Applications

Form Fields

Id Optional

An optional UUID. When this value is omitted a unique Id will be generated automatically. This will also be used as the Client Id in the OAuth configuration, so if you require a specific value for that, set it here.

Name Required

The name of the Application. This value is for display purposes only and can be changed at any time.

Tenant Required

The tenant in which to create this Application.

This field is only displayed once multiple tenants exist in FusionAuth. When only a single tenant exists, the Application will always be created in the default tenant.

Theme Optional Available since 1.27.0

When a theme is selected, it will be used for this application instead of the tenant theme.

Note: A paid edition of FusionAuth is required to utilize application themes.

Table Columns

Name Required

The name of the role. This value should be short and descriptive. Roles can only be created and deleted, only the role description may be modified.

Default Optional

One or more roles may be marked as default. A default role will be automatically added to new user registrations when no roles are explicitly provided on the API request.

Super Role Optional

A role may be optionally marked as a super user role. This indicator is just a marker to indicate to you that this role encompasses all other roles. It has no effect on the usage of the role.

Description Optional

An optional description to better describe the intended use of this role.

To manage Application Roles after you have added an Application, click the Manage Roles button on the index page. To edit an Application click the edit icon. The following sections will walk you through each panel for the edit action.

Form Fields

Client Id Read-only

The read only client Id for this Application. The client Id is used by OAuth2 / OpenID Connect to authenticate the grant request.

Client secret Read-only

The read only client secret used for client authentication. When you enable Require authentication, this client secret will be required to obtain an access token from the Token endpoint.

You may optionally regenerate the client secret if you think it has been compromised.

Client Authentication Optional

This selector allows you to set a rule for accessing the Token endpoint.

• Required - The client_secret parameter must be used. This is the default setting. In most cases you will not want to change this setting.

• Not required - Use of the client_secret parameter is optional.

• Not required when using PKCE - Requires the use of the client_secret parameter unless a valid PKCE code_verifier parameter is used. This is useful for scenarios where you have a requirement to make a request to the Token endpoint where you cannot safely secure a client secret such as native mobile applications and single page applications (SPAs) running in a browser. In these scenarios it is recommended you use PKCE.

  See the Token endpoint for more information.

PKCE Optional

This selector allows you to set a rule for Proof Key for Code Exchange (or PKCE) requirements when using the authorization code grant.

• Required - The code_verifier parameter must be used.

• Not required - Use of the code_verifier parameter is optional. This is the default setting.

• Not required when using client authentication - Requires the use of the code_verifier parameter unless a valid client_secret parameter is used.

Generate refresh tokens Optional

When enabled, FusionAuth will return a refresh token when the offline_access scope has been requested. When this setting is disabled refresh tokens will not be generated even if the offline_access scope is requested.

Debug enabled Optional

Enable debug to create an event log to assist you in debugging integration errors.

Authorized redirect URLs Optional

When OAuth grants, such as the authorization code grant, require a browser redirect to a URL found in the redirect_uri parameter, the destination URLs must be added to this list. URLs that are not authorized may not be utilized in the redirect_uri parameter or the post_logout_redirect_uri parameter.

You can add as many URLs as you’d like to this list. Only exact string matches with the provided redirect_uri will be allowed. No partial or wildcard matches will be accepted.

Authorized request origin URLs Optional

This optional configuration allows you to restrict the origin of an OAuth2 / OpenID Connect grant request. If no origins are registered for this Application, all origins are allowed.

By default FusionAuth will add the X-Frame-Options: DENY HTTP response header to the login pages to keep these pages from being rendered in an iframe. If the request comes from an authorized origin, however, FusionAuth will not add this header to the response. To load FusionAuth hosted login pages in an iframe, you will need to add the request origin to this configuration.

Logout URL Optional

The optional logout URL for this Application. When provided this logout URL should handle the logout of a user in your application.

