Make sure you these 4 headers in your proxy

Forwarded-Proto: typically this will be https. This ensures any redirects are sent with the appropriate scheme. Forwarded-Host: The original host requested by the client in the Host HTTP request header. Forwarded-For: The originating IP address of the client. Forwarded-Server: The hostname of the proxy server.

@eric-vigiani please open a support ticket: https://account.fusionauth.io/account/support/

One option would be to use Events & Webhooks. Depeneding on what you want to track, you may be interested in the following events:
-[user.registration.create]
-[user.registration.complete]
-[user.registration.verified]

You could also enable the email verification gate. Then you could call your tracking event on this themed page which would only be fired when the user exits the Email Verification gate as the result of completing their email verification during registration.

Another option may be to add an UTM code to the redirect_uri used for self-service registration and consume that in your application as the result of a user completing registration.

It depends on how you setup the database. FusionAuth only needs compute nodes (easy to have in multiple regions) and a postgresql or mysql database (which supports foreign keys, so things like planetscale are out). If you set up an active-active db, it should work. Be sure to load test it and validate.

Yes, if you have API access. Please find the documentation here: Passwordless APIs

The process would go like this:

Call Start /api/passwordless/start, capture the code code. Call Login /api/passwordless/login with code Get a JWT and do with it what you normally would

For a Two Factor setup you would:

Call Start /api/two-factor/start consume code Call Login /api/two-factor/login with code Get a JWT

If the end user never needs to log themselves in, you may also consider:

Assign a random application password to a user. Use that known password to call the Login API Get a JWT! Optionally remove the application password if you want it to be a one time use password.

This does have the issue of not creating an SSO session for the user, but that may not be a problem. (If someone logs in this way, and then goes to another application which has a login page managed by the 'hosted login pages' of FusionAuth, they won't be automatically logged in.)

This should work, though this is not a common config.

Here are the suggested startup and liveness probes which worked for a community member:

I have configured the startup and liveness probes as follows, and they are working well: Startup probe http /api/status periodSeconds: 2s initialDelaySeconds: 0s timeoutSeconds: 1s failureThreshold: 10 Liveness probe http /api/status periodSeconds: 10s initialDelaySeconds: 0s timeoutSeconds: 1s failureThreshold: 3

More details and discussion on the GH issue: https://github.com/FusionAuth/fusionauth-issues/issues/1980

You will have to add the key to your FusionAuth instance as in this post.

In the FusionAuth admin page, got to Settings --> Key Master
e1482d56-5555-4d96-9c6a-1eeef98f87d2-image.png

Click "Generate EC key pair"
90f479ab-302c-4660-8157-03e3a8bfe58e-image.png

Fill in the information - I used JWT Signature - Asymmetric RSA Key Pari (RS256) for the name
5b7ddb83-c764-4000-87f8-cc3384d05429-image.png

Go to to Applications in FusionAuth admin and select edit on your application.

Select the JWT tab

Select Enabled
b6505e8e-1e2b-46c1-bfa6-56d7bfa0a5ba-image.png

In the JSON web token settings select the key you created in the above step.
becb03a2-81bf-4f1e-be82-34526e8c410f-image.png

@iwky You're spot on. My only suggestion would be to script the application configuration so that it is easy to create and update the FusionAuth configuration as you add new tenants.

You'll receive an error in both scenarios.

If you are using the web interface, you'll get a red message saying "Already exists".

forum-edit-user-email.png

And if you are trying to use the Update User API endpoint, you'll receive a HTTP 400 Bad Request error:

forum-edit-user-email-api.png

Even though we don't have specific SDKs for mobile apps, we do have a Flutter quickstart which uses our Dart client library.

If you want to develop natively, we recommend using AppAuth, which has iOS and Android SDKs and is maintained by the OpenId Foundation:

https://github.com/openid/AppAuth-iOS https://github.com/openid/AppAuth-Android

There's also a FusionAuth Swift Client maintained by the community.

Hi there!

Please make sure that you have selected that Lambda in your Application by navigating to its edit page, going to the JWT tab and choosing it on Access Token populate lambda.

