FusionAuth
    • A

      How to use FusionAuth JWT token and claims with Hasura GraphQL to authenticate GraphQL requests

      • • atakan
      4
      2
      Votes
      4
      Posts
      23.1k
      Views

      A

      @dan you're welcome! 🙂

    • danD

      What open source and commercial packages are known to work with FusionAuth?

      commercial compatibility open source packages • • dan
      6
      0
      Votes
      6
      Posts
      20.8k
      Views

      robotdanR

      All of the new IdPs added in 1.28.0. Twitch, Steam, Xbox, Sony PSN, and Epic Games.

    • danD

      Editing user data in the UI

      user data user interface • • dan
      17
      0
      Votes
      17
      Posts
      10.7k
      Views

      B

      @dan
      I'm now on 1.61.2 and still unable to add the first_name field. Is there any workaround for this? Could you issue a temporary license so I can add the field, then revert back to the community license?

    • R

      Unsolved How can I configure session timeout on the admin panel?

      • • rachel.flatt
      3
      0
      Votes
      3
      Posts
      125
      Views

      R

      @mark-robustelli Thanks for this. We don't have the setting Applications -> FusionAuth -> Edit -> JWT -> Refresh Token Settings -> Refresh Token duration, and I can't enable JWT on the FusionAuth application.

      Did you mean the OAuth tab in the tenant? That is currently set to 3600 seconds, but I find I'm still logged in to the admin panel after well over an hour of inactivity.

    • O

      Solved Use Microsoft Graph API with FusionAuth entra login

      • • oliver.muthusami
      7
      0
      Votes
      7
      Posts
      425
      Views

      mark.robustelliM

      @oliver-muthusami hmmm. I did some poking around Microsoft's documentation and found this.

      The inclusion of the refresh token in the response can depend on several factors, including the specific configuration of your application and the scopes requested during the authorization process. If you expect to receive a refresh token in the response but fail to, consider the following factors:

      Scope requirements: Ensure that you're requesting the offline_access scopes along with any other necessary scopes.

      Authorization grant type: The refresh token is provided when using the authorization code grant type. If your flow differs, the response can be affected.

      Client configuration: Check your application's settings in the identity platform. Certain configurations may restrict the issuance of refresh_tokens.

      Are you sure you have Entra configured correctly?

    • J

      Unsolved fusion auth not changing the value of cookies named with account.at, account.rt after logout

      • • jvadaliya
      4
      0
      Votes
      4
      Posts
      941
      Views

      mark.robustelliM

      @marcel-beutner If you have found a bug, you may want to report it using the FusionAuth Issues.

    • T

      Unsolved Unable to sort by fullName when formatted as "lastName, firstName"

      • • tnguyen
      2
      0
      Votes
      2
      Posts
      114
      Views

      mark.robustelliM

      I just did a search on 1.61.0 in the Admin UI and my results were sortable by the name. Can you give us the exact query you used to use the search API and the search you used in the search bar? I am curious to see if that returns something different.

    • B

      Unsolved What is the verification key in a SAMLv2 IdP used for?

      • • biwi
      5
      0
      Votes
      5
      Posts
      855
      Views

      B

      @mark-robustelli Well, here are some screenshots:

      At first I added a new IdP - via API POST /api/identity-provider - and the existing dummy/placeholder certificate is linked:
      -> this is the only IdP

      Then I import - via API POST /api/key/import - the correct certificate,

      but I do not link this in the IdP, and so do not set the Verification key.

      Do I get it right, that the login should not work in that case? But I am able to log in via this EntraID IdP.

    • danD

      Solved Claims to check when using google as an idp for google workspace

      google idp workspace • • dan
      2
      0
      Votes
      2
      Posts
      523
      Views

      danD

      You should start by checking the relevant Google documentation.

      As of writing, this is what their doc says:

      Using the email, email_verified and hd fields, you can determine if Google hosts and is authoritative for an email address. In the cases where Google is authoritative, the user is known to be the legitimate account owner, and you may skip password or other challenge methods.

      Cases where Google is authoritative:

      email has a @gmail.com suffix, this is a Gmail account.

      email_verified is true and hd is set, this is a Google Workspace account.

      Users may register for Google Accounts without using Gmail or Google Workspace. When email does not contain a @gmail.com suffix and hd is absent, Google is not authoritative and password or other challenge methods are recommended to verify the user. email_verified can also be true as Google initially verified the user when the Google account was created, however ownership of the third party email account may have since changed.

      So in this case, you want to check that hd is set as well as that email_verified is true.

      With FusionAuth, you can check this using a reconcile lambda and looking at the id_token:

      https://fusionauth.io/docs/extend/code/lambdas/google-reconcile
      https://fusionauth.io/docs/extend/code/lambdas/openid-connect-response-reconcile

    • M

      How use mobile number for authentication

      • • mehr.prs
      6
      0
      Votes
      6
      Posts
      8.0k
      Views

      danD

      Note that this functionality (logging in with a phone number) was delivered in 1.59.

