## FusionAuth.io Full Documentation # Migrate from Inversoft Passport to FusionAuth import Aside from 'src/components/Aside.astro'; import Breadcrumb from 'src/components/Breadcrumb.astro'; ## Overview If you are currently an Inversoft Passport customer and looking to move to FusionAuth you have come to the right place. Here you'll find important information on API changes, database upgrade procedures, etc. We have attempted to build an exhaustive list of changes you will need to be aware of, but please do plan to test your migration and ask for assistance from the FusionAuth team during your migration. The following sections are provided for you to review prior to upgrading to FusionAuth. ## Naming Changes In addition to the obvious change of Passport to FusionAuth, as you read through the documentation and update your integration be aware of the following name changes. _Name changes_ | Old name | New Name | Description | |------------------------|-----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Passport | FusionAuth | Passport is now known as FusionAuth | | passport.properties | fusionauth.properties | The Passport configuration file is now named `fusionauth.properties`. | | Passport Backend | FusionAuth App | The Passport Backend which refers to the webservice that services APIs and provides the UI is now referred as FusionAuth or FusionAuth App. | | passport-backend | fusionauth-app | The passport-backend which was the name of the package or bundle which contained the Passport Backend service will now be called fusionauth-app. | | Passport Search | FusionAuth Search | The Passport Search which refers to the webservice that provides search capability to FusionAuth is now referred to FusionAuth Search. | | passport-search-engine | fusionauth-search | The `passport-search-engine` which was the name of the package or bundle which contained the Passport Search Engine service will now be called `fusionauth-search`. | | X-Passport-TenantId | X-FusionAuth-TenantId | The `X-Passport-TenantId` which was used if you had configured more than one tenant to scope an API request to a particular tenant should be changed to `X-FusionAuth-TenantId`. | ## License Changes Because FusionAuth is no longer licensed in a traditional way, no license is required and no license checks are performed during a User create or Registration process. In Passport it was possible to receive a `402` status code indicating the license was expired or had exceeded the allocated usage, this response code will no longer be returned. ## Breaking Changes Review the following breaking changes when moving from Passport to FusionAuth. A breaking change means that compatibility has been broken and if your integration will break if you do not review the following changes and update your integration accordingly. ### API Changes * When the Search Engine service is down or un-reachable a new status code of `503` will be returned. Previously this error condition would have returned a `500` status code. * If you were passing the Tenant Id in an HTTP header, this header `X-Passport-TenantId` should now be provided as `X-FusionAuth-TenantId`. * Application API * Free form data is now available on the Application object, see `application.data` * Audit Log API * `auditLog.data.attributes` moved to `auditLog.data` * `auditLog.data.newValue` moved to `auditLog.newValue` * `auditLog.data.oldValue` moved to `auditLog.oldValue` * `auditLog.data.reason` moved to `auditLog.reason` * Group API * `group.data.attributes` moved to `group.data` * Group Member API * `groupMember.data.attributes` moved to `groupMember.data` * SystemConfiguration API * `systemConfiguration.failedAuthenticationUserActionId` moved to `systemConfiguration.failedAuthenticationConfiguration.userActionId` * `systemConfiguration.forgotEmailTemplateId` moved to `systemConfiguration.emailConfiguration.forgotPasswordEmailTemplateId` * `systemConfiguration.setPasswordEmailTemplateId` moved to `systemConfiguration.emailConfiguration.setPasswordEmailTemplateId` * `systemConfiguration.verificationEmailTemplateId` moved to `systemConfiguration.emailConfiguration.verificationEmailTemplateId` * `systemConfiguration.verifyEmail` moved to `systemConfiguration.emailConfiguration.verifyEmail` * `systemConfiguration.verifyEmailWhenChanged` moved to `systemConfiguration.emailConfiguration.verifyEmailWhenChanged` * Tenant API * `tenant.data.attributes` moved to `tenant.data` * `tenant.forgotEmailTemplateId` moved to `tenant.data` * `tenant.setPasswordEmailTemplateId` moved to `tenant.emailConfiguration.forgotPasswordEmailTemplateId` * `tenant.verificationEmailTemplateId` moved to `tenant.emailConfiguration.verificationEmailTemplateId` * `tenant.verifyEmail` moved to `tenant.emailConfiguration.verifyEmail` * `tenant.verifyEmailWhenChanged` moved to `tenant.emailConfiguration.verifyEmailWhenChanged` * User API * `user.data.attributes` moved to `user.data` * `user.data.preferredLanguages` moved to `user.preferredLanguages` * Removed `childIds` and `parentId` * User Registration API * `userRegistration.data.attributes` moved to `userRegistration.data` * `userRegistration.data.timezone` moved to `userRegistration.timezone` * `userRegistration.data.preferredLanguages` moved to `userRegistration.preferredLanguages` ### Email Templates The Forgot Email and Setup Password templates no longer support the `verificationId` replacement parameter. The `verificationId` replacement parameter was provided for backwards compatibility with older versions of Passport and has been removed in FusionAuth. Review your Forgot Password and Setup Password email templates and if you are using the replacement value `${verificationId}` in either the HTML or Text version of the template, replace it with `${changePasswordId}`. See [Email Templates](/docs/customize/email-and-messages/email-templates) for additional information. ### Client Libraries If you were using a Passport Client library please upgrade to the FusionAuth version. See [Client Libraries](/docs/sdks/) ### Removed Features * Parent and Child relationships between users was removed in FusionAuth. This feature is planned to be re-introduced with better support for a family structure and a more flexible relationship model. If you currently utilize this feature please contact the FusionAuth team for assistance. ## Database Migration Due to the data model changes that were made in FusionAuth your database schema will need to be updated. Please be aware that you Passport database MUST be upgraded to the latest version prior to migrating to FusionAuth. The latest Passport version is `1.22.4`, the easiest way to upgrade your schema is to install the latest version of Passport and start up the service and allow Maintenance Mode to upgrade your database for you. Once this is complete you may then run the migration script. ### MySQL The following is the MySQL database migration. Please ensure you fully test this migration or contact the FusionAuth team for assistance. ```sql -- Passport to FusionAuth -- Update the version. UPDATE version SET version = '1.0.0'; CREATE TABLE instance ( id BINARY(16) NOT NULL, support_id BINARY(16) NULL ) ENGINE = innodb CHARACTER SET utf8mb4 COLLATE utf8mb4_bin; -- Insert instance INSERT INTO instance(id) VALUES (random_bytes(16)); -- Rename the forgot password ALTER TABLE system_configuration CHANGE COLUMN forgot_email_templates_id forgot_password_email_templates_id BINARY(16) NULL; ALTER TABLE tenants CHANGE COLUMN forgot_email_templates_id forgot_password_email_templates_id BINARY(16) NULL; -- Delete the system_configuration columns (verify_email and verify_email_when_changed didn't make it through and need to be manually updated) UPDATE system_configuration SET data = JSON_INSERT(data, '$.data', CAST('{}' AS JSON)); UPDATE system_configuration SET data = JSON_INSERT(data, '$.emailConfiguration', CAST(email_configuration AS JSON)); UPDATE system_configuration SET data = JSON_INSERT(data, '$.emailConfiguration.verifyEmail', IF(verify_email = 1, TRUE, FALSE) IS TRUE); UPDATE system_configuration SET data = JSON_INSERT(data, '$.emailConfiguration.verifyEmailWhenChanged', IF(verify_email_when_changed = 1, TRUE, FALSE) IS TRUE); UPDATE system_configuration SET data = JSON_INSERT(data, '$.passwordValidationRules', CAST(password_validation_rules AS JSON)); ALTER TABLE system_configuration DROP COLUMN email_configuration, DROP COLUMN password_expiration_days, DROP COLUMN password_validation_rules, DROP COLUMN verify_email, DROP COLUMN verify_email_when_changed; -- Add timezone to registration ALTER TABLE user_registrations ADD COLUMN timezone VARCHAR(255) NULL; -- Delete parent/child relationships ALTER TABLE users DROP COLUMN parent_id, DROP COLUMN parental_consent_type; -- Clean up application (two cases because some old Applications might have a data column with the value '{}' only) UPDATE applications SET data = JSON_INSERT(data, '$.data', CAST('{}' AS JSON)); UPDATE applications SET data = JSON_INSERT(data, '$.cleanSpeakConfiguration', CAST(clean_speak_configuration AS JSON)); UPDATE applications SET data = JSON_INSERT(data, '$.oauthConfiguration', CAST(oauth_configuration AS JSON)); ALTER TABLE applications DROP COLUMN clean_speak_configuration, DROP COLUMN oauth_configuration; -- Fix the data column for audit_logs UPDATE audit_logs SET data = JSON_REMOVE(JSON_INSERT(data, '$.data', CAST(COALESCE(JSON_EXTRACT(data, '$.attributes'), '{}') AS JSON)), '$.attributes'); -- Fix the data column for groups UPDATE groups SET data = JSON_REMOVE(JSON_INSERT(data, '$.data', CAST(COALESCE(JSON_EXTRACT(data, '$.attributes'), '{}') AS JSON)), '$.attributes'); -- Fix the data column for group_members UPDATE group_members SET data = JSON_REMOVE(JSON_INSERT(data, '$.data', CAST(COALESCE(JSON_EXTRACT(data, '$.attributes'), '{}') AS JSON)), '$.attributes'); -- Fix the data column for users UPDATE users SET data = JSON_REMOVE(JSON_INSERT(data, '$.data', CAST(COALESCE(JSON_EXTRACT(data, '$.attributes'), '{}') AS JSON)), '$.attributes'); -- Fix the data column for user_registrations UPDATE user_registrations SET data = JSON_REMOVE(JSON_INSERT(data, '$.data', CAST(COALESCE(JSON_EXTRACT(data, '$.attributes'), '{}') AS JSON)), '$.attributes'); -- Fix the data column for tenants UPDATE tenants SET data = JSON_REMOVE(JSON_INSERT(data, '$.data', CAST(COALESCE(JSON_EXTRACT(data, '$.attributes'), '{}') AS JSON)), '$.attributes'); UPDATE tenants SET data = JSON_INSERT(data, '$.emailConfiguration.verifyEmail', COALESCE(JSON_EXTRACT(data, '$.verifyEmail'), FALSE)); UPDATE tenants SET data = JSON_INSERT(data, '$.emailConfiguration.verifyEmailWhenChanged', COALESCE(JSON_EXTRACT(data, '$.verifyEmailWhenChanged'), FALSE)); -- Fix the internal API key DELETE FROM authentication_keys WHERE id LIKE '__internal_%' AND meta_data LIKE '%"cacheReloader"%'; INSERT INTO authentication_keys(id, permissions, meta_data, tenants_id) VALUES (concat('__internal_', replace(to_base64(random_bytes(64)), '\n', '')), '{"endpoints": {"/api/cache/reload": ["POST"]}}', '{"attributes": {"internalCacheReloader": "true"}}', NULL); ``` ### PostgreSQL The following is the PostgreSQL database migration. Please ensure you fully test this migration or contact the FusionAuth team for assistance. ```sql \set ON_ERROR_STOP true -- Passport to FusionAuth -- Update the version. UPDATE version SET version = '1.0.0'; CREATE TABLE instance ( id UUID NOT NULL, support_id UUID NULL ); -- Insert instance INSERT INTO instance(id) VALUES (md5(random() :: TEXT || clock_timestamp() :: TEXT) :: UUID); -- Rename the forgot password ALTER TABLE system_configuration RENAME COLUMN forgot_email_templates_id TO forgot_password_email_templates_id; ALTER TABLE tenants RENAME COLUMN forgot_email_templates_id TO forgot_password_email_templates_id; -- Delete the system_configuration columns -- Delete the system_configuration columns (verify_email and verify_email_when_changed didn't make it through and need to be manually updated) UPDATE system_configuration SET data = JSONB_SET(data::JSONB, '{data}', '{}', TRUE); UPDATE system_configuration SET data = JSONB_SET(data::JSONB, '{emailConfiguration}', email_configuration::JSONB, TRUE); UPDATE system_configuration SET data = JSONB_SET(data::JSONB, '{emailConfiguration,verifyEmail}', TO_JSONB(verify_email), TRUE); UPDATE system_configuration SET data = JSONB_SET(data::JSONB, '{emailConfiguration,verifyEmailWhenChanged}', TO_JSONB(verify_email_when_changed), TRUE); UPDATE system_configuration SET data = JSONB_SET(data::JSONB, '{passwordValidationRules}', password_validation_rules::JSONB, TRUE); ALTER TABLE system_configuration DROP COLUMN email_configuration, DROP COLUMN password_expiration_days, DROP COLUMN password_validation_rules, DROP COLUMN verify_email, DROP COLUMN verify_email_when_changed; -- Add timezone to registration ALTER TABLE user_registrations ADD COLUMN timezone VARCHAR(255) NULL; -- Delete parent/child relationships ALTER TABLE users DROP COLUMN parent_id, DROP COLUMN parental_consent_type; -- Clean up application (two cases because some old Applications might have a data column with the value '{}' only) UPDATE applications SET data = JSONB_SET(data::JSONB, '{data}', '{}', TRUE); UPDATE applications SET data = JSONB_SET(data::JSONB, '{cleanSpeakConfiguration}', COALESCE(clean_speak_configuration, '{}')::JSONB, TRUE); UPDATE applications SET data = JSONB_SET(data::JSONB, '{oauthConfiguration}', COALESCE(oauth_configuration, '{}')::JSONB, TRUE); ALTER TABLE applications DROP COLUMN clean_speak_configuration, DROP COLUMN oauth_configuration; -- Fix the data column for audit_logs UPDATE audit_logs SET data = JSONB_SET(data::JSONB, '{data}', COALESCE(data::JSONB -> 'attributes', '{}')::JSONB, TRUE) - 'attributes'; -- Fix the data column for groups UPDATE groups SET data = JSONB_SET(data::JSONB, '{data}', COALESCE(data::JSONB -> 'attributes', '{}')::JSONB, TRUE) - 'attributes'; -- Fix the data column for group_members UPDATE group_members SET data = JSONB_SET(data::JSONB, '{data}', COALESCE(data::JSONB -> 'attributes', '{}')::JSONB, TRUE) - 'attributes'; -- Fix the data column for users UPDATE users SET data = JSONB_SET(data::JSONB, '{data}', COALESCE(data::JSONB -> 'attributes', '{}')::JSONB, TRUE) - 'attributes'; -- Fix the data column for user_registrations UPDATE user_registrations SET data = JSONB_SET(data::JSONB, '{data}', COALESCE(data::JSONB -> 'attributes', '{}')::JSONB, TRUE) - 'attributes'; -- Fix the data column for tenants UPDATE tenants SET data = JSONB_SET(data::JSONB, '{data}', COALESCE(data::JSONB -> 'data' -> 'attributes', '{}')::JSONB, TRUE) #- '{data,attributes}'; UPDATE tenants SET data = JSONB_SET(data::JSONB, '{emailConfiguration,verifyEmail}', COALESCE(data::JSONB -> 'verifyEmail', TO_JSONB(FALSE)), TRUE); UPDATE tenants SET data = JSONB_SET(data::JSONB, '{emailConfiguration,verifyEmailWhenChanged}', COALESCE(data::JSONB -> 'verifyEmailWhenChanged', TO_JSONB(FALSE)), TRUE); -- Fix the internal API key DELETE FROM authentication_keys WHERE id LIKE '__internal_%' AND meta_data LIKE '%"cacheReloader"%'; INSERT INTO authentication_keys(id, permissions, meta_data, tenants_id) VALUES ('__internal_' || replace( encode(md5(random()::TEXT || clock_timestamp()::TEXT)::BYTEA || md5(random()::TEXT || clock_timestamp()::TEXT)::BYTEA, 'base64'), E'\n', ''), '{"endpoints": {"/api/cache/reload": ["POST"]}}', '{"attributes": {"internalCacheReloader": "true"}}', NULL); ``` ## Migration Summary The following is a summary of the steps required to migration to FusionAuth and is provided as a guidelines to assist you in performing the migration steps in the correct order. 1. Review all documented changes in this guide 2. Make a backup of your database 3. Upgrade Passport to the latest version. 4. Install the latest version of FusionAuth 5. Review and migrate settings from `passport.properties` to `fusionauth.properties`. You may have other settings that require migration in addition to the following. - `database.url` - `database.username` - `database.password` - `passport-search-engine.memory` is now `fusionauth-search.memory` - `passport-backend.memory` is now `fusionauth-app.memory` 6. Run the SQL migration found above 7. Start FusionAuth and bring up the UI and complete maintenance mode, you will be prompted to do the following steps: - Upgrade the db schema - Create search index 8. Once logged into FusionAuth rebuild the Elasticsearch index - Navigate to System -> Reindex. 9. Review your configuration in FusionAuth for accuracy. # FusionAuth CLI import InlineField from 'src/components/InlineField.astro'; The FusionAuth command line interface (CLI) tool allows you to manipulate FusionAuth from the command line. The focus of the CLI is on allowing easy management of commonly modified customization code and markup, such as emails, themes or lambdas. It is not a full featured replacement for any of the [client libraries](/docs/sdks/), which wrap all of the API. ## Prerequisites The CLI tool requires node. It's tested with version 19 but should work with modern versions of node. ## Installation You can install this tool using `npm`. ``` npm i -g @fusionauth/cli ``` ## Functionality This tool allows you to easily retrieve and publish FusionAuth configurations from the command line. This includes: * emails * lambdas * themes The CLI is designed to work with complex version controlled configuration and includes support for localized content. ## Usage Currently, the CLI supports the following commands: - Emails - `fusionauth email:download` - Download a specific template or all email templates from a FusionAuth server. - `fusionauth email:duplicate` - Duplicate an email template locally. - `fusionauth email:html-to-text` - Convert HTML email templates to text, where the text template is missing. - `fusionauth email:upload` - Upload a specific template or all email templates to a FusionAuth server. - `fusionauth email:watch` - Watch the email template directory and upload changes to a FusionAuth server. - `fusionauth email:create` - Create a new email template locally. - Lambdas - `fusionauth lambda:create` - Upload a lambda to a FusionAuth server. - `fusionauth lambda:delete` - Delete a lambda from a FusionAuth server. - `fusionauth lambda:retrieve` - Download a lambda from a FusionAuth server. - Themes - `fusionauth theme:download` - Download a theme from a FusionAuth server. - `fusionauth theme:upload` - Upload a theme to a FusionAuth server. - `fusionauth theme:watch` - Watch a theme directory and upload changes to a FusionAuth server. ## Examples ``` fusionauth theme:download -k # modify your theme fusionauth theme:upload -k ``` To learn more about the commands, use the `--help` switch. ``` fusionauth --help ``` ## Updating To update to the most recent version, use `npm update`. ``` npm update -g @fusionauth/cli ``` ## Source Code The FusionAuth CLI is open source and we welcome pull requests. You can [view the source code](https://github.com/FusionAuth/fusionauth-node-cli) and [the npm package](https://www.npmjs.com/package/@fusionauth/cli). # Getting Started import LoginBefore from 'src/diagrams/quickstarts/login-before.astro'; import LoginAfter from 'src/diagrams/quickstarts/login-after.astro'; import Aside from 'src/components/Aside.astro'; ## Introduction FusionAuth is a modern platform for Customer Identity and Access Management (CIAM). FusionAuth provides APIs and a responsive web user interface to support login, registration, localized email, multi-factor authentication, reporting and much more. If you're looking for employee login or a replacement for Active Directory - you may be in the wrong place. While FusionAuth can be used for nearly any application, we do not offer native desktop integration and replacing Active Directory is not on our roadmap. However, if you're looking for a solution to manage end users that can perform at scale, then keep reading. Here's a typical application login flow before FusionAuth. And here's the same application login flow when FusionAuth is introduced. ## Core Concepts Legacy identity technologies have complex hierarchy and cryptic terminology like realms, principals, subjects and distinguished names. In order to simplify something perceived to be complex, the best approach is to go back to the basics, to the atomic elements and throw everything else away. When we built FusionAuth we took the back to basics approach. We identified two atomic elements of identify, Users and Applications. Everyone has Users, and Users need to be authenticated to Applications. For this reason FusionAuth is built upon four core elements: * Users - someone that can log into things * Applications - things that Users log into * Registrations - the connection between a User and an Application they have access to * Tenants - A way to logically isolate Applications, Users and Registrations ### Users A user is uniquely identified in any particular tenant by an email address or username. [Learn more.](/docs/get-started/core-concepts/users) ### Applications A FusionAuth Application represents an authenticated resource such as a web application, mobile application or any other application that requires authenticated users. A FusionAuth Application is defined by a name and a set of Roles. [Learn more.](/docs/get-started/core-concepts/applications) ### Registrations A User can be registered to one or more FusionAuth Applications. A User Registration can define one to many Application Roles. [Learn more.](/docs/get-started/core-concepts/registrations) ### Tenants Tenants are way to separate Users, Applications and Registrations into separate containers. Inside a Tenant, you can define any number of Users, Applications and Registrations. Across Tenants, you can define duplicate Applications, Users and Registrations. For example, you might have two Tenants and inside both Tenants you might have an Application named `Web Based Payroll` and a User with the email address `john@piedpiper.com`. Each of these Users might have a Registration to the `Web Based Payroll` Application. And finally, each of these Users might have different passwords and data. [Learn more.](/docs/get-started/core-concepts/tenants) ## Getting Started First you will need to install and configure FusionAuth before starting your integration. Here are some links to get you started: ### Quick Start * [5-Minute Setup Guide](/docs/quickstarts/5-minute-setup-guide) * [Register a User and Login](/docs/lifecycle/register-users/register-user-login-api) * [Self-service Registration](/docs/lifecycle/register-users/basic-registration-forms) * [Common Configuration](/docs/get-started/run-in-the-cloud/common-configuration) ### Install Options * [FastPath Install](/docs/get-started/download-and-install/fast-path) * [Docker](/docs/get-started/download-and-install/docker) * [Package Installation](/docs/get-started/download-and-install/fusionauth-app) * [All Options](/docs/get-started/download-and-install) ### Create a User and call an API * [Register a User and Login](/docs/lifecycle/register-users/register-user-login-api) * [API Docs](/docs/apis/) # Lifecycle Overview There's a lifecycle for CIAM users: * Users must get into your identity store somehow. You can [migrate them to the new system](/docs/lifecycle/migrate-users) if they exist elsewhere, you can create them via APIs or federation, or they must [self-register](/docs/lifecycle/register-users). * After users are in the CIAM system, they need to [authenticate, log in or sign in](/docs/lifecycle/authenticate-users) (these all mean the same thing). This includes all manner of authentication methods: * passwordless options such as passkeys and magic links * Identity Providers such as Google or Facebook * SAML and OIDC federation * and more * User profile data also needs to be [managed over time](/docs/lifecycle/manage-users). Functionality for this part of the lifecycle includes forms used by customer service reps, self-service account/profile management, searching to extract user data in bulk, and verifying users. * Finally, users are sometimes deprovisioned. In FusionAuth this is done by locking user accounts by [deactivating or deleting users](/docs/apis/users#delete-a-user). The documentation in this section explain FusionAuth's functionality and how it can help with each of these parts of the lifecycle. # Authentication Types import AuthenticationTypes from 'src/content/docs/_shared/authentication-type-values.astro'; FusionAuth supports authentication in many different ways. These are the methods that are available. These authentication type values are available in [webhook payloads](/docs/extend/events-and-webhooks/events/user-login-success), [OAuth tokens](/docs/lifecycle/authenticate-users/oauth/tokens) and for use with a [login validation lambda](/docs/extend/code/lambdas/login-validation). # Archived Release Notes import Breadcrumb from 'src/components/Breadcrumb.astro'; import DatabaseMigrationWarning from 'src/components/docs/release-notes/DatabaseMigrationWarning.mdx'; import GeneralMigrationWarning from 'src/components/docs/release-notes/GeneralMigrationWarning.astro'; import GeneralUpgradeInfo from 'src/components/docs/release-notes/GeneralUpgradeInfo.mdx'; import InlineField from 'src/components/InlineField.astro'; import ReleaseNoteHeading from 'src/components/docs/release-notes/ReleaseNoteHeading.astro'; import ReleaseNotesSelector from 'src/components/docs/release-notes/ReleaseNotesSelector.astro'; import SearchIndexWarning from 'src/components/docs/release-notes/SearchIndexWarning.mdx'; Looking for release notes newer than 1.43.2? Look at the latest [release notes](/docs/release-notes/). ### Changed * The User and User Registration APIs will now restrict `user.preferredLanguages` and `registration.preferredLanguages` to a maximum of `20` values. Additionally each value can be no longer than `24` characters. This change is not expected to impact any existing integrations. Do let us know if you have a use case that is not compatible with this change. ### Fixed * When an event fails to be sent to a Kafka topic, do not attempt to send an `event-log.create` event that results from the failed request. Correct an edge case that exists where an `event-log.create` event fails to be sent to a Kafka topic, and this error causes another `event-log.create` event to be triggered. * Resolves [GitHub Issue #2362](https://github.com/FusionAuth/fusionauth-issues/issues/2362) * Limit the length of a valid value for `user.preferredLanguages` and `registration.preferredLanguages` to a maximum of `24` characters, and restrict the total number of values to `20` or less. * Resolves [GitHub Issue #2363](https://github.com/FusionAuth/fusionauth-issues/issues/2363) ### Internal * Reduce Kafka logging to make it much less noisy at runtime * Resolves [GitHub Issue #2359](https://github.com/FusionAuth/fusionauth-issues/issues/2359) ### Fixed * Correct a potential FreeMarker render error caused by a missing CSRF token when performing an SAML v2 IdP initiated login to the FusionAuth admin UI. This error is a side effect of the caller not requesting the `scope=offline_access` parameter. With this fix, you should no longer encounter the error, and the `offline_access` scope is now optional on the request. A workaround is to request the `offline_access` scope. * Resolves [GitHub Issue #2125](https://github.com/FusionAuth/fusionauth-issues/issues/2125) ### Known Issues * Creating a new application from another application with `sourceApplicationId` returns a `500` error when the source application has SAML v2 enabled and configured. If you have not configured SAML v2, you will not be affected by this issue. Workaround is to call Create Application API without the `sourceApplicationId` parameter and supply all the parameters copied from the source application. * Resolved in `1.44.0` via [GitHub Issue #2118](https://github.com/FusionAuth/fusionauth-issues/issues/2118). ### Fixed * Support importing an x.509 certificate with a private key into KeyMaster in the admin UI. * Resolves [GitHub Issue #1805](https://github.com/FusionAuth/fusionauth-issues/issues/1805), thanks to [@konvergence](https://github.com/konvergence) for reporting! * When using the Forgot Password workflow on the FusionAuth login page with a user without an email address, the page would refresh instead of redirecting to the success screen indicating an email had been sent. * Resolves [GitHub Issue #1809](https://github.com/FusionAuth/fusionauth-issues/issues/1809), thanks to one of our MVPs [@epbensimpson](https://github.com/epbensimpson) for letting us know. * The Change Password API was incorrectly failing indicating a Trust Token was required even when provided if the user has MFA enabled. * Resolves [GitHub Issue #1909](https://github.com/FusionAuth/fusionauth-issues/issues/1909), thanks to [@timyourivh](https://github.com/timyourivh) for the report! * Ensure that we correctly terminate an SSO session when beginning a new passwordless login flow with a different user in the same browser. * Resolves [GitHub Issue #1912](https://github.com/FusionAuth/fusionauth-issues/issues/1912) * Fix various limitations with adding a consent to a self-service account form. * Resolves [GitHub Issue #1920](https://github.com/FusionAuth/fusionauth-issues/issues/1920) * An error may occur when logging into the FusionAuth admin UI with an IdP initiated request from a SAML v2 IdP. * Resolves [GitHub Issue #1941](https://github.com/FusionAuth/fusionauth-issues/issues/1941), thanks to [@jon-at-advarra](https://github.com/jon-at-advarra) for filing the bug! * An error may occur when logging into the FusionAuth admin UI with an IdP initiated request from a SAML v2 IdP and then navigating to your own profile page. * Resolves [GitHub Issue #1976](https://github.com/FusionAuth/fusionauth-issues/issues/1976), thanks to [@jon-at-advarra](https://github.com/jon-at-advarra), this was a great edge case. * When taking a User Action, the duration is localized for the event. The localization is only available for a fixed number of locales. When an un-supported locale, such as Serbian is requested, an exception will occur. This has been fixed to avoid the exception, and if an un-supported Locale is requested, English will be used as the default. * Resolves [GitHub Issue #1978](https://github.com/FusionAuth/fusionauth-issues/issues/1978) * When sending a test event to verify the Kafka configuration, the topic was not being validated as required. * Resolves [GitHub Issue #1985](https://github.com/FusionAuth/fusionauth-issues/issues/1985), thanks to [@sixhobbits](https://github.com/sixhobbits), nice catch! * When completing the forgot password workflow using the FusionAuth themed pages outside of an OAuth context, you may receive an error that says `Oops. It looks like you've gotten here by accident.`. * Resolves [GitHub Issue #1989](https://github.com/FusionAuth/fusionauth-issues/issues/1989) * Update the Email Template preview in the view dialog to be consistent with the preview in the edit page. * Resolves [GitHub Issue #2007](https://github.com/FusionAuth/fusionauth-issues/issues/2007), thanks to [@lancegliser](https://github.com/lancegliser) for pointing this out! * Restrict the Two Factor Trust during a Change Password request to be used for the workflow that started the request. * Resolves [GitHub Issue #2010](https://github.com/FusionAuth/fusionauth-issues/issues/2010) * Fix the edit Form Field in the FusionAuth admin UI for a consent field. * Resolves [GitHub Issue #2026](https://github.com/FusionAuth/fusionauth-issues/issues/2026) * Using password reset to unlock account may not work when MFA is enabled for the user. This is a bug in this new feature that was added in version `1.42.0`. * Resolves [GitHub Issue #2032](https://github.com/FusionAuth/fusionauth-issues/issues/2032) ### Enhancements * Additional configuration for the Apple IdP to support login from Mobile and Desktop. * Resolves [GitHub Issue #778](https://github.com/FusionAuth/fusionauth-issues/issues/778), thanks to [@johnmaia](https://github.com/johnmaia) for his persistence! * Resolves [GitHub Issue #1248](https://github.com/FusionAuth/fusionauth-issues/issues/1248), thanks to [@Brunom50](https://github.com/Brunom50) to documenting this limitation. * Update the System Log viewer in the FusionAuth admin UI to order logs for easier viewing pleasure. * Resolves [GitHub Issue #1612](https://github.com/FusionAuth/fusionauth-issues/issues/1612) * Allow Forgot Password API usage when the Forgot Password Email template is not configured if `sendForgotPasswordEmail` is `false`. * Resolves [GitHub Issue #1735](https://github.com/FusionAuth/fusionauth-issues/issues/1735), thanks to [@epbensimpson](https://github.com/epbensimpson) for the suggestion. * Provide better developer feedback on the Change Password API when using an API key. * Resolves [GitHub Issue #1897](https://github.com/FusionAuth/fusionauth-issues/issues/1897), thanks to [@sujkattimani](https://github.com/sujkattimani) for the feedback! * Allow the SAML v2 IdP to be used for both SP and IdP initiated login. Previously to utilize SP and IdP initiated login for the same SAML v2 IdP, you would have to create two separate configurations. It is still recommended to use the separate SAML v2 IdP initiated configuration if you will not be using an SP initiated login. * Resolves [GitHub Issue #1900](https://github.com/FusionAuth/fusionauth-issues/issues/1900), thanks to [@leesmith110](https://github.com/leesmith110) for opening the issue and providing us so much valuable feedback. * Support for PostgreSQL 15 * Resolves [GitHub Issue #1944](https://github.com/FusionAuth/fusionauth-issues/issues/1944) * Resolves [GitHub Issue #2015](https://github.com/FusionAuth/fusionauth-issues/issues/2015) * Add an option to include archived logs in gzip format on the System Log Download API. This will be the default when downloading the logs in the FusionAuth admin UI. * Resolves [GitHub Issue #1942](https://github.com/FusionAuth/fusionauth-issues/issues/1942) * Allow the login hint that is passed to a 3rd Party SAML v2 IdP to be configured. Previously this was always `login_hint`, but Azure will expect `username`, this can now be configured. * Resolves [GitHub Issue #1946](https://github.com/FusionAuth/fusionauth-issues/issues/1946) * Add `sourceApplicationId` to the Application API to create an app from an existing Application to copy settings. This allows you to more easily use a single Application as a template, or to just make a copy. * Resolves [GitHub Issue #1957](https://github.com/FusionAuth/fusionauth-issues/issues/1957) * Ship default email templates for Add and Remove Multi-Factor methods. * Resolves [GitHub Issue #1993](https://github.com/FusionAuth/fusionauth-issues/issues/1993) * Add additional SAML IdP config to allow advanced assertion capabilities such as allow any destination, or alternate values. This is sort of a dangerous power user feature, but can be useful when migrating IdP configurations into FusionAuth w/out requiring each IdP to update their ACS. * Resolves [GitHub Issue #1995](https://github.com/FusionAuth/fusionauth-issues/issues/1995) * Add additional detail to the edit registration form in the FusionAuth admin UI so you know which user you are editing. Seemed like a good idea. * Resolves [GitHub Issue #2045](https://github.com/FusionAuth/fusionauth-issues/issues/2045) * Do not validate `Content-Type` when a payload has not been provided. * Resolves [GitHub Issue #2085](https://github.com/FusionAuth/fusionauth-issues/issues/2085) ### New * Support for wild cards in OAuth2 Authorized Origin and Authorized Redirect URL configurations. Use with caution - but have fun with it! * Resolves [GitHub Issue #437](https://github.com/FusionAuth/fusionauth-issues/issues/437). This one has been a long time coming, and we really appreciate all of the feedback and suggestions on this issue. In chronological order, thank you to [@SeanStayn](https://github.com/SeanStayn), [@Jank1310](https://github.com/Jank1310), [@JuliusPC](https://github.com/JuliusPC), [@dystopiandev](https://github.com/dystopiandev), [@alessandrojcm](https://github.com/alessandrojcm), [@sjmog](https://github.com/sjmog), [@huysentruitw](https://github.com/huysentruitw) and [@mdnadm](https://github.com/mdnadm). * Support for native TLS configuration in the FusionAuth HTTP server without the requirement to use a proxy with TLS termination. * Resolves [GitHub Issue #1996](https://github.com/FusionAuth/fusionauth-issues/issues/1996) * Add support for `salted-pbkdf2-hmac-sha512-512` password hash algorithm. * See [Salted PBKDF2 HMAC SHA-512](/docs/reference/password-hashes#salted-pbkdf2-hmac-sha-512) for additional details. * Resolves [GitHub Issue #2054](https://github.com/FusionAuth/fusionauth-issues/issues/2054) ### Fixed * A regression error in version `1.42.0` may cause a user to no longer be able to login after a successful login. In order to encounter this bug, you must have your tenant configured to re-hash passwords on login, and have a user login when their password encryption scheme or factor that does not match the configured tenant defaults. If you may have this type of configuration, please do not upgrade to version `1.42.0` and instead upgrade directly to this version. * Resolves [GitHub Issue #2043](https://github.com/FusionAuth/fusionauth-issues/issues/2043) ### Known Issues * In this release, you may now create a policy to allow a user to unlock their account after too many failed login attempts by completing a forgot password workflow. A bug was identified in this new feature that may cause this workflow to fail if the user also has 2FA enabled. * Resolved in `1.43.0` via [GitHub Issue #2032](https://github.com/FusionAuth/fusionauth-issues/issues/2032) * An error was introduced that may, after one successful login, cause subsequent logins to fail for a user. In order to encounter this bug, you must have your tenant configured to re-hash passwords on login, and have a user login when their password encryption scheme or factor that does not match the configured tenant defaults. If you may have this type of configuration, please do not upgrade to version `1.42.0` and instead upgrade directly to version `1.42.1`. * Resolved in `1.42.1` via [GitHub Issue #2043](https://github.com/FusionAuth/fusionauth-issues/issues/2043) ### Changed * When building a WebAuthn credential, the user's current email address or username will now be used as the credential name. Previously this value was generated to be unique to help the user identify multiple credentials. However, Safari on macOS and Edge on Windows may display this value to the end user, so this will no longer be generated but set to a value the user should recognize. * Resolves [GitHub Issue #1929](https://github.com/FusionAuth/fusionauth-issues/issues/1929) * New themed templates for enabling two-factor authentication during login. Please review your themes to ensure the new templates and localized messages are added. * `theme.templates.oauth2TwoFactorEnable -> /oauth2/two-factor-enable` * `theme.templates.oauth2TwoFactorEnableComplete -> /oauth2/two-factor-enable-complete` * Related [GitHub Issue #197](https://github.com/FusionAuth/fusionauth-issues/issues/197) ### Fixed * Minor WebAuthn related fixes. * Resolves [GitHub Issue #1979](https://github.com/FusionAuth/fusionauth-issues/issues/1979) * Resolves [GitHub Issue #1986](https://github.com/FusionAuth/fusionauth-issues/issues/1986) * When providing both the `entityId` and `userId` on the Entity Search API, an exception will occur. * Resolves [GitHub Issue #1883](https://github.com/FusionAuth/fusionauth-issues/issues/1883) * Remove SCIM endpoints from the API key configuration in the admin UI, these endpoints do not use API keys. * Resolves [GitHub Issue #1987](https://github.com/FusionAuth/fusionauth-issues/issues/1987) * Fix various rendering issues with the Theme preview in the admin UI * Resolves [GitHub Issue #1755](https://github.com/FusionAuth/fusionauth-issues/issues/1755), thanks to [Steve-MP](https://github.com/Steve-MP) for reporting! ### Enhancements * Allow a user to unlock their account after being locked due to too many failed authentication attempts by completing a password reset workflow. See the `Cancel action on password reset` in the Tenant configuration. `Tenants > Edit > Password > Failed authentication settings`. * Resolves [GitHub Issue #383](https://github.com/FusionAuth/fusionauth-issues/issues/383), thanks [@colingm](https://github.com/colingm) for the request, and [@davidmw](https://github.com/davidmw) and [@Jlintonjr](https://github.com/Jlintonjr) for the advice and feedback! * Use the existing tenant configuration for `modifyEncryptionSchemeOnLogin` to also update the hash when changed. * Resolves [GitHub Issue #1062](https://github.com/FusionAuth/fusionauth-issues/issues/1062) * Add additional configuration to the `Failed authentication settings` in the tenant configuration to optionally email the user when the configured action is also configured to allow emailing. * Resolves [GitHub Issue #1823](https://github.com/FusionAuth/fusionauth-issues/issues/1823) * Update the `System > About` panel in the admin UI to report OpenSearch when using OpenSearch instead of Elasticsearch. * Resolves [GitHub Issue #1982](https://github.com/FusionAuth/fusionauth-issues/issues/1982) ### New * Additional Multi-Factor policy option to require a user to enable multi-factor during login if not yet configured. See `Tenants > Edit > MFA > Policies > On login > Required.`. Application specific configuration can also be configured, see `Applications > Edit > MFA > Policies > On login > Required.`, using the application configuration requires an Enterprise plan. * Resolves [GitHub Issue #197](https://github.com/FusionAuth/fusionauth-issues/issues/197) * Allow refresh tokens to be revoked for a user when enabling two-factor authentication. See `Tenants > Edit > JWT > Refresh token settings > Refresh token revocation > On multi-factor enable`. * Resolves [GitHub Issue #1794](https://github.com/FusionAuth/fusionauth-issues/issues/1794) * A new lambda function can be assigned to perform custom validation for any step during a self-service registration. This feature is only available when using a custom form, and is not available when using basic self-service registration. This may be useful to perform advanced field validation, or to call a 3rd party API to perform additional identity verification. * Resolves [GitHub Issue #1833](https://github.com/FusionAuth/fusionauth-issues/issues/1833) ### Security * Mitigate a potential directory traversal attack. CloudFlare, AWS and similar cloud providers will generally block these requests by default. * Please note, FusionAuth Cloud customers are not vulnerable to this type of attack. ### Fixed * Allow licensed features such as SCIM or WebAuthn to be configured during kickstart. * Resolves [GitHub Issue #1969](https://github.com/FusionAuth/fusionauth-issues/issues/1969) ### Security * Remove the app template files from the classpath. * Resolves [GitHub Issue #1964](https://github.com/FusionAuth/fusionauth-issues/issues/1964), thanks to [@vtcdanh](https://github.com/vtcdanh) for reporting. ### Fixed * Improve synchronization of a user during a connector login. Specifically, allow previously obtained refresh tokens to be preserved during the user update procedures during a connector synchronization event. * Resolves [GitHub Issue #1907](https://github.com/FusionAuth/fusionauth-issues/issues/1907), thanks to [@yuezhou1998](https://github.com/yuezhou1998) for letting us know. * Allow for invalid language values to be provided in the `Accept-Language` HTTP request header. When an invalid language is provided, the `Accept-Language` header will be discarded. * Resolves [GitHub Issue #1958](https://github.com/FusionAuth/fusionauth-issues/issues/1958) * Better support for beginning a forgot password workflow using the API and completing the workflow in a themed page when a user also has 2FA enabled. * Resolves [GitHub Issue #1965](https://github.com/FusionAuth/fusionauth-issues/issues/1965) ### Known Issues * A change to the FusionAuth HTTP server may cause issues with reverse proxies that default upstream connections to `HTTP/1.0`. The HTTP server we are using no longer supports `HTTP/1.0`. We have identified that `nginx` defaults all upstream connections to `HTTP/1.0`, and the HTTP server we are using no longer supports `HTTP/1.0`. For `nginx` specifically, you will need to set the proxy version by adding `proxy_http_version 1.1;` to your proxy config. ### Security * Update `com.fasterxml.jackson.