For instance, my (extremely simple) function looks like:

function populate(jwt, user, registration) { jwt.customClaim = 'gotcha'; console.debug(JSON.stringify(user)); }

And I received the following access token with that customClaim at the end:

235241bf-3086-4565-a424-a14398bdcafd-image.png

@beezerk I'd suggest modifying the theme and adding a link and a meta redirect. I don't think there's any way to specify a redirect.

This has been fixed in version 1.46.0, which should be released soon.

You can track it at the issue above.

Thanks for reporting, @ndiarmand !

Also, I added some documentation to help folks to find this easier: https://github.com/FusionAuth/fusionauth-site/pull/2219

Should be live in a few minutes.

Since the original post is from two years ago, it's important to consider that the technology landscape and integration options may have evolved since then.

@mangeshp16 The original question is over two years old. Since version 1.42, you can enforce MFA at the tenant level (or the application level if you have the enterprise plan). This means that any user who logs in is required to have MFA. If they do not, they are redirected to a page where they can set it up.

There are other ways to accomplish this. You could build your own MFA page which would call the APIs directly. When a user logs in, you can check to see if they have any twoFactor methods available and if they don't, you can send them to this page.

@dan said in How can I make sure FusionAuth is running when I start it via docker-compose?:

It's not responding at the port 9011, like it should.
Is there a way to test or ping the FusionAuth App to make sure its up and running other than using docker ps -a?

Yes, there are several ways to test or ping the FusionAuth App to check if it's up and running without relying on the docker ps -a command. Here are a few alternative methods:

Curl or wget: You can use the curl or wget command-line tools to send a request to the FusionAuth App's endpoint and check the response. For example, you can run curl http://localhost:9011 or wget http://localhost:9011 to send a GET request to the FusionAuth App running on port 9011. If you receive a valid response, it indicates that the app is up and running.

Telnet: You can use the telnet command to establish a connection to the FusionAuth App's port and check if it's open and responsive. Run telnet localhost 9011 to attempt a connection to the FusionAuth App on port 9011. If the connection is successful, it means the app is running and accepting connections.

Browser access: Simply open a web browser and enter the URL http://localhost:9011 to access the FusionAuth App. If the app is running correctly, you should be able to see the login or landing page.

API client: If the FusionAuth App provides an API, you can use an API client like Postman or cURL to send a request to the API endpoints and verify if you receive the expected responses.

These methods allow you to test the availability and responsiveness of the FusionAuth App without relying on the docker ps -a command or using Docker-specific tools.

Hello, Time unit difference: The timestamps may be stored or represented in different units. For example, one library might use seconds while the other uses milliseconds. This can result in significantly different values for the expiration date.

Timezone handling: The libraries may handle timezones differently, which can affect the calculated expiration date. Make sure that the libraries are using the same timezone or that any necessary conversions are being applied consistently.

Timestamp format: The libraries might use different formats to store or interpret timestamps. Check if the libraries expect timestamps in a specific format and ensure that they are being provided correctly when generating or validating the JWT.

To resolve the issue, you can try the following steps:

Review library documentation: Check the documentation of both the .NET Core and Java client libraries for any specific information regarding timestamp handling, timezone considerations, or timestamp formats.

Verify input values: Ensure that the input values provided to both libraries are consistent and correctly represent the expiration timestamp. Double-check any conversion or formatting steps involved.

Test with sample data: Create a test case with sample data and compare the outputs of both libraries to identify any discrepancies or patterns.

Consult library support or community: If the issue persists, consider reaching out to the library maintainers or their respective communities for further assistance. They may be able to provide insights or suggest specific solutions for your scenario.

@mart

Hmmm. Haven't seen this before.

https://www.jvt.me/posts/2020/08/16/globally-disable-tls-java-httpsurlconnection/ looks interesting.

The java client uses https://github.com/inversoft/restify/ under the covers, so maybe there's some setting in that library? The docs are sparse (some might say not there at all) but the code is reviewable.

Let us know what you find.

@jacksontrevan Yes, this is unfortunately a limitation of cookies.

You could work around that by setting up a DNS alias to local.example.com (assuming FusionAuth is running remotely at auth.example.com).

You can usually set that up by googling for local host in /etc/hosts <platform> which turns up:

https://www.hostinger.com/tutorials/how-to-edit-hosts-file-macos https://www.manageengine.com/network-monitoring/how-to/how-to-add-static-entry.html