If you need to end an HTTP session, or delete cookies to logout a user from your application, these operations should be handled by this URL. When the /oauth2/logout endpoint is utilized, each Logout URL registered for Applications in this tenant will be called within an iframe to complete the SSO logout.

If the OAuth2 logout endpoint is used with this Client Id, this configured Logout URL will be also utilized as the redirect URL. This behavior only occurs when the post_logout_redirect_uri parameter is not provided.

If this Application has not defined a Logout URL, the value configured at the Tenant level will be used. If no Logout URL has been configured, a redirect to / will occur. A specific redirect URL may also be provided by using the post_logout_redirect_uri request parameter.

See the Logout endpoint for more information.

Logout behavior Optional

This selector allows you to modify the behavior when using the Logout endpoint with this Client Id.

• All applications - This is the default behavior. Logout out of the FusionAuth SSO, call each registered Logout URLs for the entire tenant and then redirect to the Logout URL registered for this application.

• Redirect only - Do not call each registered Logout URL in the tenant, instead logout out of the FusionAuth SSO and then only redirect to the Logout URL registered for this application.

See the Logout endpoint for more information.

Enabled grants Optional

The enabled OAuth2 grants. If a grant is not enabled and a client requests this grant during authentication an error will be returned to the caller indicating the grant is not enabled.

• Authorization Code

• Device

• Implicit

• Password

• Refresh Token

See The OAuth 2.0 & OpenID Connect Overview for additional information on each of these grants.

Require registration Optional Defaults to false

When enabled the user will be required to be registered, or complete registration before redirecting to the configured callback in the authorization code grant or the implicit grant. This configuration does not affect any other grant, and does not affect the API usage.

When you enable the Device grant you will be shown one additional configuration field:

Form Fields

Device verification URL Required

The URL to be returned during the Device Authorization request to be displayed to the end user. This URL will be where the end user navigates in order to complete the device authentication workflow.

Required when the Device grant has been enabled.

Form Fields

Email verification Optional Available since 1.19.0

When a template is selected this will be used instead of the template configured by the tenant. This template can only be used when a user is created and registered at the same time. If a user is created without a User Registration the tenant configured template will be used because there is no application context available.

Forgot password Optional Available since 1.19.0

When a template is selected this will be used instead of the template configured by the tenant if an application context is available.

Passwordless login Optional Available since 1.19.0

When a template is selected this will be used instead of the template configured by the tenant.

Setup password Optional Available since 1.19.0

When a template is selected this will be used instead of the template configured by the tenant. This template can only be used when a user is created and registered at the same time. If a user is created without a User Registration the tenant configured template will be used because there is no application context available.

Lambda Settings

The application specific lambda settings are available even if you choose not to enable additional application specific JWT configuration by leaving the Enable field off.

Access token populate lambda Optional

The lambda to be invoked during the generation of an Access Token (JWT) when a user authenticates against this Application.

Id token populate lambda Optional

The lambda to be invoked during the generation of an Id Token (JWT) when a user authenticates against this Application.

Once you have enabled JWT configuration for this Application you will be provided with additional configuration options.

JWT Settings

Issuer Read-only

The issuer used in the iss claim when building the Access Token and Id Token. This is a read-only value in this configuration. It can be modified in the Tenant configuration.

JWT duration Required

The duration in seconds for which a JWT will be valid after creation. After this time has passed the JWT will expire and can no longer be used.

Access token signing key Optional

The signing key used to sign the Access Token (which is a JWT) when a user authenticates against this Application. When this value is not selected, FusionAuth will generate a new key pair and assign it to this configuration.

Id token signing key Optional

The signing key used to sign the Id Token (which is a JWT) when a user authenticates against this Application. When this value is not selected, FusionAuth will generate a new key pair and assign it to this configuration.

Refresh Token Settings

Refresh token duration Required

The duration in minutes the refresh token will be valid after creation. After this time has passed the refresh token will no longer be able to be used to receive a new Access Token (JWT).