*` dependencies to version `2.14.0`. This update is proactive, there are no known exploits. See [CVE-2022-42003]([CVE-2022-42004](https://nvd.nist.gov/vuln/detail/CVE-2022-42003) and )(https://nvd.nist.gov/vuln/detail/CVE-2022-42004). * Resolves [GitHub Issue #1913](https://github.com/FusionAuth/fusionauth-issues/issues/1913) ### Changed * New themed pages added for WebAuthn. Please review your themes to ensure the new templates and localized messages are added. * See the [Theme](/docs/apis/themes) API and the [Theme](/docs/customize/look-and-feel/) documentation for additional details. Review the [Upgrading](/docs/customize/look-and-feel/advanced-theme-editor#upgrading) section for information on how to resolve potential breaking changes. * WebAuthn re-authentication requires a new hidden form field named `userVerifyingPlatformAuthenticatorAvailable` to detect compatible devices/browsers and prompt the user to register a passkey. You can view the default templates to determine in which form to insert this field into any customized templates. This field must be present on the following pages: * OAuth authorize * OAuth complete registration * OAuth passwordless * OAuth register * OAuth two-factor * OAuth WebAuthn (new) ### Fixed * Correct signature verification of a SAML v2 AuthN response after the certificate has been removed from Key Master. * Resolves [GitHub #1906](https://github.com/FusionAuth/fusionauth-issues/issues/1906) * An exception may be thrown when there are no keys to be returned from the `/api/jwt/public-key` when requesting keys by an `applicationId`. * Resolves [GitHub Issue #1918](https://github.com/FusionAuth/fusionauth-issues/issues/1918) * When using Firefox, using the SSO logout a zero byte file may be downloaded. * Resolves [GitHub Issue #1934](https://github.com/FusionAuth/fusionauth-issues/issues/1934) * When multiple webhooks are configured, and more than one webhook is configured to receive the `event-log.create` event, a failed webhook may cause an event loop. * Resolves [GitHub Issue #1945](https://github.com/FusionAuth/fusionauth-issues/issues/1945) * Correct deserialization of the `userType` and `title` fields in a SCIM resource. * Resolves [GitHub Issue #1954](https://github.com/FusionAuth/fusionauth-issues/issues/1954) ### Enhancements * Support passing the Assertion Consumer Service (ACS) in the `RelayState` query parameter. * Resolves [GitHub Issue #1785](https://github.com/FusionAuth/fusionauth-issues/issues/1785) * Support using an `appId` and `sessionTicket` to complete login with the Steam Identity Provider. * Resolves [GitHub Issue #1873](https://github.com/FusionAuth/fusionauth-issues/issues/1873) * Add back support for some legacy HTTP Servlet Request methods for use in themed templates. * Resolves [GitHub Issue #1904](https://github.com/FusionAuth/fusionauth-issues/issues/1904) ### New * WebAuthn! Passkeys, Touch ID, Face ID, Android fingerprint, Windows Hello! * Resolves [GitHub Issue #77](https://github.com/FusionAuth/fusionauth-issues/issues/77) * Allow users to be provisioned into the FusionAuth app using an IdP * Resolves [GitHub Issue #1915](https://github.com/FusionAuth/fusionauth-issues/issues/1915) * Allow FusionAuth to initiate a SAML v2 login request to a SAML v2 Service Provider. * Resolves [GitHub Issue #1927](https://github.com/FusionAuth/fusionauth-issues/issues/1927) ### Internal * Update the docker image to `ubuntu:jammy`. * Resolves [GitHub Issue #1936](https://github.com/FusionAuth/fusionauth-issues/issues/1936) * New HTTP server ### Fixed * A two-factor trust may expire early causing a user to be prompted to complete two-factor during login. This issue was introduced in version `1.37.0`. * Resolves [GitHub Issue #1905](https://github.com/FusionAuth/fusionauth-issues/issues/1905) ### Fixed * A SAML v2 IdP Initiated login request will fail if PKCE is configured as required. * Resolves [GitHub Issue #1800](https://github.com/FusionAuth/fusionauth-issues/issues/1800) * The path attribute in some cookies may be set to the request path instead of `/` which may affect a SAML v2 IdP initiated login request. * Resolves [GitHub Issue #1891](https://github.com/FusionAuth/fusionauth-issues/issues/1891) ### Enhancements * Support `Content-Type` in Kickstart when using `PATCH` request to support `application/json-patch+json` and `application/merge-patch+json`. * Resolves [GitHub Issue #1885](https://github.com/FusionAuth/fusionauth-issues/issues/1885) * Remove un-necessary logging when the `Content-Type` request header is invalid or unset. * Resolves [GitHub Issue #1895](https://github.com/FusionAuth/fusionauth-issues/issues/1895) ### Changed * If you are using MySQL or plan to use MySQL you will need to manually download the JDBC connector to allow FusionAuth to connect to a MySQL database. If you are using PostgreSQL, this change will not affect you. See the installation guide for additional information. We apologize in advance for the inconvenience this causes you, but the Oracle GPL licensing model makes it difficult for FusionAuth to easily delivery this capability. * Resolves [GitHub Issue #1862](https://github.com/FusionAuth/fusionauth-issues/issues/1862) ### Fixed * An exception may occur when you attempt to perform a `PATCH` request on a Group using a `roleId` that does not exist. * Resolves [GitHub Issue #1872](https://github.com/FusionAuth/fusionauth-issues/issues/1872) * URL escape the `identityProviderUser` in the admin UI to correctly build the View and Delete actions links. * Resolves [GitHub Issue #1882](https://github.com/FusionAuth/fusionauth-issues/issues/1882), thanks to one of our MVPs [@epbensimpson](https://github.com/epbensimpson) for letting us know and providing excellent recreation steps. ### Enhancements * Support changes to `user.active` for `PUT` or `PATCH` on the SCIM User or Enterprise User endpoints. * Resolves [GitHub Issue #1871](https://github.com/FusionAuth/fusionauth-issues/issues/1871) * Performance improvement for SAML v2 request parsing. * [GitHub Issue #1884](https://github.com/FusionAuth/fusionauth-issues/issues/1884) ### New * Native Windows support has been re-instated. We apologize for the gap in native Windows support, for those who have been waiting to upgrade since version `1.37.0` you may now upgrade with a native installer. Thank you for all of you who have voiced your opinions with how we are support a native Windows installation. * Resolves [GitHub Issue #1848](https://github.com/FusionAuth/fusionauth-issues/issues/1848) ### Fixed * When appending the `locale` request parameter on the Authorize request to pre-select the user's locale, the locale may still be incorrect for validation errors. For example, appending `locale=fr` will allow the initial render of the page to be localized in French when available. However, because the user did not manually modify the locale selector on the page, if the login fails due to a validation error, the error messages will be returned in the default locale which is generally English. * Resolves [GitHub Issue #1713](https://github.com/FusionAuth/fusionauth-issues/issues/1713) * Group application roles removed during a `PATCH` request to the Group API. * Resolves [GitHub Issue #1717](https://github.com/FusionAuth/fusionauth-issues/issues/1717), thank you to [@paul-fink-silvacom](https://github.com/paul-fink-silvacom) for raising the issue! * Corrections to the SAML v2 SP and IdP meta data. * The HTTP scheme was missing from the `entityID`. This issue was introduced in version `1.37.0`. * The `NameIdFormat` found in the SP meta data was always showing `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` regardless of the value configured in the SAML v2 IdP. * Resolves [GitHub Issue #1842](https://github.com/FusionAuth/fusionauth-issues/issues/1842) * The potential exists to see an exception in the FusionAuth system logs when the internal login record service runs. It is unlikely you will experience this error unless you have very large login volumes. * Resolves [GitHub Issue #1854](https://github.com/FusionAuth/fusionauth-issues/issues/1854) * There is the potential for the Elasticsearch index to become out of sync with respect to group memberships when groups are being deleted, or group members are being deleted from a group. * Resolves [GitHub Issue #1855](https://github.com/FusionAuth/fusionauth-issues/issues/1855) * Add missing support for `en_GB` time and data format support in the FusionAuth admin UI when setting your preferred locale to `en_GB`. * Resolves [GitHub Issue #1858](https://github.com/FusionAuth/fusionauth-issues/issues/1858), thanks to [@adambowen](https://github.com/adambowen) for bringing this to our attention. It wasn't our intention to force our friends in the United Kingdom 🇬🇧 to painfully read dates and times in the American 🇺🇸 format. Please accept our apologies. 😎 ### Enhancements * Better support for JSON Patch. Now supporting RFC 7386 `application/merge-patch+json` and RFC 6902 `application/json-patch+json`. Note that you may still make a request using the `PATCH` HTTP method using `application/json` and the current behavior should not be changed. All `patch*` methods found in the FusionAuth client libraries will still be using `application/json` for backwards compatibility. However, now that support for these new content types exists, we will be working to build support into our client libraries. * Resolves [GitHub Issue #441](https://github.com/FusionAuth/fusionauth-issues/issues/441) * Better developer feedback when the `Content-Type` request header is missing or incorrect. * Resolves [GitHub Issue #604](https://github.com/FusionAuth/fusionauth-issues/issues/604) * Additional SCIM support for the `PATCH` HTTP request method, and `filter` and `excludedAttributes` request attributes. The addition of these features allow the FusionAuth SCIM server to be compatible with Azure AD SCIM client and Okta SCIM client. The Group filter support has some limitations, see the [SCIM Group](/docs/apis/scim/scim-group#retrieve-a-group) API doc for additional details. * Resolves [GitHub Issue #1761](https://github.com/FusionAuth/fusionauth-issues/issues/1761) * Resolves [GitHub Issue #1791](https://github.com/FusionAuth/fusionauth-issues/issues/1791) * Add some missing message keys to default Theme message bundle. * Resolves [GitHub Issue #1839](https://github.com/FusionAuth/fusionauth-issues/issues/1839) * Remove an un-necessary db request when validating the user security scheme for a user in the FusionAuth admin UI. * Resolves [GitHub Issue #1856](https://github.com/FusionAuth/fusionauth-issues/issues/1856) ### Fixed * Static resources such as CSS and JS may be missing a `Content-Type` header which may cause a proxy using `X-Content-Type-Options: nosniff` to fail to load the resource. This issue was introduced in version `1.37.0`. * Resolves [GitHub Issue #1831](https://github.com/FusionAuth/fusionauth-issues/issues/1831), thanks to [@sinqinc](https://github.com/sinqinc) for reporting. * Resolves [GitHub Issue #1834](https://github.com/FusionAuth/fusionauth-issues/issues/1834), thanks to [@Aaron-Ritter](https://github.com/Aaron-Ritter) for reporting. * Fix a potential error issue caused by a webhook handler calling back to FusionAuth which may trigger another webhook event. This fix should also improve the performance when sending many events for webhooks. * Resolves [GitHub Issue #1836](https://github.com/FusionAuth/fusionauth-issues/issues/1836) * Correct behavior during login when both self-service registration and require registration features are enabled. This configuration may cause a user to be directed to the registration required page during login instead of being registered automatically. If you encounter this error, you may either upgrade or disable the require registration configuration. This appears to be a regression introduced in version `1.36.5`. * Resolves [GitHub Issue #1837](https://github.com/FusionAuth/fusionauth-issues/issues/1837) ### Fixed * Remove dead Tomcat files from Docker image * Resolves [GitHub Issue #1820](https://github.com/FusionAuth/fusionauth-issues/issues/1820), thanks to [@kevcube](https://github.com/kevcube) for letting us know! ### New * Group and Group Membership Webhooks * Resolves [GitHub Issue #633](https://github.com/FusionAuth/fusionauth-issues/issues/633), thanks to [@JLyne](https://github.com/JLyne), [@ric-sapasap](https://github.com/ric-sapasap) and [@rabshire](https://github.com/rabshire) for the feedback! * Resolves [GitHub Issue #1803](https://github.com/FusionAuth/fusionauth-issues/issues/1803), thanks to [@matthew-jump](https://github.com/matthew-jump) for making the request. ### Fixed * A regression error was introduced in version `1.37.0` that causes HTTP request headers to be malformed when being sent to a Webhook, Generic Messenger or a Generic Connector. * Resolves [GitHub Issue #1818](https://github.com/FusionAuth/fusionauth-issues/issues/1818) ### Enhancements * In version `1.37.0` you may now create a user in the FusionAuth admin UI optionally performing email verification. The UI controls and messaging have been enhanced to remove potential confusion. * Resolves [GitHub Issue #1819](https://github.com/FusionAuth/fusionauth-issues/issues/1819) ### Fixed * An exception may occur while trying to capture the debug log event during an authentication request using a Connector. * Resolves [GitHub Issue #1799](https://github.com/FusionAuth/fusionauth-issues/issues/1799) * When configuring a User Action to prevent login and using that event with the Failed Login configuration, if you configure the User Action to email the user, the email will not be sent. * Resolves [GitHub Issue #1801](https://github.com/FusionAuth/fusionauth-issues/issues/1801) * Kickstart fails because it does not wait for FusionAuth to complete startup. * Resolves [GitHub Issue #1816](https://github.com/FusionAuth/fusionauth-issues/issues/1816) * Creating an application in the FusionAuth admin UI may fail due to a licensing error if you do not have an Enterprise license. * Resolves [GitHub Issue #1817](https://github.com/FusionAuth/fusionauth-issues/issues/1817) ### Known Issues * Kickstart fails because it does not wait for FusionAuth to complete startup. * Resolved in version `1.37.1` via [GitHub Issue #1816](https://github.com/FusionAuth/fusionauth-issues/issues/1816) * Creating an application in the FusionAuth admin UI may fail due to a licensing error if you do not have an Enterprise license. * Resolved in version `1.37.1` via [GitHub Issue #1817](https://github.com/FusionAuth/fusionauth-issues/issues/1817) * A regression error was introduced in version `1.37.0` that causes HTTP request headers to be malformed when being sent to a Webhook, Generic Messenger or a Generic Connector. * Resolved in version `1.37.2` via [GitHub Issue #1818](https://github.com/FusionAuth/fusionauth-issues/issues/1818) * Static resources such as CSS and JS may be missing a `Content-Type` header which may cause a proxy using `X-Content-Type-Options: nosniff` to fail to load the resource. * Resolved in version `1.38.1` via [GitHub Issue #1831](https://github.com/FusionAuth/fusionauth-issues/issues/1831) * A two-factor trust may expire early causing a user to be prompted to complete two-factor during login. * Resolved in version `1.40.2` via [GitHub Issue #1905](https://github.com/FusionAuth/fusionauth-issues/issues/1905) * A theme issue may exist on a form action and may cause breaking changes when upgrading to this version. * If you are upgrading, please verify your theme files accurately create a form action. The following themes should be updated as follows: * OAuth authorize -> `action="/oauth2/authorize"` * Child registration not allowed -> `action="/oauth2/child-registration-not-allowed"` * OAuth passwordless -> `action="/oauth2/passwordless"` * OAuth register -> `action="/oauth2/register"` * OAuth two factor -> `action="/oauth2/two-factor"` * Change password form -> `action="/password/change"` * Forgot password -> `action="/password/forgot"` ### Security * Allow deprecated XML signature algorithms that were removed in Java 17. It is still not recommended that you use any of these legacy SHA1 algorithms, but if you are unable to utilize a modern algorithm, they will be allowed. * Resolves [GitHub Issue #1814](https://github.com/FusionAuth/fusionauth-issues/issues/1814) ### Changed * Windows install has been removed. Our strategy is to support Windows using [WSL 2](https://docs.microsoft.com/en-us/windows/wsl/about) with our provided Debian package. Please plan to utilize this strategy, and open a GitHub issue if you encounter issues with the installation. * Due to customer feedback, a native Windows installation option has been restored as of version `1.40.0`. * Webhooks are no longer configured as "All applications" or limited to a single Application. They are now scoped to one or more tenants. If you previously had multiple webhooks configured within the same tenant, but scoped to separate Applications you will want to review your configuration and filter events in your own Webhook handler by the `applicationId`. * Resolves [GitHub Issue #1812](https://github.com/FusionAuth/fusionauth-issues/issues/1812) * Deprecate Apache Tomcat specific configuration. See the [Configuration](/docs/reference/configuration) reference for additional detail. * `fusionauth-app.http.max-header-size` The default maximum size is now `64k`. * `fusionauth-app.http.cookie-same-site-policy` In most cases, cookies will be written using `SameSite=Lax`, and cookies used by the FusionAuth admin UI utilize `SameSite=Strict`. If you think there would be value in further customizing cookies by name, or security settings such as `SameSite`, please upvote [GitHub Issue #1414](https://github.com/FusionAuth/fusionauth-issues/issues/1414) and describe your intended use-case. * `fusionauth-app.management.port` This was an Apache Tomcat specific port that is no longer required. * `fusionauth-app.ajp.port` is now deprecated, this was an Apache Tomcat specific binary protocol used by Java applications. * `fusionauth-app.http.relaxed-path-chars` This option was not likely documented or in-use by anyone. * `fusionauth-app.http.relaxed-query-chars` This option was not likely documented or in-use by anyone. * FastPath and normal startup commands have changed. For example, starting FusionAuth based upon Apache Tomcat used `catalina.sh` or `catalina.bat`, the startup process will now use `start.sh`. See install documentation for more details. * When using the FusionAuth Docker image with MySQL, you will need to bundle the MySQL connector jar in the image, or add a layer to the stock FusionAuth image to ensure that `curl` is installed so that the MySQL connector jar can be downloaded it during startup. It is recommended that you build the connector into the image. See our example [Dockerfile](https://github.com/FusionAuth/fusionauth-containers/tree/main/docker/fusionauth/fusionauth-app-mysql) on GitHub for an example. ### Fixed * Add the appropriate feedback to the users when attempting to change an email during a gated email verification that is already in-use. * Resolves [GitHub Issue #1547](https://github.com/FusionAuth/fusionauth-issues/issues/1547) * Correct the validation when deleting a key from Key Master when in use by a de-activated application. * Resolves [GitHub Issue #1676](https://github.com/FusionAuth/fusionauth-issues/issues/1676) * Perform implicit email verification when enabled and a setup password email request is completed. * Resolves [GitHub Issue #1705](https://github.com/FusionAuth/fusionauth-issues/issues/1705) * Handle URL encoded characters in the user-information part of the URL when connecting to Elasticsearch. This allows a username or password to be provided in the URL that have been URL encoded. * Resolves [GitHub Issue #1745](https://github.com/FusionAuth/fusionauth-issues/issues/1745) * When using the Change Password workflow in the hosted login pages for a user that has enabled 2FA, if you are not adding the OAuth2 parameters found in the `state` on the Change Password link built in the email template an error may occur when the user tries to complete the workflow. * Resolves [GitHub Issue #1764](https://github.com/FusionAuth/fusionauth-issues/issues/1764) * The Refresh Token retrieve API and the Session tab in admin UI will no longer show expired refresh tokens. While the previous behavior was working as designed, it was confusing to some clients, and an admin was not able to manually remove expired tokens. * Resolves [GitHub Issue #1772](https://github.com/FusionAuth/fusionauth-issues/issues/1772) * Fix Lambda JS validation when using ES6 features with the GraalJS engine. * Resolves [GitHub Issue #1790](https://github.com/FusionAuth/fusionauth-issues/issues/1790), thanks to [@theogravity](https://github.com/theogravity) for reporting the issue! ### Enhancements * Administrative Email Verification using the API or FusionAuth admin UI. When creating a user in the admin UI, you may now optionally create the user with an un-verified email when Email verification is enabled. See the [Verify Email](/docs/apis/users#verify-a-users-email) API for additional details. * Resolves [GitHub Issue #1319](https://github.com/FusionAuth/fusionauth-issues/issues/1319) * The Oauth2 Logout does not log a user out of FusionAuth app if logging out of another application in the same default tenant. * Resolves [GitHub Issue #1699](https://github.com/FusionAuth/fusionauth-issues/issues/1699) * Updates to our initial SCIM Server implementation released in version `1.36.0`. * Resolves [GitHub Issue #1702](https://github.com/FusionAuth/fusionauth-issues/issues/1702) * Resolves [GitHub Issue #1703](https://github.com/FusionAuth/fusionauth-issues/issues/1703) * Better options to capture debug information when troubleshooting an SMTP connection issue. You no longer need to specify `mail.debug=true` in the advanced SMTP settings, and instead when enabling `debug` on the SMTP configuration a debug Event Log will be produced with the SMTP debug information. * Resolves [GitHub Issue #1743](https://github.com/FusionAuth/fusionauth-issues/issues/1743) * Support larger email templates on MySQL. Prior to this version the `TEXT` column data type was utilized which has a maximum size of `16k` in MySQL, now we are using `MEDIUMTEXT` which supports up to `16M`. * Resolves [GitHub #1788](https://github.com/FusionAuth/fusionauth-issues/issues/1788), thanks to [@darkeagle1337](https://github.com/darkeagle1337) for making the request! * Improvements to the OAuth2 Logout endpoint. This endpoint now correctly supports the `POST` method in addition to the `GET` method, and you may now use an expired `id_token` in the `id_token_hint` parameter. * Resolves [GitHub Issue #1792](https://github.com/FusionAuth/fusionauth-issues/issues/1792) * Webhooks are now scoped to one or more tenants. Webhooks will no longer receive all events, but only events for the configured tenants. There is still an option for "All tenants" if you still wish to preserve the previous behavior. * Resolves [GitHub Issue #1812](https://github.com/FusionAuth/fusionauth-issues/issues/1812) * Any API response that returns a Refresh Token will now also return a `refresh_token_id` when in OAuth2 or a `refreshTokenId` in all other APIs. This may be useful to identify a refresh token for revocation when using a one-time use Refresh Token. This identifier is the primary key of the Refresh Token and can be used by the Refresh Token API. * The Access Token will contain a new claim named `sid` which is the immutable identifier Refresh Token. This claim is not reserved, so it can be removed and will only be present when a refresh token is requested. This is different from the `sid` claim that is already returned in the `id_token`, that `sid` or Session Identifier is the SSO session identifier and is primarily used by FusionAuth to validate a logout request. * When available the Refresh Token is now returned in the `JWTRefreshTokenRevokeEvent` event in the `refreshToken` field. * The Login Ping API may now optionally take the request as a POST body. ### New * Application scoped Multi-Factor authentication. This feature allows an application choose to participate in Multi-Factor when enabled, and optionally specify a separate TTL for trust scoped to a single application. * Resolves [GitHub Issue #763](https://github.com/FusionAuth/fusionauth-issues/issues/763) * You may optionally disable the IdP linking strategy for an Identity Provider. This allows you to restrict any automatic linking and manage all IdP linking through the API. * Resolves [GitHub Issue #1551](https://github.com/FusionAuth/fusionauth-issues/issues/1551), thanks to [@epbensimpson](https://github.com/epbensimpson) for the suggestion. * Added `fusionauth-app.http.read-timeout` to the configuration to optionally set the maximum read timeout when making requests to FusionAuth. See the [Configuration](/docs/reference/configuration) reference for additional detail. ### Internal * Remove Apache Tomcat as the underlying application server, in favor of a more modern HTTP server based upon Netty. * Resolves [GitHub Issue #1671](https://github.com/FusionAuth/fusionauth-issues/issues/1671) ### Fixed * Fix the placeholder text in the entity grants search field. * Resolves [GitHub Issue #1774](https://github.com/FusionAuth/fusionauth-issues/issues/1774) * Correct the SCIM HTTP response code when a new resource is created to be `201`. * Resolves [GitHub Issue #1775](https://github.com/FusionAuth/fusionauth-issues/issues/1775) * Correct the SCIM HTTP response code when a duplicate resource is attempted to be created to be `409`. * Resolves [GitHub Issue #1776](https://github.com/FusionAuth/fusionauth-issues/issues/1776) ### Security * Ensure the provided `client_id` matches the Application represented by the Refresh Token when performing a Refresh grant. This is marked as a security fix because the intended design is to ensure the Refresh Token does indeed match the requested `client_id`. However, the risk is minimal due to the caller still being required to have a valid set of client credentials, and must still present a valid refresh token. * Resolves [GitHub Issue #1766](https://github.com/FusionAuth/fusionauth-issues/issues/1766) Thanks to [@gnarlium](https://github.com/gnarlium) for reporting the issue! ### Fixed * The initial "start" phase of a user action triggered by a failed login configuration is not sent. * Resolves [GitHub Issue #1654](https://github.com/FusionAuth/fusionauth-issues/issues/1654) * When a SAML v2 SP is using an HTTP redirect binding during the Logout request FusionAuth make fail to complete the logout request. * Resolves [GitHub Issue #1723](https://github.com/FusionAuth/fusionauth-issues/issues/1723) * A timing issue exists where under load of creating logins and then deleting applications programatically, a login record for a now deleted application may get stuck in the queue causing exceptions when attempting to write the record to the database. * Resolves [GitHub Issue #1765](https://github.com/FusionAuth/fusionauth-issues/issues/1765) * Correct the `Content-Type` HTTP response header returned from the SCIM endpoints. * Resolves [GitHub Issue #1769](https://github.com/FusionAuth/fusionauth-issues/issues/1769) ### Fixed * When using Rate Limiting for Failed logins, the user may be able to login successfully after being rate limited - but prior to the end of the configured time period. * Resolves [GitHub Issue #1758](https://github.com/FusionAuth/fusionauth-issues/issues/1758) * When using a JWT Populate lambda and modifying the default value of the `aud` claim to be an array instead of a string value, this token can no longer be used by the Introspect endpoint. This fix allows you to modify the `aud` claim to be an array, and it may be used with the Introspect endpoint as long as the requested `client_id` is contained in the `aud` claim. The OAuth2 Logout endpoint was also updated to allow this same `aud` modification to be using an `id_token` as the `id_token_hint`. When using this style of token as an `id_token_hint`, the first value in the `aud` claim that is equal to a FusionAuth application Id will be utilized. * Resolves [GitHub Issue #1759](https://github.com/FusionAuth/fusionauth-issues/issues/1759) ### Security * Upgrade Java to get the patch for [CVE-2022-21449](https://nvd.nist.gov/vuln/detail/CVE-2022-21449). Note that in version `1.36.4` FusionAuth manually patched this vulnerability. To ensure you are not vulnerable to this vulnerability, upgrade to FusionAuth version `1.36.4` or later, or discontinue use of the Elliptic Curve algorithm. * Resolves [GitHub Issue #1672](https://github.com/FusionAuth/fusionauth-issues/issues/1672) * Fix validation of the Oauth2 Logout endpoint when using the `post_logout_redirect` parameter. As [documented here](/docs/lifecycle/authenticate-users/oauth/endpoints#logout), you must ensure that any value for this parameter is in the Authorized URLs list for the application. This may be a breaking change if you do not. * Resolves [GitHub Issue #1750](https://github.com/FusionAuth/fusionauth-issues/issues/1750) ### Fixed * Fix a UI bug that caused the application column to show "Single sign-on" instead of the Application name in the Session tab of the user management panel. * Resolves [GitHub Issue #1706](https://github.com/FusionAuth/fusionauth-issues/issues/1706) * If you have enabled Two-Factor authentication and self-service registration, a user may not be routed to the Complete Registration step correctly after completing the Two-Factor challenge. * Resolves [GitHub Issue #1708](https://github.com/FusionAuth/fusionauth-issues/issues/1708), thanks to [@chimericdream](https://github.com/chimericdream) for reporting the issue! * The `displayName` property on the [Link a User](/docs/apis/identity-providers/links#link-a-user) API is ignored. This is a regression bug that was introduced in version `1.36.0`. * Resolves [GitHub Issue #1728](https://github.com/FusionAuth/fusionauth-issues/issues/1728) * A 3rd party Web Application Firewall such as CloudFlare may inject JavaScript into the `` element and this may cause a failure to properly initialize support for an Identity Provider such as Twitter. * Resolves [GitHub Issue #1731](https://github.com/FusionAuth/fusionauth-issues/issues/1731), thanks to [@atakane](https://github.com/atakane) for helping us track this one down! ### Internal * Upgrade to the latest Java 17 LTS. Upgraded from 17.0.1+12 to 17.0.3+7. * Resolves [GitHub Issue #1672](https://github.com/FusionAuth/fusionauth-issues/issues/1672) ### Security * Proactive patch for Java [CVE-2022-21449](https://nvd.nist.gov/vuln/detail/CVE-2022-21449). This release will patch the vulnerability described in the referenced CVE until we are able to release a version of FusionAuth using the upcoming patched release of Java. If you are not able to upgrade to this release, discontinue use of ECDSA keys in FusionAuth for JWT or SAML signing. * Resolves [GitHub Issue #1694](https://github.com/FusionAuth/fusionauth-issues/issues/1694) ### Fixed * An additional edge case was identified in the issue resolved by [GitHub Issue #1687](https://github.com/FusionAuth/fusionauth-issues/issues/1687). If you did encounter the issue resolved by [GitHub Issue #1687](https://github.com/FusionAuth/fusionauth-issues/issues/1687), you should plan to upgrade to this patch version so that you can fully utilize the new `auth_time` claim introduced in `1.36.0`. * Resolves [GitHub Issue #1688](https://github.com/FusionAuth/fusionauth-issues/issues/1688) ### Fixed * If you are using the `openid` scope which produces an `id_token`, and you utilize a 3rd party library that consumes the `id_token` to validate the signature, expiration or similar claims, the token may be incorrectly identified as expired. This is because after a refresh token is used to generate a new `id_token` the `auth_time` claim may have lost precision from the original value in the initial `id_token`. * Resolves [GitHub Issue #1687](https://github.com/FusionAuth/fusionauth-issues/issues/1687) ### Fixed * When building an entity grant in the UI for a user or other entity, the search results may contain entities from all tenants. If you attempt to select an entity in a tenant other than the tenant for which the user or entity belongs, an exception will occur. * Resolves [GitHub Issue #1579](https://github.com/FusionAuth/fusionauth-issues/issues/1579) * If you create an empty directory in the FusionAuth plugin directory, or create a directory that does not contain any FusionAuth plugin jars, and have other plugin jars in the root of the plugin directory, the legitimate plugin jar may not be loaded. If you encounter this problem, either remove the empty directories, or make the empty directories read only. * Resolves [GitHub Issue #1683](https://github.com/FusionAuth/fusionauth-issues/issues/1683) * If you are using the Client Credentials Grant and omit the permissions from the `target-entity:` scope, the expected permissions will not be returned as part of the access token claims. * Resolves [GitHub Issue #1686](https://github.com/FusionAuth/fusionauth-issues/issues/1686) ### Known Issues * If you create an empty directory in the FusionAuth plugin directory, or create a directory that does not contain any FusionAuth plugin jars, and have other plugin jars in the root of the plugin directory, the legitimate plugin jar may not be loaded. If you encounter this problem, either remove the empty directories, or make the empty directories read only. * This has been resolved in version `1.36.1`. * If you are using the Client Credentials Grant and omit the permissions from the `target-entity:` scope, the expected permissions will not be returned as part of the access token claims. * This has been resolved in version `1.36.1`. * If you are using the `openid` scope which produces an `id_token`, and you utilize a 3rd party library that consumes the `id_token` to validate the signature, expiration or similar claims, the token may be incorrectly identified as expired. This is because after a refresh token is used to generate a new `id_token` the `auth_time` claim may have lost precision from the original value in the initial `id_token`. * This has been resolved in version `1.36.3`. ### Security * Ensure that the Change Password identifier is revoked if an API is used to change a user's password after the user has initiated a change password request. * Resolves [GitHub Issue #1632](https://github.com/FusionAuth/fusionauth-issues/issues/1632) ### Changed * The JWT authorization method is no longer supported when using the `GET` method on the [Retrieve Refresh Tokens](/docs/apis/jwt#retrieve-refresh-tokens) API. * The reason for this potentially breaking change is due to concern of potential abuse. If you were previously using a JWT to authorize the request to the `GET` HTTP method, you will need to modify your integration to utilize an API key. See the [Retrieve Refresh Tokens](/docs/apis/jwt#retrieve-refresh-tokens) API for additional details. * Resolves [GitHub Issue #1646](https://github.com/FusionAuth/fusionauth-issues/issues/1646) * Updated reserved JWT claims by grant type. The `amr` claims is marked as reserved, and will be available in a future release. * Reserved for authorization code and implicit grant, `amr`, `exp`, `iat`, `sub` and `tid`. Only `amr` and `tid` are new for this release. * Reserved for Vending API `amr`, `exp` and `iat`. Only the `amr` claim is new for this release. * Reserved for Client Credentials grant, `amr`, `aud`, `exp`, `iat`, `permissions`, `sub` and `tid`. * Resolves [GitHub Issue #1669](https://github.com/FusionAuth/fusionauth-issues/issues/1669) ### Fixed * The requested `AssertionConsumerServiceURL` in a SAML v2 `AuthNRequest` is ignored and the first URL configured is used instead. * Resolves [GitHub Issue #1278](https://github.com/FusionAuth/fusionauth-issues/issues/1278), thanks to [@pakomp](https://github.com/pakomp) for letting us know! * Entities don't support the use of `:` in the permission name, this limitation has been removed. * Resolves [GitHub Issue #1480](https://github.com/FusionAuth/fusionauth-issues/issues/1480), thanks to [@matthewhartstonge](https://github.com/matthewhartstonge) for the help! * An application role may not be immediately available to assign to a user after initial creation. This issue was due to some additional caching introduced in version `1.32.1`. * Resolves [GitHub Issue #1575](https://github.com/FusionAuth/fusionauth-issues/issues/1575) * The Password Grant response is missing the Two Factor Method Ids when a Two-Factor challenge is required. This issue was introduced in version `1.26.0` when Two-Factor Method Ids were added to the Login API response. * Resolves [GitHub Issue #1585](https://github.com/FusionAuth/fusionauth-issues/issues/1585) * The Tenant edit and add panel displays Webhook events that are not configured at the Tenant level. * Resolves [GitHub Issue #1593](https://github.com/FusionAuth/fusionauth-issues/issues/1593) * FusionAuth may fail to start on Windows when using the `startup.bat` script. See linked issue for a workaround. * Resolves [GitHub Issue #1624](https://github.com/FusionAuth/fusionauth-issues/issues/1624), thanks to [@James-M-Oswald](https://github.com/James-M-Oswald) for the assist! * Enhance email validation to keep obviously incorrect emails from being used during self-service user registration. * Resolves [GitHub Issue #1625](https://github.com/FusionAuth/fusionauth-issues/issues/1625), thanks to [@pablomadrigal](https://github.com/pablomadrigal) for letting us know! * When using the GraalJS Lambda engine, you cannot use ECMA 6 features such as `const` or `let`. * This only affects version `1.35.0` when using the new GraalJS engine, and does not represent a regression because prior to version `1.35.0` the only Lambda engine available was Nashorn which only supported ECMA 5.1. * Resolves [GitHub Issue #1630](https://github.com/FusionAuth/fusionauth-issues/issues/1630) * When using a Connector, a timing issue exists that could cause a login to fail. See the linked issue for an example exception that you may observe if you encounter this issue. * Resolves [GitHub Issue #1633](https://github.com/FusionAuth/fusionauth-issues/issues/1633) * The Tenant View dialog may show the incorrect Event transaction setting for a Tenant created via the API. * Resolves [GitHub Issue #1642](https://github.com/FusionAuth/fusionauth-issues/issues/1642) * When the `openid` scope is used along with the `offline_access` scope and then the resulting refresh token is used in a Refresh grant, the returned `id_token` may be signed with the key configured for the `access_token`. * Resolves [GitHub Issue #1643](https://github.com/FusionAuth/fusionauth-issues/issues/1643) * Ignore read-only directories inside of the configured plugin directory instead of throwing an exception. * Resolves [GitHub Issue #1655](https://github.com/FusionAuth/fusionauth-issues/issues/1655) ### Enhancements * Add a separate execute thread pool in the Apache Tomcat configuration to separate incoming requests from localhost callback requests to reduce thread contention. * Resolves [GitHub Issue #1659](https://github.com/FusionAuth/fusionauth-issues/issues/1659) * Allow for plugins that require dependent jars in their classpath. * To take advantage of this capability, create a sub-directory in the configured plugin directory. Place your plugin jar, and any dependant jars in the same directory or nested sub-directories. Each immediate sub-directory of the configured plugin directory will be considered a discrete classloader. Each of these class loaders will still share the parent classloader, so it is still advised to keep dependencies to a bare minimum such that you don't conflict with existing dependencies of FusionAuth. * Resolves [GitHub Issue #1663](https://github.com/FusionAuth/fusionauth-issues/issues/1663) * Minimize the duration of the database Transaction during authentication. This should improve login performance, especially when using an LDAP or Generic Connector. * Resolves [GitHub Issue #1666](https://github.com/FusionAuth/fusionauth-issues/issues/1666) (666 😱 yikes) * Alphabetize the Applications in Select form controls in the FusionAuth admin UI, this should make it easier for those are not robots to navigate when you have many applications. * [GitHub Issue #1668](https://github.com/FusionAuth/fusionauth-issues/issues/1668) * Allow a login using a 3rd party IdP such as Google to succeed even if an Elasticsearch exception occurs when attempting to re-index the user. * Resolves [GitHub Issue #1673](https://github.com/FusionAuth/fusionauth-issues/issues/1673) ### New * Initial technology preview for SCIM Server, this feature is available in the Enterprise plan. * Resolves [GitHub Issue #106](https://github.com/FusionAuth/fusionauth-issues/issues/106) * Nintendo Online Identity Provider, this feature is available with all licensed plans of FusionAuth. * Resolves [GitHub Issue #1206](https://github.com/FusionAuth/fusionauth-issues/issues/1206) * New Identity Provider Link & Unlink Events * Resolves [GitHub Issue #1589](https://github.com/FusionAuth/fusionauth-issues/issues/1589) * Default the Event Transaction Type in the Tenant configuration to `None` * Resolves [GitHub Issue #1644](https://github.com/FusionAuth/fusionauth-issues/issues/1644) * New JWT claims * The `tid` claim is now being set in all JWTs. This is the FusionAuth Tenant Id, and is marked as reserved. * The JWT header will also now contain a `gty` claim which will represent the grant types in order of use for this token. * Resolves [GitHub Issue #1669](https://github.com/FusionAuth/fusionauth-issues/issues/1669) ### Internal * Update Apache Tomcat from `8.5.72` to `8.5.77`. * Resolves [GitHub Issue #1620](https://github.com/FusionAuth/fusionauth-issues/issues/1620) ### Fixed * When using the FastPath installation for Windows, the startup may fail to download Java if you are using the `startup.bat` option for starting services. * Resolves [GitHub Issue #1597](https://github.com/FusionAuth/fusionauth-issues/issues/1597), thanks to [@gkrothammer](https://github.com/gkrothammer) for the help! * Using the Identity Provider Link API when more than one tenant is configured may fail unless you are specifying the tenant Id using the `X-FusionAuth-TenantId` HTTP request header. * Resolves [GitHub Issue #1609](https://github.com/FusionAuth/fusionauth-issues/issues/1609) * Self-service registration may fail to validate an email address beginning with `@`. * Resolves [GitHub Issue #1617](https://github.com/FusionAuth/fusionauth-issues/issues/1617), thanks to [@pablomadrigal](https://github.com/pablomadrigal) for letting us know! * Using the Passwordless API without passing the OAuth2 state parameters on the URL such as `client_id`, and the user is not registered for the Application, the request may fail. * Resolves [GitHub Issue #1623](https://github.com/FusionAuth/fusionauth-issues/issues/1623) ### New * Initial technology preview for HTTP requests within a lambda function, termed Lambda HTTP Connect. All previously configured lambdas will continue to run on the legacy JS engine. Starting in this release the default engine for newly created lambdas will be GraalJS, but you have the ability to select the preferred engine. When using the GraalJS engine, you will be able to begin making HTTP requests within the lambda function. At some point in the future we will deprecate and fully remove the legacy JS engine (Nashorn). For the time being, use the new engine if you are able, and provide us feedback if you find anything is not working. If you do encounter a problem open an issue, and switch the lambda back to the Nashorn engine. * HTTP requests (AJAX) in the lambda requires Essentials or Enterprise plans. * Resolves [GitHub Issue #267](https://github.com/FusionAuth/fusionauth-issues/issues/267) * Resolves [GitHub Issue #571](https://github.com/FusionAuth/fusionauth-issues/issues/571) ### Fixed * SAML v2 Login to FusionAuth may fail due to an exception. * Resolves [GitHub Issue #1606](https://github.com/FusionAuth/fusionauth-issues/issues/1606), thanks so much to [@kristianvld](https://github.com/kristianvld) for letting us know. ### Known Issues * SAML v2 Login to FusionAuth may fail due to an exception. Please upgrade directly to FusionAuth version >= 1.34.1 * See [GitHub Issue #1606](https://github.com/FusionAuth/fusionauth-issues/issues/1606) for additional details. ### Security * Resolve a potential vulnerability in the IdP Link API. If you are actively using any IdP configured to use the `CreatePendingLink` linking strategy, please upgrade at your earliest convenience. * Resolves [GitHub Issue #1600](https://github.com/FusionAuth/fusionauth-issues/issues/1600) ### Changed * When using the OpenID Connect identity provider, you have the option to select one of three client authentication options. You may select `none`, `client_secret_basic` or `client_secret_post`. Some 3rd party identity providers do not allow the `client_id` to be sent in the request body when using `client_secret_basic`. A strict reading of the OAuth2 and OpenID Connect specifications imply that the `client_id` should only be present in the request body when a client secret is not used, or you have selected `none` or `client_secret_post` for an authentication method. This change is to make FusionAuth more compliant with 3rd party IdPs that enforce this behavior. It is not expected that this change will have any negative impact on OpenID Connect configurations that have been working up until this release. However, please be aware of this change and verify existing OpenID Connect identity providers continue to behave as expected. * Resolves [GitHub Issue #1595](https://github.com/FusionAuth/fusionauth-issues/issues/1595) * Utilize PKCE anytime FusionAuth is initiating an Authorization Code grant to FusionAuth. While most of this will be transparent and should not affect any of your integrations, there is one use case in which it is important for FusionAuth to utilize PKCE when performing an Authorization Code grant to FusionAuth. This use case is when you are using an application with PKCE configured as required, and you then use the Device grant using the themed FusionAuth pages. In this case FusionAuth must utilize PKCE in order to pass PKCE validation during the request. * Resolves [GitHub Issue #1598](https://github.com/FusionAuth/fusionauth-issues/issues/1598) * When using the interactive Setup Wizard to perform initial setup of FusionAuth, the checkbox to sign up for the FusionAuth newsletter has been changed to be checked by default. This means that prior to this release you had to opt-in, and starting in this release, you will need to opt-out during this step. You also have the option to un-subscribe from the newsletter at any point in the future. * Resolves [GitHub Issue #1577](https://github.com/FusionAuth/fusionauth-issues/issues/1577) ### New * Native support for PBKDF2 using a 512-bit derived key length. The default PBKDF2 algorithm uses a 256-bit derived key length. Some IdPs such as KeyCloak use a 512-bit key, so this plugin should support an import from KeyCloak without using a custom plugin. This new algorithm is available using the value `salted-pbkdf2-hmac-sha256-512` during the User Import API. * Resolves [GitHub Issue #1604](https://github.com/FusionAuth/fusionauth-issues/issues/1604) ### Security * Add `-Dlog4j2.formatMsgNoLookups=true` to the `fusionauth-search` bundled version of Elasticsearch. * Please note, that if you are running a standalone version of Elasticsearch, this will not affect you, and you should still complete any suggested mitigation steps for your Elasticsearch instance. This VM argument added to the `fusionauth-search` bundle is only added to make people feel warm and fuzzy. FusionAuth Cloud users are not vulnerable to [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228), and even if you are self-hosting FusionAuth and utilizing the Elasticsearch bundled with `fusionauth-search` you are not vulnerable if you have followed our suggested securing steps. Also due to the version of Java we are using to run Elasticsearch, you are not vulnerable. But we all like to put on our tinfoil hats sometimes, so we are making this change for good measure. * Resolves [GitHub Issue #1520](https://github.com/FusionAuth/fusionauth-issues/issues/1520) * Updated PostgreSQL JDBC driver from version `42.2.22` to `42.3.2`. * This update is only pertinent to you if you are using a PostgreSQL database. If you are using MySQL, you are not vulnerable. * FusionAuth Cloud users are not affected. If you are self-hosting FusionAuth you are only vulnerable if you allow un-authorized modifications to your JDBC connection string used by FusionAuth to connect to the database. I hope you are not doing this. 