Hi @trevorr,

I can't say that we have an out-of-box solution for you on this directly. If you would like to submit a feature request fully outlining your use case, we could have our dev team review it.

I have a couple of other thoughts:

we want to send email from our marketing platform for consistent tracking

Remember that you have the ability to augment the user object with custom data (User API -- user.data field). Some of this data could be a tracking code that links back to your marketing platform, for instance.

we want a consistent look and feel in the password setting UI (simulating Material UI in a FA theme seems infeasible),

FreeMarker templating does accept HTML and other modern inputs to allow you to custom craft a landing page that meets your brand requirements (You can check out some examples of exactly this, here). Anecdotally, I have heard of some customers that use services such as MailChimp/ContantContact/Drip to create templates and then import them into FreeMarker. It is outside of my domain expertise, but it seems this is done often enough.

c) FusionAuth doesn't seem to have a way to send the user into our app after they set a password.

This is possible but would require some additional javascript code. See Here

Webhooks are also a powerful tool within FusionAuth to notify when certain other user actions occur. API documentation here

If anything else comes to mind, I will post back here! I hope this helps!

Thanks,
Josh

This is unfortunately a known issue. See https://github.com/FusionAuth/fusionauth-issues/issues/629 for some discussion. There are some workarounds in some situations (allow lists in Office 365) but no general workaround.

That should work ok. The only reason not to do it this way - is because you’re sort of emulating the OAuth frontend’s usage of this API which in theory is subject to change.

Re: state, additional key value pairs will be stored, however if our front end is consuming the URL, you won’t have access to the API response which will contain that state information.

This is possible. Doing so allows you to weave passwordless into the normal OAuth flow so you can use standard OAuth libraries but not have your user enter a password.

Start the passwordless login on the server side (using the API). Get the passwordless code. Send this url to the client: [FusionAuthURL]/oauth2/passwordless/[passwordlesscode]?redirect_uri=[redirect URI]&response_type=code&client_id=[client_id]. Have the client request this url. It'll be just as if the user had authenticated via the /oauth2/authorize endpoint and the user had entered their credentials. You'll get back an authorization code which can then be exchanged for an access token/JWT.

Not through a FusionAuth policy, but you can do that in the login template if you want to filter it by email domain or something like that.

If you have not let the user set their password, then passwordless will implicitly be the only path that will work for them (assuming you don’t offer them social login buttons).

If you pass the user’s email on the redirect to FusionAuth as &loginId=test@example.com, that value will be available to you in the template and you can then key off, parse the domain, or whatever - and use that to hide or show whatever you like.

Hi David,

It sounds like you're looking for a way to pass the timezone of the user into the passwordless call so it is available in the email template. I agree that the current timezone is more useful than the possibly stale value in the user profile.

I don't know of any way to do this currently. So my suggestion would be to file a feature request: https://github.com/fusionauth/fusionauth-issues

That's configurable at the tenant level.

The default is 180 seconds, but it is customizable in the tenant settings: https://fusionauth.io/docs/v1/tech/guides/passwordless#one-time-code-customization

See also https://github.com/FusionAuth/fusionauth-issues/issues/612