See also https://fusionauth.io/community/forum/topic/2749/can-you-turn-off-captcha-for-certain-applications-in-a-tenant which has some workarounds.

@mark-robustelli I don't believe you can do this. I think @muditshukla3 was asking about CAPTCHA, not MFA.

The easiest thing to do is to store the value on the user.data object in the reconcile lambda, and then pull it off in the JWT populate lambda.

The JWT populate lambda will only be called if the authorization code grant is completed and an access token is generated, but you should be doing that in your application.

So what it looks like is:

• user visits your application
• user clicks 'login'
• user clicks 'login with OIDC'
• user authenticates
• user returned to FusionAuth
• reconcile lambda runs, setting values on user.data
• user object is created
• JWT populate lambda runs, pulling values from user.data and calling FusionAuth APIs to add user to a group or grant them permissions on an entity
• user object is updated, user exists in FusionAuth

Suppose I have users who are going to federate into FusionAuth via another OIDC or SAML server. They are going to be created on demand. After they are created, I want to use Lambda HTTP Connect to call into FusionAuth to add them to a group, register them for an application or otherwise manipulate their account based on attributes from the remote identity store.

I tried to do that in the OIDC reconcile lambda, but the user isn't created yet, so I can't, for example, add them to a group or grant them permissions on an entity.

What is the best way to solve this?

For future readers, there's an open GH issue here to better support iframes: https://github.com/FusionAuth/fusionauth-issues/issues/2830

Please add your use cases, upvotes and comments there.

Yes. You can do this with the API:

curl -H 'Authorization: ...' https://yourinstance.fusionauth.io/api/webauthn\?userId=00000000-0000-0000-0000-000000000001  > out

Then remove the following:

• id
• insertInstant
• lastUsedInstant
• tenantId

update the userId

And use the import call:

 curl -H 'X-FusionAuth-TenantId: newtenantid' -H 'Authorization: ...' https://yourinstance.fusionauth.io/api/webauthn/import -H 'Content-type:application/json' -d '{...}'

I want to let a user log in to one tenant using passkeys.

Then, later, I want to move them to another tenant.

Can I migrate their passkey information as well?

Right now you cannot turn off CAPTCHA for certain applications to handle this use case.

There's an open GH issue to address this. Please upvote or share your use case on there if you have thoughts.

I want to turn off CAPTCHA for a given mobile application to make sure the app review process doesn't get impacted, but I want to retain CAPTCHA for the other applications in that tenant.

As of writing, there is no direct support for push notifications as an MFA method in FusionAuth. If you would like such support, please open a feature request with more details about your use case.

However, you should be able to build something that sends a code via a push notification. Here's how to do that. (This requires a Starter, Essentials or Enterprise plan.)

This illustrates how to do this using the hosted login pages; if you use the APIs, it's a slightly different workflow, as outlined in the MFA guide.

• configure FusionAuth to require a phone number when the user registers
• set up your android or ios device to send back the device id when the app is installed
• tie the device id to the user's phone number in your backend system
• set up a generic messenger. The messenger will send a phone number and a message when an MFA challenge occurs.
• look up the device id from the phone number in your system
• use the appropriate service to send a push notification with the code
• have the user enter the code in the MFA challenge screen