😉 Please read the following CVE to better understand the vulnerability to see how it may or may not affect you. * [CVE-2022-21724](https://nvd.nist.gov/vuln/detail/CVE-2022-21724). * Resolves [GitHub Issue #1535](https://github.com/FusionAuth/fusionauth-issues/issues/1535) * Proactively upgrade Logback. Instead of Log4J, FusionAuth uses Logback. In response to the recent vulnerabilities in Log4J, the Logback team has proactively added some additional hardening to their library to ensure similar vulnerabilities are not found. * Resolves [GitHub Issue #1530](https://github.com/FusionAuth/fusionauth-issues/issues/1530) * Better protection against malicious actors that have access to configuring Themed templates. * Resolves [GitHub Issue #1549](https://github.com/FusionAuth/fusionauth-issues/issues/1549) * Ensure we enforce a Two-Factor challenge before changing a password using the Change Password API. * Resolves [GitHub Issue #1591](https://github.com/FusionAuth/fusionauth-issues/issues/1591) ### Changed * If you are using the Change Password API with users that have Two-Factor enabled you may need to adjust your integration. Beginning in this release, to use the Change Password API for a user with Two-Factor enabled, you will need to obtain a Trust Token from the Two Factor Login API in order to complete this request. This is potentially a breaking change, the decision was made to make this potentially breaking change due to the enhanced security provided by this change. * Resolves [GitHub Issue #1591](https://github.com/FusionAuth/fusionauth-issues/issues/1591) ### Fixed * The FastPath install may fail to download Java on versions `>= 1.32.0`. The issue was that the `curl` request needed to be configured to follow a redirect with the new URLs for the Java download. See the linked issue for a workaround if you want to use FastPath for an older version. * Resolves [GitHub Issue #1519](https://github.com/FusionAuth/fusionauth-issues/issues/1519) * Ensure we are able to handle Login records that may contain more than one IP address. When passing through a proxy, the `X-Forwarded-For` HTTP request header may contain more than one IP address. This fix ensures we parse this header correctly and handle existing Login records that may have been recorded with more than one value. * Resolves [GitHub Issue #1521](https://github.com/FusionAuth/fusionauth-issues/issues/1521) * Using the Login with Apple button on a themed login or registration page may fail when using Safari on iOS 12. A workaround is documented in the linked GitHub issue if you are unable to upgrade FusionAuth. * Resolves [GitHub Issue #1526](https://github.com/FusionAuth/fusionauth-issues/issues/1526) * The Event Log, Audit Log, Login Records search feature in the FusionAuth admin UI may not reset the pagination correctly when beginning a new search request. * Resolves [GitHub Issue #1501](https://github.com/FusionAuth/fusionauth-issues/issues/1501) * Group Membership may not be preserved after the first login request when using a Connector without migration. * Resolves [GitHub Issue #1432](https://github.com/FusionAuth/fusionauth-issues/issues/1432) * The `jwt.refresh-token.revoke` event may not be sent during a request to the Logout API (`/api/logout`). * Resolves [GitHub Issue #1522](https://github.com/FusionAuth/fusionauth-issues/issues/1522), thanks to [@TimVanHerwijnen](https://github.com/TimVanHerwijnen) for all the help! * A consent added to a self-service registration form may show up incorrectly during a complete registration step during login. * Resolves [GitHub Issue #1259](https://github.com/FusionAuth/fusionauth-issues/issues/1259) * Resolves [GitHub Issue #1261](https://github.com/FusionAuth/fusionauth-issues/issues/1261) * Better support for `user.birthDate` when using Advanced self-service registration when Family is enabled with child registration. * [GitHub Issue #1490](https://github.com/FusionAuth/fusionauth-issues/issues/1490) * When configuring more than one preferred language in the FusionAuth admin UI on the User or User Registration, the order may not be preserved. For example, if you configured `French, English` where `French` is the preferred languages, with a second option of `English`, when saving the form, the serialized value will become `English, French` and will not likely be saved in the order you expect. * [GitHub Issue #1131](https://github.com/FusionAuth/fusionauth-issues/issues/1131) * Fix a potential memory leak in the Email services. If you are sending a lot of email through FusionAuth, this error may cause your FusionAuth service to run out of memory. Restarting the service periodically can mitigate this potential if you are unable to upgrade. This issue was most likely introduced in version `1.30.1`. * Resolves [GitHub Issue #1548](https://github.com/FusionAuth/fusionauth-issues/issues/1548) * When completing a Family workflow where a parent joins a child to a family, the `parentEmail` field may not be properly updated in the search index. * Resolves [GitHub Issue #1550](https://github.com/FusionAuth/fusionauth-issues/issues/1550) * If you have previously configured Basic Self-Service registration, and then begin using Advanced Self-Service it is possible that a validation may occur that you did not expect. * Resolves [GitHub Issue #1560](https://github.com/FusionAuth/fusionauth-issues/issues/1560) * Some edge cases exist when using the Async Tenant Delete API or deleting a Tenant in the FusionAuth admin UI where a tenant may get stuck in the Pending Delete state. * Resolves [GitHub Issue #1559](https://github.com/FusionAuth/fusionauth-issues/issues/1559) ### Enhancements * Add the underlying host architecture and operating system name and version to the About panel in the FusionAuth admin UI. See System -> About. * Resolves [GitHub Issue #1531](https://github.com/FusionAuth/fusionauth-issues/issues/1531) * Add a tooltip to the Webhook Application configuration to help reduce some confusion until we deprecate this Application configuration. * Resolves [GitHub Issue #1542](https://github.com/FusionAuth/fusionauth-issues/issues/1542) * Support longer Refresh Tokens on the Refresh Tokens Import API. The previous limitation was that the refresh token was less than or equal to `191` characters. The assumption was made that this token was opaque and that `191` was very adequate. Some IdPs utilize JWTs for Refresh Tokens and in this case, the length is likely to exceed the previous limitation. This enhancements allows for longer refresh tokens. In particular this will provide better support for importing Refresh Tokens from KeyCloak. See the [Import Refresh Tokens](/docs/apis/users#import-refresh-tokens) API for additional details. * Resolves [GitHub Issue #1541](https://github.com/FusionAuth/fusionauth-issues/issues/1541) * Use a better thread pooling strategy for Webhooks to better support a very large volume of events where the event recipient may not respond quickly enough. This allows more events to be queued up if we cannot send them fast enough while waiting for a response from the webhook. * Resolves [GitHub Issue #1500](https://github.com/FusionAuth/fusionauth-issues/issues/1500) * Improve licensing errors on the API and FusionAuth admin UI to better differentiate between not licensed, and a feature that requires a specific licensed feature. In particular, some of the features introduced as part of the Threat Detection feature require an Enterprise License with this feature enabled. So you may have a licensed FusionAuth plan, and a feature may still not be available. This change should make it clearer why a particular feature cannot be enabled. * Resolves [GitHub Issue #1555](https://github.com/FusionAuth/fusionauth-issues/issues/1555) * Add `tokenExpirationInstant` to the Login Response similar to how the Token endpoint response returns `expires_in` to indicate when the access token returned in the response will expire. * Resolves [GitHub Issue #1309](https://github.com/FusionAuth/fusionauth-issues/issues/1309) * Additional User API validation in support of Family configuration with child registration restrictions. * Resolves [GitHub Issue #1561](https://github.com/FusionAuth/fusionauth-issues/issues/1561) * Support for ARM 64, the Apple M1, AWS Graviton, etc. Docker images are now published for Intel, and various ARM architectures, and FastPath and other installation paths have support for downloading Java for the correct architecture. * Resolves [GitHub Issue #1532](https://github.com/FusionAuth/fusionauth-issues/issues/1523), [GitHub Issue #49](https://github.com/FusionAuth/fusionauth-containers/issues/49). Thanks to many of our community superstars for the help with this one! [@rscheuermann](https://github.com/rscheuermann), [@jerryhopper](https://github.com/jerryhopper), [@ceefour](https://github.com/ceefour), [@dmitryzan](https://github.com/dmitryzan) * Add the option to use the `userId` on the Start Two-Factor API ** Resolves [GitHub Issue #1571](https://github.com/FusionAuth/fusionauth-issues/issues/1571) * Move the `changePasswordId` to the request body during a POST request. For backwards compatibility, the `changePasswordId` will also be accepted on the URL segment. * Resolves [GitHub Issue #1214](https://github.com/FusionAuth/fusionauth-issues/issues/1214) ### Fixed * If you are modifying the user email or username in an Identity Provider Reconcile Lambda, the lambda may be invoked more than once after the initial link has been established. This may cause User registration data to be modified, or lost. If you have not yet upgraded to this version, it is advised that you wait until you can update to version `1.32.1`. * Resolves [GitHub Issue #1517](https://github.com/FusionAuth/fusionauth-issues/issues/1517), thanks to [@Oceanswave](https://github.com/Oceanswave) for letting us know and for the fantastic bug write up! * The `1.32.0` version of the Docker image was initially released with a missing Java module that may cause the image to fail during startup. An updated version of the image has been released, if you encounter an issue, please delete your local version of the image and pull it again. The issue is also resolved in this version, so you may also pull the `latest` tag once this version is available. * Resolves [GitHub Issue #1518](https://github.com/FusionAuth/fusionauth-issues/issues/1518) ### Changed * This version of FusionAuth will now run on Java 17. If you are using any SAML v2 IdP configurations that still utilize a legacy XML signature algorithm, this upgrade may break that integration. * It is recommended to test your SAML v2 IdP logins with this version prior to upgrading, or confirm that all of your IdPs are not using any of the following restricted XML signature algorithms: * `http://www.w3.org/2000/09/xmldsig#sha1` * `http://www.w3.org/2000/09/xmldsig#dsa-sha1` * `http://www.w3.org/2000/09/xmldsig#rsa-sha1` * See [GitHub Issue #1202](https://github.com/FusionAuth/fusionauth-site/issues/1202) for additional details and an optional workaround if you are unable to discontinue use of these algorithms. ### Fixed * The global and application registration count rollup may fail when using PostgreSQL. This will cause the registration count reports to be incorrect. * Resolves [GitHub Issue #1498](https://github.com/FusionAuth/fusionauth-issues/issues/1498) * When using the Development Reset feature (technical preview) and the FusionAuth application is configured to use a specific theme, the reset will fail. * Resolves [GitHub Issue #1514](https://github.com/FusionAuth/fusionauth-issues/issues/1514) ### Enhancements * Identity provider linking that was introduced in version 1.28.0 can now optionally be configured to limit the number of unique links to an IdP for a particular user. * Resolves [GitHub Issue #1310](https://github.com/FusionAuth/fusionauth-issues/issues/1310) * Allow application URIs to be configured as an OAuth2 Authorized request origin URLs. For example, you may now configure `android-app://com.example` as a valid Authorized request origin. * Resolves [GitHub Issue #1443](https://github.com/FusionAuth/fusionauth-issues/issues/1443), thanks to [@bonify-b2b](https://github.com/bonify-b2b) for the request. * Add configuration to allow implicit email verification to be disabled. For example, prior to this release, email based workflows such as Passwordless login, email based registration verification, email based password change, and verifying a two-factor code during login through an email would implicitly mark a user's email as verified if email verification was enabled and the user had not yet completed email verification. In most cases this seems to be the best choice for the end user such that they do not perform redundant tasks to verify their email address once they have provided evidence they have access to the email address. This configuration allows this behavior to be disabled if you wish to require your end user to always go through a specific email verification process for legal or other similar reasons. * Resolves [GitHub Issue #1467](https://github.com/FusionAuth/fusionauth-issues/issues/1467), thanks to [@lliu-20200701](https://github.com/lliu-20200701) for the request. * Add a notice on the Device workflow panel when an existing SSO session exists to allow the user to optionally logout prior to continuing. * Resolves [GitHub Issue #1495](https://github.com/FusionAuth/fusionauth-issues/issues/1495) ### New * You may optionally specify custom SMTP headers in the Tenant email configuration. These configured headers will be added to all outbound messages. * Resolves [GitHub Issue #628](https://github.com/FusionAuth/fusionauth-issues/issues/628), thanks to [arni-inaba](https://github.com/arni-inaba) for the suggestion. ### Internal * Java 17 LTS. Upgrade from Java 14, to the latest long term support (LTS) version of Java which is 17. ### Known Issues * If you are modifying the user email or username in an Identity Provider Reconcile Lambda, the lambda may be invoked more than once after the initial link has been established. This may cause User registration data to be modified, or lost. If you have not yet upgraded to this version, it is advised that you wait until you can update to version `1.32.1`. * Resolved in `1.32.1` by [GitHub Issue #1517](https://github.com/FusionAuth/fusionauth-issues/issues/1517) ### Changed * You may now modify, or fabricate an email or username in the Identity Provider Reconcile Lambda regardless of the Identity Provider type. * Some of this capability has been provided in the past for the OpenID Connect Identity Provider. This capability was removed in version `1.28.0` when Identity Provider Linking was introduced due to the additional use cases now supported through linking strategies. Due to high demand, and many real world use-cases presented by our users, this decision has been reversed in favor of flexibility for the developer. Please use caution when using this capability, and note that if you create or modify a `username` or `email` in the Reconcile lambda, the lambda will be invoked twice during a single login request. * Resolves [GitHub Issue #1425](https://github.com/FusionAuth/fusionauth-issues/issues/1425) ### Fixed * Requiring a birthdate on a self-service registration form when also requiring a parent email may cause an exception. * Resolves [GitHub Issue #702](https://github.com/FusionAuth/fusionauth-issues/issues/702) * Improvements to locale handling to expand beyond ISO 639 support to support locales such as `es_419`, `aghem` and others. * Resolves [GitHub Issue #978](https://github.com/FusionAuth/fusionauth-issues/issues/978) * Resolves [GitHub Issue #1132](https://github.com/FusionAuth/fusionauth-issues/issues/1132) * Disabling webhooks on the tenant configuration by clicking on the Enabled table header doesn't work as expected. * Resolves [GitHub Issue #1123](https://github.com/FusionAuth/fusionauth-issues/issues/1123) * Fix general message template issues when using the preview action for a message template, or a localized version of the template. * Resolves [GitHub Issue #1171](https://github.com/FusionAuth/fusionauth-issues/issues/1171) * An API key created using Kickstart is not validated for length correctly. * Resolves [GitHub Issue #1397](https://github.com/FusionAuth/fusionauth-issues/issues/1397), thanks to [@miaucl](https://github.com/miaucl) for reporting! * The error message returned to the end user when a webhook fails during a Self-Service Registration is not able to be customized through a theme. * Resolves [GitHub Issue #1446](https://github.com/FusionAuth/fusionauth-issues/issues/1446) * The Theme preview may not render the Account Edit themed page when a Self-Service form is configured * Resolves [GitHub Issue #1448](https://github.com/FusionAuth/fusionauth-issues/issues/1448) * Unable to delete an email template when an email template is not assigned to a Consent. * Resolves [GitHub Issue #1449](https://github.com/FusionAuth/fusionauth-issues/issues/1449) * A timing issue exists when creating a new Application role, and then immediately attempting to register a user with that role. * This issue was introduced in version `1.30.2` * Resolves [GitHub Issue #1452](https://github.com/FusionAuth/fusionauth-issues/issues/1452), thanks to one of our MVPs [@johnmaia](https://github.com/johnmaia) for reporting! * Using an expired Passwordless link may result in an infinite redirect * This issue was introduced in version `1.27.0` when support for Microsoft Outlook Safe Links was added via [GitHub Issue #629](https://github.com/FusionAuth/fusionauth-issues/issues/629) * Resolves [GitHub Issue #1456](https://github.com/FusionAuth/fusionauth-issues/issues/1456), thanks to [@rscheuermann](https://github.com/rscheuermann) for the report! * Missing validation on the Registration API to ensure the User exists by Id when passing the `userId` on the HTTP request URL segment * Resolves [GitHub Issue #1457](https://github.com/FusionAuth/fusionauth-issues/issues/1457) * When copying a Tenant in the FusionAuth admin UI when the source Tenant has Blocked domain configuration present, the Blocked domain configuration is not copied to the new tenant. * Resolves [GitHub Issue #1459](https://github.com/FusionAuth/fusionauth-issues/issues/1459) * When using the OAuth2 Password grant (Resource Owner Credentials grant), and the `client_id` is provided in the HTTP Basic Authorization header, but not in the HTTP post body, the resulting JWT will not contain the `aud` claim. * Resolves [GitHub Issue #1462](https://github.com/FusionAuth/fusionauth-issues/issues/1462) * A database foreign key violation may occur in the Registration Count aggregation service if you delete a Tenant before the aggregator runs. * This issue was introduced in version `1.30.2`. * Resolves [GitHub Issue #1466](https://github.com/FusionAuth/fusionauth-issues/issues/1466) * Enabling Two-Factor in the Self-Service themed forms, or in the admin UI may fail to render the QR code if the encoded string used to build the QR code is between 192 and 220 characters in length. * Resolves [GitHub Issue #1470](https://github.com/FusionAuth/fusionauth-issues/issues/1470), thanks to [@jasonaowen](https://github.com/jasonaowen) for letting us know and helping us debug it! * When a user is assigned roles explicitly through a User Registration in addition to a Group membership, the roles assigned by the Group membership will not be returned. * This issue was introduced in version `1.30.2` vi [GitHub Issue #480](https://github.com/FusionAuth/fusionauth-issues/issues/480) * Resolves [GitHub Issue #1473](https://github.com/FusionAuth/fusionauth-issues/issues/1473) * When using the Setup Password email template provided by FusionAuth with the User Registration API to create a User and a Registration in a single API call the URL generated and sent to the user may not be usable. A `client_id` will have been added to the URL which will result in an error when the FusionAuth page is rendered. To work around the issue prior to this release, please remove the `client_id` from the Email template. * Resolves [GitHub Issue #1476](https://github.com/FusionAuth/fusionauth-issues/issues/1476) * A SAML v2 SP using an HTTP Redirect Binding that has URL encoded the query string using lower case percent encoding may cause FusionAuth to fail to validate the signature. * Resolves [GitHub Issue #1496](https://github.com/FusionAuth/fusionauth-issues/issues/1496), thanks to engineering team at [HAProxy](https://www.haproxy.com) for the assist! ### Enhancements * You may now access the `id_token` when available during an OpenID Connect Reconcile lambda * Resolves [GitHub Issue #323](https://github.com/FusionAuth/fusionauth-issues/issues/323), thanks to [@Thammada](https://github.com/Thammada) for opening the issue! * Add additional support for `idp_hint` for Apple and Twitter Identity Providers. * Resolves [GitHub Issue #1306](https://github.com/FusionAuth/fusionauth-issues/issues/1306) * Add an example use and changed user to the Audit Log Test event when using the Webhook Tester in the FusionAuth admin UI * Resolves [GitHub Issue #1360](https://github.com/FusionAuth/fusionauth-issues/issues/1360) * When FusionAuth is unable to discover OpenID endpoints using the configured Issuer during configuration of an OpenID Connect Identity Provider an Event Log will be produced to assist you in debugging the connection. * Resolves [GitHub Issue #1417](https://github.com/FusionAuth/fusionauth-issues/issues/1417) ### Internal * Update the internal scheduler library. * Resolves [GitHub Issue #1461](https://github.com/FusionAuth/fusionauth-issues/issues/1461) ### Fixed * When logging in with an anonymous user from an IdP that now has a linking strategy other than Anonymous an exception occurs. This can occur if you change your linking strategy from Anonymous to something else, and users that were created while configured as Anonymous log in again. * Resolves [GitHub Issue #1316](https://github.com/FusionAuth/fusionauth-issues/issues/1316) * The view dialog may not completely render for an SAML v2 IdP Initiated IdP configuration. The dialog fails to completely render due to a FreeMarker exception. * Resolves [GitHub Issue #1324](https://github.com/FusionAuth/fusionauth-issues/issues/1324) * If you are activating FusionAuth Reactor during initial startup via Kickstart, and you have CAPTCHA enabled for the FusionAuth admin application, you may not be able to login until the Threat Detection feature comes online. Depending upon your network connection, this may take a few seconds, or a few minutes. * Resolves [GitHub Issue #1358](https://github.com/FusionAuth/fusionauth-issues/issues/1358) * The .NET client library handled `exp` and other JWT timestamp values incorrectly. * Resolves [GitHub Issue #1362](https://github.com/FusionAuth/fusionauth-issues/issues/1362), thanks to [@RyanDennis2018](https://github.com/RyanDennis2018) for reporting. * When using the duplicate Application button in the admin UI, if the source Application has SAML v2 configured, but not enabled, the copy may fail with an exception. * Resolves [GitHub Issue #1366](https://github.com/FusionAuth/fusionauth-issues/issues/1366) * Updating a connector will add an additional `*` domain configuration. This is a regression issue introduced in version `1.28.0`. * Resolves [GitHub Issue #1367](https://github.com/FusionAuth/fusionauth-issues/issues/1367) * When generating an RSA Key, a user cannot specify a certain Id. * Resolves [GitHub Issue #1368](https://github.com/FusionAuth/fusionauth-issues/issues/1368) * If using kickstart to activate a licensed instance with advanced threat detection enabled, it is possible to get stuck in the Setup Wizard. * Resolves [GitHub Issue #1369](https://github.com/FusionAuth/fusionauth-issues/issues/1369) * A user can add new entries to an access control list, but can't delete them using the administrative user interface. * Resolves [GitHub Issue #1371](https://github.com/FusionAuth/fusionauth-issues/issues/1371) * Default lambdas are no longer available in Kickstart environment variables. This is a regression introduced in version `1.30.0`. * Resolves [GitHub Issue #1373](https://github.com/FusionAuth/fusionauth-issues/issues/1373) * The event payload for a user deactivation was not complete when the deactivation happened via the administrative user interface. It lacked some information such as the IP address of the request. * Resolves [GitHub Issue #1375](https://github.com/FusionAuth/fusionauth-issues/issues/1375) * When both Kickstart and maintenance mode occur during an upgrade, a NullPointerException could occur if the default tenant Id was being modified. * Resolves [GitHub Issue #1382](https://github.com/FusionAuth/fusionauth-issues/issues/1382) * The IP address can be missing from login records in certain circumstances. * Resolves [GitHub Issue #1391](https://github.com/FusionAuth/fusionauth-issues/issues/1391) * Requests with IPv6 addresses cause NumberFormatExceptions. * Resolves [GitHub Issue #1392](https://github.com/FusionAuth/fusionauth-issues/issues/1392) * CAPTCHA may not work on the email verification required page. * Resolves [GitHub Issue #1396](https://github.com/FusionAuth/fusionauth-issues/issues/1396) * Rendering the passwordValidationRules object on the register page in theme preview does not work. * Resolves [GitHub Issue #1398](https://github.com/FusionAuth/fusionauth-issues/issues/1398) * User search widget has an empty value if the user does not have a name. * Resolves [GitHub Issue #1399](https://github.com/FusionAuth/fusionauth-issues/issues/1399) * Filling out a CAPTCHA through self service registration or other paths does not save device trust; the user will be prompted a second time. * Resolves [GitHub Issue #1400](https://github.com/FusionAuth/fusionauth-issues/issues/1400) * Setup Wizard may be shown in a multi-node environment after it has completed. * Resolves [GitHub Issue #1402](https://github.com/FusionAuth/fusionauth-issues/issues/1402) * When using advanced threat detection rate limiting, users are unable to set the rate limit configuration to 1 to allow a limited action be performed only once. * Resolves [GitHub Issue #1407](https://github.com/FusionAuth/fusionauth-issues/issues/1407) * Custom data for webhooks not displayed in the admin UI. * Resolves [GitHub Issue #1422](https://github.com/FusionAuth/fusionauth-issues/issues/1422) * A truncated deflated SAML AuthN request was not handled as well as it should have been. * Resolves [GitHub Issue #1424](https://github.com/FusionAuth/fusionauth-issues/issues/1424) * Some key pairs capable of signing a SAML request are not eligible in the UI. * Resolves [GitHub Issue #1430](https://github.com/FusionAuth/fusionauth-issues/issues/1430) * Custom data for connectors not displayed in the admin UI. * Resolves [GitHub Issue #1435](https://github.com/FusionAuth/fusionauth-issues/issues/1435) ### Enhancements * When using MySQL with a large number of applications, and application roles, it may become slow to retrieve a user. This change should improve performance when using MySQL. * Resolves [GitHub Issue #480](https://github.com/FusionAuth/fusionauth-issues/issues/480), thanks to [@nikos](https://github.com/nikos) and David B. for the assist! * Improve the performance of using the Public Key API endpoint when you have a lot of applications and keys. * Resolves [GitHub Issue #1145](https://github.com/FusionAuth/fusionauth-issues/issues/1145), thanks to [@nulian](https://github.com/nulian) for reporting, and [@Johpie](https://github.com/Johpie) for the additional debug. * Display the database version and elastic search versions in the administrative user interface. * Resolves [GitHub Issue #1390](https://github.com/FusionAuth/fusionauth-issues/issues/1390) * Improve User and Registration API performance at scale. * Resolves [GitHub Issue #1415](https://github.com/FusionAuth/fusionauth-issues/issues/1415) * Try to support SAML POST bindings with SSO even when cookie `SameSite` policy is set to `SameSite=Lax`. * Resolves [GitHub Issue #1426](https://github.com/FusionAuth/fusionauth-issues/issues/1426) * Add a default NameID format when one is not provided on SAML AuthN or Logout requests. * Resolves [GitHub Issue #1428](https://github.com/FusionAuth/fusionauth-issues/issues/1428) ### Internal * Update Apache Tomcat from `8.5.63` to `8.5.72`. * Resolves [GitHub Issue #1433](https://github.com/FusionAuth/fusionauth-issues/issues/1433) ### Known Issues * Registration counts may fail to be rolled up into reports when using PostgreSQL. Updating to `1.30.2` should resolve the issue. * Resolved in `1.32.0` by [GitHub Issue #1498](https://github.com/FusionAuth/fusionauth-issues/issues/1498) * A potential memory leak was introduced in this version. Updating to `1.33.0` should resolve the issue, if you are unable to upgrade, restarting the service periodically can mitigate this potential issue. * Resolved in `1.33.0` by [GitHub Issue #1548](https://github.com/FusionAuth/fusionauth-issues/issues/1548) ### Fixed * The Text MIME type of an email may not render Unicode correctly when the host system does not have `UTF-8` set as the default character set. * Resolves [GitHub Issue #1122](https://github.com/FusionAuth/fusionauth-issues/issues/1122), thanks to [@soullivaneuh](https://github.com/soullivaneuh) for the report! * Unable to assign an IP ACL to an application if one is not already assigned to the tenant. * Resolves [GitHub Issue #1349](https://github.com/FusionAuth/fusionauth-issues/issues/1349) * Unable to delete an IP ACL in use by a tenant * Resolves [GitHub Issue #1350](https://github.com/FusionAuth/fusionauth-issues/issues/1350) ### Enhancements * General performance improvements for login, OAuth2 grants, and user create and registration. * Add the User Two Factor methods to the Elasticsearch index. * If you have existing users with Two-Factor enabled, you will want to perform a re-index in order to search on two-factor configuration. * Resolves [GitHub Issue #1352](https://github.com/FusionAuth/fusionauth-issues/issues/1352), thanks to one of our favorite FusionAuth users [@flangfeldt](https://github.com/flangfeldt) for making the request. ### Internal * Performance improvements Features that require the Threat Detection feature: - CAPTCHA - Domain blocking in registration - IP access control lists - IP location - Some of the new events and transactional emails - Rate limiting ### Known Issues * If you are referencing any Reconcile Lambda Ids using the syntax `FUSIONAUTH_LAMBDA{type}_ID` - this may no longer work due to a change in how these default lambdas are initialized. * The current work around is to modify your kickstart to build your own version of this lambda instead of using the FusionAuth default. * You will find a copy of the default lambdas shipped with FusionAuth in the [Lambda](/docs/extend/code/lambdas/) documentation that you may use to copy into your kickstart. * The issue is being tracked here [GitHub Issue #1373](https://github.com/FusionAuth/fusionauth-issues/issues/1373) ### Fixed * Unable to enable `user.action` event at the tenant using the UI. If you encounter this issue, you may work around it by using the Tenant API. * Resolves [GitHub Issue #1307](https://github.com/FusionAuth/fusionauth-issues/issues/1307) * If you make an API request to `/api/two-factor/login` with an empty JSON body, an exception will occur instead of a validation error being returned with a `400` status code. * Resolves [GitHub Issue #1330](https://github.com/FusionAuth/fusionauth-issues/issues/1330) * When using an IdP with a linking mode other than Create Pending Link, the token may not correctly be stored. If you previously had been using the token stored on the User Registration, and are now looking for it in the Identity Provider Link, you may not find it. This fix resolves the issue. * Resolves [GitHub Issue #1341](https://github.com/FusionAuth/fusionauth-issues/issues/1341) * When you are using FusionAuth as a SAML v2 IdP with Redirect bindings, you were unable to use idp_hint to bypass the login page to federate to another provider. * Resolves [GitHub Issue #1331](https://github.com/FusionAuth/fusionauth-issues/issues/1331) ### Changed * New themed page added for Unauthorized access. * See the [Theme](/docs/apis/themes) API and the [Theme](/docs/customize/look-and-feel/) documentation for additional details. * A macro available to themes named `[@helpers.input]` was modified to be able to build a checkbox. This change could affect you if you try to copy and paste the checkbox usage without modifying the macro definition in your Helper file. Review the [Upgrading](/docs/customize/look-and-feel/advanced-theme-editor#upgrading) section for information on how to resolve potential breaking changes. ### New * JWT Vending machine * This allows a JWT to be created for a not-yet-existing user with a payload defined by the API caller. * Resolves [GitHub Issue #525](https://github.com/FusionAuth/fusionauth-issues/issues/525) * FusionAuth wasn't awesome enough, so we added a robust Threat Detection feature for enterprise customers. This feature includes: * IP Access Control for API keys * This allows support for an API key to be further restricted by the origin IP address. * Resolves [GitHub Issue #933](https://github.com/FusionAuth/fusionauth-issues/issues/933) * IP Access Control for SSO and self service forms * This allows you to limit access to the FusionAuth SSO or a particular application login through SSO by IP address * Blocked domain configuration to limit registrations from specific email domains * Rate limiting per user for the following requests: * Failed login (only used if Failed Login configuration is not in use) * Forgot password * Send email verification * Send passwordless * Send registration verification * Send two-factor * CAPTCHA - add CAPTCHA to login and other end user forms to help ensure only humans are submitting forms. * This feature is in tech preview and is subject to change. * Support for Google ReCaptcha v2, Google ReCaptcha v3, HCaptcha and HCaptcha Enterprise * Resolves [GitHub Issue #278](https://github.com/FusionAuth/fusionauth-issues/issues/278) * IP location. * When possible, an IP address will be resolved to include city, country, region, zip code, longitude and latitude. * IP location will be included in login records and will be available in some email templates and webhook events * Used to calculate impossible travel between login locations * New Webhook events: * Audit Log Create `audit-log.create` * Event Log Create `event-log.create` * Kickstart Success `kickstart.success` * User Create Complete `user.create.complete` * User Delete Complete `user.delete.complete` * User Update Complete `user.update.complete` * User LoginId Duplicate On Create `user.loginId.duplicate.create` * User LoginId Duplicate Update `user.loginId.duplicate.update` * User Email Update `user.email.update` * User Login New Device `user.login.new-device` * User Login Suspicious `user.login.suspicious` * User Password Reset Success `user.password.reset.success` * User Password Reset Send `user.password.reset.send` * User Password Reset Start `user.password.reset.start` * User Password Update `user.password.update` * User Registration Create Complete `user.registration.create.complete` * User Registration Delete Complete `user.registration.delete.complete` * User Registration Update Complete `user.registration.update.complete` * User Two Factor Method Added `user.two-factor.method.add` * User Two Factor Method Removed `user.two-factor.method.remove` * See the [Event Webhooks](/docs/extend/events-and-webhooks/) documentation for additional details. * Resolves [GitHub Issue #1308](https://github.com/FusionAuth/fusionauth-issues/issues/1308), thanks to [@adoliver](https://github.com/adoliver) for the suggestion! * Resolves [GitHub Issue #1178](https://github.com/FusionAuth/fusionauth-issues/issues/1178) * Resolves [GitHub Issue #1128](https://github.com/FusionAuth/fusionauth-issues/issues/1128) * Resolves [GitHub Issue #1129](https://github.com/FusionAuth/fusionauth-issues/issues/1129) * New transactional emails: * Email update * Login Id duplicate on create * Login Id duplicate on update * Login with new device * Suspicious login * Password reset success * Password update * Two-factor method added * Two-factor method removed ### Enhancements * Search on `oldValue`, `newValue` and `reason` in the Audit Log. * See the [Audit Log Search](/docs/apis/audit-logs#search-the-audit-log) API for additional details on searching on `oldValue`, `newValue` and `reason` in the audit log. * When using IdP linking in conjunction with the Oauth2 Device grant, the recently completed links will be available on the Device complete themed page by using the `completedLinks` variable. * See the [Device Complete](/docs/customize/look-and-feel/template-variables#oauth-device-complete) themed page documentation for additional details. * More themed pages will have access to the currently logged in user using the `currentUser` variable. * See the [Theme](/docs/customize/look-and-feel/) documentation for additional details. ### Fixed * When a user is required to complete registration after login, the user may no longer be able to login w/out a password reset. This is a regression from version 1.28.0, and only affects those using self-service registration that will have existing users that do not have all required fields on their account. * Resolves [GitHub Issue #1344](https://github.com/FusionAuth/fusionauth-issues/issues/1344), thanks to [@flangfeldt](https://github.com/flangfeldt) for reporting the issue ### Fixed * A `404` may be returned when attempting to update a user with `PUT` or `PATCH` on the User API if the user has an unverified email and email verification has been disabled. * Resolves [GitHub Issue #1333](https://github.com/FusionAuth/fusionauth-issues/issues/1333) ### Fixed * When using a SAML v2 IdP that does not send back a `KeyInfo` element in the XML response, an exception may occur when attempting to parse the response. * Resolves [GitHub Issue #1332](https://github.com/FusionAuth/fusionauth-issues/issues/1332) ### Fixed * In a multi-tenant configuration, SSO sessions may be pre-maturely terminated if one tenant has a lower TTL configuration than the other tenants. To work around this issue prior to this release, ensure all SSO TTL configurations are equal. * Resolves [GitHub Issue #1262](https://github.com/FusionAuth/fusionauth-issues/issues/1262) * The arg names in the `LambdaType` enum were not all correct. * Resolves [GitHub Issue #1284](https://github.com/FusionAuth/fusionauth-issues/issues/1284) * An IdP Debug event log may not get produced when a unique Id could not be resolved. * Resolves [GitHub Issue #1315](https://github.com/FusionAuth/fusionauth-issues/issues/1315) * When enabling the SAML v2 IdP debug log an exception may be taken when attempting to produce the debug event log. The result is that the debug log will not be produced. * Resolves [GitHub Issue #1317](https://github.com/FusionAuth/fusionauth-issues/issues/1317) ### Fixed * When viewing the theme preview for the `oauth2/start-idp-link.ftl` template, and error may be logged. * Resolves [GitHub Issue #1276](https://github.com/FusionAuth/fusionauth-issues/issues/1276) * When a webhook transaction fails to create a user or registration on a themed page, a non-themed error page may be displayed * Resolves [GitHub Issue #1279](https://github.com/FusionAuth/fusionauth-issues/issues/1279) ### Enhancements * Enhance the Link API to retrieve a user by a 3rd party unique Id to identify a FusionAuth user is linked to the user. See the [Link](/docs/apis/identity-providers/links) API for additional details. * Resolves [GitHub Issue #1277](https://github.com/FusionAuth/fusionauth-issues/issues/1277) * During a device link request which contains a device linking token, show an intermediate page asking the user if they would like to sign in with an existing user or create a new user. * Resolves [GitHub Issue #1287](https://github.com/FusionAuth/fusionauth-issues/issues/1287) * Allow the IdP Login API to optionally be passed a request parameter to indicate a link should not be established and a `404` should be returned instead. This is useful if you wish to identify if a link exists first before starting an auxiliary workflow such as a device grant with a linking token. See the [Login](/docs/apis/identity-providers/) API for additional details. * Resolves [GitHub Issue #1288](https://github.com/FusionAuth/fusionauth-issues/issues/1288) * Add additional configuration to the unique username configuration to support always appending a suffix even when the username is not in use. See the [Tenant](/docs/apis/tenants) API for additional details. * Resolves [GitHub Issue #1290](https://github.com/FusionAuth/fusionauth-issues/issues/1290) * Add an additional debug event log when for the SAML IdP to debug the `AuthN` request sent to the SAML IdP * Resolves [GitHub Issue #1293](https://github.com/FusionAuth/fusionauth-issues/issues/1293) * In version `1.28.0` the resolution of the value returned by the SAML v2 IdP in the `NameID` was modified. If the IdP returns a format of `unspecified` with a value of `email` then after upgrading to version `1.28.0` your SAML IdP will not function properly. Ideally you would ask your IdP to return you a NameID format of `emailAddress`, but if that is not possible this enhancement will allow FusionAuth to accept the value returned in the `NameID` if the format is returned as `unspecified`. * Resolves [GitHub Issue #1294](https://github.com/FusionAuth/fusionauth-issues/issues/1294) * Instead of logging FreeMarker exceptions to the system log and producing a stack trace that may end up in the UI, an event log will be produced. The message in the UI will be condensed based upon the runtime mode. When in `development` mode some details will be provided to assist in debugging your themed template. If in `production` runtime mode only a message indicating an error occurred will be displayed to the user. * Resolves [GitHub Issue #1299](https://github.com/FusionAuth/fusionauth-issues/issues/1299) ### Internal * Update HikariCP from `3.4.1` to `4.0.3`, and update PostgreSQL JDBC driver from `42.2.14` to `42.2.22` * Resolves [GitHub Issue #1300](https://github.com/FusionAuth/fusionauth-issues/issues/1300) ### Fixed * Allow self-consent form field on a self-service form. * Resolves [GitHub Issue #1258](https://github.com/FusionAuth/fusionauth-issues/issues/1258) * Correct validation of a consent form field on edit. Control type was failing validation on edit. * Resolves [GitHub Issue #1260](https://github.com/FusionAuth/fusionauth-issues/issues/1260) * An imported user requiring password change, and email verification may fail to verify email verification with an email verification gate. * Resolves [GitHub Issue #1265](https://github.com/FusionAuth/fusionauth-issues/issues/1265) * Better parsing of the `X-Fowarded-For` HTTP request header. This header may contain one to many IP addresses, and only the first value should be preserved for the login record. Prior to this fix, it would be possible to see a login record that contained multiple IP addresses separated by a comma. * Resolves [GitHub Issue #1267](https://github.com/FusionAuth/fusionauth-issues/issues/1267) * Correctly show the Verification URL in the OAuth2 configuration when the `Device` grant is selected. This issue was introduced in `1.28.0`. * Resolves [GitHub Issue #1268](https://github.com/FusionAuth/fusionauth-issues/issues/1268) * Use the correct FusionAuth redirect URL when using the Sony PlayStation Network IdP. * Resolves [GitHub Issue #1269](https://github.com/FusionAuth/fusionauth-issues/issues/1269) * Use the correct FusionAuth redirect URL when using the Steam IdP. This IdP uses an Implicit grant and should be using the `/oauth2/callback/implicit` callback URL. * Resolves [GitHub Issue #1272](https://github.com/FusionAuth/fusionauth-issues/issues/1272) * Allow the Epic Games IdP to function properly when omitting the `scope` configuration property. * Resolves [GitHub Issue #1273](https://github.com/FusionAuth/fusionauth-issues/issues/1273) ### Tech Preview * You may optionally start an account link when beginning a Device grant. * Resolves [GitHub Issue #1274](https://github.com/FusionAuth/fusionauth-issues/issues/1274) ### Known Issues * If you are using self-service registration there is a possibility that a user may be required to complete registration by adding additional fields to their account after they login. In this scenario it is possible that they will no longer be able to login and will be required to reset their password. The fix for