      More details here: https://fusionauth.io/blog/announcing-fusionauth-1-59

    • M

      Unsolved We are getting ERROR org.primeframework.mvc.PrimeMVCRequestHandler - Error encountered

      • • manoj.patil
      2
      0
      Votes
      2
      Posts
      1.2k
      Views

      mark.robustelliM

      @manoj-patil said in We are getting ERROR org.primeframework.mvc.PrimeMVCRequestHandler - Error encountered:

      t F ... 63 common frame

      Under what circumstances are you receiving this error?

    • M

      Unsolved All log

      • • manoj.patil
      3
      0
      Votes
      3
      Posts
      1.6k
      Views

      M

      @mark-robustelli

      We used Lambda to get audit and event logs from DB and put in CloudWatch

    • C

      Unsolved POST /api/user/import not triggering webhook `user.bulk.create`

      • • chad.hurd
      4
      0
      Votes
      4
      Posts
      1.1k
      Views

      mark.robustelliM

      @chad-hurd Awesome that you got it figured out. Do you mind sharing what, specifically, was wrong with the setup? It may help others down the road.

    • B

      Unsolved Account Portal - Is Federation to our Enterprise IDP possible?

      • • batmysta
      4
      0
      Votes
      4
      Posts
      1.2k
      Views

      mark.robustelliM

      @batmysta, Thanks for clearing that up. Unfortunately, there is no way I know of to configure federated authentication with the FusionAuth Account Portal.

    • R

      Solved How to get event.info.deviceDescription in events webhook (ex user.login.success)?

      • • rabah.laouadi
      3
      0
      Votes
      3
      Posts
      1.1k
      Views

      R

      @mark-robustelli Thanks for the answer

      The solution is to add the line below, [@hidden name="metaData.device.description"/], within the Advanced Theme, in the Helpers file, under

      [#macro oauthHiddenFields]
        [#-- here --]
        [@hidden name="metaData.device.description"/]
        ...
        [@hidden name="captcha_token"/]
        [@hidden name="client_id"/]
        [@hidden name="code_challenge"/]
        [@hidden name="code_challenge_method"/]
        [@hidden name="metaData.device.name"/]
        [@hidden name="metaData.device.type"/]
        [@hidden name="nonce"/]
        [@hidden name="oauth_context"/]
        [@hidden name="pendingIdPLinkId"/]
        [@hidden name="prompt"/]
        [@hidden name="redirect_uri"/]
        [@hidden name="response_mode"/]
        [@hidden name="response_type"/]
        [@hidden name="scope"/]
        [@hidden name="state"/]
        [@hidden name="tenantId"/]
        [@hidden name="timezone"/]
        [@hidden name="user_code"/]
      [/#macro]

    • danD

      How can I pull the latest docker image

      docker docker-compose update image • • dan
      5
      0
      Votes
      5
      Posts
      19.7k
      Views

      danD

      See more details here: https://fusionauth.io/docs/get-started/download-and-install/docker#docker-tags

    • J

      Unsolved Redirect loop between login and consent page during OAuth2 authorization (Proof of Concept)

      • • jefferson.piscos
      4
      0
      Votes
      4
      Posts
      953
      Views

      mark.robustelliM

      @jefferson-piscos, the debug enabled is under the OAuth tab. Go ahead and enable that and check the logs.

      Also it is a little weird that you are redirected to a consent screen. Do you have any consents configured? You can go to Settings -> Consents in the Admin UI.

      Then you can check the user and see if you have any set for the user you are testing.

      Hopefully that will clear it up and you will be good to go. If not, let's see what those logs say.

    • H

      Unsolved Proxy IP Issue

      • • haziqt
      4
      0
      Votes
      4
      Posts
      2.0k
      Views

      mark.robustelliM

      @haziqt Sounds like FusionAuth is up and working except reporting the wrong IP address of the user on login. You may want to consider opening an issue.

    • R

      Unsolved Issue with Getting Started guide, invalid client

      • • raymondcamden
      5
      0
      Votes
      5
      Posts
      1.9k
      Views

      mark.robustelliM

      @raymondcamden Ha, glad you got it working. Generally, the quickstarts come with a docker file that you can just run docker compose against and it will get you the instance. That instance would be configured to work with the sample code for that quickstart. The application and users would be created and things like that. If you have it working the way you want, awesome. If you run into other issues, please just let us know.

    • danD

      Solved How to deal with sign-up spam?

      • • dan
      6
      0
      Votes
      6
      Posts
      3.1k
      Views

      danD

      @atakan @theogravity-sb Seems like two different issues here.

      @theogravity-sb is talking about attackers using the Google identity provider to create accounts with malicious names. @atakan is talking about attackers using self-service registration to create accounts with malicious names. They seem related but not identical. When you are allowing people to create their own identity and/or delegate to another source of identity, you decrease friction but give up some control.

      The bad news is that FusionAuth has nothing out of the box to stop this behavior.

      The good news is that you can build an integration to stop it. There are email verification services that give you a risk factor for email addresses and you can check that before you allow for registration or login.

      Here's a blog post I wrote about leveraging a third-party service to check the validity of emails provided during registration. This post uses a self-service registration validation lambda, but for the Google identity provider use case, you could use the login validation lambda and perform the same type of check.

      While I used Fideo because it had a good API and I had a connection there, I have not done an extensive survey of the landscape of email verification services, so cannot recommend any particular service.