/or add comments with your use cases to show interest:

• GitHub Issue: UMA Support
• GitHub Issue: Token Exchange RFC

At this time, there is no confirmed ETA for implementing these features, but community interest plays a role in prioritization. Here’s more on our roadmap process.

Does FusionAuth support the UMA (User-Managed Access) grant type? If so, where can we find documentation on resource definitions and configuration?

Additionally, does FusionAuth support Token Exchange (RFC 8693)?

If these features are not currently supported, are there any plans to introduce them in future releases? If so, is there an estimated timeline?