this was added in `1.29.4`. * Fixed in `1.29.4`, under [GitHub Issue #1344](https://github.com/FusionAuth/fusionauth-issues/issues/1344), thanks to [@flangfeldt](https://github.com/flangfeldt) for reporting the issue * If you are using the [SAML v2 Populate Lambda](/docs/extend/code/lambdas/samlv2-response-populate) or the [SAML v2 Reconcile Lambda](/docs/extend/code/lambdas/samlv2-response-reconcile) the `NameID` field has been changed to an array. You will need to update your lambda code if you are using this field. ### Changed * You may no longer build a synthetic email address using a lambda for an OpenID Connect identity provider. This has been removed because you may now link a user by username or create a link w/out a username or an email to an existing FusionAuth user. If you are using this feature, you may need to plan for a migration to this new behavior. If you have a support contract with FusionAuth, please reach out and ask for additional information. * When using FusionAuth as a SAML IdP, FusionAuth will now accept `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` in addition to `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`. This should allow FusionAuth to work with SAML v2 service providers that only support the persistent NameID format. * Tokens returned by IdPs are no longer stored on the User Registration object in the `tokens` field. Each token is now stored with the IdP link for the User and the IdP. See the [Link](/docs/apis/identity-providers/links) API for additional details. ### New * Reindex API * Resolves [GitHub Issue #1232](https://github.com/FusionAuth/fusionauth-issues/issues/1232) * See the [Reindex](/docs/apis/system#rebuild-the-elasticsearch-index) API for usage. * Account Link API * This API will allow you to link and un-link users in 3rd party identity providers with a FusionAuth user. * See the [Link](/docs/apis/identity-providers/links) API for usage. * IdP Linking options * Each Identity Provider may now be configured with a linking strategy. The strategies will include linking by email, username, anonymous or a link to an existing user. * Linking by username is now supported. There is a higher risk of account takeover using this strategy, you should use caution when using this feature. * Tokens from identity providers should now be retrieved from the link, rather than the registration. More information can be found under `identityProviderLink.token` response value [here](/docs/apis/identity-providers/links#retrieve-a-link) * Email Send API allows an email address in the To field instead of only allowing FusionAuth userIds * See the [Email Send](/docs/apis/emails#send-an-email) API for additional details. * SAML Identity Provider can now be configured to use any NameID format. Previously only the Email NameID format was utilized. * This should allow the SAML identity provider configuration to be more flexible and work with additional SAML identity providers. ### Enhanced * When FusionAuth is acting as a SAML Identity Provider, you may now send a NameID format of Email or Persistent. * This should allow FusionAuth to work with additional SAML service providers such as Slack. * Resolves [GitHub Issue #522](https://github.com/FusionAuth/fusionauth-issues/issues/522) * The [Email Send](/docs/apis/emails#send-an-email) API now allows you to send to a user that does not yet exist in FusionAuth by allowing you to specify an email address for the `To:` field. * Resolves [GitHub Issue #743](https://github.com/FusionAuth/fusionauth-issues/issues/743) * See the [Email Send](/docs/apis/login) API for additional details. * The Facebook and Google Identity Providers will now default to using a redirect instead of a popup for login. All existing configurations will be migrated to use the popup dialog to remain consistent with the previous behavior. With this update you may now also use the `idp_hint` parameter to login with Facebook and Google. * Resolves [GitHub Issue #909](https://github.com/FusionAuth/fusionauth-issues/issues/909) * Additional PKCE and Client Authentication configuration * You may now optionally configure PKCE as required, not required, or required when not using a confidential client. This offers better compatibility when multiple client types (a webapp and a mobile app, for example) are authenticating against a single FusionAuth application. * Resolves [GitHub Issue #1152](https://github.com/FusionAuth/fusionauth-issues/issues/1152) * Add the currently selected Two Factor method object to the Themed Two Factor page `/oauth2/two-factor` * Resolves [GitHub Issue #1237](https://github.com/FusionAuth/fusionauth-issues/issues/1237), thanks to one of our MVPs - [@flangfeldt](https://github.com/flangfeldt) for the suggestion! * Allow using IdP buttons on the Themed registration page * Resolves [GitHub Issue #554](https://github.com/FusionAuth/fusionauth-issues/issues/554), thanks to [@gordody](https://github.com/gordody) for the request! * When using email verification required with the gated configuration, optionally send the user another email before entering the gated page if the user does not have an existing verification email that is not expired. * Resolves [GitHub Issue #1247](https://github.com/FusionAuth/fusionauth-issues/issues/1247), thanks to [@lliu-20200701](https://github.com/lliu-20200701) for the suggestion. ### Fixed * Do not add the `NotBefore` assertion on the SAML AuthN response on the subject confirmation. * Resolves [GitHub Issue #1215](https://github.com/FusionAuth/fusionauth-issues/issues/1215), thanks to [@pakomp](https://github.com/pakomp) for pointing out this issue! * When importing users with `passwordChangeRequired=true` w/out specifying the change reason an exception may occur during login. * Resolves [GitHub Issue #1245](https://github.com/FusionAuth/fusionauth-issues/issues/1245), thanks to [@lliu-20200701](https://github.com/lliu-20200701) for finding this bug. * When using the email verification gate and self-service registration if a user requires their email to be verified and is forced through the complete registration flow they will not be correctly gated. * Resolves [GitHub Issue #1246](https://github.com/FusionAuth/fusionauth-issues/issues/1246), thanks to [@lliu-20200701](https://github.com/lliu-20200701) for reporting! * Fix a JavaScript bug that may cause some of the themed pages to render incorrectly in the view window. * Resolves [GitHub Issue #1228](https://github.com/FusionAuth/fusionauth-issues/issues/1228), thanks to [@flangfeldt](https://github.com/flangfeldt) for reporting! ### Tech Preview * New IdPs for EpicGames, Nintendo, Sony PlayStation Network, Steam, Twitch, Xbox - see [link](/docs/get-started/core-concepts/identity-providers) for more information * Resolves [GitHub Issue #1205](https://github.com/FusionAuth/fusionauth-issues/issues/1205) - Sony PlayStation Network * Resolves [GitHub Issue #1206](https://github.com/FusionAuth/fusionauth-issues/issues/1206) - Nintendo ** Note, the Nintendo IdP is not yet fully functional. This will be completed in a patch release. * Resolves [GitHub Issue #1207](https://github.com/FusionAuth/fusionauth-issues/issues/1207) - Twitch * Resolves [GitHub Issue #1208](https://github.com/FusionAuth/fusionauth-issues/issues/1208) - Steam * Resolves [GitHub Issue #1209](https://github.com/FusionAuth/fusionauth-issues/issues/1209) - Epic Games * Resolves [GitHub Issue #1210](https://github.com/FusionAuth/fusionauth-issues/issues/1210) - Xbox * Development kickstart reset. When you are running in `development` runtime mode, you'll see a `Reset` menu item in the System navigation menu. * See System -> Reset * There is now a JWT populate lambda for the Client Credentials grant. See [link](/docs/extend/code/lambdas/client-credentials-jwt-populate) for more information. * Resolves [GitHub Issue #1233](https://github.com/FusionAuth/fusionauth-issues/issues/1233) ### Changed * In version `1.26.0` the ability to use `user.data.email` for Forgot Password and Passwordless login flows was removed. Support for this behavior has been restored in this patch. * Resolves [GitHub Issue #1204](https://github.com/FusionAuth/fusionauth-issues/issues/1204), thanks to [@mcs](https://github.com/mcs) for letting us know how this change impacted his usage. ### Fixed * When building a new theme starting with 1.27.0, you may encounter a JavaScript error during page render. This error should not cause any end user failures, but the login may not properly capture the browser type. * Resolves [GitHub Issue #1216](https://github.com/FusionAuth/fusionauth-issues/issues/1216) ### Fixed * When migrating from 1.26.0 or earlier to version 1.27.0 the initial render of the add Tenant panel in the admin UI may fail to render. If you encounter this issue, you may upgrade or edit the FusionAuth tenant first and then try the request again. * Resolves [GitHub Issue #1196](https://github.com/FusionAuth/fusionauth-issues/issues/1196) * Make the verification flow simpler when you enable both email and registration verification during self-service registration. * Resolves [GitHub Issue #1198](https://github.com/FusionAuth/fusionauth-issues/issues/1198) * The view dialog for the SAML v2 IdP Initiated configuration may not render correctly. * Resolves [GitHub Issue #1200](https://github.com/FusionAuth/fusionauth-issues/issues/1200) * When configuring the SAML v2 IdP Initiated Login configuration for an IdP that has a `issuer` that is not a URL the configuration will fail because we are expecting a URL for this field. * Resolves [GitHub Issue #1203](https://github.com/FusionAuth/fusionauth-issues/issues/1203) ### Changed * Login API now returns `213` for Registration Not Verified. * See the [Login](/docs/apis/login) API response for additional details. * The Login API and the User API may optionally return a `emailVerificationId` or `registrationVerificationId` to assist the developer in completing a verification workflow when the verification strategy has been configured to use a short code instead of a long "clickable" link. * See the [Login](/docs/apis/login) API response for additional details. * The Verify Email API now takes the `verificationId` in the request body instead of a URL segment. See the [Verify Email](/docs/apis/users#verify-a-users-email) API for additional details. * This change is backwards compatible, but the deprecated use of the API may be removed in the future. * The client libraries methods have also been preserved, but a new method has been added to accept a request body. * The Verify Registration API now takes the `verificationId` in the request body instead of a URL segment. * This change is backwards compatible, but the deprecated use of the API may be removed in the future. * The client libraries methods have also been preserved, but a new method has been added to accept a request body. * When calling `PUT` on the Login API (ping) the response may optionally return an `emailVerificationId` or `registrationVerificationId` to assist the developer in completing a verification workflow when the verification strategy has been configured to use a short code instead of a long "clickable" link. * See the Login API response for additional details. * The User API and Registration API may optionally return an `emailVerificationId` or a map of registration verification Ids to assist the developer in completing a verification workflow when the verification strategy has been configured to use a short code instead of a long "clickable" link. * See the User and Registration API response examples for additional details. ### Fixed * CleanSpeak username filtering may not always work when using advanced self-service registration forms with only one step. * Resolves [GitHub Issue #1158](https://github.com/FusionAuth/fusionauth-issues/issues/1158) * Link to SAML v2 IdP Initiated Add in the admin UI was missing. See GH issue for a work around. * Resolves [GitHub Issue #1181](https://github.com/FusionAuth/fusionauth-issues/issues/1181) * Fixes for the new API Key API - usages in the admin UI. Allow the admin UI to upgrade and downgrade API keys for Key Manager. * Resolves [GitHub Issue #1174](https://github.com/FusionAuth/fusionauth-issues/issues/1174) ### Tech Preview * Application Themes. You may optionally assign a theme per application which will then be utilize instead of the tenant configuration. * [GitHub Issue #769](https://github.com/FusionAuth/fusionauth-issues/issues/769) * Email verification gate. When using the FusionAuth themed pages, you may force a user to verify their email address before being redirected back to your application. * [GitHub Issue #1191](https://github.com/FusionAuth/fusionauth-issues/issues/1191) * Configurable verification strategies to use an interactive form instead of a clickable link. * May require a change to your email template, see the updated Email Verification documentation for additional details. * [GitHub Issue #1191](https://github.com/FusionAuth/fusionauth-issues/issues/1191) * Unique usernames. Allow more than one user to select the same username and allow FusionAuth to manage a unique suffix. * Resolves [GitHub Issue #1190](https://github.com/FusionAuth/fusionauth-issues/issues/1190) ### New * Product Version API. * Resolves [GitHub Issue #1193](https://github.com/FusionAuth/fusionauth-issues/issues/1193) * Thanks to [@jegger](https://github.com/jegger) for the request! * See [Version](/docs/apis/system#retrieve-system-version) API for additional details or find `retrieveVersion` in your FusionAuth client library. ### Enhancements * Try to support Microsoft Outlook Safe Links * Hopefully 🤞 resolves [GitHub Issue #629](https://github.com/FusionAuth/fusionauth-issues/issues/629) * Support HTTP Basic Auth using an API key for the Prometheus Metrics endpoint added in 1.26.0. * See Prometheus endpoint documentation for additional details on authenticating this endpoint. * Resolves [GitHub Issue #1189](https://github.com/FusionAuth/fusionauth-issues/issues/1189) ### Fixed * If you use a non default theme for the FusionAuth default tenant, you may see an error when trying to log in to the admin UI after upgrading to version 1.25.0. You can workaround this by appending `?&bypassTheme=true` to your login URL, or append `/admin/` to your base FusionAuth URL to log into the admin UI. * Resolves [GitHub Issue #1175](https://github.com/FusionAuth/fusionauth-issues/issues/1175). ### Known Issues * You cannot create a "SAML v2 IdP Initiated" Identity Provider in the admin UI; it isn't present in the "Add Identity Providers" dropdown. You can workaround this by entering the URL to add an Identity Provider manually: `\[GitHub Issue #1181](https://auth.example.com/admin/identity-provider/add/SAMLv2IdPInitiated` (append `/admin/identity-provider/add/SAMLv2IdPInitiated` to your FusionAuth base URL). Tracking in https://github.com/FusionAuth/fusionauth-issues/issues/1181). Lots of changes ahead! Read carefully to see how this release may affect you. **Two Factor APIs** Breaking changes. If you use this functionality, please review the API changes and test before upgrading. The Two-Factor API, two-factor fields on the User and Import User APIs and the Integrations API have changed and are not backwards compatible. If you use this functionality, please review the API changes and test before upgrading. **Upgrading from < 1.7.0** If you are upgrading from a version less than 1.7.0, you must do a two stage upgrade. Upgrade to a version greater than or equal to 1.7.0 but less than 1.26.0, then upgrade from that version to 1.26.0. There were internal migration changes which necessitate this two stage process. **Accessing the admin Login after upgrading:** The `/` path of FusionAuth no longer automatically forwards to the admin login. To access the admin UI to complete this configuration append `/admin/` to the URL. Once the theme configuration is complete, this root page will contain links to login and instructions on how to utilize this root landing page. ### Known Issues * If you use a non default theme for the FusionAuth default tenant, you may see an error when trying to log in to the admin UI. You can workaround this by appending `?&bypassTheme=true` to your login URL. * Resolved in `1.26.1`, see [GitHub Issue #1175](https://github.com/FusionAuth/fusionauth-issues/issues/1175) for additional details. ### Changed * The Two-Factor API has changed which allows you to enable and disable Two-Factor methods as well as send codes. * See the [Two-Factor](/docs/apis/two-factor) API for more details. * The Two-Factor Login API now returns `409` for too many attempts. This allows the Two-Factor Login API to provide the same locking capability as the Login API when too many failed attempts occur. * See the [Two-Factor Login](/docs/apis/login#complete-multi-factor-authentication) API for more details. * The Import API has changed for enabling Two-Factor. * See the [User Import](/docs/apis/users#import-users) API for changes. * The User API has changed for enabling and disabling Two-Factor. See the [User](/docs/apis/users) API for changes. * See the [User](/docs/apis/users) API for changes. * Email and SMS Two-Factor methods will now require a paid FusionAuth plan. [Learn more about paid plans](/pricing). * If you are only using Authenticator/TOTP for Two-Factor, this functionality will continue to work properly in the Community plan. * If you are upgrading from a version less than 1.7.0, you must do a two stage upgrade. Upgrade to a version greater than or equal to 1.7.0 but less than 1.26.0, then upgrade from that version to 1.26.0. There were internal migration changes which necessitate this two stage process. ### Fixed * You can now delete a user registration for an inactive application * Resolves [GitHub Issue #1148](https://github.com/FusionAuth/fusionauth-issues/issues/1148) * Spurious text '[object Object]' on FusionAuth admin UI screen when certain Chrome extensions present. * Resolves [GitHub Issue #1151](https://github.com/FusionAuth/fusionauth-issues/issues/887). Thanks to [@NikolayMetchev](https://github.com/NikolayMetchev) for filing this. ### Tech Preview * Entity Management * Resolves [GitHub Issue #881](https://github.com/FusionAuth/fusionauth-issues/issues/881) ### New * Prometheus Metrics endpoint * Resolves [GitHub Issue #362](https://github.com/FusionAuth/fusionauth-issues/issues/362) * IdP initiated SSO * Resolves [GitHub Issue #566](https://github.com/FusionAuth/fusionauth-issues/issues/566) * An API key to create API keys! * Resolves [GitHub Issue #887](https://github.com/FusionAuth/fusionauth-issues/issues/887). Thanks to [@Tintwo](https://github.com/Tintwo) for filing this. * Portions of [GitHub Issue #960](https://github.com/FusionAuth/fusionauth-issues/issues/960) were delivered, including features such as: * Two-Factor step-up API * SMS Two-Factor with configurable delivery methods * Localized Message Templates which can be used for SMS Two-Factor messages * Self service user profile page * Resolves [GitHub Issue #682](https://github.com/FusionAuth/fusionauth-issues/issues/682) * Themeable root page * Resolves [GitHub Issue #378](https://github.com/FusionAuth/fusionauth-issues/issues/378) * Messengers which are used to send SMS messages through Twilio, Kafka or a generic JSON REST API * Licensing now supports air-gapped deployments * Client Credentials grant * Resolves [GitHub Issue #155](https://github.com/FusionAuth/fusionauth-issues/issues/155) ### Enhancements * Add IP address to login success and failed events. * Resolves [GitHub Issue #1162](https://github.com/FusionAuth/fusionauth-issues/issues/1162) ### Changed * In support of the SAML v2 Logout feature, the following theme changes have been made. * New themed template `SAMLv2 logout template`. This template will be rendered when you utilize the SAML v2 Logout feature, it is nearly identical to the existing OAuth2 logout themed page. If you are using themes, please review your theme to ensure your user experience is not interrupted. ### Fixed * If you are using Elasticsearch version 6 you may encounter an error when using the Search API. This is due to a change in how we optionally request the document hit count in the search request to Elasticsearch. The change is not compatible with Elasticsearch version 6. As a work around, you can set `accurateTotal=true` in the API request. See the [User Search](/docs/apis/users#search-for-users) API for additional details on using this parameter. * Resolves [GitHub Issue #1135](https://github.com/FusionAuth/fusionauth-issues/issues/1135) * Using the HTTP `PATCH` method on the FusionAuth application may produce erroneous validation errors. * Resolves [GitHub Issue #1110](https://github.com/FusionAuth/fusionauth-issues/issues/1110) * Adding additional Java options in the configuration file when the value contains a space may not work correctly. * Resolves [GitHub Issue #1065](https://github.com/FusionAuth/fusionauth-issues/issues/1065) * A `NullPointerException` may occur when you have users registered for an application in a non default tenant and you create a login report for only that application. Thanks to [@NikolayMetchev](https://github.com/NikolayMetchev) for filing this. * Resolves [GitHub Issue #1115](https://github.com/FusionAuth/fusionauth-issues/issues/1115) * When you omit the `state` parameter on the Authorization request, you may receive a `state` parameter on the `redirect_uri` that you did not expect. * Resolves [GitHub Issue #1113](https://github.com/FusionAuth/fusionauth-issues/issues/1113) ### New * Add full support for SAML v2 Logout * Resolves [GitHub Issue #1137](https://github.com/FusionAuth/fusionauth-issues/issues/1137) ### Enhancements * Add a button to the Sessions tab in the FusionAuth admin UI to delete all user sessions at once, this action is also available from the drop down action list when managing a user. * Resolves [GitHub Issue #1094](https://github.com/FusionAuth/fusionauth-issues/issues/1094) * Add Debug to OAuth2 grants, this will primarily assist in debugging the Authorization Code grant auth code exchange with the Token endpoint. * Resolves [GitHub Issue #781](https://github.com/FusionAuth/fusionauth-issues/issues/781) * Add CORS Debug, this will assist you in debugging CORS related `403` HTTP status codes. * Resolves [GitHub Issue #1126](https://github.com/FusionAuth/fusionauth-issues/issues/1126) * Better SMTP debug for specific scenarios. This should assist with async connection issues and provide context to the tenant and template being rendered during the exception. * Resolves [GitHub Issue #1064](https://github.com/FusionAuth/fusionauth-issues/issues/1064) * Allow the Registration API to accept the `applicationId` as a URL segment * Resolves [GitHub Issue #1127](https://github.com/FusionAuth/fusionauth-issues/issues/1127) * Twitter IdP Login API can optionally accept an access token. When building your own login page, if you complete the initial step with Twitter and utilize the `oauth_verifier` to perform some initial processing of the Twitter user, you may now still send the access token in the form of `oauth_token` and `oauth_token_secret` to FusionAuth to complete the login. This is done by omitting the `oauth_verifier` on the Login request. See [Complete the Twitter Login](/docs/apis/identity-providers/twitter#complete-the-twitter-login) for additional information. * Resolves [GitHub Issue #1073](https://github.com/FusionAuth/fusionauth-issues/issues/1073) * When Key Master generates a `kid` because one is not provided on the request, if there is a public key, generate the `kid` as a JWK thumbprint instead of a randomly generated value. * Resolves [GitHub Issue #1136](https://github.com/FusionAuth/fusionauth-issues/issues/1136) * When using the Search feature in the FusionAuth admin UI, once you begin searching using a specific term or any of the advanced controls, the pagination result total will be an accurate representation of the number of matches returned by Elasticsearch. When no search criteria is provided, the number of matches will cap at the default value of 10,000 and the pagination results will indicate 10,000+ which means at least 10,000 users match the search criteria. ### Internal * Upgrade Tomcat from version `8.5.57` to `8.5.63`. * Resolves [GitHub Issue #1119](https://github.com/FusionAuth/fusionauth-issues/issues/1119) ### Known Issues * If you are using Elasticsearch version 6 you may encounter an error when using the Search API. This is due to a change in how we optionally request the document hit count in the search request to Elasticsearch. The change is not compatible with Elasticsearch version 6. As a work around, you can set `accurateTotal=true` in the API request. * Resolved in `1.25.0`, see [GitHub Issue #1135](https://github.com/FusionAuth/fusionauth-issues/issues/1135) for additional details. ### Security * More consistent usage of the `Cache-Control` HTTP response header. The default for all pages will be `Cache-Control: no-cache`, and some pages that may contain potentially sensitive information such as the API key add, edit or index pages will use a `Cache-Control: no-store`. No known vulnerability exists with the previous behavior, this is just a proactive change to limit the possible mis-use of cached pages in the FusionAuth admin UI. * Resolves [GitHub Issue #1103](https://github.com/FusionAuth/fusionauth-issues/issues/1103) * A vulnerability in an underlying SAML v2 library was resolved. If you are using SAML please upgrade FusionAuth to 1.24.0 or later as soon as possible. * [CVE-2021-27736](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27736) * [CSNC-2021-004](https://www.compass-security.com/fileadmin/Research/Advisories/2021-03_CSNC-2021-004_FusionAuth_SAML_Library_XML_External_Entity.txt) ### Changed * The `applicationId` and `roles` claims are no longer returned in the `id_token` issued when requesting the `openid` scope. The `id_token` should not be used for authorization, this change makes it less likely to mis-use this token. If you have a requirement for these claims (you shouldn't), you can add them back by using a JWT Populate lambda. See [Id Token claims](/docs/lifecycle/authenticate-users/oauth/tokens#id-token) for additional information. * Resolves [GitHub Issue #1102](https://github.com/FusionAuth/fusionauth-issues/issues/1102) ### Fixed * When using the Add or Edit Identity Provider forms in the admin UI, if you have ~2,000 or more applications it is possible for the form request to be truncated by the underlying application server. This error is caused by the maximum number of request parameters being exceeded. This form in particular, along with the Group Add/Edit and Webhook Add/Edit contains a number of fields that is a function of the number of applications configured. An informational error may be written to the system log indicating this truncation has occurred, but no hard error would have occurred. The symptom will be that depending upon your configuration, a portion of it may be lost during this form submit. The entry in the log will contain this message `org.apache.tomcat.util.http.Parameters.processParameters More than the maximum number of request parameters (GET plus POST) for a single request ([10,000]) were detected. Any parameters beyond this limit have been ignored.`. * Resolves [GitHub Issue #1057](https://github.com/FusionAuth/fusionauth-issues/issues/1057) * When you have registered a custom plugin for password hashing, using the View Tenant dialog may fail to render. * Resolves [GitHub Issue #1063](https://github.com/FusionAuth/fusionauth-issues/issues/1063) * Unable to remove a User from a Group using the admin UI dialog. This was a regression issue introduced in version 1.23.0. * Resolves [GitHub Issue #1081](https://github.com/FusionAuth/fusionauth-issues/issues/1081) * If a user was not currently in the Elasticsearch index, the user delete request may fail. * Resolves [GitHub Issue #1088](https://github.com/FusionAuth/fusionauth-issues/issues/1088) * The JWT returned from the Register API when you are creating a User and a Registration in one request may not contain the `roles` claim. This occurs when you do not assign the roles explicitly on the request, and instead are using default role assignment in the application configuration. * Resolves [GitHub Issue #1106](https://github.com/FusionAuth/fusionauth-issues/issues/1106) * Updating a User that has existing group memberships may no longer be searchable in Elasticsearch by their Group memberships until the next time the user logs into FusionAuth. * Resolves [GitHub Issue #1087](https://github.com/FusionAuth/fusionauth-issues/issues/1087) * A Kafka Producer configuration that contains an equals sign `=` in the property value will fail to parse. This was identified in attempting to configure credentials to connect to CloudKarafka. * Resolves [GitHub Issue #1107](https://github.com/FusionAuth/fusionauth-issues/issues/1107), thanks to [@chris-bridges](/community/forum/user/chris-bridges) for letting us know! ### Enhancements * Support a Kickstart file with only a `licenseId`. Previously at least one API key was required because the intent of Kickstart is to call one or more APIs. While there is not a very practical use case for only providing a `licenseId` and no API requests, this minimal configuration will no longer fail indicating an API key is required. See [Set your License Id](/docs/get-started/download-and-install/development/kickstart#set-your-license-id) in the [Kickstart](/docs/get-started/download-and-install/development/kickstart) documentation. * Resolves [GitHub Issue #1080](https://github.com/FusionAuth/fusionauth-issues/issues/1080) * You may now import an RSA certificate with a key bit length less than `2048` into Key Master. The minimum supported RSA key length for signing a JWT is `2048`, so this was previously the minimum requirement to import anything into Key Master. However, we have several configurations now that require a certificate that is only used to verify a signature from a third party. In these cases, we are not using the certificate to sign anything, and [@trevorr](https://github.com/trevorr) rightly pointed out that we should allow smaller keys to be imported to support these use cases. Thank you for the (now obvious) insight! We really appreciate our community members that provide us value for value. * Resolves [GitHub Issue #1085](https://github.com/FusionAuth/fusionauth-issues/issues/1085) & [GitHub Issue #1091](https://github.com/FusionAuth/fusionauth-issues/issues/1091) * Added an additional Search API parameter to allow you to obtain the actual hit count from Elasticsearch. For performance reasons, the default behavior of an Elasticsearch query is to limit the hit count to 10,000. This means that if your query matched more than 10,000 records, the API response will only indicate that at least 10,000 records matched. This is very adequate for pagination purposes, or general queries. There are times where you are building a very specific query and the intent is to identify an accurate number of matching records. You may now provide an additional parameter to the search request named `accurateTotal` which will then return an accurate hit count on the API response. See the [User Search](/docs/apis/users#search-for-users) API for additional details. * Resolves [GitHub Issue #1086](https://github.com/FusionAuth/fusionauth-issues/issues/1086) * Allow the user to click on the Enabled column in the Webhook event configuration in the Webhook and Tenant configurations to enable or disable all events at once. This is just a usability enhancement to save you from clicking over and over. You're welcome. * Resolves [GitHub Issue #1093](https://github.com/FusionAuth/fusionauth-issues/issues/1093) * For pages with potentially a lot of items such as Applications, Tenants, etc - that do not currently have pagination, add a count at the bottom of the panel. This allows you to look smart by knowing how many "things" you have without having to count them yourself. * Resolves [GitHub Issue #1104](https://github.com/FusionAuth/fusionauth-issues/issues/1104) ### Internal * Some enhancements to JavaScript event handlers to perform better on pages with 2-3k+ applications. Pretty boring. * Resolves [GitHub Issue #1105](https://github.com/FusionAuth/fusionauth-issues/issues/1105) ### Fixed * A tenant delete request may fail. See details in the linked GH issue for a work around. This issue was introduced in version 1.22.0. * Resolves [GitHub Issue #1075](https://github.com/FusionAuth/fusionauth-issues/issues/1075) ### Fixed * A bug in the PostgreSQL migration will cause you to lose your SAML v2 IdP configuration. If you are using MySQL or you are not using the SAML v2 IdP configuration, this bug will not affect you. The issue was introduced in version 1.21.0, so if you are upgrading from a version prior to 1.21.0 to 1.23.2 you will not be affected. If you have already upgraded to 1.21.0 or any version greater than 1.21.0 prior to this patch, you will have already encountered the issue. If you do encounter this issue, you will need to update the SAML v2 IdP configuration found in each affected Application configuration. * Resolves [GitHub Issue #1074](https://github.com/FusionAuth/fusionauth-issues/issues/1074) ### Fixed * When configured to sign the SAML v2 AuthN requests to the SAML v2 IdP, the SAML v2 SP metadata does not correctly reflect this settings. The attribute `AuthnRequestsSigned` should now reflect the signing configuration. * When configured to sign requests, the SP metadata response will now also contain the KeyDescriptor element to describe the X.509 certificate used to verify the signature. * Resolves [GitHub Issue #1067](https://github.com/FusionAuth/fusionauth-issues/issues/1067) ### Known Issues * If you are upgrading to this version, are using PostgreSQL, and you intend to use the provided LinkedIn Reconcile lambda, you will need to make a small adjustment prior to using it. * Navigate to Customizations -> Lambdas and edit the lambda named `Default LinkedIn Reconcile provided by FusionAuth` and click edit. You will see an error indicated by a red dot on line `23` of the function body. To fix this error, delete the two empty lines between the end of line `23` and `25`, once the error indicator is gone, save the lambda. * Unable to remove a User from a group using the admin UI dialog. * Fixed in version 1.24.0 via [GitHub Issue #1081](https://github.com/FusionAuth/fusionauth-issues/issues/1081) ### Fixed * A validation error may not be visible when selecting self service registration options when the FusionAuth license has not been activated. * Resolves [GitHub Issue #951](https://github.com/FusionAuth/fusionauth-issues/issues/951) * The User Action API was returning a `200` status code instead of a `404` when requesting an action by Id that did not exist. * Resolves [GitHub Issue #991](https://github.com/FusionAuth/fusionauth-issues/issues/991), thanks to [@hkolbeck-streem](https://github.com/hkolbeck-streem) for the report! * The IP address shown on the About panel may be the same for each node when viewed on a multi-node FusionAuth instance. This address is shown for informational purposes and was only a cosmetic defect w/out any functional issues. * Resolves [GitHub Issue #1030](https://github.com/FusionAuth/fusionauth-issues/issues/1030) * The SAML Response XML was failing XSD validation for the `Signature` element location when the request was not successful, or FusionAuth was configured to sign the response instead of the assertion. * Resolves [GitHub Issue #1047](https://github.com/FusionAuth/fusionauth-issues/issues/1047), thanks to [@MrChrisRodriguez](https://github.com/MrChrisRodriguez) for the excellent report! * Fix a possible NPE when making an Update request to a group in a multi-tenant environment. With this fix, the correct API response will be returned. * Resolves [GitHub Issue #1052](https://github.com/FusionAuth/fusionauth-issues/issues/1052), thanks to [@atrauzzi](https://github.com/atrauzzi) for the report! * When creating an IdP from the API for Google, Facebook, Twitter, or HYPR - the API was allowing an Id to be provided. Each of these IdP types of which only one are allowed, have a fixed Id that is managed by FusionAuth. The API should ignore the requested Id and set the correct Id instead. If you encounter this issue, the work around is to omit the Id on the API request. * Resolves [GitHub Issue #1058](https://github.com/FusionAuth/fusionauth-issues/issues/1058) * Kickstart fails when using a variable in the `tenantId` field for an API key. * Resolves [GitHub Issue #1060](https://github.com/FusionAuth/fusionauth-issues/issues/1060), thanks to [@rhofland](https://github.com/rhofland) for the report and the excellent recreate steps! ### New * Sign in with LinkedIn. A new identity provider type is available for LinkedIn. * Resolves [GitHub Issue #34](https://github.com/FusionAuth/fusionauth-issues/issues/34) * New FusionAuth roles oriented for Level 1 support personnel. These new roles are named `user_support_viewer` and `user_support_manager`, see FusionAuth application roles for additional detail. * Resolves [GitHub Issue #1027](https://github.com/FusionAuth/fusionauth-issues/issues/1027) ### Enhancements * Updates to the User and Import API to provide validation on the length of an email address. This will provide a developer a better error when the provided email address is too long. * Resolves [GitHub Issue #900](https://github.com/FusionAuth/fusionauth-issues/issues/900) ### Client libraries * Enhancements to the .NET Core client library to better support requests in a multi-tenant environment and to use the `IDictionary` reference instead of `Dictionary`. * Resolves [GitHub Issue #1049](https://github.com/FusionAuth/fusionauth-issues/issues/1049) and [GitHub Issue #1050](https://github.com/FusionAuth/fusionauth-issues/issues/1050), thanks to [@atrauzzi](https://github.com/atrauzzi) for sharing his .NET Core expertise! ### Fixed * When using a connector, if the provided password does not meet the configured password constraints the login attempt will fail. This is by design, however because FusionAuth is not the Source of Record (SoR) it should not be required that the password to meet the configured password constraints. The current SoR should enforce their own password constraints. If the connector is configured to migrate the user, and the tenant policy is configured to validate password constraints on login, the password will be validated according to this policy. * Resolves [GitHub Issue #1020](https://github.com/FusionAuth/fusionauth-issues/issues/1020), thanks to [@ckolbeck-streem](https://github.com/ckolbeck-streem) for the help! * Using the Verify Email workflow on the FusionAuth themed pages when the email address has a plus sign (`+`) in the local part of the address may fail to send the user an email. * Resolves [GitHub Issue #1034](https://github.com/FusionAuth/fusionauth-issues/issues/1034) ### Fixed * When endpoint discovery is disabled, OpenID Connect endpoint validation errors may be hidden when editing the OpenID Connect IdP configuration in the UI. * Resolves [GitHub Issue #794](https://github.com/FusionAuth/fusionauth-issues/issues/794) * The Manage User page may fail to render when the user has an action or comment made by a user without an email address. * Resolves [GitHub Issue #1012](https://github.com/FusionAuth/fusionauth-issues/issues/1012), nice catch by [@pamcpd](https://github.com/pamcpd)! * The `tenantId` parameter may not be preserved correctly in a multi-tenant configuration during the Device authorization grant. * Resolves [GitHub Issue #1016](https://github.com/FusionAuth/fusionauth-issues/issues/1016), thanks to [@JediSquirrel](https://github.com/JediSquirrel) and [@jerryhopper](https://github.com/jerryhopper) for reporting! ### Enhancements * Limit the origin validation during OAuth2 grants that occur as a result of a redirect from FusionAuth. * Resolves [GitHub Issue #1018](https://github.com/FusionAuth/fusionauth-issues/issues/1018), thanks to our Icelandic friend [@eirikur-grid](https://github.com/eirikur-grid) for reporting. * Expose the default signing key Id as a Kickstart variable. See the [Kickstart installation guide](/docs/get-started/download-and-install/development/kickstart#reference) for additional detail. * Resolves [GitHub Issue #1026](https://github.com/FusionAuth/fusionauth-issues/issues/1026), thanks to [@dan-barrett](https://github.com/dan-barrett) for the request! ### Changed * The Application and Tenant domain objects now contain a `state` field that will be returned on the API response. * This new `state` field replaces the `active` boolean on the Application object and API. The `active` field is now deprecated, and backwards compatibility will be preserved. ### Fixed * When viewing a form in the UI, the required column value may not be correct. * Resolves [GitHub Issue #975](https://github.com/FusionAuth/fusionauth-issues/issues/975) * Unable to request a second 2FA code on the themed login page during a 2FA login request. See the linked GitHub isssue for a work around. * Resolves [GitHub Issue #980](https://github.com/FusionAuth/fusionauth-issues/issues/980), thanks to [@DaviddH](https://github.com/DaviddH) for reporting the issue! * A missing message may cause an exception during a login attempt when using an LDAP connector. * Resolves [GitHub Issue #981](https://github.com/FusionAuth/fusionauth-issues/issues/981), thanks to [@ruckc](https://github.com/ruckc) for letting us know. * Incorrect message shown on a registration form when no fields have been added, this is purely a cosmetic issue. * Resolves [GitHub Issue #983](https://github.com/FusionAuth/fusionauth-issues/issues/983) * The view dialog for an a Google IdP incorrectly shows the client secret for both the Client Id and the Client secret fields. * Resolves [GitHub Issue #999](https://github.com/FusionAuth/fusionauth-issues/issues/999) * Selecting a preferred language during login may append this value to the user's configuration allowing for possible duplicate locales. * Resolves [GitHub Issue #1006](https://github.com/FusionAuth/fusionauth-issues/issues/1006), thanks to [@arni-inaba](https://github.com/arni-inaba) for reporting the issue. * Using the Import API to import users to a tenant other than the default tenant when more than one tenant is configured may fail validation. This issue was introduced in version 1.20.0 under [GitHub Issue #915](https://github.com/FusionAuth/fusionauth-issues/issues/915). * Resolves [GitHub Issue #1008](https://github.com/FusionAuth/fusionauth-issues/issues/1008) * Logging out of FusionAuth SSO when you have a webhook configured to receive the Refresh Token Revoke event, may cause an exception that will be found in an event log. * Resolves [GitHub Issue #1017](https://github.com/FusionAuth/fusionauth-issues/issues/1017) ### New * The Elasticsearch index name can now be configured. This may be helpful if you wish to run multiple instances of FusionAuth on the same Elasticsearch cluster. See `fusionauth-app.user-search-index.name` in the FusionAuth configuration for additional details. * Resolves [GitHub Issue #631](https://github.com/FusionAuth/fusionauth-issues/issues/631), thanks to [@chrishare08](https://github.com/chrishare08) for the suggestion. * Add async support for the Delete Tenant API. Deleting a tenant can take a very long time, so when deleting a tenant from the UI, FusionAuth will use the new async option. If you are making an API request to delete a tenant with many users, you may wish to use the async option. See the Tenant API for additional details. * Resolves [GitHub Issue #990](https://github.com/FusionAuth/fusionauth-issues/issues/990) ### Enhancements * The Elasticsearch reindex operation is now much faster, especially when re-indexing more than 1 million users. On a reasonably fast system, 1 million users can be re-indexed in approximately 3 minutes, this time is linear as you increase the user count. In general there is no need to re-index in production, but in a development phase or as part of a database migration it may be necessary to re-index the FusionAuth users. * Resolves [GitHub Issue #918](https://github.com/FusionAuth/fusionauth-issues/issues/918) * When configuring an IdP that requires additional CORS configuration to operate properly, FusionAuth will display a warning message in the UI. This message has been updated to make it clearer that additional user action isn't required to complete the configuration. * Resolves [GitHub Issue #998](https://github.com/FusionAuth/fusionauth-issues/issues/998) * Increase the read timeout to third party identity providers. It has been reported that the Apple identity provider in particular may experience a read timeout for particular accounts. * Resolves [GitHub Issue #1010](https://github.com/FusionAuth/fusionauth-issues/issues/1010), thanks to [@thekoding](https://github.com/thekoding) for the suggestion. ## Known Issues * If you are using PostgreSQL and you are using FusionAuth as a SAML v2 IdP, upgrading to this version will break your SAML v2 IdP configuration. Resolved in 1.23.2. * If you are running FusionAuth prior to this version, skip to 1.23.2 to avoid the issue. If you need to update to this version or any version after this version but prior to 1.23.2, you will want to record your existing SAML v2 IdP configuration for each application with SAML v2 IdP enabled so that you can re-configure after the upgrade has completed. ### Fixed * Beginning in version 1.9.0, if you are using the SAML IdP configuration to connect to a third party SAML v2 IdP and you are not using the FusionAuth login pages, you must initiate this request with FusionAuth by using the [Start Login Request](/docs/apis/identity-providers/samlv2#start-a-saml-v2-login-request) API. When making this start request w/out any additional custom data on the API request, an exception may occur. Review the linked issue for a workaround if you are unable to update to this patch release. * Resolves [GitHub Issue #963](https://github.com/FusionAuth/fusionauth-issues/issues/963) * Using Bcrypt as the default hashing scheme may cause an exception to occur in some circumstances. * [GitHub Issue #966](https://github.com/FusionAuth/fusionauth-issues/issues/966), thanks to [@wasdennnoch](https://github.com/wasdennnoch) for reporting the issue and providing great debug info. * Add custom data on the Consent object to the view dialog in the UI, and fix some possible issues with editing Consent and other similar objects with custom data in the UI. In some cases, editing an object such as a Consent in the UI will cause you to lose any custom data you had previously stored. * Resolves [GitHub Issue #970](https://github.com/FusionAuth/fusionauth-issues/issues/970), thanks to [@mgetka](https://github.com/mgetka) for opening this issue. ### Enhancements * The location of the XML signature in the SAML response may be configured to be a child of the `Assertion` element, or the `Response`. The default location is `Assertion` which is the same as the previous behavior to ensure backwards compatibility. In most cases the default configuration is adequate, if you have a SAML v2 Service Provider that requires the signature as a child element of the Response use this configuration to satisify this requirement. * Resolves [GitHub Issue #365](https://github.com/FusionAuth/fusionauth-issues/issues/365), thanks to [@mikerees](https://github.com/mikerees) for requesting this feature. * The PKCE extension will now be used by the OpenID Connect IdP configuration that allows you to connect to third party OpenID Connect identity providers. This allows FusionAuth to be compatible with identity providers that may require PKCE. This change is compatible even if your identity provider does not require or does not support PKCE. * [GitHub Issue #968](https://github.com/FusionAuth/fusionauth-issues/issues/968), thanks to [@jandillmann](https://github.com/jandillmann) for the request! * Add the `application` domain object to email templates when available. This will allow you to use the Application name using `${application.name}` in your template. * Resolves [GitHub Issue #976](https://github.com/FusionAuth/fusionauth-issues/issues/976) ### Fixed * UI sorting preferences were not preserved after a page refresh * Resolves [GitHub Issue #461](https://github.com/FusionAuth/fusionauth-issues/issues/461), thanks to [@mreschke](https://github.com/mreschke) (a fellow Coloradan) for letting us know! * Update a tooltip to better describe the use of Require authentication in the OAuth settings * Resolves [GitHub Issue #654](https://github.com/FusionAuth/fusionauth-issues/issues/654), thanks to [@JuliusPC](https://github.com/JuliusPC) for the suggestion. * A exception may occur if you attempt to change your password immediately after installation before modifying the Tenant configuration to configure email, JWT settings etc. * Resolves [GitHub Issue #758](https://github.com/FusionAuth/fusionauth-issues/issues/758), thanks to [@srothery](https://github.com/srothery) for the report and debug assistance! * Providing duplicate connector policies on the Tenant API may cause an exception * Resolves [GitHub Issue #917](https://github.com/FusionAuth/fusionauth-issues/issues/917) * Set the Twitter tokens in the User Registration after logging in with Twitter * Resolves [GitHub Issue #937](https://github.com/FusionAuth/fusionauth-issues/issues/937), thanks to [@LohithBlaze](https://github.com/LohithBlaze) for reporting the bug. * Allow the Refresh Token meta data fields to be set during the Password Grant * Resolves [GitHub Issue #947](https://github.com/FusionAuth/fusionauth-issues/issues/947), thanks to [@ShayMoshe](https://github.com/ShayMoshe) for letting us know about this limitation. ### Enhancements * Add additional Kickstart settings to modify the default timeouts used to make API calls to FusionAuth. * Resolves [GitHub Issue #803](https://github.com/FusionAuth/fusionauth-issues/issues/803), thanks to [@seanadkinson](https://github.com/seanadkinson) for the suggestion! * Expose default Lambda and Form Ids to Kickstart so you can assign one of the default Lambdas to an identity provider configuration. * Resolves [GitHub Issue #836](https://github.com/FusionAuth/fusionauth-issues/issues/836), thanks to [@LohithBlaze](https://github.com/LohithBlaze) for letting us know about this limitation. * Return the `encryptionScheme` on the User API response when authenticated using an API key. * Resolves [GitHub Issue #955](https://github.com/FusionAuth/fusionauth-issues/issues/955) ### Changed - Updated base image for Docker from `alpine` to `ubuntu:focal`. This is a non-functional change, but please be aware of this change if you're building Docker images using ours as a base. In order to run on `alpine` without including the GNU C Library (`glibc`) we had to use a custom build of OpenJDK compiled using the `musl` C library. Due to some possible performance concerns, we have moved to an official build of JDK provide by AdoptOpenJDK compiled using `glibc`. The `ubuntu:focal` base image added ~ 30 MB in size compared to our previous (compressed) image size, but until we can obtain builds from AdoptOpenJDK based upon the `musl` C library, we will not likely ship an official image on `alpine`. * [`fusionauth-containers` / `docker` / `fusionauth` / `fusionauth-app` / `Dockerfile`](https://github.com/FusionAuth/fusionauth-containers/blob/main/docker/fusionauth/fusionauth-app/Dockerfile) * [`hub.docker.com` / `fusionauth` / `fusionauth-app`](https://hub.docker.com/r/fusionauth/fusionauth-app/tags) ### Fixed * Resolve a warning message about an upcoming deprecated use of reflection in a FusionAuth dependency. This warning message was not causing any failures, it was just noisy. * Resolves [GitHub Issue #721](https://github.com/FusionAuth/fusionauth-issues/issues/721) * A negative count may be displayed in the FusionAuth dashboard and other reports. This was primarily due to how the delete tenant was handled as it related to keeping track of total user counts. The delete tenant code path no longer utilizes the Elasticsearch index and takes a safer approach to deleting users and keeping track of total counts. * Resolves [GitHub Issue #799](https://github.com/FusionAuth/fusionauth-issues/issues/799), thanks to [@gurupras](https://github.com/gurupras) for helping us out with this one! * Better user experience for advanced self service forms once a license has been de-activated. * Resolves [GitHub Issue #861](https://github.com/FusionAuth/fusionauth-issues/issues/861) * Fix self service registration form validation when using custom options with a `select`, `radio` or `checkbox.