FusionAuth

    Topics created by Alex Patterson

    • A

      Meetup - Protecting your API's with JSON Web Tokens

      Announcements
      • • • Alex Patterson
      1
      0
      Votes
      1
      Posts
      5.4k
      Views

      No one has replied

    • A

      Docs Matter! Learn how to make better docs with Astro - Townhall V0.10

      Announcements
      • • • Alex Patterson
      1
      0
      Votes
      1
      Posts
      5.3k
      Views

      No one has replied

    • A

      Unsolved For the Forgot Password workflow, instead of a clickable email link can we use a one-time generated number for the user to type in?

      Q&A
      • • • Alex Patterson
      2
      0
      Votes
      2
      Posts
      1.6k
      Views

      A

      It is possible to configure in this way.
      You can customize the forgot password email template to display the generated changePasswordId rather than using it as part of the URL.

      Two pages will need to be customized for the theme:

      • Forgot password sent - update this to forward the user to the “Change password form” page. One option to perform this redirect is to use a meta refresh tag.
      • Change password form - the default template uses a hidden element to submit the changePasswordId. You can use another form field that the user fills out to submit the code.

      FusionAuth hosted pages will require the verification code and updated password to be submitted on the Change Password form page.
      Please also note the potential security implications of shortening the verification code to 4 digits instead of the default 32 encoded bytes.

    • A

      FusionAuth Sales Process with Matt Hathcock - TownHall v0.7

      Announcements
      • • • Alex Patterson
      1
      0
      Votes
      1
      Posts
      3.2k
      Views

      No one has replied

    • A

      TownHall v0.6, Live in 5 minutes!

      Announcements
      • • • Alex Patterson
      1
      0
      Votes
      1
      Posts
      2.2k
      Views

      No one has replied

    • A

      Why Choose FusionAuth - TownHall v0.5

      Announcements
      • • • Alex Patterson
      1
      0
      Votes
      1
      Posts
      7.3k
      Views

      No one has replied

    • A

      TownHall v0.4 - .Net Templates

      Announcements
      • • • Alex Patterson
      1
      0
      Votes
      1
      Posts
      1.3k
      Views

      No one has replied

    • A

      Town Hall v0.2 - Using FusionAuth with PHP

      Announcements
      • • • Alex Patterson
      1
      0
      Votes
      1
      Posts
      3.5k
      Views

      No one has replied

    • A

      Town Hall v0.2 - React Using the Auth Code Grant

      Announcements
      • • • Alex Patterson
      1
      0
      Votes
      1
      Posts
      2.9k
      Views

      No one has replied

    • A

      Town Hall v1.0 @ 3p ET Today Oct, 12 2023

      Announcements
      • • • Alex Patterson
      2
      0
      Votes
      2
      Posts
      1.1k
      Views

      A

      Here is a short video on what we covered.

      https://youtube.com/shorts/PSGIYBlhBhs?si=fAAJLW7RhbAgRmHO

    • A

      Solved Does FusionAuth support OpenSearch?

      Q&A
      • • • Alex Patterson
      2
      0
      Votes
      2
      Posts
      568
      Views

      A

      OpenSearch version 2.x will function properly with FusionAuth version >= 1.42.0.

      Related GH Issue: https://github.com/FusionAuth/fusionauth-issues/issues/1558

      If you run into issues please let us know or file an issue so we can take a look.

    • A

      Unsolved How to correctly setup a proxy locally

      Q&A
      • • • Alex Patterson
      2
      0
      Votes
      2
      Posts
      950
      Views

      A

      The hosted backend will check the Origin or Referer header on the request and validate that it comes from an origin that matches the domain of the host of the request to FusionAuth. If they do not then we return a 403 regardless of what the CORS configuration is set to.

      Ideally to get this to work with the remote instance you may want to try setting a local proxy with "local.fusionauth.io" or similar set to localhost:4000 so that the browser sees this as the same apex domain as FusionAuth.

      Utilizing a different port instead of route based paths tends to work better.

      Below is an example using express / http-proxy-middleware.

      const express = require("express");
      const { createProxyMiddleware } = require("http-proxy-middleware");

      // Replace with your FusionAuth host, for example https://example.fusionauth.io
      const FUSION_AUTH_HOST = "https://example.fusionauth.io";

      const app = express();

      app.use(
        "/",
        createProxyMiddleware({
          target: FUSION_AUTH_HOST,
          changeOrigin: true,
          // Forwarded headers describing the local proxy the browser talks to
          headers: {
            "X-Forwarded-Proto": "http",
            "X-Forwarded-Host": "localhost:4001",
            "X-Forwarded-Port": "4001",
            "X-Forwarded-Server": "localhost:4001",
          },
        })
      );

      app.listen(4001);

    • A

      Solved Does FusionAuth support reporting internal system metrics for better observability?

