@adam-rahman I heard back from TikTok. Not a very detailed response, but pretty clear they are not going to change anything.

"
Thank you for reaching out to TikTok for Developers Support.

I'm sorry that this can't be changed at present.
"

For now, I will continue to push the issue internally. If there is progress, we will update the Github issue.

No perfect options, but a few workarounds possible

a connector-like proxy which would intercept Client Credentials requests from their customers and use business logic to validate the client secret against the stored Duende hash. stand up a simple proxy in front of the Duende that logs the plaintext client secrets for a period of time before migration (protect these logs of course) go to each client and ask them to use a new FusionAuth specific client secret (analogous to resetting user passwords)

More details on the first option. It requires these steps/prereqs:

FusionAuth Entities Setup The customer should create new FusionAuth Entities that correlate to the Client ID of all APIs and services currently associated with Duende. For now, let FusionAuth generate a random Client Secret. Custom Attribute for Migration: Store a custom attribute such as migration: false on entity.data for all newly created Entities. Migration Steps API/Service Requests Token: The API or service calls Duende's token endpoint. Proxy Interception: The customer's proxy intercepts the client credentials request and searches FusionAuth Entities to find the matching Entity by Client ID. Migration Check: Use an if/else logic to check if migration: false exists for this client ID. If so, the proxy service proceeds with the client credentials request to Duende using the Client ID and Secret (in plain text). JWT Validation: If Duende responds with a JWT, this confirms the Client Secret is correct. The proxy service discards Duende's JWT and then calls the Entity API to update the correct Client Secret and set migration: true on the entity.data object. Complete Migration: The proxy service calls FusionAuth's token endpoint to complete the Client Credentials grant. The proxy service then returns a JWT to the end customer’s API/service, migration is complete.

Which of these make sense depend on how many clients you have, your dev teams bandwidth, and your security posture.

While I have not tested it, this documentation shows how to use an SMTP integration to send an email with resend.

This should work fine with FusionAuth's email settings.

@joshua I believe one reason MFA cannot be supported for non-migrated users is that their details are overwritten with every login.

However, if the source application could retain these details and transmit them through a connector, could it be possible to support MFA?

It's a subtle difference, but one-time use refers to the value of the refresh token, which you use against the /oauth2/token endpoint to get a new access token via the refresh grant.

A sliding window refers to the refresh token itself, which has a unique id which stays the same, even as the value of the refresh token changes.

So if you had a refresh token with a lifetime of 4 hours, a sliding window and one time use configured, you might end up with something like this:

at creation: id 09cfb961-291a-420f-b5cf-48c5c87a67cc, value RNhY5yE39t1o2FXKxgyH, lifetime 4 hours when the RT is presented to the /oauth2/token endpoint 3 hours after creation: id 09cfb961-291a-420f-b5cf-48c5c87a67cc, value Fh95KZLfSMjMNxpR5B4c, lifetime 4 more hours when the RT is presented to the /oauth2/token endpoint 3 hours later: id 09cfb961-291a-420f-b5cf-48c5c87a67cc, value baHneP4s0hBHPEk88GPC, lifetime 4 more hours

More details here: https://github.com/FusionAuth/fusionauth-issues/issues/2925

@mark-robustelli it was my fault, it turned out someone in the team created a lambda operation that was running which changes the user's data as soon as the user signs up which overrides the initial data.

Thanks for your reply though.

Duplicate post

@mark-robustelli Sure,Thanks!
If you find anything please let me know

Here's the PR making the doc better:

https://github.com/FusionAuth/fusionauth-site/pull/3371

@celiaruby127

Also, sorry for my late reply, I saw just now that I had to activate notifications.

@aman-c Have you been able to follow the Next.js quickstart?

Another option that works as of today is to set up a tenant to tenant connector.

Add a connector to the new tenant. Point it at the /api/login endpoint of the old tenant, including an API key as a header.

Change your app to send everyone to a new application in the new tenant.

When the user logs in to the new application, if it is the first time they've been seen, the old tenant data, including password, will be queried. The password hash will be transparently migrated to the new tenant.

This slow migration takes time, but is another option.

@dan Thanks for this. I've tried your suggestion but the result isn't very pretty. Freemarker templates are a new one on me and once I dig into the default templates, when creating a new advanced theme, it's quite complex enough to begin with!

I am usually the type to prefer more customisation than less but maybe there could be a couple of "cookbooks" or example templates somewhere? It's nice to see some visual examples in the docs but without knowing how to get there, it's a little disheartening.

Hi @jamesbaxter . Sorry, just saw this now. I don't have the example app available. Sorry!

Oh, it's still an open bug - https://github.com/FusionAuth/fusionauth-issues/issues/2574. I'll ask there.

@tschlegel There are differences between the database search engine and using open search. Some of the searches are more limited with the database search engine.

"If you don’t need advanced searching capabilities, you may be able to use the database search engine for large installations. This is not a use case FusionAuth tests, so ensure you provision your database with enough resources and benchmark your typical use cases."

@rohit How often does this happen? Do the logs always state the same thing?

@lhatter, The FusionAuth recommendation is to leave all password hashing plugins in place once installed.

See Deleting Plugins on the Custom Password Hashing page.

I upgraded. I haven't tried a new install nor do I want to. I understand why it's happening. Is it something you can fix in a future update, without my having to start over with a whole new install?

@Alex-Patterson Can you please look into this one , thanks a lot in advance.