Refresh token expiration Optional

The Refresh token expiration may be either a fixed or sliding window. By default the expiration of a refresh token is a fixed length of time from when it was originally issued. With a sliding window expiration, the expiration is calculated from the last time the refresh token was used.

For instance, if a refresh token is issued at 1:00pm and has a duration of 60 minutes, if the expiration is fixed, the token will expire at 2:00pm. If, instead, the expiration is a sliding window, then if the refresh token is used at 1:55pm, it would then expire at 2:55pm. If it were then used at 2:50pm, it would expire at 3:50 pm.

Refresh token usage Optional

The Refresh token usage may be reusable or one time use. By default, a token is reusable and the token does not change after it was issued. With a one time use token, the token value will be changed each time the token is used to refresh a JWT. This means the client must store the new value after each use.

Form Fields

Email template Optional

When a template is selected, it will be used to send a multi-factor authentication code when the email MFA method is used and a user is signing in to this application.

SMS template Optional

When a template is selected, it will be used to send a multi-factor authentication code when the SMS MFA method is used and a user is signing in to this application.

Form Fields

Verify registrations Optional

When enabled a registration can be verified using an email workflow. This is similar to the email verification process, which occurs when a user is first created. Verifying a registration allows you to send an email to an end user and allows them to confirm they registered for this specific application.

Verification template Required

The email template to be used when sending the Registration Verification email to the end user.

Required when Verify registrations field toggle has been enabled.

Delete unverified registrations Optional

When enabled, the system will delete registrations for users who have not verified their registration for this application after a configurable duration since the registration occured.

Delete after Required

The duration in days for which a user’s registration to this application must exist and remain unverified before being deleted.

Required when Delete unverified registrations field toggle has been enabled.

Self Service Registration

Self service registration allows users to register for this application themselves. If this is not enabled, users must be created using the APIs or the administrative user interface.

There are two types of self service registration, basic and advanced.

Form Fields

Enabled Optional

When enabled, a button on the login page will be rendered to allow users to create a new account.

Type Optional

Select Basic or Advanced self service registration forms.

A paid edition of FusionAuth is required to use the Advanced self service registration forms.

Basic Self Service Registration

Confirm password Optional

Toggle this field if you want FusionAuth to require a password confirmation during registration.

Login type Optional

This field indicates if the email address or username should be the user’s unique identifier.

Registration fields Optional

The optional fields to be displayed on the registration form.

Field Read-only

The user attribute that can be shown on the registration form. Each field can be Enabled and/or Required.

Enabled Optional

This field will be shown on the registration form.

Required Optional

This field will be required and the user will be unable to complete registration unless the field is provided. If this field is not also Enabled then it will not be required.

Advanced Self Service Registration

This feature is only available in paid editions of FusionAuth. Please visit our pricing page to learn more about paid editions.

Advanced self service registration allows you to create a custom registration form, including validation, custom form fields, and multiple steps. Learn more in the guide.

Enabled Optional

When enabled, a button on the login page will be rendered to allow users to create a new account.

Form Required

The selected form will be used to provide self service registration for this application.

Form Settings

This feature is only available in paid editions of FusionAuth. Please visit our pricing page to learn more about paid editions.

Admin Registration Optional Available since 1.20.0

The form that will be used in the FusionAuth UI for adding and editing user registrations.

User self-service Optional Available since 1.26.0

The form that will be used with the hosted login pages for user self-service account management.

Form Fields

Issuer Required

The issuer used by service providers (i.e. Google, Zendesk, etc.) to identify themselves to FusionAuth’s SAML identity provider. Often you cannot set this in the service provider and need to read their documentation or test the integration and use the error messages to determine the correct value.

Audience Optional

Some service providers require a different audience (such as Zendesk). You can leave this blank if the audience is the same as the issuer.

Authorized redirect URLs Required

One or more allowed URLs that FusionAuth may redirect to after the user has logged in via SAML v2, also known as the Assertion Consumer Service URL (ACS).

Logout URL Optional

The URL that the user is redirected to after they are logged out. Usually this is the starting location of the application.

