FusionAuth version 1.46 shipped on June 19, 2023. This release improves the OIDC discovery endpoint when you have multiple tenants, enhances the Device grant, and includes a number of security fixes. And more!
All in all there are 26 issues, enhancements, and bug fixes included in the 1.46.0 release. As always, please see the release notes for a full breakdown of the changes between 1.45.3 and 1.46.0.
Security fixes
At FusionAuth, we take security very seriously. This release has a number of security improvements, including a fix for CAPTCHA bypass, mitigation of a potential directory traversal attack, and additional defensive validation on our self-service profile edit form.
We regularly obtain professional penetration testing and offer a bug bounty. Learn more about FusionAuth’s security programs.
FusionAuth discloses security findings to customers and users via email outreach with workarounds before publicizing the issue, as well as in our release notes. If you are already a FusionAuth customer and would like to be on the security announcement email list, log into account.fusionauth.io and ensure you have been assigned the security officer role.
Improvements to the OAuth2 Device grant
The Device grant allows you to authorize a device like a TV or a gaming console while entering credentials on a different device, such as a computer or phone. Learn more about the OAuth Device grant.
While FusionAuth has supported the Device grant since version 1.11.0, released on October 29th, 2019, this release improves the grant. In particular, you can bail out of our OAuth login flow and complete the grant later.
You now have more flexibility to create custom login flows but still use the Device grant. If you want to learn more about these new endpoints, please check out the Device grant documentation.
Tenants and the OIDC discovery endpoint
Oftentimes you can provide an OpenID Connect discovery endpoint to other software, such as oauth2-proxy. This endpoint, defined by the OpenID Connect specification, includes information about the OIDC server, including endpoints, supported claims, and supported signing algorithms.
Until this release, when there was a single FusionAuth tenant, the endpoint path was /.well-known/openid-configuration. The full URL would be something like https://auth.example.com/.well-known/openid-configuration.
Once you had two or more tenants, the path was appended with the tenant Id, so the path would look something like: /.well-known/openid-configuration/bafb4319-b7ca-ed27-fa2f-bbdba9d8ec06.
The tenant Id at the end of the path caused compatibility issues for some software. While you could work around this by not using discovery and instead manually entering the required metadata, automatic configurability is superior in the long-term.
With this release, the tenant Id can now be a prefix for the discovery endpoint, rather than a suffix as above. So the previous example, the OIDC discovery path would be /bafb4319-b7ca-ed27-fa2f-bbdba9d8ec06/.well-known/openid-configuration. Both locations for the tenant Id will continue to work, but you should prefer this one.
Each of the tenants listed below now has an improved OIDC endpoint:
The rest of it
As mentioned above, there were 26 issues, enhancements, and bug fixes included in this release. A selection of the included changes not covered above includes:
- Using the administrative user interface to update an Identity Provider with more than 6000 applications now works. Previously it could cause a database error.
- Tokens obtained using the Client Credentials grant can now be used with the OAuth2 Introspect endpoint.
- In order to make it easier to monitor, you can configure FusionAuth to allow unauthenticated access to
/api/statusand/api/prometheus/metricsAPIs from localhost. This will allow you to access these metrics via on-machine agents and roll them up to a tool such as Grafana.
Read more about all the changes in the release notes.
Upgrade at will
The release notes are a guide to the changes, fixes, and new features. Please read them carefully to see if any features you use have been modified or enhanced.
If you’d like to upgrade your self-hosted FusionAuth instance, see our upgrade guide.
If you have a FusionAuth Cloud deployment, proceed to the “Hosting” tab on your account dashboard and upgrade your instances. If you have any questions about the upgrade, please open a support ticket.
Or, if we’ve piqued your interest and you’d like to use FusionAuth, check out your options.