` * Resolves [GitHub Issue #863](https://github.com/FusionAuth/fusionauth-issues/issues/863) * Resolves [GitHub Issue #865](https://github.com/FusionAuth/fusionauth-issues/issues/865) * Resolves [GitHub Issue #867](https://github.com/FusionAuth/fusionauth-issues/issues/867) * Fix UI form validation when adding and removing fields from an existing self service registration from. * Resolves [GitHub Issue #866](https://github.com/FusionAuth/fusionauth-issues/issues/866) * The `applicationId` was not validated on the Import User API, the import would still correctly fail, just not in a developer friendly way. * Resolves [GitHub Issue #915](https://github.com/FusionAuth/fusionauth-issues/issues/915) * Fix a typo the Activate Reactor page in the UI. * Resolves [GitHub Issue #945](https://github.com/FusionAuth/fusionauth-issues/issues/945) * When using self service registration, the `authenticationType` claim found in the resulting JWT was always `PASSWORD` even if the authentication was performed using Facebook, Google or other identity provider. * Resolves [GitHub Issue #948](https://github.com/FusionAuth/fusionauth-issues/issues/948) ### New - Support for SAML v2 POST bindings to a third party SAML v2 Identity Provider (IdP) when FusionAuth is acting as the SAML v2 Service Provider (SP). * Resolves [GitHub Issue #845](https://github.com/FusionAuth/fusionauth-issues/issues/845) - Add the SAML v2 `SessionIndex` in the SAML v2 AuthN request. * Resolves [GitHub Issue #896](https://github.com/FusionAuth/fusionauth-issues/issues/896) - You may now customize the Add and Edit form used to manage users in the FusionAuth admin UI. You may add or remove existing fields found on the User form, or add new fields to allow n admin to manage custom user data. This can be used with advanced self service registration, or as a standalone feature. * This feature requires a paid FusionAuth plan. * Resolves [GitHub Issue #753](https://github.com/FusionAuth/fusionauth-issues/issues/753) - You may now customize the Add and Edit User Registration form used to manage user registration in the FusionAuth admin UI. You may add or remove existing fields found on the User Registration form, or add new fields to allow an admin to manage custom registration data. This can be used with advanced self service registration, or as a standalone feature. * This feature requires a paid FusionAuth plan. * Resolves [GitHub Issue #753](https://github.com/FusionAuth/fusionauth-issues/issues/753) ### Enhancements * When configuring FusionAuth as the SAML v2 IdP, you may not configure one to many redirect URLs, also referred to as Assertion Consumer Service (ACS) URLs. This will allow you to support more than one redirect configuration per FusionAuth application. * Resolves [GitHub Issue #502](https://github.com/FusionAuth/fusionauth-issues/issues/502) * When using more then one tenant the `tenantId` is documented to be required when using the OAuth2 endpoints. However, in some cases it may not be provided, this enhancement allows the correct tenant to be identified during logout when only the `id_token_hint` is provided on the request to `/oauth2/logout` endpoint. This issue only affects FusionAuth versions `1.19.0` and greater due to the addition to multi-tenant SSO. Prior to version `1.19.0`, it was not possible to be logged into more than one tenant at once using FusionAuth SSO. * Resolves [GitHub Issue #925](https://github.com/FusionAuth/fusionauth-issues/issues/925) * Initial build support for multi-arch Docker images. FusionAuth is not yet publishing images for these additional arch types, but we are trying to better support these builds in our base image definition. This should help those running FusionAuth on IBM z(s390x), IBM Power(64 bit PowerPC) and various ARM platforms including AWS Graviton, Apple Bionic and embedded platforms such as Raspberry Pi. Thanks to a bunch of our FusionAuth MVPs including, but not limited to [@jerryhopper](https://github.com/jerryhopper), [@arslanakhtar61](https://github.com/arslanakhtar61), and [@ceefour](https://github.com/ceefour), for helping with this work through code, advice and domain knowledge that we don't have! * [`fusionauth-containers` / `docker` / `fusionauth` / `fusionauth-app` / Dockerfile](https://github.com/FusionAuth/fusionauth-containers/blob/main/docker/fusionauth/fusionauth-app/Dockerfile) * [Multi-Architecture Builds](https://github.com/FusionAuth/fusionauth-containers#multi-architecture-builds) * [GitHub \[fusionauth-containers\] Issue #49](https://github.com/FusionAuth/fusionauth-containers/issues/49) ### Fixed * The documented configuration parameter `fusionauth-app.http.port` is not picked up by FusionAuth. If you were to override the default value of `9011`, the server will properly bind to the correct port, but FusionAuth will not use this local port to connect to itself. * Resolves [GitHub Issue #891](https://github.com/FusionAuth/fusionauth-issues/issues/891) * When importing users using the Import API on PostgreSQL, if you have a wide distribution of values for the `insertInstant` on the User object, you may encounter a PostgreSQL exception. * Resolves [GitHub Issue #892](https://github.com/FusionAuth/fusionauth-issues/issues/892) * Disable Elasticsearch Sniffer by default. The Elasticsearch Sniffer was enabled in version 1.19.0 to allow a single connection to Elasticsearch discover the other nodes in the cluster by the Elasticsearch REST client. This causes problems for cloud managed services or Elasticsearch running within a container service such as k8s. Turn this off by default, and allow it to be enabled if desired. See new configuration property `search.sniffer`. * Resolves [GitHub Issue #893](https://github.com/FusionAuth/fusionauth-issues/issues/893) ### Enhancements * Add a `referrer` meta tag to provide a default policy for the browser. Most browsers are now providing a decent default value, but this will ensure a secure default value is utilized. New Themes will default to `strict-origin` but this can be modified in the Helper template, and can also be added to existing themes. * Resolves [GitHub Issue #894](https://github.com/FusionAuth/fusionauth-issues/issues/894) ### Fixed * The default exception handling in the Elasticsearch REST client allows for some expected exceptions to go un-handled which may fail the search request. Add an exception handler to keep these underlying HTTP exceptions from causing failures. * Resolves [GitHub Issue #868](https://github.com/FusionAuth/fusionauth-issues/issues/868), thanks to [@zbruhnke](https://github.com/zbruhnke) for reporting and helping us track this one down. * Some LDAP exception messages will include an embedded `null` in the message body. PostgreSQL does not allow for embedded `null` characters in a text field, so this may cause FusionAuth to exception when using PostgreSQL. * Resolves [GitHub Issue #879](https://github.com/FusionAuth/fusionauth-issues/issues/879) * When selecting Re-validate password on login when also restricting usage of previous passwords, the user may end up in a loop of being required to change their during login. * Resolves [GitHub Issue #880](https://github.com/FusionAuth/fusionauth-issues/issues/880) * In the 1.19.0 MySQL migration script, if you have many refresh tokens, it is possible that a duplicate key will be generated due to a poor random Id generator. * Resolves [GitHub Issue #890](https://github.com/FusionAuth/fusionauth-issues/issues/890) ### Enhancements * Add a helper for Active Directory LDAP to handle conversion of a base64-encoded Microsoft `objectGuid` to a Java UUID. See the [LDAP Connector Reconcile Lambda](/docs/extend/code/lambdas/ldap-connector-reconcile) for more information. * Resolves [GitHub Issue #822](https://github.com/FusionAuth/fusionauth-issues/issues/822), thanks to [@bradleykite](https://github.com/bradleykite) for the assistance on this one! ### Fixed * Startup may fail on version 1.19.5 of the FusionAuth docker image with the following error on the console `setenv.sh: line 91: : invalid variable name`. * Resolves [GitHub Issue #870](https://github.com/FusionAuth/fusionauth-issues/issues/870), thanks to [@virginijus-servicebridge](https://github.com/virginijus-servicebridge), [@arunmg007](https://github.com/arunmg007) and [@mao75](https://github.com/mao75) for reporting! ### Fixed * When deleting an application role that is in use by a Group, an exception occurs. * Resolves https://github.com/FusionAuth/fusionauth-issues/issues/831 * Fix possible errors when upgrading to version 1.19.0 on managed MySQL services such as Google Cloud SQL. * Resolves https://github.com/FusionAuth/fusionauth-issues/issues/859 ### Enhancements * Be more forgiving and allow for un-escaped URL path and query characters. * Resolves https://github.com/FusionAuth/fusionauth-issues/issues/635 ### Fixed * When using a JWT populate, the JWT returned during a combination User + Registration API request may not have the `registration` or `roles` arguments available in the lambda. This issue was introduced in version `1.16.0`. * [GitHub Issue #856](https://github.com/FusionAuth/fusionauth-issues/issues/856), thanks to [@calebfreeman](https://github.com/calebfreeman) for reporting. * When using MySQL and Silent Mode database configuration, you may encounter an error indicating `java.lang.IllegalStateException: Unable to capture database lock.` or `Caused by: java.sql.SQLException: No suitable driver found for jdbc:mysql://...`. This issue was introduced in version `1.19.0`, if you encounter this error, please upgrade. If you are unable to upgrade, attempt to startup w/out silent mode and go through maintenance mode interactively. * Resolves [GitHub Issue #857](https://github.com/FusionAuth/fusionauth-issues/issues/857), thanks to [@ceefour](https://github.com/ceefour) for letting us know. ### Security * Proactively upgrade third party dependency due to published CVEs. * Upgrade Apache Commons File Upload to `1.4.0` * https://www.cvedetails.com/cve/CVE-2016-1000031/ ### Changes * Upgraded Kafka client to `2.6.0` * Upgrade MySQL connector to `8.0.21` * If you are using MySQL, and are currently re-packaging the MySQL connector in a Docker image or similar strategy to keep this jar from being downloaded at runtime, you will need to update your version to match FusionAuth. * Upgrade your MySQL connector to 8.0.21, the `mysql-connector-java-8.0.21.jar` will be expected to be found here ` /usr/local/fusionauth/fusionauth-app/apache-tomcat/lib`. * Upgrade PostgreSQL connector to `42.2.14` ### Fixed * The clock skew calculation used then verifying a SAML AuthN response from a SAML v2 IdP may incorrectly cause a validation error. If you encounter this error you may see something like this `Unable to verify the [audience] attribute. The attribute cannot be confirmed until [2020-09-01T16:01:31+0000].` in the Debug or Error Event Log associated with the SAML v2 login request. ### Enhancements * Better email address validation to ensure the address will be deliverable. ### Fixed * Using the External JWT Identity Provider with the Lookup API may fail to validate a JWT * Resolves [GitHub Issue #850](https://github.com/FusionAuth/fusionauth-issues/issues/850) ### Fixed * If you are using the database search engine, FusionAuth may fail to start up correctly. * Resolves [GitHub Issue #846](https://github.com/FusionAuth/fusionauth-issues/issues/846), thanks to [@motzel](https://github.com/motzel) for reporting so quickly! * The legacy environment variable named `FUSIONAUTH_SEARCH_SERVERS` is not honored ahead of the named configuration file property. * Resolves [GitHub Issue #847](https://github.com/FusionAuth/fusionauth-issues/issues/847), thanks to [@soullivaneuh](https://github.com/soullivaneuh) for letting us know! Our development team works so hard to bring you cool features and enhancements. Many of the features we build, or the enhancements we make come from the feedback and bug reports we receive from our community. Thank you to each of you that has taken the time to open a GitHub issue, or raise a concern on our forum. All of this input and feedback is valued, and it makes FusionAuth better! ### Known Issues * When running MySQL and it is possible you may encounter an issue logging into the FusionAuth admin console after updating to version 1.19.0. The symptom is that upon login you are redirected to an empty page that asks you to return to login. * See [GitHub Issue #934](https://github.com/FusionAuth/fusionauth-issues/issues/934) for additional details and a work around. ### Changed There a few changes in this release that you will need to be aware of, please read these carefully. If you have a support contract, please reach out if you have questions or concerns. * If you using the [SAML v2 Identity Provider Login](/docs/apis/identity-providers/samlv2#complete-a-saml-v2-login) API directly you will need to update your integration. If you are using the SAML v2 Identity Provider configuration with the FusionAuth themed pages, there is no change required. * The [Start Identity Provider](/docs/apis/identity-providers/samlv2#start-a-saml-v2-login-request) API must now be used prior to sending the SAML v2 AuthN request to the SAML IdP. You may optionally build your own Request Id, or use one generated by FusionAuth. See the Start API for additional details. * The FusionAuth SSO and admin UI are now stateless and no longer require session pinning to maintain an HTTP session. Leaving existing session pinning in place should not cause any harm, but you may remove it at your earliest convenience. * Silent Mode may be used while in `production` runtime mode. This allows you to leverage the FusionAuth maintenance mode to upgrade the database schema for `production` and `development` runtime modes. * The Status API no longer returns a full JSON response unless the request is authenticated by an API key or a FusionAUth admin user. * The API also now returns several status codes to provide additional insight into possible issues. See [Status](/docs/apis/system#retrieve-system-status) API documentation for additional information. * When building customized field error messages for custom Registration forms, a field error such as `[missing]user.data.foo` may now be `[blank].user.data.foo`. Note the prefix may have changed from `[missing]` to `[blank]`. If you have created customized values for Registration Forms, please review your error messages and test your existing validation to ensure the correct text is displayed. * The Linux Debian and RPM packages now ship with a `systemd` service definition instead of the legacy Sys V init scripts. If the distribution of Linux you are using does not support `systemd` you will need to plan to upgrade. In most cases this should not affect anyone running FusionAuth on Linux using the provided RPM or Debian packages as bridge scripts generally allow you to start and stop the commands using a Sys V wrapper. See the Starting and Stopping documentation for additional information. * When using the python client library, the signature for the `exchange_o_auth_code_for_access_token` method which takes an authorization code has changed. The `client_id` and `redirect_uri` parameters flipped positions. This was done to make the signature consistent with the other client libraries. Instead of `exchange_o_auth_code_for_access_token(self, code, redirect_uri, client_id=None, client_secret=None)`, the method signature is now `exchange_o_auth_code_for_access_token(self, code, client_id, redirect_uri, client_secret=None)`. If you don't flip around the arguments, you'll receive a 401 error, similar to [this issue](https://github.com/FusionAuth/fusionauth-python-client/issues/7). ### Known Issues * If you are using the database search engine, FusionAuth may fail to start up correctly. Resolved in 1.19.1. * The legacy environment variable named `FUSIONAUTH_SEARCH_SERVERS` is not honored ahead of the named configuration file property. Resolved in 1.19.1. ### New * FusionAuth admin UI and FusionAuth pages are now stateless. As of this version you will no longer need to provide session pinning in a multi-node configuration. If you currently have session pinning configured, it should be ok to leave it, but you should plan to remove it at your earliest convenience. * Resolves [#GitHub #358](https://github.com/FusionAuth/fusionauth-issues/issues/358) * Multi-tenant SSO. This was a limitation prior to this released due to the way we managed the HTTP session. This limitation has been removed... and there was much rejoicing. With multi-tenant SSO you may now optionally use the same browser and utilize SSO for users within different tenants, this is often only a dev time issue, but there are some production use cases for this behavior. * Resolves [GitHub Issue #355](https://github.com/FusionAuth/fusionauth-issues/issues/355), thanks to [@unkis](https://github.com/unkis) for opening the issue to help us track this limitation. * Expanded and improved configuration options. All config options are not consistent and can be set using `fusionauth.properties`, environment variables or Java `-D` system properties. This will make life much easier for those running in Docker or Kubernetes. All previously named configuration options will be backwards compatible and you will receive warnings on how you can correct your naming of configuration values or environment variables, because that's how we roll. * IdP and Email hinting for the FusionAuth login pages. This feature will allow you to optionally bypass the login page and go directly to the third party IdP based upon the user's email address or a suggested Identity Provider Id. An Identity Provider Id may be provided on the URL using the `idp_hint` request parameter, and an email address or domain may be provided in the `login_hint` request parameter. * Resolves [GitHub Issue #178](https://github.com/FusionAuth/fusionauth-issues/issues/178), thanks to one of our FusionAuth All-Stars [@davidmw](https://github.com/davidmw) for suggesting this feature. * A new API to import Refresh Tokens. See [Import Refresh Tokens](/docs/apis/users#import-refresh-tokens) API for additional details. * Resolves [GitHub Issue #835](https://github.com/FusionAuth/fusionauth-issues/issues/835) * Application specific email templates for Passwordless, Email Verification, Setup Password, and Change Password. See updates to the [Application](/docs/apis/applications) API and the Application configuration in the FusionAuth admin. * Resolves [GitHub Issue #834](https://github.com/FusionAuth/fusionauth-issues/issues/834) * A new icon in cornflower blue. * I am Jack's complete lack of surprise. ### Enhancements * Enhanced Maintenance Mode support for initial DB schema setup on 3rd Party cloud managed database services such as Digital Ocean, Azure, etc. * Resolves [GitHub Issue #95](https://github.com/FusionAuth/fusionauth-issues/issues/95) * The FusionAuth log `fusionauth-app.log` now ships with a log rotation strategy. This will not affect those running FusionAuth in Docker. * Resolves [GitHub Issue #575](https://github.com/FusionAuth/fusionauth-issues/issues/575), thanks to [@oottinger](https://github.com/oottinger) and others for reporting and voting on this issue. * All configuration is not available in the `fusionauth.properties` file, environment variable or Java System Property to allow for additional flexibility in configuration regardless of your deployment model. See the Configuration reference for additional information. * Resolves [GitHub Issue #752](https://github.com/FusionAuth/fusionauth-issues/issues/752) * Restrict the response body on the Status API unless authenticated. Provide more granular HTTP response codes to provide insight into the issue. * Resolves [GitHub Issue #473](https://github.com/FusionAuth/fusionauth-issues/issues/473) ### Fixed * When using the View dialog for a custom form field in the FusionAuth admin UI, form `Control` type was not displayed. * Resolves [GitHub Issue #828](https://github.com/FusionAuth/fusionauth-issues/issues/828) * When submitting a custom Registration Form with non-required fields of type `number`, `date` or `bool`, you may receive a validation error indicating the value is invalid. * Resolves [GitHub Issue #827](https://github.com/FusionAuth/fusionauth-issues/issues/827) * Resolves [GitHub Issue #829](https://github.com/FusionAuth/fusionauth-issues/issues/829) * Unable to configure `database.mysql.enforce-utf8mb4` through an environment variable for use in Docker. * Resolves [GitHub Issue #798](https://github.com/FusionAuth/fusionauth-issues/issues/798) * A `404` status code is returned from the Start Passwordless API when more than one tenant exists in FusionAuth. * Resolves [GitHub Issue #833](https://github.com/FusionAuth/fusionauth-issues/issues/833), thanks to [@atrauzzi](https://github.com/atrauzzi) for reporting and helping us track this one down! * Normalize the use of the `aud` claim between the OAuth2 grants, Login API and other APIs that may return a JWT. The `aud` claim should always be even when the User is not registered for the application. * Resolves [GitHub Issue #832](https://github.com/FusionAuth/fusionauth-issues/issues/832), thanks to [@motzel](https://github.com/motzel) for the help! * Also resolves related issue [GitHub Issue #713](https://github.com/FusionAuth/fusionauth-issues/issues/713) * Custom Form validation errors and related fixes. * Resolves [GitHub Issue #827](https://github.com/FusionAuth/fusionauth-issues/issues/827) * [GitHub Issue #810](https://github.com/FusionAuth/fusionauth-issues/issues/810) * [GitHub Issue #828](https://github.com/FusionAuth/fusionauth-issues/issues/828) * [GitHub Issue #829](https://github.com/FusionAuth/fusionauth-issues/issues/829) * Both the Login Success and Login Failed events are triggered during a failed login attempt. This bug was likely introduced in version 1.18.0. * Resolves [GitHub Issue #838](https://github.com/FusionAuth/fusionauth-issues/issues/838) ### Security * Improve SAML AuthN Response validation ### Fixed * HYPR IdP related fixes. * When the HYPR authentication workflow begins the provided `loginId` was not properly validated to exist in FusionAuth. All other IdP configurations allow this scenario, but because HYPR provides MFA and is not itself considered by FusionAuth to be a SoR (source or record) the user must first exist in FusionAuth. * Because HYPR is not a traditional SoR and does not provide user claims to FusionAuth, a `username` or `email` address should behave exactly the same when used to initiate the HYPR MFA workflow. * Resolves [GitHub Issue #808](https://github.com/FusionAuth/fusionauth-issues/issues/808) * Resolves [GitHub Issue #809](https://github.com/FusionAuth/fusionauth-issues/issues/809) ### Fixed * When using self service registration, a JWT populate lambda and the Implicit Grant, the `registration` parameter to the JWT Populate lambda will be `null`. * Resolves [GitHub Issue #802](https://github.com/FusionAuth/fusionauth-issues/issues/802) ### Fixed * A JavaScript bug may cause some of the reports not to render correctly in the admin UI. * Resolves [GitHub Issue #783](https://github.com/FusionAuth/fusionauth-issues/issues/783) * A poor performing SQL query was found when using MySQL. The query performance will largely be dependant upon your server configuration, but once you exceed 2M+ login records you may realize some performance issues when logging into the FusionAuth admin UI due to the charts displayed on the main dashboard. * Resolves [GitHub Issue #786](https://github.com/FusionAuth/fusionauth-issues/issues/786) ### Enhancements * Add localized number formatting on the y-axis of charts in the FusionAuth admin UI. * Resolves [GitHub Issue #788](https://github.com/FusionAuth/fusionauth-issues/issues/788) ### Fixed * An exception occurs when you attempt to use a refresh token from tenant A with tenant B. * Resolves [GitHub Issue #716](https://github.com/FusionAuth/fusionauth-issues/issues/716), thanks to [@ulybu](https://github.com/ulybu) for reporting! * An exception may occur when using self service registration that will disrupt the user registration workflow. * Resolves [GitHub Issue #776](https://github.com/FusionAuth/fusionauth-issues/issues/776) * The registration object is `null` in the JWT Populate function when used with self service registration. * Resolves [GitHub Issue #780](https://github.com/FusionAuth/fusionauth-issues/issues/780) * A SAML response that includes an attribute element with the attribute of `xsi:nil="true"` will cause an exception when we try to parse the XML document. * Resolves [GitHub Issue SAML v2 #1](https://github.com/FusionAuth/fusionauth-samlv2/issues/1) ### Fixed * When attempting to add a registration for an user in the admin UI, if there are no available registrations to assign after the form has been rendered an exception may occur when you submit the form. * Resolves [GitHub Issue #630](https://github.com/FusionAuth/fusionauth-issues/issues/630) * When you have enabled verify email on change and you update a user's email address that was previously undefined, a verification email is not sent. * Resolves [GitHub Issue #749](https://github.com/FusionAuth/fusionauth-issues/issues/749), thanks to [@EddieWhi](https://github.com/EddieWhi) for letting us know! * When removing a user's registration, the search index is not updated correctly until the next user index event. * Resolves [GitHub Issue #750](https://github.com/FusionAuth/fusionauth-issues/issues/750), thanks to [@brennan-karrer](https://github.com/brennan-karrer) for reporting the issue! * Fixes form field name validation to limit spaces and other special characters. * Resolves [GitHub Issue #761](https://github.com/FusionAuth/fusionauth-issues/issues/761) * Form and field fixes including some JavaScript errors and the complete registration workflow when a custom form is used. * Resolves [GitHub Issue #762](https://github.com/FusionAuth/fusionauth-issues/issues/762) * The use of `${tenant.issuer}` is failing validation when used in an email template. * Resolves [GitHub Issue #770](https://github.com/FusionAuth/fusionauth-issues/issues/770), this to [@seanadkinson](https://github.com/seanadkinson) for reporting the bug. * Email template validation has been relaxed to allow the Preview API and UI action to report errors and warnings but still allow the changes to be saved. Due to the complexity of validating the email template without the exact data to be used at runtime, validation has been relaxed to ensure we do not prohibit a valid template from being saved. When using the UI to manage your templates, you will now find a test button which will allow you to send a template to an end user to test the rendering and delivery with a real user. ### Fixed * When running with PostgreSQL database and migrating from pre 1.18.0 with existing users, the table sequence may not be set correctly causing new users to fail to be created. * Resolves [GitHub Issue #759](https://github.com/FusionAuth/fusionauth-issues/issues/759), see issue for details and workaround. ### Fixed * An issue introduced in version 1.18.0 may cause the edit Application action in the admin UI to fail with a `500` message. Review the known issues of 1.18.0 for a workaround if you are unable to upgrade to version 1.18.1. * Resolves [GitHub Issue #760](https://github.com/FusionAuth/fusionauth-issues/issues/760), see issue for details and workaround. ### Known Issues * When editing an application in the admin UI you may encounter a `500 Internal Server Error` error message when attempting to save your changes. As a work around, you may use the API to modify the application. To resolve the issue, please upgrade to version 1.18.1. * See [GitHub Issue #760](https://github.com/FusionAuth/fusionauth-issues/issues/760) for additional details and workaround. * If running PostgreSQL database a database sequence may not be set correctly causing a `500` status code when creating new users. * See [GitHub Issue #759](https://github.com/FusionAuth/fusionauth-issues/issues/759) for additional details and workaround. * An exception may occur when using self service registration that will disrupt the user registration workflow. * See [GitHub Issue #776](https://github.com/FusionAuth/fusionauth-issues/issues/776) for additional details. * A JWT populate lambda that uses the `registration` parameter may fail when using self service registration. * See [GitHub Issue #780](https://github.com/FusionAuth/fusionauth-issues/issues/780) for additional details. ### Changed * In the FusionAuth admin UI, Email Templates and Themes are now found under the `Customizations` menu. ### New * Advanced Forms. Self service registration just got a huge upgrade! Now custom forms may be configured with one to many steps, each step consisting of one to many fields. A registration form may then be assigned to an application in the Self service registration configuration found in the `Registration` tab. Assigning a custom form to an application will require a licensed plan of FusionAuth. More details and documentation coming soon. * See [Form](/docs/apis/custom-forms/forms) API and [Form Field](/docs/apis/custom-forms/form-fields) API. * Resolves [GitHub Issue #680](https://github.com/FusionAuth/fusionauth-issues/issues/680). * Initial Tech Preview of Connectors. Connectors allow you to authenticate against external systems such as LDAP. A generic connector can also be configured to authenticate against any third party system. More details and documentation coming soon. When using a connector, you will utilize the Login API or OAuth frontend of FusionAuth as you normally would and the tenant may configure policies that would cause users to be authenticated against these external databases. * See [Connector](/docs/apis/connectors/) API. * Resolves [GitHub Issue #219](https://github.com/FusionAuth/fusionauth-issues/issues/219). ### Enhancement * When viewing the Application view dialog, an additional property named `Registration URL` will be provided in the OAuth2 & OpenID Connect Integration details section. You may use this value to copy/paste a URL for testing a direct link to the registration page. * Resolves [GitHub Issue #686](https://github.com/FusionAuth/fusionauth-issues/issues/686), thanks to [@ashokgelal](https://github.com/ashokgelal) for the suggestion! * When viewing the About panel found in the administrative UI, the node IP address will be reported. * Resolves [GitHub Issue #754](https://github.com/FusionAuth/fusionauth-issues/issues/754) * The JSON Web Tokens issued by FusionAuth will now include the `jti` claim. * Resolves [GitHub Issue #409](https://github.com/FusionAuth/fusionauth-issues/issues/409) * All objects now have an `insertInstant` and a `lastUpdateInstant` property in the JSON API response. * Resolves [GitHub Issue #755](https://github.com/FusionAuth/fusionauth-issues/issues/755) * Public keys stored with a certificate will have the `x5t` property provided in the JSON Web Key Set response. * Resolves [GitHub Issue #715](https://github.com/FusionAuth/fusionauth-issues/issues/715) ### Fixed * The user registration event may be missing the `registration` property. * Resolves [GitHub Issue #714](https://github.com/FusionAuth/fusionauth-issues/issues/714), thanks to [@joydeb28](https://github.com/joydeb28) for reporting the issue! * A user with one or more consents granted fails to be deleted. * Resolves [GitHub Issue #719](https://github.com/FusionAuth/fusionauth-issues/issues/719), thanks to one of our MVPs [@mgetka](https://github.com/mgetka) for reporting the issue! * When using COPPA consent with Email+, the second email is not sent to the parent. * Resolves [GitHub Issue #723](https://github.com/FusionAuth/fusionauth-issues/issues/724). * The Refresh Token cookie is written without a `Max-Age` attribute on the JWT Refresh API response. This causes the cookie to be treated as a session cookie. * Resolves [GitHub Issue #726](https://github.com/FusionAuth/fusionauth-issues/issues/726), thanks to [@satazor](https://github.com/satazor) for letting us know. ### Fixed * API validation fails on the Audit Log API when a JSON body is omitted from the HTTP request. * Resolves [GitHub Issue #605](https://github.com/FusionAuth/fusionauth-issues/issues/605) * Fixing a bug that prevents the Kafka integration from working correctly. * Resolves [GitHub Issue #649](https://github.com/FusionAuth/fusionauth-issues/issues/649), thanks to [@joydeb28](https://github.com/joydeb28) for reporting and for the persistence! * When selecting an Application in the user search controls in the UI an invalid Elasticsearch query causes an error on Elasticsearch version 7.7.0. The query seems to be working on versions 6.3.1, 6.8.1, and 7.6.1, as far as we can tell it only fails on the most recent versions of Elasticsearch. * Resolves [GitHub Issue #710](https://github.com/FusionAuth/fusionauth-issues/issues/710) ### Enhancement * Add a return to login link to the default templates for Passwordless, Register, Forgot, and Password Sent. * Resolves [GitHub Issue #666](https://github.com/FusionAuth/fusionauth-issues/issues/666), thanks to [@soullivaneuh](https://github.com/soullivaneuh) for the request! ### Fixed * A JavaScript bug caused the device verification URL field to toggle to hidden when any grant was enabled or disabled in the UI. This is primarily a cosmetic issue, if you encounter it you may simply refresh the page. * Resolves [GitHub Issue #692](https://github.com/FusionAuth/fusionauth-issues/issues/692) * The Search API performs a validation step when using Elasticsearch, and if Elasticsearch returns `valid: false` we fail the request. We are now always including the explanation from the Elasticsearch response in our error message on the API to assist the developer to understand why the requested query is considered invalid. * Resolves [GitHub Issue #697](https://github.com/FusionAuth/fusionauth-issues/issues/697) * The Apple Service Id override that can be provided per application was not being used, instead the global value was utilized. * Resolves [GitHub Issue #703](https://github.com/FusionAuth/fusionauth-issues/issues/703), thanks to [@ulybu](https://github.com/ulybu) for letting us know! ### Enhancement * When configuring an OpenID Connect Identity Provider, the claim that contains the user's email address may now be modified. This allows the OpenID Connect Identity Provider to be more flexible when configured with non-standard OpenID Connect providers or other OAuth2 providers such as LinkedIn. ### Fixed * When using `parent`, `child` and few other references in an email template, the validation step may fail unless you provide a null safe usage. * Resolves [GitHub Issue #685](https://github.com/FusionAuth/fusionauth-issues/issues/685) ### Fixed * In version 1.17.0 Key Master supports importing a standalone private key. If you attempt this request in the UI with an RSA private key an error will occur. * Resolves [GitHub Issue #665](https://github.com/FusionAuth/fusionauth-issues/issues/665), thanks to [@mgetka](https://github.com/mgetka) who is quickly becoming one of our FusionAuth MVPs! * When using an expired Forgot Password link if you have not added the `client_id` to the URL in the email template you will see an unexpected error when you attempt to begin the process again by entering your email address. You may also experience this error if you are sending users directly to `/oauth2/forgot` instead of the user clicking the link during an OAuth2 workflow. * Resolves [GitHub Issue #671](https://github.com/FusionAuth/fusionauth-issues/issues/671), thanks to [@maurobennici](https://github.com/maurobennici) for reporting! ### Changed * All Identity Provider configurations that did not have a lambda configured for User reconcile have been migrated to utilize a lambda to extract all optional user details from the IdP response. This allows you to have complete control over how these configurations work and what information is set or written to the user object during login. The business logic has not changed, but it has been moved from an internal FusionAuth service to a Lambda that can be modified. The following Identity Providers are affected: * All Facebook, Google and Twitter Identity Provider configurations * OpenID Connect and SAML v2 Identity Provider configurations without a configured lambda. * OpenID Connect and SAML v2 Identity Providers that were already configured with a lambda may require some manual migration. The claims that were mapped into the User by FusionAuth prior to this version have been moved into a lambda so they may be modified. For each of your OpenID Connect or SAML v2 Identity Provider configurations that already had a Lambda configured for User reconcile, please review to ensure all of the claims you desire are handled by your lambda. * For OpenID Connect Identity Provider configurations, review the new Lambda named `Default OpenID Connect Reconcile provided by FusionAuth`. Optionally copy any of the code you'd like to have executed into your configured Lambda and then test your integration. Specifically, the registered claims `given_name`, `middle_name`, `family_name`, `name`, `picture`, `phone_number`, `birthdate`, `locale` and `preferred_username` are now managed by the Lambda. If you would like these claims reconciled to the FusionAuth user, review the referenced Lambda function. * For SAML v2 Identity Provider configurations, review the new Lambda named `Default SAML v2 Reconcile provided by FusionAuth`. Optionally copy any of the code you'd like to have executed into your configured Lambda and then test your integration. Specifically, the SAML claims for `dateofbirth`, `givenname`, `surname`, `name`, and `mobilephone` are now managed by the Lambda. If you would like these SAML claims reconciled to the FusionAuth user, review the referenced Lambda function. ### New * Sign in with Apple. A new Identity Provider of type `Apple` is now available to enable Sign in with Apple support. * Resolves [GitHub Issue #336](https://github.com/FusionAuth/fusionauth-issues/issues/336) * See the [Apple Identity Provider](/docs/lifecycle/authenticate-users/identity-providers/social/apple) for additional details * One time Use Refresh Tokens. A one time use refresh token means that each the time the refresh token is used to get a new access token (JWT) a new refresh token is returned. This feature must be enabled at the tenant level, and can optionally be overridden by the Application JWT configuration. * Resolves [GitHub Issue #394](https://github.com/FusionAuth/fusionauth-issues/issues/394) * Sliding Window Refresh Token Expiration. By default the expiration of a refresh token is calculated from the time it was originally issued. Beginning in this release you may optionally configure the refresh token expiration to be based upon a sliding window. A sliding window expiration means that the expiration is calculated from the last time the refresh token was used. This expiration policy means that if you are using refresh tokens to maintain a user session, the session can be maintained as long as the user remains active. This expiration policy must be enabled at the tenant level, and may optionally be overridden by the Application JWT configuration. * Facebook, Google, HYPR and Twitter Identity Providers may be assigned a User Reconcile Lambda. * Previously the user reconcile logic was