@brad sounds super frustrating.
I'll send you a message.
Group Details
Private
Power User
Helpful folks who know a lot about FusionAuth
Member List
-
RE: Editing user data in the UIposted in Q&A
-
RE: Claims to check when using google as an idp for google workspaceposted in Q&A
You should start by checking the relevant google documentation.
As of writing, this is what their doc says:
Using the email, email_verified and hd fields, you can determine if Google hosts and is authoritative for an email address. In the cases where Google is authoritative, the user is known to be the legitimate account owner, and you may skip password or other challenge methods.
Cases where Google is authoritative:
email has a @gmail.com suffix, this is a Gmail account. email_verified is true and hd is set, this is a Google Workspace account.Users may register for Google Accounts without using Gmail or Google Workspace. When email does not contain a @gmail.com suffix and hd is absent, Google is not authoritative and password or other challenge methods are recommended to verify the user. email_verified can also be true as Google initially verified the user when the Google account was created, however ownership of the third party email account may have since changed.
So in this case, you want to check that
hdis set as well as thatemail_verifiedis true.With FusionAuth, you can check this using a reconcile lambda and looking at the
id_token: -
Claims to check when using google as an idp for google workspaceposted in Q&A
What claims should I check when using google as an identity provider when I'm interested in making sure it is a google workspace account?
-
Docs MCP serverposted in Release
We have a docs MCP server.
This lets your MCP compatible IDE or client ask questions of all the FusionAuth docs, YouTube videos, Terraform provider, OpenAPI spec and more.
More details: https://fusionauth.io/docs/get-started/download-and-install/development/docs-mcp-server
-
RE: How use mobile number for authenticationposted in Q&A
Note that this functionality (logging in with a phone number) was delivered in 1.59.
More details here: https://fusionauth.io/blog/announcing-fusionauth-1-59
-
FusionAuth MCP serverposted in Announcements
Hi FusionAuth community,
We just released a preview MCP server that allows you to control a FusionAuth instance from within any MCP client (Cursor, Claude Desktop, any agent that uses MCP, etc).
You can see the announcement blog post here: https://fusionauth.io/blog/fusionauth-mcp-server
And the GitHub repo, which includes installation instructions, is here: https://github.com/FusionAuth/fusionauth-mcp-api/
We'd love your feedback; feel free to leave it here.
-
RE: Implementing Phone Number Verification in FusionAuth Without Enabling 2FAposted in Frequently Asked Questions (FAQ)
Just an FYI, as of 1.59.0, phone number verification is now fully supported in FusionAuth.
Read more here: https://fusionauth.io/docs/lifecycle/manage-users/verification/gate-accounts-until-user-phone-verified
-
RE: How to deal with sign-up spam?posted in Q&A
@atakan @theogravity-sb Seems like two different issues here.
@theogravity-sb is talking about attackers using the Google identity provider to create accounts with malicious names. @atakan is talking about attackers using self-service registration to create accounts with malicious names. They seem related but not identical. When you are allowing people to create their own identity and/or delegate to another source of identity, you decrease friction but give up some control.
The bad news is that FusionAuth has nothing out of the box to stop this behavior.
The good news is that you can build an integration to stop it. There are email verification services that give you a risk factor for email addresses and you can check that before you allow for registration or login.
Here's a blog post I wrote about leveraging a third-party service to check the validity of emails provided during registration. This post uses a self-service registration validation lambda, but for the Google identity provider use case, you could use the login validation lambda and perform the same type of check.
While I used Fideo because it had a good API and I had a connection there, I have not done an extensive survey of the landscape of email verification services, so cannot recommend any particular service.
-
RE: OAuth Complete Registration functionality breaks the authorization flow after upgrading to version 1.59.1posted in Comments & Feedback
FYI, this was fixed in 1.60.0, per the release notes.
In version 1.59.0 the password is now optional when creating or updating a user.
When returning from a third-party login, a user may be prompted to complete registration by entering a password when self-service is enabled and is configured to require a password.
This was unintended and has been corrected.
https://fusionauth.io/docs/release-notes/
Tracking issue: https://github.com/FusionAuth/fusionauth-issues/issues/3159