@mark-robustelli Thanks for this. We don't have the setting Applications -> FusionAuth -> Edit -> JWT -> Refresh Token Settings -> Refresh Token duration , and I can't enable JWT on the FusionAuth application.

Did you mean the Oauth tab in the tennant? That is currently set to 3600 seconds, but I find I'm still logged in to the admin panel after well over an hour of inactivity.

@oliver-muthusami hmmm. I did some poking around Microsoft's documentation and found this.

The inclusion of the refresh token in the response can depend on several factors, including the specific configuration of your application and the scopes requested during the authorization process. If you expect to receive a refresh token in the response but fail to, consider the following factors: Scope requirements: Ensure that you're requesting the offline_access scopes along with any other necessary scopes. Authorization grant type: The refresh token is provided when using the authorization code grant type. If your flow differs, the response can be affected. Client configuration: Check your application's settings in the identity platform. Certain configurations may restrict the issuance of refresh_tokens.

Are you sure you have Entra configured correctly?

@dalamenona This error is coming from Prometheus right? Is there a way to get it to tell you which metric is being reported? If not, could you set up a network monitor and capture the traffic that is being sent to narrow down the metric being sent by FusionAuth that is causing the problem? Maybe then we can look into why FusionAuth is sending the conflicting data.

@dalamenona I see your point about the Database_primary_pool_MaxConnections being set to 20 on the value for usage being reported above that. Browsing around the web, I came across something that said Database_primary_pool_Usage is over the lifetime of the application, but can't seem to find the source now. You also make a valid point about around the other data defenitions. It may make sense to do a deeper dive into HikariCP sources in general. There may be some answers there.

Anyone here familiar with these numbers?

It may also make sense for you to open an issue with FusionAuth as it is not clear to me if these numbers are coming from FusionAuth or HikariCP.

@marcel-beutner If you have found a bug, you may want to report it using the FusionAuth Issues.

I just did a search on 1.61.0 in the Admin UI and my results were sortable by the name. Can you give us the exact query you used to use the search API and the search you used in the search bar? I am curious to see if that returns something different.

Hi there, I'm working on the same project. And since this forum post, the error did not occur again for about a month and has recently occurred 3 times in the last week.
The instance is a fusionauth instance.
(auth.*.ch is a CNAME (alias) for bnjmvfriojf0pzpzhtmmz6xf2sgl6b.durable.fusionauth.io)

The access where the error occurs was via browser (firefox to be exact if sentry is to be believed).

There are no recent changes to the CORS config.

For most of our users this does not seem to be an issue. It happens very isolated for a handful of users.

@Alex-Patterson said in Node Version Compatibility:

@max-0 our SDK package.json can be found here https://github.com/FusionAuth/fusionauth-typescript-client/blob/master/package.json

In reality, we don't impose any limitations on a client, if something doesn't work well with your setup you can always exit from the SDK strategy and call the API's directly.

Thanks for the clarification! Good to know we can always call the APIs directly if needed.

@dftz3966 said in Is there away to provide error message data from a webhook via either Webhook or Event logs?:

@mark-robustelli said in Is there away to provide error message data from a webhook via either Webhook or Event logs?:

@edschlough If you take a look at the example code from the webhook documentation, it shows how to return errors. Is this what you are after?

Thank you so much
Wow! This is what I need, thank you for sharing

@mark-robustelli Well, here are some screenshots:

at first I added a new IdP - via API POST /api/identity-provider - and the existing dummy/placeholder certificate is linked:
7ee96348-07c1-4845-8a9a-26998572d0e0-image.png
-> this is the only IdP

then I import - via API POST /api/key/import - the correct certificate:
ab51c6c5-1c2b-4939-a01d-2e045274400d-image.png

but I do not link this in the IdP, and so do not set the Verification key

Do I get it right, that the login should not work in that case? But I am able to login via this EntraID IdP.

You should start by checking the relevant google documentation.

As of writing, this is what their doc says:

Using the email, email_verified and hd fields, you can determine if Google hosts and is authoritative for an email address. In the cases where Google is authoritative, the user is known to be the legitimate account owner, and you may skip password or other challenge methods.