built into FusionAuth. Now the User reconcile logic has been moved to a lambda to provide additional control over attributes are extracted from the Identity Provider response and set into the FusionAuth user. ### Enhancements * Some development and possibly runtime errors that are used during external logins such as Facebook were not localized. These values may not be localized in your theme configuration. * Resolves [GitHub Issue #535](https://github.com/FusionAuth/fusionauth-issues/issues/535), thanks to [@mgetka](https://github.com/mgetka) for raising the issue. * Large cookies may cause the default maximum header size of 8k to be exceeded. When this occurs the request will fail and you may see an exception with a `400` status code indicating `java.lang.IllegalArgumentException: Request header is too large`. * This value may now be modified via configuration. See the [Configuration](/docs/reference/configuration) reference or additional information. * Resolves [GitHub Issue #608](https://github.com/FusionAuth/fusionauth-issues/issues/608), thanks to [@shortstack](https://github.com/shortstack) for letting us know, providing great debug and confirming the fix. * When a user is registered, a refresh token will not be returned. This makes this API response consistent with the User Create API. * Resolves [GitHub Issue #626](https://github.com/FusionAuth/fusionauth-issues/issues/626), thanks to [@LohithBlaze](https://github.com/LohithBlaze) for reporting and suggesting the change. * When configuring a SAML v2 Identity Provider, a warning will be added to the Identity Provider index page if the CORS configuration is not adequate to allow the login request to complete. The configuration will generally require a `POST` request from a particular origin be allowed through the CORS filter. * This should help reduce CORS configuration issues causing a `403` during integration testing. * Resolves [GitHub Issue #641](https://github.com/FusionAuth/fusionauth-issues/issues/641) ### Fixed * When importing a key using Key Master in the admin UI, when a key with an invalid length is imported the error was not being displayed. * Resolves [GitHub Issue #587](https://github.com/FusionAuth/fusionauth-issues/issues/578) * The hosted FusionAuth log page may fail to function properly after the user changes the locale using the locale selector on the themed page. Specifically, once you add more than one language to your theme, and the user continues past the first login panel to a subsequent themed page, if the user switches the locale the context will be lost and the user will see an OAuth error. * Resolves [GitHub Issue #623](https://github.com/FusionAuth/fusionauth-issues/issues/623), thanks to [@flangfeldt](https://github.com/flangfeldt) and [@yrammos](https://github.com/yrammos) for reporting. * A non POSIX compliant function definition in `setenv.sh` caused FusionAuth to fail to start on Ubuntu 18.04.4 and 20.04 (possibly others). This could be on any Linux distribution that sym-links `/bin/sh` to `dash` which is a POSIX compliant shell. This was introduced in version 1.16.0. * Resolves [GitHub Issue #645](https://github.com/FusionAuth/fusionauth-issues/issues/645), thanks to [@s-vlade](https://github.com/s-vlade) and [@yrammos](https://github.com/yrammos) for letting us know. * When using the Facebook IdP and specifying `picture` as one of the requested `fields` an error occurs during the User reconcile process which causes the login to fail. If you encounter this issue, the work around is to remove `picture` from the field configuration, even with this change you will still get the picture back from Facebook as FusionAuth makes a second call to the Me Picture API. * Resolves [GitHub Issue #648](https://github.com/FusionAuth/fusionauth-issues/issues/648), thanks to [@thekoding](https://github.com/thekoding) for reporting and helping us track down the issue. ### Fixed * When attempting to utilize a silent configuration to configure the database schema without using Elasticsearch, FusionAuth would enter maintenance mode. * Resolves [GitHub Issue #618](https://github.com/FusionAuth/fusionauth-issues/issues/618), thanks to [@mgetka](https://github.com/mgetka) for reporting the issue! ### Security * A vulnerability in an underlying SAML v2 library was resolved. If you are using SAML please upgrade FusionAuth to 1.16.0 or later as soon as possible. * [CVE-2020-12676](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12676) * [CSNC-2020-002](https://compass-security.com/fileadmin/Research/Advisories/2020-06_CSNC-2020-002_FusionAuth_Signature_Exclusion_Attack.txt) ### Changed * The favicon configuration in the default theme has been updated. If you have created your own theme and kept the default favicons using the FusionAuth logo you will want to either remove them or update them with the correct `href` paths. See the default theme for reference if you would like to use the FusionAuth favicons. ### New * The Identity Provider Lookup API will return a list of `applicationIds` to represent the enabled FusionAuth applications for the identity provider. * The Identity Provider Lookup API will return the SAML v2 `idpEndpoint` value configured in the SAML v2 IdP. ### Fixed * Specifying an Elasticsearch URL containing basic auth credentials works properly. For example the URL `https://user:password@myelasticsearchservice.com` now functions as expected. * Tested against https://bonsai.io and https://aiven.io. * Resolves [GitHub Issue #531](https://github.com/FusionAuth/fusionauth-issues/issues/531), thanks to [@joshuaavalon](https://github.com/joshuaavalon) for reporting and [@nscarlson](https://github.com/nscarlson) for the additional details and assistance. * Fixed a validation error when using the Import User API w/ an empty list of users. A `400` status code with a JSON response should have been returned. * Resolves [GitHub Issue #520](https://github.com/FusionAuth/fusionauth-issues/issues/520), thanks to [@smcoll](https://github.com/smcoll) for reporting. * Some JavaScript may fail on Internet Explorer version 11. Specifically the `Helper.js` which is used to handle the external login providers on the login page. * Resolves [GitHub Issue #423](https://github.com/FusionAuth/fusionauth-issues/issues/423), thanks to [@downagain](https://github.com/downagain) for reporting this issue and for the excellent debug. * A validation error in the OAuth2 Token endpoint returns a general error instead of the appropriate validation error. * Resolves [GitHub Issue #546](https://github.com/FusionAuth/fusionauth-issues/issues/546), thanks to [@mgetka](https://github.com/mgetka) for reporting the issue. * When using the Facebook login, it is possible that Facebook will send back an Image URL from the `/me/picture` API that will exceed `255` characters. If this occurs the login failed and an exception was logged. * Resolves [GitHub Issue #583](https://github.com/FusionAuth/fusionauth-issues/issues/583), thanks to our friends at [famous.co](https://famous.co/) and [frontdoorhome.com](https://www.frontdoorhome.com/) for letting us know. * Attempting to validate or save an Email template that contains a reference to a value stored in user data may cause an exception. For example `${user.data.company_name}` is a valid usage, but this would fail validation or cause an exception during validation. * Resolves [GitHub Issue #598](https://github.com/FusionAuth/fusionauth-issues/issues/598) * In some cases, when a webhook fails to respond and subsequently fails the request do to the configured transaction setting the Elasticsearch index will be out of sync. * Resolves [GitHub Issue #600](https://github.com/FusionAuth/fusionauth-issues/issues/600), thanks to our Icelandic friend [@arni-inaba](https://github.com/arni-inaba) for letting us know and providing excellent recreate steps. * An extra curly bracket caused the SQL migration to fail if you are running PostgreSQL and performed an upgrade without modifying the default tenant. * Resolves [GitHub Issue #606](https://github.com/FusionAuth/fusionauth-issues/issues/606), thanks to [@nscarlson](https://github.com/nscarlson) for reporting the issue. ### Fixed from RC.1 The following issues were fixed that only affect those running version 1.16.0-RC.1. * An unexpected request parameter may cause an exception due to the incorrect runtime mode. * Resolves [GitHub Issue #595](https://github.com/FusionAuth/fusionauth-issues/issues/595), thanks to [@ceefour](https://github.com/ceefour) ### Changed * Email Send API no longer requires a from email or a default from name, defaults may be taken from the tenant. See the [Emails API](/docs/apis/emails) documentation for reference. * The OpenID Connect [JSON Web Key Set](/docs/lifecycle/authenticate-users/oauth/endpoints#json-web-key-set-jwks) API endpoint returns only public keys generated by FusionAuth. This endpoint previously also returned imported public keys, for which we do not hold the private key. ### Security * Updated default CORS configuration for clean installs, see the [CORS Reference](/docs/operate/secure/cors#default-configuration) for details. It is highly recommended you modify your CORS configuration to match our new default values unless you have a technical requirement for your existing CORS configuration. * Upgrade Handlebars to version `4.7.6` due to a known vulnerability. There is no known exploit of this vulnerability in FusionAuth, this is a pro-active upgrade. FusionAuth uses this JavaScript library in the administrative UI to build dynamic table roles. * https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534988 * Resolves [GitHub Issue #564](https://github.com/FusionAuth/fusionauth-issues/issues/564), thanks to [@michael-burt](https://github.com/michael-burt) for alerting us to this vulnerability. ### Enhancement * The OpenID Connect and SAML v2 Reconcile Lambda may now modify the assigned user roles. Prior to this version any changes to the roles were intentionally not preserved. This restriction has been lifted. * Resolves [GitHub Issue #536](https://github.com/FusionAuth/fusionauth-issues/issues/536), thanks to [@sedough](https://github.com/sedough) for opening the request. * In some cases the `state` parameter returning from external SAML v2 & OpenID Connect identity providers is decoded incorrectly. We are now Base64 encoding this value to preserve it's integrity. ### New * Support for Elasticsearch version 7 * FusionAuth maintains backward-compatibility with Elasticsearch 6.3.x clusters and indexes. * `fusionauth-app.search-engine-type` configuration property and `FUSIONAUTH_SEARCH_ENGINE_TYPE` environment variable exposed for configuring the search engine, see the [Configuration](/docs/reference/configuration) documentation for reference. * A reindex may be necessary depending on how you have upgraded your Elasticsearch cluster. You may issue a reindex in the FusionAuth admin UI under System -> Reindex. * Resolves [GitHub Issue #199](https://github.com/FusionAuth/fusionauth-issues/issues/199) * Support for using the database as the user search engine. This is now the default configuration. See the [Core Concepts - Users](/docs/get-started/core-concepts/users#user-search) documentation for details. * Use of the database search engine provides limited search capabilities, and has limitations for the Users API, see the [Bulk Delete Users API](/docs/apis/users#bulk-delete-users) and [Search for Users API](/docs/apis/users#search-for-users) documentation for details. * Resolves [GitHub Issue #427](https://github.com/FusionAuth/fusionauth-issues/issues/427) * The Registration API returns an access token within the `token` field of responses to `POST` requests. See the [Registrations API](/docs/apis/registrations) documentation for reference. * Application registration records a login and will be reflected in the Login, Daily Active User, and Monthly Active User reports within the FusionAuth admin UI. * The `applicationId` is now optional for `PUT` requests (update login instants) to the Login API. See the [Login API](/docs/apis/login#update-login-instant) documentation for reference. * `PUT` requests to the Login API records a login and will be reflected in the Login, Daily Active User, and Monthly Active User reports within the FusionAuth admin UI. * The User API returns an access token within the `token` field of responses to `POST` requests creating a user. See the [User API](/docs/apis/users#create-a-user) documentation for reference. * User creation records a login and will be reflected in the Login, Daily Active User, and Monthly Active User reports within the FusionAuth admin UI. * System logs can be viewed from the Admin interface. Navigate to System -> Log to view and download the system logs. * This feature is available in the UI and via a new API. * Resolves [GitHub Issue #540](https://github.com/FusionAuth/fusionauth-issues/issues/540) * System log export API has been added for retrieving a node's system logs as a compressed zip file. See the [System Logs API](/docs/apis/system) documentation for reference. * There is a Test SMTP button that you can utilize during an Edit or Add Tenant operation to ensure the correct SMTP configuration. * Resolves [GitHub Issue #539](https://github.com/FusionAuth/fusionauth-issues/issues/539) * Production runtime mode disables maintenance mode, database migrations must be applied manually in this runtime mode. See the [FusionAuth App Installation Guide](/docs/get-started/download-and-install/fusionauth-app#runtime-modes) documentation for reference. * Advanced configuration exposed for search engine type, runtime mode, and Same-Site cookie policy. See the [Configuration](/docs/reference/configuration) documentation for reference. * JWT Refresh webhook event, issued when an access token is refreshed by refresh token, see the [Events](/docs/extend/events-and-webhooks/events/jwt-refresh) documentation for reference. * Tenant email configuration provides a default from email and a default from name. See the [Tenants API](/docs/apis/tenants#create-a-tenant) documentation for reference. * Resolves [GitHub Issue #262](https://github.com/FusionAuth/fusionauth-issues/issues/262), thanks to [@engineertdog](https://github.com/engineertdog) for the request! ### Docker * Next time a release candidate is built, the `latest` tag will be preserved to always be the latest stable release. This way if you are always using the `latest` tag you will not automatically upgrade to a release candidate. * Resolves [GitHub Issue #596](https://github.com/FusionAuth/fusionauth-issues/issues/596), thanks to [@ceefour](https://github.com/ceefour) for the request. * The reference `docker-compose.yml` provided by the [fusionauth-containers project]([Docker installation guide](https://github.com/FusionAuth/fusionauth-containers) has been modified to install leveraging database as the User search engine. You will need to include the reference `docker-compose.override.yml` in order to install and configure Elasticsearch as the User search engine. See the )(/docs/get-started/download-and-install/docker) for reference. ### Internal * Java 14. Upgrade from Java 8. The FusionAuth Java runtime has been upgraded to version 14. All external Java packages such as the Java REST client and the Plugin interface are all still compiled against Java 8 so this upgrade should not impact any users. * Resolves [GitHub Issue #481](https://github.com/FusionAuth/fusionauth-issues/issues/481) * Upgrade Apache Tomcat to the latest patch version `8.5.53`. * Much smaller Docker images based upon Alpine Linux! Compressed size changed from ~ 150 MB to 76 MB. More features, less size? Yeah, that's right. * Check it out for yourself. See the [fusionauth/fusionauth-app](https://hub.docker.com/repository/docker/fusionauth/fusionauth-app/tags?page=1) repo. ### Fixed * When more than one tenant is defined, the redirect to `/oauth2/callback` which is used for 3rd Party SAML v2 or OpenId Connect identity providers will fail unless the corresponding application is in the default tenant. This issue was introduced in `1.15.6` which means it only affects version `1.15.6`. If you encounter this issue you may be shown an error on the login page indicating `A validation error occurred during the login attempt. An event log was created for the administrator to review.`. * Resolves [GitHub Issue #548](https://github.com/FusionAuth/fusionauth-issues/issues/548), thanks so much to [@lamuertepeluda](https://github.com/lamuertepeluda) for reporting and providing excellent technical details to assist in tracking down the bug. * A callback from a Social IdP configuration may fail to complete the login workflow. This issue was introduced in `1.15.6` which means it only affects version `1.15.6` and `1.15.7`. * Resolves [GitHub Issue #553](https://github.com/FusionAuth/fusionauth-issues/issues/553), thanks to [@ulybu](https://github.com/ulybu) for reporting the issue! ### Enhancements * When a user attempts to utilize an expired Passwordless or Forgot Password link, FusionAuth will now still be able to allow the user to restart the login workflow. * Resolves [GitHub Issue #468](https://github.com/FusionAuth/fusionauth-issues/issues/468), thanks to [@davidmw](https://github.com/davidmw) for suggesting this enhancement. * In order to take advantage of this enhancement, you will need to upgrade your email template for one or both of these workflows. See the [Email Templates](/docs/customize/email-and-messages/email-templates) documentation for a reference usage. ### Fixed * Due to a change in how FusionAuth encodes the `RelayState` value when redirecting to a 3rd party SAML v2 identity providers, the authentication request will fail with an OAuth2 error. This issue was introduced in `1.15.6` which means it only affects version `1.15.6`. ### Fixed * Handle tabs and other control characters in an included text file when parsing the Kickstart configuration files. * Resolves [GitHub Issue #524](https://github.com/FusionAuth/fusionauth-issues/issues/524), thanks to [@mgetka](https://github.com/mgetka) for reporting. * When the FusionAuth Reactor is enabled, a breach detection is incorrectly requested during a user update when the password is not being modified. You may see errors in the Event Log indicating Reactor returned a status code of `400`, this error is just noise and it did not affect the requested action. * Resolves [GitHub Issue #533](https://github.com/FusionAuth/fusionauth-issues/issues/533). * When running FusionAuth on an un-secured connection during development, newer versions of the Chrome browser will reject the `Set-Cookie` request in the HTTP response because the `SameSite` attribute is not set. * Resolves [GitHub Issue #537](https://github.com/FusionAuth/fusionauth-issues/issues/537). ### Enhancement * When integrating with 3rd Party Identity Providers FusionAuth will build a `state` parameter in order to complete the FusionAuth OAuth2 or SAML v2 request on the callback from the 3rd Party IdP. There are times when a 3rd Party IdP may un-intentionally modify the `state` parameter by decoding the value. When the `state` parameter is not returned to FusionAuth the way it was sent the integration breaks. FusionAuth will now Bas64 encode the `state` value to better defend against 3rd Party IdP integrations. * Resolves [GitHub Issue #538](https://github.com/FusionAuth/fusionauth-issues/issues/538). ### Fixed * Adding a Consent to a User that does not have a First or Last Name. This was causing an error in the UI where the Add Consent dialog was not rendering and instead displaying a stack trace. * Resolves [GitHub Issue #512](https://github.com/FusionAuth/fusionauth-issues/issues/512), thanks to [@mgetka](https://github.com/mgetka) for reporting. * When Reactor is enabled and more than one user requires action due to a breached password the Reactor index page will fail to render. * Resolves [GitHub Issue #514](https://github.com/FusionAuth/fusionauth-issues/issues/514), thanks to our friends at Frontdoor for reporting the issue. * When adding a new Tenant in the UI you may encounter a `500` status code with a `FusionAuth encountered an unexpected error.` message. If you encounter this error, edit the default tenant, click save and then retry the add operation. * Resolves [GitHub Issue #517](https://github.com/FusionAuth/fusionauth-issues/issues/517), thanks to [@vburghelea](https://github.com/vburghelea) for reporting. * A JavaScript exception was causing the ExternalJWT identity mapping dialog to fail. A work around is to use the API to add these claim mappings. This bug was introduced in version 1.15.3. * Resolves [GitHub Issue #518](https://github.com/FusionAuth/fusionauth-issues/issues/518), thanks to [@irzhywau](https://github.com/irzhywau) for reporting. ### Fixed * When using PostgreSQL and using the Import User API with a large amount of roles assigned to user FusionAuth may exceed the maximum allowed parameterized values in a prepared statement causing a SQL exception. If you encounter this issue you may work around the issue by reducing the size of your import request to 200-500 users per request. * Resolves [GitHub Issue #505](https://github.com/FusionAuth/fusionauth-issues/issues/505), thanks to [@leafknode](https://github.com/leafknode) for reporting and helping debug! * When creating a user through Kickstart with `passwordChangeRequired` set to `true` and exception will occur during the next login request. This issue was introduced in version 1.15.0. * Resolves [GitHub Issue #509](https://github.com/FusionAuth/fusionauth-issues/issues/509), thanks to [@mgetka](https://github.com/mgetka) for reporting! * When a Kickstart file contains multi-byte characters the string value may not be encoded properly if the default file encoding is not UTF-8. This has now been resolved by explicitly requesting UTF-8 encoding during file I/O. * Resolves [GitHub Issue #510](https://github.com/FusionAuth/fusionauth-issues/issues/510), thanks to [@mgetka](https://github.com/mgetka) for reporting! * When using the SAML IdP configuration where FusionAuth is the SAML service provider if the base64 encoded SAML response from the IdP contains line returns FusionAuth will fail to parse the request and the login request will fail. * Resolves [GitHub Issue #511](https://github.com/FusionAuth/fusionauth-issues/issues/511) ### Changed * The External JWT Identity Provider now manages keys used for token verification in the Key Master. All keys have been migrated to Key Master, and going forward all keys can be managed through the Key Master. * Prior to this version the OpenID Connect IdP would send the client secret using the `client_secret_basic` and the `client_secret_post` method. This was done for compatibility with providers that did not utilize the `client_secret_basic` method. Now this configuration is now provided and only the configured client authentication method will be used. ### Fixed * Using the JWT Refresh API with a JWT issued from one tenant for a user in another tenant. This error was causing an exception instead of the proper validation error being returned to the caller. A `404` will now properly be returned when this scenario occurs. * Resolves [GitHub Issue #399](https://github.com/FusionAuth/fusionauth-issues/issues/399), thanks to [@johnmaia](https://github.com/johnmaia) for helping us track it down. * Missing API validation on the `/oauth2/passwordless` endpoint. A `500` was returned instead of the correct validation errors. * Resolves [GitHub Issue #450](https://github.com/FusionAuth/fusionauth-issues/issues/450), thanks to [@GraafG](https://github.com/GraafG) for reporting. * On systems running MySQL, the SQL migration for `1.15.0` on the `DELIMITER` command and causes the instance table to have a null `license_id`. If you have previously connected your support contract Id with your instance and upgraded to a previous `1.15.x` version, you will need to reconnect your license Id in the Reactor tab. This issue was introduced in version 1.15.0. * Resolves [GitHub Issue #482](https://github.com/FusionAuth/fusionauth-issues/issues/482), thanks to [@nulian](https://github.com/nulian) for reporting! * The `CancelAction` method in the .NET Core client returning field error due to incorrect method definition. * Resolves [GitHub Issue #11](https://github.com/FusionAuth/fusionauth-netcore-client/issues/11), thanks to [@minjup](https://github.com/minjup) for reporting. * The OpenID Connect IdP client authentication method is now configurable as `client_secret_basic`, `client_secret_post`, or `none` and will authenticate solely with the configured method. See the [OIDC spec concerning Client Authentication](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication) for more information. * The `1.15.3` database migration configures the client authentication method to `client_secret_basic` for identity provider configurations with a client secret defined, and `none` for those without a client secret defined. If your OpenID Connect provider requires `client_secret_post` you will need to update your configuration to ensure the integration continues to function properly. Discord is one of the known IdPs that requires the `client_secret_post` client authentication method. * See the [OpenID Connect Identity Providers](/docs/apis/identity-providers/openid-connect) APIs, the [OpenID Connect Identity Provider Overview](/docs/lifecycle/authenticate-users/identity-providers/) and the [Discord OIDC integration tutorial](/docs/lifecycle/authenticate-users/identity-providers/gaming/discord) for more detail. * Resolves [GitHub Issue #445](https://github.com/FusionAuth/fusionauth-issues/issues/445), thanks to [@ovrdoz](https://github.com/ovrdoz) for reporting. * When you have enabled Self Service Registration and Registration Verification FusionAuth will fail to send the email to the end user during this workflow. * Resolves [GitHub Issue #496](https://github.com/FusionAuth/fusionauth-issues/issues/496), thanks to our great Slack community for letting us know and assisting with debug. * If a Two Factor Trust has been established with a particular browser through the user of a cookie, it was not being honored during the Passwordless Email workflow and the user would be prompted for the Two Factor challenge during each login attempt. * Resolves [GitHub Issue #495](https://github.com/FusionAuth/fusionauth-issues/issues/495), thanks to our great Slack community for reporting! * When using managed domains with the OpenID Connect or SAML v2 Identity Provider configurations the callback to FusionAuth may fail with an error. * Resolves [GitHub Issue #488](https://github.com/FusionAuth/fusionauth-issues/issues/488), thanks to [@sedough](https://github.com/sedough) for reporting. * When a stylesheet in your theme contains `>` the new HTML escaping strategy introduced in version X causes this value in the CSS to be incorrectly escaped. If you encounter this problem in your current them, update the usage of the stylesheet to `${theme.stylesheet()?no_esc}` instead of the previous usage of `${theme.stylesheet()}`. * Resolves [GitHub Issue #489](https://github.com/FusionAuth/fusionauth-issues/issues/489), thanks to [@snmed](https://github.com/snmed) for reporting. * Fix a Kickstart bug, when a variable is used in the very first API key the replacement was not honored. * Resolves [GitHub Issue #493](https://github.com/FusionAuth/fusionauth-issues/issues/493), thanks to [@tst-dhudlow](https://github.com/tst-dhudlow) for reporting! ### Enhancements * When the External JWT Identity Provider does not have any managed domains defined, allow a JWT from any domain to be reconciled. This change makes this IdP configuration more consistent with our IdP configurations that allow for managed domains. * Resolves [GitHub Issue #491](https://github.com/FusionAuth/fusionauth-issues/issues/491) ### Known Issues * Fixed in 1.15.3, on systems running MySQL, the `1.15.0` migration fails on a `DELIMITER` command and causes the instance table to have a null `license_id`. If you upgraded to `1.15.2`, have connected our instance to a support contract, and ran the `1.15.0` migration using maintenance mode, you will need to reconnect your license Id in the Reactor tab. * A workaround for this issue is to download the `fusionauth-database-schema-1.15.0.zip` from [our direct download page](/direct-download), unzip and manually apply the `migrations/mysql/1.15.0.sql` migration. You may also wait to upgrade until `1.15.3` is available and allow maintenance mode to run the fixed migration. ### Fixed * Password breached fixes. On some systems running PostgreSQL a portion of the breach detections features may not function properly. If you are running MySQL this will not affect you, and only certain PostgreSQL versions are affected. If you are not using FusionAuth Reactor this issue will not affect you. ### Known Issues * Fixed in 1.15.3, on systems running MySQL, the `1.15.0` migration fails on a `DELIMITER` command and causes the instance table to have a null `license_id`. If you upgraded to `1.15.1`, have connected our instance to a support contract, and ran the `1.15.0` migration using maintenance mode, you will need to reconnect your license Id in the Reactor tab. * A workaround for this issue is to download the `fusionauth-database-schema-1.15.0.zip` from [our direct download page](/direct-download), unzip and manually apply the `migrations/mysql/1.15.0.sql` migration. You may also wait to upgrade until `1.15.3` is available and allow maintenance mode to run the fixed migration. ### Fixed * A SQL statement in PostgreSQL may cause some 9.x versions to fail to store breach metrics once FusionAuth Reactor has been enabled. If you are running MySQL this will not affect you, and only certain PostgreSQL versions are affected. If you are not using FusionAuth Reactor this issue will not affect you. ### Known Issues * Fixed in 1.15.1, some versions of PostgreSQL may cause an exception when storing breach metrics after enabling FusionAuth Reactor. If you are not using FusionAuth Reactor or you are using MySQL instead of PostgreSQL this issue will not affect you. * Fixed in 1.15.3, on systems running MySQL, the `1.15.0` migration fails on a `DELIMITER` command and causes the instance table to have a null `license_id`. If you upgraded to `1.15.0`, have connected our instance to a support contract, and ran the `1.15.0` migration using maintenance mode, you will need to reconnect your license Id in the Reactor tab. * A workaround for this issue is to download the `fusionauth-database-schema-1.15.0.zip` from [our direct download page](/direct-download), unzip and manually apply the `migrations/mysql/1.15.0.sql` migration. You may also wait to upgrade until `1.15.3` is available and allow maintenance mode to run the fixed migration. ### Changed * In the FusionAuth admin UI you will notice that User, Groups, Applications and Tenants are all now at the top level of the left navigation sidebar. This change has been done to provide quicker access to these frequently accessed menus. ### New * FusionAuth Reactor ™. FusionAuth Reactor is available with all paid plans of FusionAuth. The first feature in the Reactor suite will be breached password detection. All passwords will be checked against a breached list during all password change events, and optionally during login based upon your configuration. * New webhook event for use with FusionAuth Reactor breached password detection. This event when enabled will be fired during login if the user is using a vulnerable password. * User Password Breach (`user.password.breach`), see [Webhook Events](/docs/extend/events-and-webhooks/events/) for additional information. * New Tenant configuration in support of FusionAuth Reactor and additional password validation rules. This configuration can be found in the Password tab of the Tenant configuration on the [Tenant](/docs/apis/tenants) API. * `tenant.passwordValidationRules.validateOnLogin` - When enabled the user's password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password. Prior to this release password validation was only ever performed during a change event, you may now optionally enforce your password policy during login. * `tenant.passwordValidationRules.breachDetection` - A new object to provide configuration per tenant for password breach detection. * During login, if the user is required to change their password, the Login API, Authorization Code Grant, Implicit Grant and Password Grant will now also return a change reason. This additional value in the response will indicate why the user is being required to change their password. * See the [Login](/docs/apis/login) API, and corresponding [OAuth endpoints](/docs/lifecycle/authenticate-users/oauth/endpoints) for more detail. ### Security * A small window exists after a Refresh Token has expired when this token can still be used under specific circumstances. This symptom only occurs when using the `/api/jwt/refresh` API, and not when using the Refresh Grant using the `/oauth/token` endpoint. In a worst case scenario the Refresh Token may be honored up to 5 hours after the expiration date, in most circumstances it will be much less. This only applies to expired Refresh Tokens, revoking a Refresh Token is not affected. * Resolves [GitHub Issue #454](https://github.com/FusionAuth/fusionauth-issues/issues/454), thanks to [@johnmaia](https://github.com/johnmaia) one of our FusionAuth MVPs! ### Fixed * Editing a Group in a Tenant that does not yet have any Applications created causes and exception when you attempt to save the edit form in the FusionAuth admin UI. * Resolves [GitHub Issue #471](https://github.com/FusionAuth/fusionauth-issues/issues/471), thanks to [@dhait](https://github.com/dhait) for letting us know, we appreciate you! * When Self Service Registration, if Registration Verification is enabled and Email Verification is disabled the user will not receive a Registration Verification email. * Resolves [GitHub Issue #472](https://github.com/FusionAuth/fusionauth-issues/issues/472) * An exception may occur when using the Import User API if you are missing the `applicationId` property in a User Registration. This error should have been found as a validation error and instead an exception occurred. * Resolves [GitHub Issue #479](https://github.com/FusionAuth/fusionauth-issues/issues/479), thanks to our friends at Integra Financial Services for reporting the error. ### Enhancements * Allow Kickstart to better handle varying startup times and delays. A few users reported scenarios where Kickstart would begin before FusionAuth was ready causing Kickstart to fail. * Resolves [GitHub Issue #477](https://github.com/FusionAuth/fusionauth-issues/issues/477) This change may affect you if you are performing advanced HTML escaping in your themed templates. During upgrade, any usage of `?html` in a themed template will removed because it is now handled automatically and it is no longer valid to use the FreeMarker built-in `?html`. \ If any of your translated messages include an HTML entity such as `\&hellip;` and you are including this message using the theme message helper `theme.message` you may need to make a small adjustment in order for the entity to render properly. For example, on the Logout template the default text is `Logging out…` but if you see it rendered as `Logging out\&hellip;` you will need to add an the FreeMarker suffix `?no_esc` so that the usage looks like this `theme.message('logging-out')?no_esc`. \ It is recommended that you audit your theme for any usage of `?html` and ensure you test your theme after migration. In the FusionAuth UI if you navigate to Settings -> Themes you can use the View action to render each template and ensure they render properly.] ### Changed * A JWT Populate Lambda now has fewer reserved claims. All claims can now be removed or modified except for `exp`, `iat` and the `sub` claims by the JWT Populate Lambda. You remove or modify claims added by FusionAuth at your own peril. * See [JWT Populate](/docs/extend/code/lambdas/jwt-populate) for additional details. * Resolves [GitHub Issue #387](https://github.com/FusionAuth/fusionauth-issues/issues/387) * Add additional fields that can be merged by the `PATCH` HTTP method. The following fields were not being merge, but replaced. The limitation of this change is that it is difficult to remove fields from values from arrays. A future enhancement may be to support the [JSON Patch](https://github.com/FusionAuth/fusionauth-issues/issues/441) specification which provides semantics for add, replace and remove. * `User.preferredLanguages` * `User.memberships` * `User.registrations` * `User.data` * `UserRegistration.data` * `UserRegistration.preferredLanguages` * `UserRegistration.roles` * `Application.data` * Resolves [GitHub Issue #424](https://github.com/FusionAuth/fusionauth-issues/issues/424) ### New * [Kickstart](/docs/get-started/download-and-install/development/kickstart)™ allows you bypass the Setup Wizard in order to FusionAuth up and running quickly. Deploy development or production instances of FusionAuth using a pre-defined configuration of Users, Groups, Applications, Tenants, Templates, API keys, etc. * Resolves [GitHub Issue #170](https://github.com/FusionAuth/fusionauth-issues/issues/170) 🤘 * This feature is in *Tech Preview * which means if we find shortcomings with the design as we gather feedback from end users it is possible we will make breaking changes to the feature to correct or enhance the functionality. Any such changes will be documented in future release notes as appropriate. * The Tenant API can optionally take a new `sourceTenantId` parameter to allow you to create a new Tenant using the values from an existing Tenant. Using the `sourceTenantId` limits the required parameters to the Tenant name. * Resolves [GitHub Issue #311](https://github.com/FusionAuth/fusionauth-issues/issues/311) * Add a View action to a Group Membership in the Membership tab of the Manage User panel in the UI. * Resolves [GitHub Issue #413](https://github.com/FusionAuth/fusionauth-issues/issues/413) ### Fixed * A memory leak in the Nashorn JavaScript engine used to execute FusionAuth Lambdas has been resolved. * The OAuth2 Authorization Code grant was required to complete a SAMLv2 login, this grant is no longer required to be enabled. * Resolves [GitHub Issue #432](https://github.com/FusionAuth/fusionauth-issues/issues/432) * Added missing `theme_manager` role to the FusionAuth application ### Fixed * During a reindex operation the status will properly be displayed on every node when viewing the User Search or the Reindex pages in the UI. * Improve Kafka configuration validation when using the Test button in the UI. * Resolves [GitHub Issue #318](https://github.com/FusionAuth/fusionauth-issues/issues/318), thanks to [@nikos](https://github.com/nikos) for reporting the issue! * An exception may occur when using ReactNative with FusionAuth when an HTTP Origin header is sent to FusionAuth with a value of `file://`. The exception is caused because `file://` without a value after the double slash is not a valid URI and cannot be parsed by `java.net.URI`. However the HTTP specification indicates that an origin header with a scheme of `file://` is allowed and when used anything following the prefix is allowed. This fix follows a similar decision made by Apache Tomcat in their CORS filter, see [Bugzilla #60008](https://bz.apache.org/bugzilla/show_bug.cgi?id=60008). * Resolves [GitHub Issue #414](https://github.com/FusionAuth/fusionauth-issues/issues/414), thanks to [@karice](https://github.com/karice) for reporting the issue and helping us debug! * When an invalid code or expired code is used on a Passwordless login request an exception may occur. * Resolves [GitHub Issue #416](https://github.com/FusionAuth/fusionauth-issues/issues/416), thanks to [@downagain](https://github.com/downagain) for reporting the issue! * When a user email is verified implicitly due to a change password action that originated via an email request the `user.verified` event is now sent. * Resolves [GitHub Issue #418](https://github.com/FusionAuth/fusionauth-issues/issues/418), thanks to [@JonasDoe](https://github.com/JonasDoe) for asking via [StackOverflow](https://stackoverflow.com/questions/59502335/fusionauth-webhook-user-email-verified-not-triggered-when-confirmation-happend) and then opening an issue to help us resolve the issue. ### Fixed * The Elasticsearch migration required to complete the upgrade to 1.13.0 may not always run as intended. Upgrading to this release will kick off an Elasticsearch reindex operation to correct the search index state. ### Known Issues * A search index rebuild is required to complete this upgrade, this operation may not automatically be started during upgrade. If you have already upgraded to this release you can either upgrade to the 1.13.1, or manually initiate a reindex request by navigating in the UI to System -> Reindex. ### New * Delete users who have not verified their email address after a specified duration * See [Tenant](/docs/get-started/core-concepts/tenants) configuration or the [Tenant](/docs/apis/tenants) API for additional information. * Resolves [GitHub Issue #360](https://github.com/FusionAuth/fusionauth-issues/issues/360) * Delete application registrations of users who have not verified their registration after a specified duration * See [Application](/docs/get-started/core-concepts/applications) configuration or the [Application](/docs/apis/applications) API for additional information. * Resolves [GitHub Issue #360](https://github.com/FusionAuth/fusionauth-issues/issues/360) * Delete Users by Search Query * Resolves [GitHub Issue #361](https://github.com/FusionAuth/fusionauth-issues/issues/361) * See [Bulk Delete Users](/docs/apis/users#bulk-delete-users) API. ### Fixed * The newly supported `PATCH` HTTP method cannot be selected from the API key endpoint security settings. This means that you need to allow all methods in order to utilize the `PATCH` method. This has been resolved. * Resolves [GitHub Issue #402](https://github.com/FusionAuth/fusionauth-issues/issues/402), thanks to [@radicaljohan](https://github.com/radicaljohan) for reporting! * The newly supported `PATCH` HTTP method is not configurable in the CORS filter. * An empty salt value is recommended in an error message but this was failing validation during Import using the User Import API. * Resolves [GitHub Issue #410](https://github.com/FusionAuth/fusionauth-issues/issues/410), thanks to [@TanguyGiton](https://github.com/TanguyGiton) for reporting! * An exception may occur when using the PATCH method on the User API when more than one tenant exists. * Resolves [GitHub Issue #400](https://github.com/FusionAuth/fusionauth-issues/issues/400), thanks to [@JesperWe](https://github.com/JesperWe) for reporting! ### Enhancement * `DELETE /api/user/bulk` takes `queryString` and `query` parameters to search for users to delete by Elasticsearch query string and raw JSON query, and a `dryRun` parameter to preview the affected users. See the [User Bulk Delete API documentation](/docs/apis/users#bulk-delete-users). * Addresses [GitHub Issue #361](https://github.com/FusionAuth/fusionauth-issues/issues/361) * `POST /api/user/search` and `GET /api/user/search` take a `query` parameter to search for users by an Elasticsearch raw JSON query. See the [User Search API documentation](/docs/apis/users#search-for-users). * Addresses [GitHub Issue #361](https://github.com/FusionAuth/fusionauth-issues/issues/361) * `/api/user/search` takes new `sortFields` for sorting search results. See the [User Search API documentation](/docs/apis/users#search-for-users). * The Webhook URL is no longer constrained to 191 characters. Prior to this version, this URL was considered unique and the length was constrained due to indexing limitations. The URL is no longer required to be unique and it is up to the user to limit duplicate webhooks. * Resolves [GitHub Issue #386](https://github.com/FusionAuth/fusionauth-issues/issues/386), and thanks to [@davidmw](https://github.com/davidmw) for bringing this issue to our attention. Long URLs for everyone! ### Changed * In support of the OAuth Device Grant feature released in 1.11.0, a second template was added to separate the completion state. * New themed template `OAuth device complete`. Starting with version 1.12.0, templates will no longer be automatically migrated into an existing theme. We believe this is a safer choice overall. Instead your theme will be marked as requiring upgrade when viewed in the UI. You will be prompted to complete the missing templates when you edit and you will be provided with the option to copy in the default template as a starting point. * If FusionAuth attempts to render the missing template you will be prompted with a message indicating your theme needs to be upgraded. In generally this should happen when you are using a new feature and thus should occur at development time. Whenever a new template is added, it is recommended to edit and verify your theme right away after upgrade to ensure a smooth migration. * In support of the HYPR integration, a new template was added that will be used when waiting for the external HYPR authentication to complete. * New themed template `OAuth2 wait`. Starting with version 1.12.0, templates will no longer be automatically migrated into an existing theme. We believe this is a safer choice overall. Instead your theme will be marked as requiring upgrade when viewed in the UI. You will be prompted to complete the missing templates when you edit and you will be provided with the option to copy in the default template as a starting point. * The following theme messages were added. Until these values have been translated they will be rendered in English. At your earliest convenience you will want to add these new keys to your existing themes. You may wish to review the community provided translations which may already contain these new messages. https://github.com/FusionAuth/fusionauth-localization ``` wait-title=Complete login on your