      Q&A
      • • • Alex Patterson
      2
      0
      Votes
      2
      Posts
      648
      Views

      A

      You can add the OpenTelemetry Java agent as described here: https://fusionauth.io/docs/v1/tech/admin-guide/monitor#opentelemetry

      We also have an open issue to better support OpenTelemetry with spans: https://github.com/FusionAuth/fusionauth-issues/issues/1665

      If you are looking for alerts, you can check out how to set up Prometheus:
      https://fusionauth.io/docs/v1/tech/tutorials/prometheus

    • A

      Solved Does FusionAuth provide pre-built components?

      Q&A
      • • • Alex Patterson
      3
      0
      Votes
      3
      Posts
      737
      Views

      danD

      It's also worth noting that we strongly recommend using the Authorization Code grant and redirecting to FusionAuth's hosted login pages, rather than using the Login API.

      This has the following benefits:

      • you don't have to worry about any other architectural components handling credentials, which are highly valuable to an attacker
      • this solution works across almost all mobile and web applications, whether custom or COTS or OSS, as opposed to being limited to React SPAs
      • you get FusionAuth's app to app single sign-on
      • when there is a new workflow added, implementing it is a matter of configuring FusionAuth correctly rather than modifying your code to add a new component; an example would be adding a social provider or magic links

      We understand that this sometimes comes at a cost of UX complexity as you need to sync or at least align your UX between two different systems. This is why we offer the Login API as @Alex-Patterson mentioned; it's an escape hatch if redirecting just won't work.

      We also have themes to support customizing the FusionAuth hosted login pages, including this example which uses Tailwind.

    • A

      Unsolved How do you setup Webhooks for local testing?

      Q&A
      • • • Alex Patterson
      3
      0
      Votes
      3
      Posts
      708
      Views

      M

      @alex-patterson It seems like you are experiencing issues with FusionAuth not hitting localhost:3000/webhooks but working correctly on webhook.site. There could be several reasons for this behavior:

      Configuration: Double-check your FusionAuth configuration to ensure that the webhook URL is correctly set to "localhost:3000/webhooks" and that there are no typos or errors in the URL.
      Firewall or Network Restrictions: Make sure that there are no firewall or network restrictions preventing FusionAuth from accessing localhost. Sometimes, security settings may block external services from accessing localhost.

    • A

      Solved Does a user expiring trigger a user deactivate event?

      Q&A
      • • • Alex Patterson
      2
      0
      Votes
      2
      Posts
      577
      Views

      A

      When a user expires, login will fail with a 410 status code, but we do not treat this as a user deactivation. We do not yet have an event for user expiration; it really only keeps the user from logging in.

      https://fusionauth.io/docs/v1/tech/events-webhooks/events/user-deactivate

    • A

      Solved Max Add Users to Group

      Q&A
      • • • Alex Patterson
      2
      0
      Votes
      2
      Posts
      550
      Views

      A

      There are no hard limits as to the number of users you can add.

      If you notice any load spikes, you can always batch the work into multiple API calls.

    • A

      Solved Disable MFA for user via API

      Q&A
      • • • Alex Patterson
      2
      0
      Votes
      2
      Posts
      557
      Views

      A

      This is possible using the User API.

      https://fusionauth.io/docs/v1/tech/apis/users

      First, GET the current user and identify the two-factor method you want to disable. Below you can see where the twoFactor methods list has one called "authenticator".

      Example:

      {
        "user": {
          ...
          "twoFactor": {
            "methods": [
              {
                "authenticator": {
                  "algorithm": "HmacSHA1",
                  "codeLength": 6,
                  "timeStep": 30
                },
                "id": "35VW",
                "method": "authenticator"
              },
              ...

      Remove the object for "authenticator" and then make a PUT call against the same User object to update.

      https://fusionauth.io/docs/v1/tech/apis/users#update-a-user

      Please note:

      This will allow you to administratively remove a 2FA method from a specific user, and it will leave the recovery codes intact if there is at least one remaining 2FA method configured for the user. If you only have one configured method, and you remove it, the recovery codes will be cleared, and then re-generated next time you enable 2FA on the user.

    • A

      Solved Account Lockout custom message

      Q&A
      • • • Alex Patterson
      2
      1
      Votes
      2
      Posts
      728
      Views

      A

      You can customize the message the user will be presented within the messages bundle of a theme (Themes > Your Theme > Edit > Messages). In this case, you will want to modify the following message key.

      [UserLockedException]=Your account has been locked. Please contact your system administrator.

      You can modify this message to your requirements:

      [UserLockedException]=FooBarBaz

      Your modification will be displayed to the end user.

      found variables for other messages displayed to the user as part of the Login Flow, but not for the Account Lockout Message.

      I find exporting the entire message bundle first (by "selecting all" <CTRL + A> from the admin UI) and then pasting the result in a code editor to find a message key is sometimes easier. We do have some adjacent documentation here.

      For reference only, our Theme API is also available here.