Debug enabled Optional

Enable debug to create an event log to assist you in debugging integration errors.

Authentication Request

Require signature Optional

When enabled, all unsigned requests will be rejected.

Default verification key Optional Available since 1.20.0

The verification key used to verify a signature when the SAML v2 Service Provider is using HTTP Redirect Bindings.

When HTTP POST Bindings are used, this is the default verification key used if a <KeyInfo> element is not found in the SAML AuthNRequest. If a <KeyInfo> element is found, Key Master will be used to resolve the key and this configuration will not be used to verify the request signature.

This field is required when Require signature is enabled.

Authentication Response

Signing key Optional

The signing key used to sign the SAML request. When this value is not selected the default selection will cause FusionAuth to generate a new key pair and assign it to this configuration.

Signature canonicalization method Optional defaults to Exclusive with comments

The XML signature canonicalization method. If you are unsure which method to select, leave the default and begin testing, or contact your service provider for configuration assistance.

Signature location Optional defaults to Assertion Available since 1.21.0

The location of the XML signature in the SAML response.

Populate lambda Optional

The lambda used to add additional values from the user and registration to the SAML response.

Logout Request

Require signature Optional Available since 1.25.0

When enabled the SAML service provider (SP) will be required to sign the Logout request. All unsigned Logout requests will be rejected.

Default verification key Optional Available since 1.25.0

The unique Id of the Key used to verify the signature if the public key cannot be determined by the KeyInfo element when using POST bindings, or the key used to verify the signature when using HTTP Redirect bindings.

This field is required when Require signature is enabled.

Logout behavior Optional Available since 1.25.0

This selector allows you to modify the behavior when logout occurs. There are two valid values:

• All session participants - This is the default behavior. Each session participant that has enabled single logout will be sent a Logout Request.

• Only logout request originator - no other session participants will be notified when a logout request is sent for this application.

Enable single logout Optional Available since 1.25.0

Enable this to receive a LogoutRequest as a session participant when any other SAML enabled application within the same tenant receives a LogoutRequest.

Logout URL Optional Available since 1.25.0

The URL where you want to receive the LogoutRequest from FusionAuth.

This field is required when Enable single logout is enabled.

Signing key Optional defaults to the value of the authentication response signing key Available since 1.25.0

The Key used to sign the SAML Single Logout response.

Signature canonicalization method Optional defaults to Exclusive with comments Available since 1.25.0

The XML signature canonicalization method. If you are unsure which method to select, leave the default and begin testing, or contact your service provider for configuration assistance.

Logout Response

Signing key Optional defaults to Assertion Available since 1.25.0

The signing key used to sign the SAML logout request. When this value is not selected the Authentication Response Signing key will be used.

Signature canonicalization method Optional defaults to Exclusive with comments Available since 1.25.0

The XML signature canonicalization method. If you are unsure which method to select, leave the default and begin testing, or contact your service provider for configuration assistance.

Login API Settings

Require an API key Optional

When enabled the Login API will require an API key. This is functionally equivalent to requiring client authentication during OAuth2.

Generate refresh tokens Optional

When enabled the Login API will return refresh tokens. This is functionally equivalent to requesting the offline_scope during an OAuth2 grant.

Allow token refresh Optional

When enabled a JWT may be refreshed using the JWT Refresh API. This is functionally equivalent to enabling the OAuth2 Refresh Grant.

Passwordless Login

Enabled Optional

When enabled, allow users to request login using a link sent via email. Enabling this feature will cause a button to be displayed on the FusionAuth login form and allow you to utilize the Passwordless Login API.

Authentication Tokens

Enabled Optional

When enabled, allow users to optionally authenticate using an Application specific token in place of their password. This should only be used when the security requirements are low and the user’s normal password is not a good option for authentication.

For example, if a password needs to be stored in an external configuration and the exposure risk is low, a token can be used in place of the user’s password. This token may only be used for authorization for this application.