Cases where Google is authoritative:

email has a @gmail.com suffix, this is a Gmail account. email_verified is true and hd is set, this is a Google Workspace account.

Users may register for Google Accounts without using Gmail or Google Workspace. When email does not contain a @gmail.com suffix and hd is absent, Google is not authoritative and password or other challenge methods are recommended to verify the user. email_verified can also be true as Google initially verified the user when the Google account was created, however ownership of the third party email account may have since changed.

So in this case, you want to check that hd is set as well as that email_verified is true.

With FusionAuth, you can check this using a reconcile lambda and looking at the id_token:

https://fusionauth.io/docs/extend/code/lambdas/google-reconcile https://fusionauth.io/docs/extend/code/lambdas/openid-connect-response-reconcile

@vijaysingh1784 Looks like you have done a bit of research your self and made a pretty good analysis. I am not very familiar with MojoAuth, but just to confirm a few things:

FusionAuth is very customizable. You should check out things like Lambdas, Webhooks and other various options.

FusionAuth can be self-hosted or can be hosted for you.

FusionAuth handles SAML, SCIM and other various integrations.

FusionAuth is very scalable and gives you great control with api acess and other mechanisms.

Depending on your needs, FusionAuth can be as easy to self host as spinning up a docker image to a full blown complex K8s deployment. It should fit your needs there.

While there is no direct migration guide for the product you are talking about, there are several other migration guides for you to look over that should give you an idea on how to do it.

Note that this functionality (logging in with a phone number) was delivered in 1.59.

More details here: https://fusionauth.io/blog/announcing-fusionauth-1-59

@manoj-patil said in We are getting ERROR org.primeframework.mvc.PrimeMVCRequestHandler - Error encountered:

t F ... 63 common frame

Under what circumstances and you receiving this error?

@mark-robustelli

We used Lambda to get audit and event logs from DB and put in CloudWatch

@chad-hurd Awesome that you got if figured out. Do you mind sharing what, specifically, was wrong with the setup? It may help others down the road.

FusionAuth doesn’t support uploading a CSV to retrieve last-login timestamps. However, you can do this efficiently with the Search for Users API and return lastLoginInstant for many users at once.

How to do it (batch via API)

Use the User Search endpoint
POST /api/user/search (set your X-FusionAuth-TenantId and Authorization headers).

Send an Elasticsearch query using terms to match a batch of emails/usernames, and read lastLoginInstant from each returned user:

{ "search": { "query": "{\"terms\":{\"email\":[\"a@example.com\",\"b@example.com\",\"c@example.com\"]}}", "numberOfResults": 500, "startRow": 0 } } Swap email for username if that’s what you have. If your list is large, chunk it (e.g., 200–500 logins per request) and paginate with startRow / numberOfResults. (Optional) Filter by last-login date with a range query on lastLoginInstant: { "search": { "query": "{\"range\":{\"lastLoginInstant\":{\"gte\":\"2025-10-01T00:00:00Z\"}}}" } }

You can also query by epoch millis if you prefer.

Map results
Each user object includes lastLoginInstant (epoch millis). Convert to your desired timezone/format in your script and write out a CSV.

Tips

If you need all users in a tenant (not just your list), you can search with a wildcard or a match-all query and page through results, then filter locally. For ongoing metrics, consider subscribing to user.login.success webhooks and recording last logins as they happen.

Docs:

Search for Users API (Elasticsearch): https://fusionauth.io/docs/apis/users#elasticsearch-search-engine

You can work around this by passing the IDs directly in your request. Here’s an example of how to structure the request correctly:

from fusionauth.fusionauth_client import FusionAuthClient api_key = 'your-fusionauth-api-key' base_url = 'https://your-fusionauth-instance.com' group_id = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' user_ids_to_remove = [ 'yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy', 'zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz' ] client = FusionAuthClient(api_key, base_url) member_delete_request = {'members': {group_id: user_ids_to_remove}} response = client.delete_group_members(member_delete_request) if response.was_successful(): print("Successfully removed users from group!") else: print(f"Error: {response.error_response}")

This approach correctly formats the request for the API to process and delete the specified users from the group.