external device waiting=Waiting [ExternalAuthenticationExpired]=Your external authentication request has expired, please re-attempt authentication. ``` * A change has been made to how an event is sent to Webhooks when the Transaction configuration does not require any webhooks to succeed. Prior to this version each webhook would be called in order and once the status was collected from each webhook a decision was made to return to the caller or fail the request. In order to increase the performance of webhooks, when the Transaction configuration does not require any webhooks to succeed each webhook will be called in a separate thread (asynchronously) and the request will return immediately. In this scenario any failed requests will not be retried. See Webhooks for more information. ### New * Support HYPR IdP native integration. HYPR brings passwordless and biometric options to FusionAuth. * See the [HYPR Identity Provider](/docs/lifecycle/authenticate-users/identity-providers/enterprise/hypr) for additional details * Administrative actions added to Users -> Manage panel. * *Send password reset * always available from the drop down menu. * Addresses [GitHub Issue #351](https://github.com/FusionAuth/fusionauth-issues/issues/351), thanks to [@nicholasbutlin](https://github.com/nicholasbutlin) for the suggestion! * *Resend email verification * available when the user's email is not yet verified from the drop down menu. * *Resend verification * available as a new row button in the *Registrations * tab when a registration is not verified. ### Fixed * Modifying user actions with multi tenants returns a missing tenant error. * Resolves [GitHub Issue #328](https://github.com/FusionAuth/fusionauth-issues/issues/328), thanks to [@AlvMF1](https://github.com/AlvMF1) for reporting the issue! * The [JWT Validate](/docs/apis/jwt#validate-a-jwt) endpoint returns the wrong precision for `iat` and `exp` claims. * Resolves [GitHub Issue #347](https://github.com/FusionAuth/fusionauth-issues/issues/347), thanks to [@uncledent](https://github.com/uncledent) for reporting and providing detailed information. * When using the one time password returned from the Change Password API when a Refresh Token was provided during the change request a Refresh Token is not returned from the Login API. * Resolves [GitHub Issue #382](https://github.com/FusionAuth/fusionauth-issues/issues/382), thanks to [@colingm](https://github.com/colingm) for reporting the issue. * A "null" Origin header is allowed in the w3 spec, and when this occurs it may cause an exception when validating authorized origins. * Resolves [GitHub Issue #379](https://github.com/FusionAuth/fusionauth-issues/issues/379), thanks to [@karice](https://github.com/karice) for reporting and excellent assist! * Better handling on the Start Passwordless API when a user does not exist * Resolves [GitHub Issue #377](https://github.com/FusionAuth/fusionauth-issues/issues/377), thanks to [@smoorsausje](https://github.com/smoorsausje) for reporting! ### Enhancement * The User Delete API will no longer delete User Actions taken by the user. Instead the API will now disassociate any UserActions created by the deleted user by removing them from the Actioning User. In this scenario, a user will remain in an Action taken by a user that has now been deleted. * A User Action may be applied to a user in a different tenant than the User taking the action. Prior to this release, using the admin UI to take an action on a user in a different tenant may fail. * The following APIs now support the `PATCH` HTTP method. This enhancement completes [GitHub Issue #121](https://github.com/FusionAuth/fusionauth-issues/issues/121). * `/api/application` * `/api/application/role` * `/api/consents` * `/api/email/template` * `/api/group` * `/api/identity-provider` * `/api/integration` * `/api/lambda` * `/api/system-configuration` * `/api/tenant` * `/api/theme` * `/api/user` * `/api/user-action` * `/api/user-action-reason` * `/api/user/consent` * `/api/user/registration` * `/api/webhook` * The FusionAuth client libraries now also support the PATCH method. * When an encoded JWT is accepted in the Authorization header, FusionAuth will now accept the token in the `Bearer` or the `JWT` schema. * When you begin an external login such as Facebook, Google or Twitter an in progress indicator will be added to the login panel to indicate to the user that a request is in progress. * Resolves [GitHub Issue #331](https://github.com/FusionAuth/fusionauth-issues/issues/331), thanks to [@davidmw](https://github.com/davidmw) for the suggestion! * If you are using a theme and want to take advantage of this indicator, you can compare the stock OAuth2 Authorize template, look for the note in the top JavaScript section. ### Security * A change was made to the FreeMarker template engine to remove the possibility of malicious code execution through a FreeMarker template. To exploit this vulnerability, one of two scenarios must occur. The first scenario is a user with an API key capable of adding or editing Email or Theme templates, the second scenario is a user with access to the FusionAuth admin UI that has the necessary authority to add or edit Email or Theme templates. In these two scenarios the user would need to add code to the template with the intention of executing a malicious system command. There is a low probably of this exploitation to occur if you have trusted applications and administrative users. * [CVE-2020-7799](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7799) ### Changed * Remove the `sid` and the `iss` request parameters on the URL provided by `post_logout_redirect_uri`. This feature was added in version `1.10.0` and because the redirect URL may be a previously configured Logout URL or a URL provided by the `post_logout_redirect_uri` we were always adding these additional request parameters to the URL. This change will remove them from the redirect URL and they will only be added to the URLs used to build the iframes in the logout template. * Resolves [GitHub Issue #332](https://github.com/FusionAuth/fusionauth-issues/issues/332), thanks to [@davidmw](https://github.com/davidmw) for the feedback! * In support of the OAuth Device Grant feature, the following theme changes have been made. * New themed template `OAuth device`. This template has been added to each of your existing themes. As part of your migration please review this template to ensure it matches your intended style. * The following theme messages were added. Until these values have been translated they will be rendered in English. At your earliest convenience you will want to add these new keys to your existing themes. You may wish to review the community provided translations which may already contain these new messages. https://github.com/FusionAuth/fusionauth-localization ``` device-form-title=Device login device-login-complete=Successfully connected device device-title=Connect Your Device userCode=Enter your user code [blank]user_code=Required [invalid]user_code=Invalid user code ``` * The following hidden fields were added and you will need to update your `[#macro oauthHiddenFields]` in the theme "Helpers" of existing Themes if you intend to utilize the Device Grant or `response_mode` in the Authorization grant: ``` [@hidden name="response_mode"/] [@hidden name="user_code"/] ``` * An update has been made to the `[@link]` macro in the Helpers template. If you intend to utilize the Device Grant you will need to add the missing parameters to your macro or copy the updated macro and usage from the default FusionAuth theme. The `user_code` request parameter has been added to this macro. ### New * [Device Authorization Grant](/docs/lifecycle/authenticate-users/oauth/endpoints#device) * This satisfies [GitHub Issue #320](https://github.com/FusionAuth/fusionauth-issues/issues/320) - OAuth2 Device Authorization Grant * This grant type is commonly used to connect a set top box application to a user account. For example when you connect your HBO NOW Roku application to your account you are prompted with a 6 digit code on the TV screen and instructed to open a web browser to [hbonow.com/tvcode](https://hbonow.com/tvcode) to complete the sign-in process. This process is using the OAuth Device Grant or a variation of this workflow. * Support for the `response_mode` request parameter during the Authorization Code grant and the Implicit grant workflows. * This will provide support for `response_mode=form_post` * Resolves [GitHub Issue #159](https://github.com/FusionAuth/fusionauth-issues/issues/159), thanks to [@bertiehub](https://github.com/bertiehub) for requesting. * An additional API is available in support of Passwordless Login to allow additional flexibility with third party integrations. * See [GitHub Issue #175](https://github.com/FusionAuth/fusionauth-issues/issues/175) * This feature will be available in 3 steps, Start, Send and Complete. Currently the Send API generates a code and sends it to the user, and then a Login API completes the request. The change is backwards compatible, but a Start action will be provided so you may skip the Send and collect the code and send it to the user using a third party system. * See the [Passwordless API documentation](/docs/apis/passwordless) for additional information. ### Preview * The `PATCH` HTTP method is available on some APIs in a developer preview. This is not yet documented and should only be used in development. The following APIs support the `PATCH` method, more to come. * `/api/application` * `/api/user` * `/api/user/registration` * This is in support of [GitHub Issue #121 - Support HTTP method PATCH](https://github.com/FusionAuth/fusionauth-issues/issues/121). ### Fixed * Return a `400` status code with a JSON response body on the Import API when a foreign key constraint causes the import to fail * Resolves [GitHub Issue #317](https://github.com/FusionAuth/fusionauth-issues/issues/317), thanks to [@AlvMF1](https://github.com/AlvMF1) for reporting the issue! * Return a `401` status code on the `Userinfo` endpoint for invalid tokens * Resolves [GitHub Issue #321](https://github.com/FusionAuth/fusionauth-issues/issues/321) * The Passwordless login external identifier complexity settings are not working * Resolves [GitHub Issue #322](https://github.com/FusionAuth/fusionauth-issues/issues/322), thanks to [@pawpro](https://github.com/pawpro) for letting us know! * An error is incorrectly displayed on the Forgot Password form even when the code is valid * Resolves [GitHub Issue #330](https://github.com/FusionAuth/fusionauth-issues/issues/330), thanks to [@JesperWe](https://github.com/JesperWe) for reporting the issue! * When a large number of tenants exist such as 3-5k, an exception may be thrown during a key cache reload request * Resolves [GitHub Issue #326](https://github.com/FusionAuth/fusionauth-issues/issues/326), thanks to [@johnmaia](https://github.com/johnmaia) for reporting! * When using the `id_token_hint` on the Logout endpoint, if the token was issued to a user that is not registered for the application it will not contain the `applicationId` claim. This claim was being used to resolve the `client_id` required to complete logout. An alternative strategy is now used so that an `id_token` issued to a user that is registered, or not registered will work as expected when provided on the Logout endpoint. * Resolves [GitHub Issue #350](https://github.com/FusionAuth/fusionauth-issues/issues/350), thanks to [@paulspencerwilliams](https://github.com/paulspencerwilliams) for taking the time to let us know! * Support a SAML SP that does not send the `` constraint in the AuthN request, in this case we will default to `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`. ### Enhancement * Front-channel logout was made more flexible * Resolves [GitHub Issue #324](https://github.com/FusionAuth/fusionauth-issues/issues/324) * A new attribute `Logout behavior` was added to the Application -> OAuth configuration * `Redirect only` - legacy behavior of only logging out of SSO and redirecting to either the registered logout URL in the application or the `post_logout_redirect_uri`. * `All applications` - performs a front channel logout of all registered applications in the tenant. Optionally, the themeable `Oauth logout` page can be modified to only logout of those applications the user is registered for. * In some cases the Facebook IdP configuration requires a permission of `email` to be configured in order for the `email` claim to be returned from the Facebook Me API even when `email` is also specified in the `field` parameter. FusionAuth will default both the `fields` and the `permissions` parameters to `email` on create if not provided to make the Facebook IdP work out of the box for more users. Defaults will not be applied if these fields are left blank or omitted on an update. * The [Passwordless Send API](/docs/apis/passwordless#send-passwordless-login) now takes an optional `code` parameter which will be used as the Passwordless code sent in the email. This `code` can be generated by the new Passwordless Start API. ### Fixed * When logging into Google or other external Identity Provider for an Application outside of the default tenant the login may not complete successfully. This issue was introduced in version 1.9.0. A work around is to use an application in the default tenant. * A status code of `500` may occur during the processing of the SAML v2 response from an SAML v2 IdP. * Resolves [GitHub Issue #314](https://github.com/FusionAuth/fusionauth-issues/issues/314), thanks to [@Raghavsalotra](https://github.com/Raghavsalotra) for all his help verifying a fix for this issue. ### Changed * In support of the OpenID Connect Front Channel logout feature, the following theme changes have been made. * New themed template `OAuth logout`. This template has been added to each of your existing themes. As part of your migration please review this template to ensure it matches your intended style. * The following theme messages were added. Until these values have been translated they will be rendered in English. At your earliest convenience you will want to add these new keys to your existing themes. You may wish to review the community provided translations which may already contain these new messages. https://github.com/FusionAuth/fusionauth-localization ``` logging-out=Logging out&hellip; logout-title=Logging out or=Or [ExternalAuthenticationException]=%1$s The login request failed. ``` ### New * Support for the OpenID Connect Front Channel logout * This updates the existing OAuth2 Logout endpoint to be compliant with the [OpenID Connect Front-Channel Logout 1.0 - draft 02](https://openid.net/specs/openid-connect-frontchannel-1_0.html) specification * TL;DR The `/oauth2/logout` endpoint will call logout URLs of all tenant applications. A redirect URL can be requested on the URL via `post_logout_redirect_uri`. * Resolves [GitHub Issue #256](https://github.com/FusionAuth/fusionauth-issues/issues/256), thanks to all who up voted and provided valuable feedback. * The [OpenId Connect discovery endpoint](/docs/lifecycle/authenticate-users/oauth/endpoints#openid-configuration) now returns the following attributes: * `end_session_endpoint` * `frontchannel_logout_supported` * `backchannel_logout_supported` ### Fixed * Send email API may fail with a `500`. This issue was introduced in version `1.9.0`. * SAML v2 Invalid Redirect. This resolves [GitHub Issue #287](https://github.com/FusionAuth/fusionauth-issues/issues/287), thanks to [@prasanna10021991](https://github.com/prasanna10021991) for reporting and helping! ### Enhancement * Allow request parameters to be provided on the Authorization endpoint in the OpenID Connect relaying party configuration. This allows FusionAuth to integrate with the [Twitch OpenID Authorization Grant implementation](https://dev.twitch.tv/docs/authentication/getting-tokens-oidc/#oidc-authorization-code-flow). * This resolves [GitHub Issue #309](https://github.com/FusionAuth/fusionauth-issues/issues/309), thanks to [@tauinger-de](https://github.com/tauinger-de) for reporting and helping out! * This is a partial fix to work around not supporting the `claims` parameter on the Authorize request. See [GitHub Issue #308](https://github.com/FusionAuth/fusionauth-issues/issues/308) for additional information. ### Fixed * If you have one or more themes defined prior to upgrade you may be unable to login. * Resolves [GitHub Issue #306](https://github.com/FusionAuth/fusionauth-issues/issues/306), thanks to [@flangfeldt](https://github.com/flangfeldt) and [@jerryhopper](https://github.com/jerryhopper) for the assist! * See workaround in the linked GitHub issue. * Resolves [Internal Server Error after Fusion Auth Upgrade to v 1.9.1](https://stackoverflow.com/questions/58083668/internal-server-error-after-fusion-auth-upgrade-to-v-1-9-1), thanks to [Tom Bean](https://stackoverflow.com/users/7205239/tom-bean) for reporting! ### Fixed * Unable to modify the name of the default FusionAuth theme. If you attempt to edit the theme and save the form a validation error occurs that is not expected and will cause an exception. If you encounter this problem you can simply not edit the FusionAuth theme since you are not able to modify the templates anyway. Instead just duplicate the theme if you would like to view any of the default messages. ### New * Full theme localization support for errors and all other text * If you're interested in helping us crowd source additional languages check out this Git repo and open an issue or submit a PR. * https://github.com/FusionAuth/fusionauth-localization ### Fixed * When editing a new email template that contained `${user.tenantId}` the template validation may fail. * Resolves [GitHub Issue #294](https://github.com/FusionAuth/fusionauth-issues/issues/294), thanks to [@tauinger-de](https://github.com/tauinger-de) for reporting the issue. * A locked account may still be able to login via Google or other external identity provider. * Resolves [GitHub Issue #301](https://github.com/FusionAuth/fusionauth-issues/issues/301), thanks to [@jerryhopper](https://github.com/jerryhopper) (a FusionAuth MVP) for the bug report! * Previous to this change when using the OAuth2 login or the Login API, a locked account was treated as a "soft" lock and a `404` would be returned from the Login API which in turn displayed an Invalid credentials error. The account locked (soft delete) state will not return a `423` status code instead of a `404` which will result in a different message to the OAuth2 login. ### Fixed * The SQL issue described below in the warning message has been resolved. * Performing a clean install of `1.8.0-RC.1` may fail in some cases * When `user.passwordChangeRequired` is `true` and you login via an external identity provider you will be redirected to `/password/change` with an invalid code so you will not be able to complete the change password workflow. You may work around this change by navigating back to the login page and clicking the forgot password link. *Known Issues:* \ Any rows in the `user_external_ids` table with a `null` value in the `applications_id` column may cause the migration to fail. Prior to upgrading run the following SQL command: \ `DELETE from user_external_ids WHERE applications_id IS NULL;` This issue will be resolved in the final release of `1.8.0`. \ ] ### Community MVPs Thanks to all of our community members who take the time to open features, report bugs, assist others and help us improve FusionAuth! For this release we would like to thank the following GitHub users who helped us out! * [@AlvMF1](https://github.com/AlvMF1) * [@colundrum](https://github.com/colundrum) * [@damienherve](https://github.com/damienherve) * [@davidmw](https://github.com/davidmw) * [@fabiojvalente](https://github.com/fabiojvalente) * [@flangfeldt](https://github.com/flangfeldt) * [@johnmaia](https://github.com/johnmaia) * [@petechungtuyco](https://github.com/petechungtuyco) * [@prabhakarreddy1234](https://github.com/prabhakarreddy1234) * [@snmed](https://github.com/snmed) * [@tombeany](https://github.com/tombeany) * [@unkis](https://github.com/unkis) * [@whiskerch](https://github.com/whiskerch) * [@zbruhnke](https://github.com/zbruhnke) ### Changed * Most of the configuration previously available in the System Settings has been moved to the Tenant configuration to allow for additional flexibility. This is important if you will be utilizing more than one tenant, you may now configure password policies, email configuration, etc per tenant. If you are using the System Configuration or Tenant APIs, please be aware of this change and plan accordingly. If you were manually synchronizing these configurations between systems, you will need to update these processes. * SMTP configuration * Event configuration * Password configuration * Failed Authentication configuration * Password configuration * JWT configuration * Theme * When using a theme, whenever possible provide the `tenantId` on the request using an HTTP request parameter. This will help ensure FusionAuth will render the page using your chosen theme. In most cases FusionAuth can identify the correct tenant and theme based upon other parameters in the request, but in some circumstances there is not enough information and FusionAuth will default to the stock theme if the `tenantId` is not explicitly provided. * For example in each of the shipped email templates the following has been added to the generated URL `?tenantId=${tenantId}`. You may wish to add this to your email templates if you're using themes. * If you were previously accessing a themed stylesheet in your template as `${loginTheme.stylesheet}` it is now accessed like this `${theme.stylesheet()}`. ### New * Top level theme menu in FusionAuth UI. Settings -> Themes. * Create, delete, edit and update themes * Assign a named theme to a tenant * Theme preview * User modifiable [CORS configuration](/docs/operate/secure/cors) * [GitHub Feature #180 : Expose a CORS configuration to the end user](https://github.com/FusionAuth/fusionauth-issues/issues/180) * A public key may also be retrieved by `kid` in addition to the `applicationId` when using the [Public Key API](/docs/apis/jwt#retrieve-public-keys). This resolves [GitHub Issue #227](https://github.com/FusionAuth/fusionauth-issues/issues/227). * PKCE support for use during the Implicit Grant * New [User Email Verified](/docs/extend/events-and-webhooks/events/user-email-verified) and [User Registration Verified](/docs/extend/events-and-webhooks/events/user-registration-verified) events. Resolves [GitHub Issue #163](https://github.com/FusionAuth/fusionauth-issues/issues/163), thanks to [@unkis](https://github.com/unkis), [@prabhakarreddy1234](https://github.com/prabhakarreddy1234) and [@davidmw](https://github.com/davidmw) for the great feedback! * Email Verification, Registration Verification, Change Password, Setup Password and Passwordless Login can be optionally configured to use codes made up of digits instead of long strings. This may be helpful if you wish the user to type in a code during an interactive workflow. * Resolves [GitHub Issue #269](https://github.com/FusionAuth/fusionauth-issues/issues/269), thanks to [@zbruhnke](https://github.com/zbruhnke) for helping us get this one delivered. ### Fixed * Tenant scoped SMTP configuration, password rules, event transactions, JWT signing configuration, etc. * When viewing Refresh token expiration in the Manage User panel under the Sessions tab, the expiration may be displayed incorrectly if the Refresh Token Time to Live has been set at the Application level. The actual time to live was still correctly enforced, but this display may have been incorrect. * In some cases an Id Token signed by FusionAuth may not be able to be verified if it is sent back to FusionAuth. This issue was introduced in version `1.6.0`. * If the host operating system is not configured for `UTF-8` and you specify multi-byte characters in an email template subject, the subject text may not be rendered correctly when viewed by the recipient. * Resolves [GitHub Issue #231](https://github.com/FusionAuth/fusionauth-issues/issues/231), thanks to [@Lechu67](https://stackoverflow.com/users/8266623/lechu67) for reporting via [Stack Overflow](https://stackoverflow.com/questions/57146832/) and helping to diagnose the issue. * Toggle rendering issue in Firefox. Resolves [GitHub issue #260](https://github.com/FusionAuth/fusionauth-issues/issues/260), thanks to [@snmed](https://github.com/snmed) for the assist! * When creating users and applications programatically, due to a timing issue, you may receive an unexpected error indicating the Application does not exist. Resolves [GitHub Issue $252](https://github.com/FusionAuth/fusionauth-issues/issues/252), thanks to [@johnmaia](https://github.com/johnmaia) for reporting the issue. * An exception may occur when using the Login with Google feature if the `picture` claim returned is not a valid URI. Resolves [GitHub Issue #249](https://github.com/FusionAuth/fusionauth-issues/issues/249), thanks to [@damienherve](https://github.com/damienherve) for reporting the issue. * A tenant may fail to be deleted. Resolves [GitHub Issue #221](https://github.com/FusionAuth/fusionauth-issues/issues/221), thanks to [@johnmaia](https://github.com/johnmaia) for the assist! If you encounter this issue, ensure the search index is updated, generally this will only happen if you programatically create users and then immediately attempt to delete a tenant. * The relative link on the Change Password themed template to restart the Forgot Password workflow when the code has expired is broken. Resolves [GitHub Issue #280](https://github.com/FusionAuth/fusionauth-issues/issues/280), thanks to [@flangfeldt](https://github.com/flangfeldt) for letting us know! * The Import API may fail due to a false positive during password salt validation. Resolves [GitHub Issue #272](https://github.com/FusionAuth/fusionauth-issues/issues/272), thanks to [@tombeany](https://github.com/tombeany) for reporting the issue. * Modifying an Identity Provider configuration when an Application has been disabled may cause an error in the UI. Resolves [GitHub Issue #245](https://github.com/FusionAuth/fusionauth-issues/issues/245), thanks to [@fabiojvalente](https://github.com/fabiojvalente) for reporting the issue. * When the FusionAuth schema exists in the database and you reconnect FusionAuth using the database maintenance mode, depending upon the version of PostgreSQL we may not properly detect that the schema exists and return an error instead of continuing. Resolves [GitHub Issue #237](https://github.com/FusionAuth/fusionauth-issues/issues/237), thanks to [@whiskerch](https://github.com/whiskerch) for reporting the issue. * A typo in the Java FusionAuth client causes the to fail the `generateEmailVerificationId` request. Resolves [GitHub Issue #282](https://github.com/FusionAuth/fusionauth-issues/issues/282), thanks to [@petechungtuyco](https://github.com/petechungtuyco) for reporting the issue and pointing out the solution! ### Enhancement * [JWT Refresh Token Revoke](/docs/extend/events-and-webhooks/events/jwt-refresh-token-revoke) event will contain a User object when available * Resolves [GitHub Issue #255](https://github.com/FusionAuth/fusionauth-issues/issues/255), thanks to [@AlvMF1](https://github.com/AlvMF1) for the great suggestion! * In a themed template that may have the `passwordValidationRules` available after a password validation field error will now always have the `passwordValidationRules` available if you choose to display them. Resolves [GitHub Issue #263](https://github.com/FusionAuth/fusionauth-issues/issues/263), thanks to [@AlvMF1](https://github.com/AlvMF1) for the suggestion! * Updated PostgresSQL connector to support `SCRAM-SHA-256`. Thanks to [@colundrum](https://github.com/colundrum) for letting us know and assisting in testing. Resolves [GitHub Issue #209](https://github.com/FusionAuth/fusionauth-issues/issues/209) * The [OpenId Connect discovery endpoint](/docs/lifecycle/authenticate-users/oauth/endpoints#openid-configuration) now accepts optional `tenantId` request parameter. * A [User](/docs/apis/users) object is returned in the `jwt.refresh-token.revoke` event JSON. * The field `tenantId` is returned in event JSON. ### Fixed * When configuring a SAML v2 IdP relying party using the FusionAuth SP metadata, the configured ACS may not work properly. If you encounter this issue you may manually modify the relying party configuration to change the ACS endpoint to `/oauth2/callback`. * Resolves [Stack Overflow : FusionAuth ADFS integration issue](https://stackoverflow.com/questions/57607810/fusionauth-adfs-integration-issue), thanks to [@johan](https://stackoverflow.com/users/3702939/johan) for reporting the issue. ### New * SAML v2, OpenID Connect, Google, Facebook, Twitter and External JWT Identity Provider configurations now have a debug flag. When enabled a debug Event Log will be created during each request to the Identity Provider to assist in debugging integration issues that may occur. In addition, error cases will be logged in the Event log instead of to the product log. * SAML v2 Service Provider (Relaying Party) Metadata URL ### Fixed * In some cases when running FusionAuth behind a proxy without setting the `X-Forwarded-Port` header the URLs returned in the OpenID Configuration discovery document may contain an `https` URL that is suffixed with port `80`. If this is encountered prior to this version you may simply add the `X-Forwarded-Port` header in your proxy configuration. * SAML v2 fix when using `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` or `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` Name Id formats. * Resolves [GitHub Issue #205](https://github.com/FusionAuth/fusionauth-issues/issues/205), thanks to [@mikerees](https://github.com/mikerees) for reporting the issue and helping us test a fix. * SAML v2 fix in the IdP Metadata. The `IDPSSODescriptor` was missing the `protocolSupportEnumeration` which may cause some SAML metadata parsers to fail processing. * Resolves [GitHub Issue #235](https://github.com/FusionAuth/fusionauth-issues/issues/235), thanks to [@user1970869 ](https://github.com/user1970869 ) for reporting the issue and helping us test a fix. * SAML v2 fix in the IdP Metadata. The value returned in the `issuer` attribute was not the same as the `entityId` provided in the metadata which may cause some SAML metadata parsers to fail processing. * Resolves [GitHub Issue #240](https://github.com/FusionAuth/fusionauth-issues/issues/240), thanks to [@user1970869 ](https://github.com/user1970869 ) for reporting the issue and helping us test a fix. * And audit log entry may not be created for a FusionAuth admin that does not have an email address when modifying configuration with the FusionAuth UI. * Resolves [GitHub Issue #268](https://github.com/FusionAuth/fusionauth-issues/issues/268) ### Enhancement * Integration details have been moved to a view dialog for each Identity Provider configuration. Previously these values were provided as read only fields on the edit panel in the UI. * See the View action for your Identity Provider configurations by navigating to Settings -> Identity Providers. ### Fixed * Deleting a user that has recently had a failed login may fail when FusionAuth is tracking failed login attempts to lock user accounts. * Resolves [GitHub Issue #184 : Cannot delete user with too many login attempts](https://github.com/FusionAuth/fusionauth-issues/issues/184), thanks to [@gmpreussner](https://github.com/gmpreussner) for reporting the issue. * Login to a 3rd party SAML IdP may fail * Resolves [GitHub Issue #181 : Trouble with SAML and OpenID logins](https://github.com/FusionAuth/fusionauth-issues/issues/181), thanks to [@davidmw](https://github.com/davidmw) for reporting the issue. * Fix the uptime calculation for nodes when viewed in the About panel. System -> About ### Fixed * Possible migration error for PostgreSQL users ### Changed * The `timezone` field in the User and UserRegistration must be a [IANA](https://www.iana.org/time-zones) time zone. This was previously assumed, but not always enforced. If a timezone is set for a User or UserRegistration that is not a valid IANA timezone, `null` will be returned when retrieving the User or UserRegistration timezone. ### New * Family and relationship modeling. Yeah, everyone has users, but does your IdP manage family relationships? * Family concepts * [Family APIs](/docs/apis/families) * Consent management. Need to record parental consent, or track opt-in for your users? Look no further. * Consent concepts * [Consent APIs](/docs/apis/consents) * We will ship FusionAuth with COPPA VPC, and COPPA Email+ consents, additional consents may be added through the Consent management interface and through the Consent APIs. * Export of Audit Logs to a zipped CSV in the UI and via the [Export API](/docs/apis/audit-logs#export-audit-logs) * Export of Login Records to a zipped CSV in the UI and via the [Export API](/docs/apis/login#export-login-records) * Login Record view that contains limited search and pagination capability. In the UI see System -> Login Records * Retention policy for Audit Logs. This feature is disabled by default and may be enabled to retain a configured number of days worth of Audit Logs. * Retention policy for Login Records. This feature is disabled by default and may be enabled to retain a configured number of days worth of Login Records. ### Fixed * Some timezones may not be correctly discovered during login. When this occurs an `undefined` value is set which may cause an error during login to the FusionAuth UI. * Support importing Bcrypt hashes that contain a `.` (dot). The Bcrypt Base64 encoding uses a non standard character set which includes a `.` (dot) instead of a `+` (plus) as in the standard character set. Thank you to Diego Souza Rodrigues for discovering this issue and letting us know!. * Better support for third party 2FA devices such as an RSA key fob. When providing FusionAuth with a secret to enable Two Factor authentication we will accept a string in a Bas32 or Base64 encoded format. The documentation has been updated to further clarify this behavior. Previously if you brought your own secret to FusionAuth to enable 2FA, depending upon the format of the key, you may not have been successful in enabling 2FA for a user. * Managed domains were not being returned properly for a SAML v2 IdP configuration. This means that you could not limit the SAML v2 IdP configuration to users with a specific email domain. ### Enhancement * The User Registration object is now available as a top level object in the Verify Registration email template. The registration was previously available in the `user` object, but it will now also be a top level object `registration`. * Support arbitrary URIs for OAuth redirects. * Resolves [GitHub Issue #58 : Support OAuth2 redirect to an arbitrary scheme in support of native applications](https://github.com/FusionAuth/fusionauth-issues/issues/58) * Add `user.mobilePhone` to the search index. For an existing installation, to take advantage of this field for existing users, you may need to rebuild the search index. See System -> Reindex * Resolves [GitHub Issue #165 : Add mobilePhone in User Search](https://github.com/FusionAuth/fusionauth-issues/issues/165) * Thanks to [@petechungtuyco](https://github.com/petechungtuyco) for letting us know and suggesting the addition. ### Fixed * Using OpenID Connect with Microsoft Azure AD may fail * Thanks to [@stevenrombauts](https://github.com/FusionAuth/fusionauth-issues/issues/153) and [@plunkettscott](https://github.com/plunkettscott) for reporting the issue. [OpenID connect fails with Azure AD #153](https://github.com/FusionAuth/fusionauth-issues/issues/153). ### Changed * Deprecated the following properties `SystemConfiguration` and `Application` domain. This is all now managed through Key Master, and existing keys have been migrated into Key Master. * `jwtConfiguration.issuer` * `jwtConfiguration.algorithm` * `jwtConfiguration.secret` * `jwtConfiguration.publicKey` * `jwtConfiguration.privateKey` * Deprecated the following property `SystemConfiguration.jwtConfiguration.issuer`, it has moved to `SystemConfiguration.issuer`. * A new macro was added to the `_helpers.ftl` that may be managed by your theme. If you have modified the `_helpers.ftl` template as part of your theme, you will either need to reset that template and merge your changes back in, or add the following code to your `_helpers.ftl` managed by your theme. If you encounter an issue with this, you will still likely be able to login to correct the issue, if you do get stuck you may disable your theme to login. See [Troubleshooting themes](/docs/customize/look-and-feel/#troubleshooting). ```html [#macro link url text extraParameters=""] ${text?html} [/#macro] ``` ____ ### New * Support for SAMLv2 IdP. This satisfies [GitHub Issue #3](https://github.com/FusionAuth/fusionauth-issues/issues/3) * Support for SAMLv2 Service Provider to support federated authentication to a SAMLv2 Identity Provider. This satisfies [GitHub Issue #104](https://github.com/FusionAuth/fusionauth-issues/issues/104) * Lambda support. Lambdas are user defined JavaScript functions that may be executed at runtime to perform various functions. In the initial release of Lambda support they can be used to customize the claims returned in a JWT, reconcile a SAML v2 response or an OpenID Connect response when using these Identity Providers. * See the Lambda API and the new Lambda settings in the UI Settings -> Lambdas. * Event Log. The event log will assist developers during integration to debug integrations. The event log will be found in the UI under System -> Event Log. * SMTP Transport errors * Lambda execution exceptions * Lambda debug output * SAML IdP integration errors and debug * Runtime exceptions due to email template rendering issues * And more! * Key Master, manage HMAC, Elliptic and RSA keys, import, download, generate, we do it all here at Key Master. * [Key APIs](/docs/apis/keys) * New events * `user.login.failed` * `user.login.success` * `user.registration.create` * `user.registration.update` * `user.registration.delete` * Easily duplicate email templates using the Duplicate action. * https://github.com/FusionAuth/fusionauth-issues/issues/142 * Manage Access Token and Id Token signing separately ### Enhancement * Insert instant provided on the Import API for Users and Registrations will be reflected in the historical registration reports * https://github.com/FusionAuth/fusionauth-issues/issues/144 * Additional node information will be available on the About panel when running multiple FusionAuth nodes in a cluster. See System -> About. ### Fixed * If Passwordless login is disabled because no email template has been configured the button will not be displayed on the login panel. If a user attempts to use the passwordless login and the feature has been disabled or the user does not have an email address a error will be displayed to alert the user. * If you are using the Implicit Grant and you have Self Service Registration enabled for the same application, the redirect after the registration check will assume you are using the Authorization Code grant. To work around this issue prior to this release, disable Self Service Registration. Thanks to [@whiskerch](https://github.com/whiskerch) for reporting this issue in [GitHub Issue #102](https://github.com/FusionAuth/fusionauth-issues/issues/102). * Fixed OpenID Connect federated login. Our JavaScript code was throwing an exception due to the removal of the `device` field from OAuth. This code wasn't updated and therefore would not perform the redirect to the third-party Open ID Connect IdP. To fix this issue in 1.5.0 or below, you can remove this line from OpenIDConnect.js on or near line 48: `+ '&device=' + Prime.Document.queryFirst('input[name=device]').getValue()`. * When you use the Refresh Grant with a Refresh Token that was obtained using the Authorization Code grant using the `openid` scope, the response will not contain an `id_token` as you would expect. This fixes [GitHub Issue #110 - OIDC and Refresh Tokens](https://github.com/FusionAuth/fusionauth-issues/issues/110). Thanks to [@fabiosimeoni](https://github.com/fabiosimeoni) for reporting this issue * When using the OpenID Connect Identity Provider that requires client authentication may fail even when you provide a client secret in your OpenID Connect configuration. * https://github.com/FusionAuth/fusionauth-issues/issues/118 * https://github.com/FusionAuth/fusionauth-issues/issues/119 * https://github.com/FusionAuth/fusionauth-issues/issues/122 ### Changed * Removed `/oauth2/token` from the CORS configuration. This change will cause the CORS filter to reject a `POST` request to the `/oauth2/token` endpoint when the request originates in JavaScript from a different domain. This will effectively prohibit the use of the OAuth2 Password grant from JavaScript. * The `device` parameter is no longer required on the [Login API](/docs/apis/login) or the [Authorized](/docs/lifecycle/authenticate-users/oauth/endpoints#authorize) endpoint in order to receive a Refresh Token. If the `device` parameter is provided it will be ignored. * Correct the [Refresh API](/docs/apis/jwt#refresh-a-jwt) response body to match the documentation. If you are currently consuming the JSON body of this API using the `POST` method, you will need to update your integration to match the documented response body. ### New * Support for Passwordless login via email. See [Passwordless API] if you'll be integrating with this API to build your own login form. To use this feature using the provided FusionAuth login form, enable Passwordless by navigating to your FusionAuth Application [breadcrumb](/docs/apis/passwordless)#Settings -> Applications# and selecting the `Security` tab. * Support for the OAuth2 Implicit Grant. See the [OAuth 2.0 & OpenID Connect Overview](/docs/lifecycle/authenticate-users/oauth/) and [OAuth 2.0 Endpoints](/docs/lifecycle/authenticate-users/oauth/endpoints) for additional information. * The `Authorization Code`, `Password`, `Implicit` and `Refresh Token` grants maybe enabled or disabled per application. See `oauthConfiguration.enabledGrants` property in the [Application API](/docs/apis/applications), or the `OAuth` tab in the Application configuration in the FusionAuth UI. * The [Change Password API](/docs/apis/users) can be called using a JWT. This provides additional support for the Change Password workflow in a single page web application. See the Change Password API for additional details. * The [Change Password API](/docs/apis/users) in some cases will return a One Time password (OTP). This password may then be exchanged for a new JWT and a Refresh Token on the Login API. This allows for a more seamless user experience when performing a change password workflow. See the Change Password and Login API for additional details. * The [Login API](/docs/apis/login) can now be restricted to require an API key. The default for new applications will require authentication which can be disabled. Existing applications will not require authentication via API to preserve the existing behavior. The Login API may also be restricted from return Refresh Tokens are allowing an existing Refresh Token be used to refresh an Access Token. These settings will be configurable per Application, see the Application API for additional details, or the `Security` tab in the Application configuration in the UI. If using the [Application API](/docs/apis/applications), see the `application.loginConfiguration` parameters. * The `c_hash`, `at_hash` and `nonce` claims will be added to the `id_token` payload for the appropriate grants. * Add support for `client_secret_post` to the already provided `client_secret_basic` Client Authentication method. This means that in addition to using HTTP Basic Authentication, you may also provide the `client_id` and `client_secret` in the request body. ### Enhancement * Better ECDSA private and public key validation to ensure the algorithm selected by the user matches the provided key. * When using the Change Password workflow in the OAuth2 Implicit or Authorization Code grants, the user will be automatically logged in upon completing a change password that is required during login. * The Two Factor Login API will return the `twoFactorTrustId` as an HTTP Only secure cookie in addition to being returned in the JSON response body. This provides additional support and ease of use when making use of this API in a single page web application. See the Two Factor Login API for additional details. ### Fixed * When using the Login Report in the UI and searching by user, if you have more than one tenant you will encounter an error. * Validation errors are not displayed in the Add Claim dialog when configuring claim mapping for an External JWT Identity Provider * Calling the Tenant API with the `POST` or `PUT` methods w/out a request body will result in a `500` instead of a `400` with an error message. * When a locale preference has not been set for a FusionAuth admin and the English locale is used the user may see dates displayed in `d/M/yyyy` instead of `M/d/yyyy`. * Fix some form validation errors during self-registration. * The Action user action on the Manage User panel was opening the Comment dialog instead of the Action user dialog * When a user has 2FA enabled and a password change is required during login, the 2FA will now occur before the change password workflow * When more than one tenant exists, the Forgot Password link on the FusionAuth login page will not function properly. * The Logout API may not always delete the `access_token` and `refresh_token` cookies if they exist on the browser. * The `id_token` will be signed with the `client_secret` when `HS256`, `HS384` or `HS512` is selected as the signing algorithm. This is necessary for compliance with [OpenID Connect Core 3.1.3.7 ID Token Validation](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation). This fixes GitHub issue [GitHub Issue #57](https://github.com/FusionAuth/fusionauth-issues/issues/57), thanks to [@anbraten](https://github.com/anbraten) for reporting this issue. If you encounter this issue prior to this version, copy the Client Secret found in the UI on the `OAuth` tab of your Application configuration into the HMAC secret on the `JWT` configuration tab. * The [Login API](/docs/apis/login) will now return a `400` with an error JSON response body if the `applicationId` parameter does not belong to any configured applications. Previous to this release, this was treated the same as if the User was not registered to the requested application. * A change to the Docker build for permissions reduced the overall `fusionauth-app` image by ~ 200 MB. ### Changed * Renamed `Type` enum in `DeviceInfo` class to `DeviceType`. This will only affect you if you are using the Java or C# client and reference this enum directly. If you are using this class directly, you may need to update an import in your client code. * More than one authorization code may exist for a single user at a given time. This will allow multiple asynchronous requests to begin an OAuth2 Authorization Grant workflow and succeed regardless of order. ### New * Self service registration. You may optionally enable this feature per application and allow users to create a new account or register for new applications without building your own registration forms. * JSON Web Key set support. This endpoint will be exposed at `/.well-known/jwks.json` and will be published in the [OpenID Configuration](/docs/lifecycle/authenticate-users/oauth/endpoints#openid-configuration) metadata endpoint as well. Prior to this release the public keys used to sign JSON Web Tokens were only available in PEM format using the [Public Key API](/docs/apis/jwt#retrieve-public-keys), this endpoint will still be available and supported. * See [JSON Web Key Set (JWKS)](/docs/lifecycle/authenticate-users/oauth/endpoints#json-web-key-set-jwks) for more information. * Added Elliptic Curve signature support for JSON Web Tokens, ES256, ES384 and ES512. * Added Typescript client library https://github.com/FusionAuth/fusionauth-typescript-client * The Login Report may now be optionally filtered to a particular User in the UI, and the [Login Report](/docs/apis/reports#retrieve-login-report) API will now take `loginId` or `userId`. ### Fixed * When using Docker compose, if you start up with `--pull` to update to the latest version of FusionAuth and there happens to be a database schema update, the silent configuration mode may fail. This occurs because the silent configuration was not performing the database schema update automatically. If you encounter this issue, you will need to manually update the schema. * This will only occur if you are running a version of FusionAuth prior to `1.1.0` and upgrade using `--pull` during `docker compose up`. * When you have multiple tenants created, a tenant may be deleted with an API key that is not assigned to the tenant. This has been corrected and a tenant may only be deleted using an API key that is not assigned to any tenant. This issue will only affect you if you have more than one tenant. * Updated Maintenance Mode (setup wizard) to work with MySQL version 8.0.13 and above. MySQL has changed their SSL/TLS handling and our connections were not correctly handling public keys. This has been fixed by allowing FusionAuth to perform a secondary request to MySQL to fetch the public key. * Logging in with a Social Login provider such as Google for an existing FusionAuth user may cause them to be unable to login to FusionAuth directly using their original credentials. * When using the OpenID Connect Identity Provider, the incoming claim `given_name` was being saved in the `fullName` field instead of the `firstName`. * When a user is soft deleted, actioned to prevent login, expired, or they have changed their password since their last login, their SSO session will be invalidated instead of waiting for the session to expire. * Resolves [GitHub Issue #59 :Using a access token for a lock account](https://github.com/FusionAuth/fusionauth-issues/issues/59) ### Internal * Upgrade to fusionauth-jwt 3.0.1 in support of Elliptic Curve crypto support. ### Changed * API key will take precedence for API authentication if both a JWT and an API key are provided on the request. For example, when making a GET request to the User API, if a JWT is provided in a cookie, and a valid API key is also provided in the `Authorization` HTTP header, the previous design was to prefer the JWT. This design point meant that even when an API key was provided, even when providing a valid API key, you would be unable to retrieve any user but the one represented by the JWT. * Resolves [GitHub Issue #43 : Id is ignored on Retrieve User when JWT is present](https://github.com/FusionAuth/fusionauth-issues/issues/43) * The `client_id` is no longer required on the OAuth Token endpoint when client authentication is configured as required, in this scenario the client Id is provided in the HTTP Basic Authorization header. * Resolves [GitHub Issue #54 :Token request returning 500 when client_id is omitted](https://github.com/FusionAuth/fusionauth-issues/issues/54) ### Fixed * When editing the JWT settings in the FusionAuth application the UI a JavaScript error may cause some of the settings to not render properly. This error was introduced in version `1.3.0`. * Added missing properties to the Application view dialog in the FusionAuth UI. * The `openid` scope may not be honored during login when a user has Two Factor authentication enabled. The symptom of this issue is that the response from the Token endpoint will not contain an `id_token` even when the `openid` scope was requested. * Resolves [GitHub Issue #53 : Authorization with scope openid fails when 2FA is enabled](https://github.com/FusionAuth/fusionauth-issues/issues/53) * Validation for the OAuth2 Token endpoint may fail when the `client_id` request body parameter is omitted and return a `500` instead of a `400` status code. * Resolves [GitHub Issue #54 : Token request returning 500 when client_id is omitted](https://github.com/FusionAuth/fusionauth-issues/issues/54) * When a OAuth2 redirect URI is registered with a query parameter, the resulting redirect URI will not be built correctly. * Resolves [GitHub Issue #55 : Adding a query parameter to the redirect_uri causes an invalid URI to be returned](https://github.com/FusionAuth/fusionauth-issues/issues/55) * When trying to configure Elasticsearch engine during maintenance mode the index may get created but fail to leave maintenance mode. FusionAuth makes a `HEAD` request to Elasticsearch to check if the required indexes exist during startup and prior to leaving maintenance mode. When connected to an AWS Elasticsearch cluster this request does not behave as expected which causes FusionAuth to stay in maintenance mode. This issue has been resolved and should allow FusionAuth to properly connect to and utilize Elasticsearch running in an AWS cluster. ### New * An Application may disable the issue of refresh tokens through configuration. See `oauthConfiguration.generateRefreshTokens` in the [Application API](/docs/apis/applications) or the `Generate refresh tokens` toggle in the FusionAuth UI when editing an application. * The OAuth2 client secret may be optionally regenerated using the FusionAuth UI during Application edit. * Support for OAuth2 confidential clients, this is supported by optionally requiring client authentication via configuration. See `oauthConfiguration.requireClientAuthentication` in the [Application API](/docs/apis/applications) or the `Require authentication` toggle in the FusionAuth UI when editing an application. ### Fixed * Calling the [Introspect](/docs/lifecycle/authenticate-users/oauth/endpoints#introspect) endpoint with a JWT returned from the Issue API may fail due to the missing `aud` claim. * The MySQL schema previously was using `random_bytes` which is not available in MariaDB. These usages have been replaced with an equivalent that will function the same in MySQL and MariaDB. * Thanks to [@anbraten](https://github.com/anbraten) for bringing this to our attention and suggesting and verifying a solution via [GitHub Issue #48 : Support for MariaDB](https://github.com/FusionAuth/fusionauth-issues/issues/48) * When editing or adding a new user in the FusionAuth UI, the `Birthdate` field may get set automatically before the date selector is utilized. A JavaScript error was causing this condition and it has been fixed. * Resolves [GitHub Issue #41 : Birthday is autofilled when adding or editing a user](https://github.com/FusionAuth/fusionauth-issues/issues/41) ### Fixed * Add `X-FusionAuth-TenantId` to allowed CORS headers. * Resolves [GitHub Issue #44 : CORS blocks API request containing X-FusionAuth-TenantId](https://github.com/FusionAuth/fusionauth-issues/issues/44) * When FusionAuth is running behind a proxy such as an AWS ALB / ELB the redirect URI required to complete login may not be resolved correctly. This may cause the redirect back to the FusionAuth UI login to fail with a CSRF exception. If you encounter this issue you may see an error message that says `Something doesn't seem right. You have been logged out of FusionAuth`. The work-around for this issue if you encounter it will be to perform the redirect from HTTP to HTTPS in your load balancer. * Some minor usability issues in the Identity Provider configuration UI. ### Enhancement * Better error handling when an API caller sends invalid JSON messages. Prior to this enhancement if FusionAuth did not provide a specific error message for a particular field a `500` HTTP status code was returned if the JSON could not be parsed properly. This enhancement will ensure that sending a FusionAuth API invalid JSON will consistently result in a `400` status code with a JSON body describing the error. * Resolves [GitHub Issue #17 : Malformed or invalid JSON causes 500 error](https://github.com/FusionAuth/fusionauth-issues/issues/17) * Allow an Identity Provider to be enabled and disabled from the UI. You may still choose to enable or disable a specific Application for use with an Identity Provider, but with this enhancement you may not turn off an Identity Provider for all Applications with one switch. ### Fixed * Preserve Application Identity Provider configuration for disabled Applications when editing a Identity Provider from the UI. ### New * Add TTL configuration for Refresh Tokens to the Application configuration. When you enable JWT configuration per Application this value will override the global setting. ### Fixed * An error in the Twitter OAuth v1 workflow has been resolved. ### Fixed * If you were to have an Identity Provider for federated third party JSON Web Tokens configured prior to upgrading to `1.1.0` FusionAuth may fail during the database migration to version `1.1.0`. ### New * Social login support * [Facebook](/docs/apis/identity-providers/facebook) Identity Provider * [Google](/docs/apis/identity-providers/google) Identity Provider * [Twitter](/docs/apis/identity-providers/twitter) Identity Provider * [OpenID Connect](/docs/apis/identity-providers/openid-connect) Identity Provider * Full theme support for login. See the [Login Theme](/docs/customize/look-and-feel/) tutorial for additional information and examples. * Better localization support in the FusionAuth UI. You now have the option to set or modify your preferred language for use in the FusionAuth UI. Providing a preferred language will cause dates to be formatted based upon your preference. For example, the default data format is `M/D/YYYY`, but if you are not in the United States this may not be the way you expect a date to be formatted. If you set your locale to `French` you will now see a more appropriate format of `D/M/YYYY`. This value is stored on the User Registration for FusionAuth in the `preferredLanguages` field. ### Enhancement * When viewing sessions (refresh tokens) on the Manage User panel, the start and expiration times will be displayed. ### Fixed * If FusionAuth starts up in maintenance mode and stays there for an extended period of time without the User completing the configuration from the web browser, FusionAuth may get stuck in maintenance mode. If you encounter this issue, where you seemingly are entering the correct credentials on the Database configuration page and are unable to continue, restart FusionAuth and the issue will be resolved. ### Fixed * When running in Docker Compose, FusionAuth cannot connect to the search service when trying to exit the setup wizard. * https://github.com/FusionAuth/fusionauth-containers/issues/2 ### Enhancement * Better support for running in Docker. Enhanced silent configuration capability for database and search engine boot strap configuration in Docker Compose to be more resilient. ### Fixed * If custom data is added to an Application, Group or Tenant before editing the corresponding object in the UI, the custom data may be lost. ### New * Better support for running in Docker. Configuration can be override using environment variables. See [Docker Install](/docs/get-started/download-and-install/docker) for additional information. ### Fixed * The first time a user reached the failed login threshold and a `409` response code was returned the response body was empty. Subsequent login requests correctly returned the JSON response body with the `409`, now the JSON response body is correctly returned the first time the user reaches the failed login threshold. ### Fixed * When using PostgreSQL an exception may occur during an internal cache reload request. If you encounter this issue you will see a stack trace in the `fusionauth-app.log`. If you see this error and need assistance, please open an issue in the FusionAuth [Issues](https://github.com/FusionAuth/fusionauth-issues) GitHub project. ``` Unexpected error. We're missing an internal API key to notify distributed caches. ``` ### New * General availability release {/* */} # FusionAuth Release Notes - What's New in FusionAuth import Breadcrumb from 'src/components/Breadcrumb.astro'; import DatabaseMigrationWarning from 'src/components/docs/release-notes/DatabaseMigrationWarning.mdx'; import DeprecationWarning from 'src/components/docs/release-notes/DeprecationWarning.astro'; import GeneralMigrationWarning from 'src/components/docs/release-notes/GeneralMigrationWarning.astro'; import InlineField from 'src/components/InlineField.astro'; import InlineUIElement from 'src/components/InlineUIElement.astro'; import Issue from 'src/components/docs/release-notes/ReleaseNotesIssue.astro'; import RelatedToIssue from 'src/components/docs/release-notes/ReleaseNotesRelatedToIssue.astro'; import IssueResolvedVia from 'src/components/docs/release-notes/ReleaseNoteIssueResolvedVia.astro'; import ReleaseNotesSelector from 'src/components/docs/release-notes/ReleaseNotesSelector.astro'; import ReleaseNoteHeading from 'src/components/docs/release-notes/ReleaseNoteHeading.astro'; import ThemeUpdateWarning from 'src/components/docs/release-notes/ThemeUpdateWarning.astro'; import { YouTube } from '@astro-community/astro-embed-youtube'; {/* Hey, developer! Read this please! Also see some additional detail in the _README.md if it is still relevant. If you are adding a new release note, please read. 1. If you have a db migration, add the to the release note. 2. If you have a db migration, add the version to operate/deploy/upgrade.mdx in the `Out-of-Band Database Upgrades` section. 3. Add the following sections, removing any that are empty, but keeping this order: - Known Issues - Security - Changed - New - Fixed - Enhancements - Internal For fixed bugs, provide the following information to the reader 1. What it is and Why they care 2. What specific situation and configuration causes the issue that we've fixed 3. What symptom(s) they will observe if they have or may hit this condition */} Looking for release notes older than 1.44.0? Look in the [release notes archive](/docs/release-notes/archive). Looking to be [notified of new releases?](/docs/operate/roadmap/releases#release-notifications) ### Fixed * In version `1.56.0`, a bug was introduced that caused FusionAuth to fail to start after being installed using RPM and Debian packages. The following only applies if you have manually installed fusionauth using the RPM or Debian packages. When upgrading from releases prior to `1.57.1`, you must ensure that both the `fusionauth-app` and `fusionauth-search` services are stopped. This is typically done by running the following command: ```bash sudo systemctl stop fusionauth-app fusionauth-search ``` The upgrade will run a `usermod` command to modify the `fusionauth` user account so both processes must be stopped in order for the upgrade to succeed. This release provides a handful of improvements to the webhook event log. In versions `1.53.0` through `1.56.0`, very large webhook event log volumes could impact performance during log cleaning operations. If you are currently using a version of FusionAuth earlier than `1.53.0` and use webhooks, we recommend upgrading to version `1.57.0`. ### Changed * The process for deleting webhook event logs according to retention rules was formerly turned off by default, causing all webhook event log entries to be retained forever. This will now be enabled by default in new FusionAuth installations. Existing installations that are being upgraded will retain their former setting. ### Fixed * The client libraries were missing `PATCH` support for Entities. Support for this operation has been added. * Client libraries are missing full support for `PUT` and `PATCH` operations for entity types, forms, form fields, IP ACLs, webhooks, and families. This fix adds support for these. ### Enhancements * When prompted for how you heard about FusionAuth in the setup wizard, you may now supply "ChatGPT/LLMs/AI" as a standard response. * Two enhancements were added to the configuration for controlling webhook event logging behavior: * Webhook event logging can now be turned off, which is the default for new FusionAuth installations. Previously, you were only able to reduce the retention period to a very small window, however in this case the logging and log management would still occur. * Deleting webhook event logs according to a configured retention period is now enabled by default. Previously, it was disabled by default. * Webhook event log searching was improved by setting a default 1-hour search window when no duration parameters are provided. Webhook event logging can create a large number of log records, and the performance of unbounded searches scaled roughly linearly with the number of log records, leading to less performant searches as the data size increased. * The process that applies webhook event log retention rules is getting some performance improvements. This is a background process that generally does not impact performance but could consume a disproportionate amount of system resources when under heavy load. ### Security * Improved security around certain cross-origin requests ### Fixed * FusionAuth returns a 500 when supplying a malformed application Id in an IdP-initiated SAML login, making it hard to troubleshoot. The error should be handled more gracefully, and a more meaningful error message should be returned. * The Application / Multi-Factor / SMS Template tooltip is incorrectly referencing an email template instead of an SMS template. Update this to reference the correct template type. * The passwordless API returns a 500 error when a non-existent application Id is provided. This should return a correct response code and meaningful error. * When posting an invalid grant type to the `/oauth2/token` endpoint, the list of supported grant types in the error message is missing the `device` grant type * Users are being prompted to re-submit a form when first logging into a new deployment using Firefox. The request should proceed on the first attempt. * When creating an entity grant for a user using the API, some invalid payloads will yield a 500 error. A more meaningful error should be returned. * FusionAuth shows a notification for getting a free license even after a license has been installed. This notification should disappear after a FusionAuth instance has been licensed. * Executing a manual system reset in development mode with a valid kickstart file fails. This should work as expected. * Supplying a malformed license key to Reactor is producing a generic error. A specific error would be more helpful. * The Daily Active Users report is missing data from the most recent day. The report should include this data. * After setting an application-level email verification template, the tenant-level template is still being used. The application-level setting should be honored. * The standard first name field intended for use in user edit forms has an incorrect name in MySQL installations, which is preventing it from showing up in the user edit form * The webhook event log can return fewer records per page than requested with the _Results per page_ dropdown, even when more results are available. Ensure that the number of results equals the requested number. * A nondescript error is returned when trying to save system settings via the FusionAuth admin application. It is still possible to update system settings using the API. * The simple theme editor's right-hand panel isn't constraining its content properly, allowing content to spill over the bottom border ### Enhancements * FusionAuth now allows you to create non-retrievable API keys. If you select this option when creating a key, the key will only be visible during creation and not thereafter. Make a copy and keep it secure! * Improved the execution performance of lambdas * Allow the post-login bootstrapping of a FusionAuth SSO session using an access token. This can be useful if you've authenticated a user outside of an OAuth workflow, or if you've lost access to the SSO session cookie. ### Internal * Update dependencies. * Upgrade `ch.qos.logback:logback-core` `1.5.6` -> `1.5.16` * Upgrade `org.primeframework:prime-mvc` `4.27.0` -> `4.29.2` * Upgrade `org.graalvm.polyglot:polyglot` `22.3.3` -> `24.1.2` * Upgrade `org.graalvm.js:js` `22.3.3` -> `24.1.2` * Upgrade `com.inversoft:inversoft-cache` `0.6.0` -> `0.6.1` * Upgrade `com.inversoft:inversoft-api-authentication` `0.29.0` -> `0.30.0` * Removed duplicated storage of internal messages relating to SCIM group operations * Added instrumentation to help with the auto-generation of documentation ### Known Issues * You can't save the System Settings in the admin UI. ### Security * Correct validation for configured authorized redirect URLs when using wild card support has been enabled. * Add additional validation of an authorizing JWT when using the Issue JWT API (`/api/jwt/issue`). ### Changed * The length of the refresh token has increased from `54` to `64` characters. If for some reason you are expecting a specific length, you may need to account for this change. ### New * Allow for the sending of usage stats. Enabling usage stats allow FusionAuth to better understand how our users use our product. Usage data does not contain configuration, user data or any information that can be used to identity a company or individual. This information will help us know where we need to invest in new features and enhancements. If you are using FusionAuth Cloud, this feature will be enabled by default and cannot be disabled. ### Fixed * The confirmation page shown when users are completing verification and other workflows shows a FreeMarker error when some cookies are unavailable. This could happen when cookies are deleted by a user, removed by a proxy, or when running in an iframe. * When an OAuth workflow ends in redirecting with an error to a `redirect_uri` that contains query parameters, the resulting URL is being built incorrectly. * The SCIM ResourceTypes endpoint is returning resource type URLs with incorrect paths. The endpoint is returning a path prefix of `/api/scim/v2/` when it should be `/api/scim/resource/v2/`. * The OAuth scopes consent form has text that cannot be localized. Hosted pages should be fully localizable for users. * When viewing user data in the `Manage user` view, a boolean value is always shown as `-`, regardless of its actual value. * The JWT populate lambda is not executed when a user is logged in using the login API, but only when that user does not have a registration for the application named in the API call. This could lead to inconsistent behavior between a login using the hosted OAuth pages and a login using the login API. * The PHP client library is not handling libcurl errors gracefully, making it difficult to troubleshoot integration problems when using this library. See the [client library issue](https://github.com/FusionAuth/fusionauth-php-client/issues/28) for more details. * When downloading login records from System -> Login Records, the exported file format contains a place for zip code, however the zip code values are not being populated in the export. * The `POST /api/user/registration` call is documented as returning a `refreshTokenId`, but this value is not being returned on the response. * When editing a user's password in the FusionAuth admin UI after a new hashing scheme is set on the tenant, the password is not re-hashed using the new scheme. The re-hashing occurs as expected on a login or when the user changes their own password. ### Enhancements * The `rate limit` error message was added to the default theme messages to make it more obvious that it is customizable. The `[RateLimitedException]` message key was previously supported, but not easily discoverable. * Add an additional refresh token revocation policy to revoke a one-time use token on reuse. This policy helps protect against token theft by revoking the token if it were to be stolen and reused. * FusionAuth can now accept encrypted SAML assertions when acting as a SAML service provider. Support for encrypted assertions when FusionAuth is the SAML identity provider was added in version `1.47.0 `. * API keys can now be optionally set to expire at a given date/time. An expired key will not be deleted but will cause a `401` response to be returned when used. The expiration value can be edited to allow the expiration to be extended. * Additional parameters are now accepted on the hosted backend `/app/login` and `/app/registration` endpoints. This means you can pass things like `login_hint`, `idp_hint`, and analytics parameters that will be available on the respective OAuth hosted pages. * The First-time Setup wizard was improved with more descriptive and consistent text around using a Community plan license. * In the new Webhook Event Log there were numerous small UX and copy improvements. * Improved handling of a SAML `RelayState` in an IdP-initiated login. Previously, FusionAuth would only look for a valid ACS URL in the `RelayState`. Now, if the ACS URL can be resolved via other means, the `RelayState` value will be preserved and passed as a parameter in the final call to the ACS URL. * Added support for providing connect and read timeout values when making a `fetch` call from a lambda. * You can now configure a grace period for single-use refresh tokens, during which time the previous token will remain active. This is required for various use cases, including when clustered OAuth clients employ eventual consistency when synchronizing a refresh token, and some nodes of a client can find themselves with an out-of-date refresh token. ### Internal * Added tests to verify correct handing of wildcards in URLs in various places in the application. This change does not contain any functional changes. * Remove unused comments in a few theme templates. * Update dependencies. * Upgrade `org.primeframework:prime-mvc` `4.22.13` -> `4.27.0` * Better exception handling in extreme edge cases related to licensing of Breached Password Detection. ### Security * A vulnerability was discovered in the FusionAuth hosted pages. Under specific application configurations, and with insufficient authorization validation being performed on an access token, a malicious user could bypass required steps in post-authentication workflows, allowing unauthorized access to protected resources. This vulnerability was introduced in version `1.41.0`. It is recommended that you upgrade to version `1.54.0` at your earliest convenience. ### Fixed * The SCIM Groups API does not properly perform atomic updates to groups and members. This can lead to consistency issues when multiple SCIM update requests are simultaneously processed requiring membership changes. A fix for FusionAuth SSO session management with external identity providers requires a change to Google IdP usage. ### Fixed * In order to better protect 3rd party logins via SAML v2, OpenID Connect, and other 3rd party identity providers, a CSRF (cross site request forgery) token was added in version `1.47.0`. This token was not being used when all identity providers configured for the requested `client_id` were also configured to use managed domains, and the authorize request also contained the `idp_hint` request parameter. In this specific configuration, because the token was not being utilized, the login workflow would fail with the error `The request origin could not be verified. Unable to complete this login request.` * When using the hosted login pages, the end user is generally shown a checkbox named `Keep me signed in`, which indicates whether the user wishes to create an SSO session after logging in. When using an external identity provider along with an `idp_hint` or `login_hint` parameter, a user may be taken directly to the identity provider, bypassing the page with this checkbox. In this case, the user will not have the option of making a choice to establish or not establish an SSO session. This behavior has been improved in order to provide additional control on how the SSO session should be created. FusionAuth will now use the following order of operations in this non-interactive workflow to decide if the SSO session should be created. 1. The user's previous selection, if available. This past choice will have been stored in an HTTP only cookie. 2. The optionally supplied `rememberDevice` query parameter. In the event that the user has never seen the login page, the value of the `rememberDevice` query parameter will be the deciding factor. A value of `true` indicates that an SSO session should be created and a value of `false` indicates that an SSO session should not be created. If this parameter is omitted, the default behavior will be to create the SSO session. For more information on using the `idp_hint` and `login_hint` parameters, see the [Identity Providers Overview](/docs/lifecycle/authenticate-users/identity-providers/) documentation. * When using the login validation lambda with a 3rd party identity provider such as OpenID Connect, when the validation lambda causes the login to fail, the end user will not see the specific error returned by the lambda. Instead the user will see the following generic error (unless this message has been modified in a theme): > A validation error occurred during the login attempt. An event log was created for the administrator to review. The reason for this generic message is that in most cases if FusionAuth cannot complete a login request to a 3rd party we do not want to show the end user the technical reason. When a login validation lambda is the cause of the login failure, we do intend to the show the end user a more specific message. This issue has been corrected and if the login validation lambda was the cause of the failure, the event log is created when the identity provider has enabled debug. ### Security * Improvements to better defend against XSS (Cross-Site Scripting) attacks. ### Fixed * The `kickstart.success` event may not fire correctly after Kickstart completes due to a timing issue when creating the webhook in your Kickstart definition. * Navigating to the System -> About page in the FusionAuth admin UI may fail to render if you start up without an internet connection. * Navigating to the System -> Webhook Log in the FusionAuth admin UI may display a general error and fail to return search results if there are any events of type `user.login.failed` displayed. You may work around this issue by selecting a specific event type, or narrowing the scope of the results by using any of the additional search criteria found in the Advanced search controls. ### Fixed * A user may fail to enroll a new Passkey (WebAuthn credential) used for reauthentication during a login workflow. Previously configured Passkeys should continue to work as expected. This bug was introduced in version `1.53.0`. ### Known Issues * FusionAuth's hosted login pages no longer create an SSO session when signing in using an external IdP. * A user may fail to enroll a new Passkey (WebAuthn credential) used for reauthentication during a login workflow. Previously configured Passkeys should continue to work as expected. * Currently, FusionAuth's Webhook Event Log does not set a retention policy by default and may grow too large in volume which can result in an impact to performance when searching Webhook Event Logs. See issue for workaround. * Related to [GitHub Issue #3008](https://github.com/FusionAuth/fusionauth-issues/issues/3008) ### Changed * The Docker image for the `linux/arm/v7` architecture is not being published for this release. This deprecation was announced in version `1.52.0`, and while we had planned to continue publishing this build for the next few releases, Java 21 is not being built for this architecture which means we can no longer support it. Please see thread in [Adoptium support](https://github.com/adoptium/adoptium-support/issues/962) or the [Adoptium release status](https://github.com/adoptium/temurin/issues/49) for additional details. * Related to [GitHub Issue #2473](https://github.com/FusionAuth/fusionauth-issues/issues/2473) ### New * The Webhook Event Log! The Webhook Event Log will contain a record of each triggered event and the corresponding attempts to deliver the event to each configured webhook. This log will be useful for monitoring events that have succeeded or failed to be received by your configured webhooks. The attempt log will provide you with timing, the status code returned by your webhook, and other metadata. The longer term goal of this feature will be to allow events to be retried when one or more webhooks failed to receive the event, or for some reason was unable to process the event. This is the first step towards that goal. You will find this new feature in the FusionAuth Admin UI under System -> Webhook Log. See the [API docs](/docs/apis/webhook-event-logs) and [Webhook Event Log documentation](/docs/extend/events-and-webhooks/webhook-event-log) for more detail. * Resolves [GitHub Issue #1314](https://github.com/FusionAuth/fusionauth-issues/issues/1314) * A new lambda function has been introduced that can be used to prevent login based on information in a user record, an application registration, and more. This allows the notion of a valid login to be extended beyond the standard items such as credential checks and MFA. See [Login Validation Lambda](/docs/extend/code/lambdas/login-validation) for more detail. * Resolves [GitHub Issue #1282](https://github.com/FusionAuth/fusionauth-issues/issues/1282) ### Fixed * When using an SSO TTL of `0` seconds or a very small number, it is possible that a user may not be able to complete login using the FusionAuth hosted login pages. If you encounter this problem prior to this version, you may work around the issue by increasing the TTL to something larger than `0`, ideally at least `30` seconds. The potential for this issue has existed for some time, but some changes made in version `1.50.0` made it more likely for this to occur. * Resolves [GitHub Issue #2736](https://github.com/FusionAuth/fusionauth-issues/issues/2736) * When using the start and end times in the Advanced search criteria in the FusionAuth admin UI for the Audit Log, Event Log, and Login Records the selected values were being incorrectly adjusted. This bug was introduced in version `1.52.0`. * Resolves [GitHub Issue #2843](https://github.com/FusionAuth/fusionauth-issues/issues/2843). Thanks to [@runely](https://github.com/runely) for reporting this! ⭐️ ### Enhancements * In the FusionAuth admin UI, tables had one-too-many 😜 action buttons. These action buttons have been replaced with a dropdown menu. The number of buttons on some pages grew to the point that it was becoming difficult to differentiate between the buttons, and was also visually cluttering up the view. We hope you like it! More UI and UX updates coming! * Resolves [GitHub Issue #2810](https://github.com/FusionAuth/fusionauth-issues/issues/2810) ### Internal * Java 21 LTS. Upgrade from Java 17, to the latest long term support (LTS) version of Java which is 21. * Resolves [GitHub Issue #2473](https://github.com/FusionAuth/fusionauth-issues/issues/2473) * Improve database connection resiliency under heavy load by separating interactive and non-interactive tasks into separate connection pools. This change should improve performance and scalability. Please note that if you are self-hosting FusionAuth you will see an increase in the number of open connections to the relational database from FusionAuth. Previously each FusionAuth node would open `10` connections. Starting in this release, this number will increase to a minimum of `21`, and can scale to a maximum of `50`. These numbers are subject to change in future releases. To calculate the total number of connections to the relational database, multiple these numbers by the number of nodes in your cluster. If you have a `3` node FusionAuth cluster, the minimum number of connections open to your database will be `63` with a maximum of `150`. * Resolves [GitHub Issue #2700](https://github.com/FusionAuth/fusionauth-issues/issues/2700) * Update dependencies. * Upgrade `js/handlebars.js` `4.7.6` -> `4.7.8` * Resolves [GitHub Issue #2829](https://github.com/FusionAuth/fusionauth-issues/issues/2829) ### Fixed * The SCIM Patch operation now properly handles removing multiple array elements, such as group memberships, in a single request. * Resolves [GitHub Issue #2834](https://github.com/FusionAuth/fusionauth-issues/issues/2834) ### Internal * Update dependencies. * Upgrade `io.fusionauth:fusionauth-scim` `2.2.1` -> `2.2.2` * Resolves [GitHub Issue #2858](https://github.com/FusionAuth/fusionauth-issues/issues/2858) **User Registrations API** When using the User Registrations API, the `data` field for the FusionAuth application with Id `3c219e58-ed0e-4b18-ad48-f4f92793ae32` may now contain a `preferences` object. This object is reserved and should not be modified. **Upgrading in an air-gapped configuration** If you are not using an air-gapped license, this message can be disregarded. Have a good day! For those running in an air-gapped configuration, you'll want to review this note. To ensure your premium features remain active after upgrading, please do the following: * Navigate to the [Plan page](https://account.fusionauth.io/account/plan) in your FusionAuth account * Pick up your license key and newly generated license text * Navigate to `Reactor` in your Admin UI on your FusionAuth instance * Decommission your license * Reactivate FusionAuth Reactor using the license key and text More details on activating and deactivating your license can be found in the [Licensing docs](/docs/get-started/core-concepts/licensing). **Group Member API** The `user` field on the Group Member API responses is being deprecated. This field was not documented, and has never been populated on the API response. However, because this field was generated and part of the domain in FusionAuth client libraries, we are providing a deprecation notice in case this may affect your integration. Client library users should remove references at your earliest convenience. Removal of this field is targeted for the end of 2024. **Docker architectures** We are planning to discontinue publishing Docker images for the following architectures: `linux/arm/v7`, `linux/ppc64le`, and `linux/s390x`. The rationale behind this decision is that we do not believe they are actively being used, and we would like to move to the GraalVM Java distribution which does not provide builds for these architectures. * https://hub.docker.com/r/fusionauth/fusionauth-app We plan to stop publishing docker images for these architectures at the end of 2024. If you are actively using any of these architectures, please let us know how this could affect you by contacting support or reaching out to sales. A new date picker element with enhanced styling and mobile support is now available. ### Known Issues * When using the start and end times in the Advanced search criteria in the FusionAuth admin UI for the Audit Log, Event Log and Login Records the selected value was being incorrectly adjusted. * Resolved in version `1.53.0` via [GitHub Issue #2843](https://github.com/FusionAuth/fusionauth-issues/issues/2843) ### Security * When detecting impossible travel or similarly suspicious login events, it is possible that not all device trust cookies were correctly revoked. These are now automatically revoked. * Resolves [GitHub Issue #2753](https://github.com/FusionAuth/fusionauth-issues/issues/2753) ### New * A free community license is now available, which adds WebAuthn (Passkeys) to the Community plan. All those with a Community license will now find a license key in their [FusionAuth account plan](https://account.fusionauth.io/account/plan) page. And there was much rejoicing! 🥳 * Resolves [GitHub Issue #2662](https://github.com/FusionAuth/fusionauth-issues/issues/2662) * Resolves [GitHub Issue #2663](https://github.com/FusionAuth/fusionauth-issues/issues/2663) ### Fixed * Clicking the toggle checkbox element in the admin UI quickly may cause the checkbox state to be inverted. This can be easily fixed by refreshing the page. You should now be able to click as fast as you want! Go forth and click! * Resolves [GitHub Issue #2718](https://github.com/FusionAuth/fusionauth-issues/issues/2718) * Attempting to sort API keys by key value in the admin UI by clicking the key value header would result in an error. * Resolves [GitHub Issue #2738](https://github.com/FusionAuth/fusionauth-issues/issues/2738) * When using the API Key API and specifying an invalid `tenantId` on the request in order to create a tenant-scoped API key, the request fails with a `500` status code. This error has been corrected, and an appropriate validation error is now returned. * Resolves [GitHub Issue #2749](https://github.com/FusionAuth/fusionauth-issues/issues/2749) * The date picker that was being used for birthdates and custom date fields was not styled correctly based upon the selected theme. The date picker has been changed to the browser-default date picker, which should work much better on mobile devices. This picker style will now be used in themed hosted login pages, as well as the admin UI for searching a date range or selecting a birthdate. This change should not affect any existing advanced theme that may still use the older style date picker. See [theme upgrade notes](/docs/customize/look-and-feel/upgrade#version-1520) for details on updating an existing advanced theme to use this new option. * Resolves [GitHub Issue #2770](https://github.com/FusionAuth/fusionauth-issues/issues/2770) * Adding custom message keys to your theme messages using the admin UI was failing to persist these changed messages. The UI for editing messages in the simple theme editor has also been improved to make it easier to understand which messages have been modified. * Resolves [GitHub Issue #2778](https://github.com/FusionAuth/fusionauth-issues/issues/2778) * When the Browser preview button was used to open a new tab for simple themes in the admin UI the page would render without any applied CSS when using the Firefox browser. Sorry Firefox users, we ask for your forgiveness. 😔 * Resolves [GitHub Issue #2794](https://github.com/FusionAuth/fusionauth-issues/issues/2794) * The default `orderBy` parameter value for the [Group Member Search API](/docs/apis/groups#search-for-group-members) did not provide a consistent ordering of results because the default sort was on `insertInstant ASC` which may not always be unique. This API is used by the SCIM Groups Resource API which then can cause inconsistent results for the SCIM client. The default `orderBy` is now set to `insertInstant ASC, userId ASC, groupId ASC` to ensure a consistent result between API calls. * Resolves [GitHub Issue #2798](https://github.com/FusionAuth/fusionauth-issues/issues/2798) * When using the simple theme editor in the admin UI, the color picker did not always render next to the input field. The color picker will now always correctly render adjacent to the input field you select. * Resolves [GitHub Issue #2803](https://github.com/FusionAuth/fusionauth-issues/issues/2803) * Newlines and tabs were not rendered when viewing audit entries in the view dialog from the admin UI. If you are using new lines or tabs in your audit log messages, you may now enjoy viewing them in all their intended glory! * Resolves [GitHub Issue #2808](https://github.com/FusionAuth/fusionauth-issues/issues/2808) * When using the interactive maintenance mode to upgrade your database schema, it is possible that you had to click the Submit button twice to exit maintenance mode. This was only a cosmetic issue but may be annoying or confusing to the user. We are sorry if you had to click the Submit button twice. 😬 * Resolves [GitHub Issue #2815](https://github.com/FusionAuth/fusionauth-issues/issues/2815) ### Enhancements * Add the new health check endpoint (`/api/health`) that was added in `1.51.1` to the client libraries. * Resolves [GitHub Issue #2804](https://github.com/FusionAuth/fusionauth-issues/issues/2804) ### Internal * For users in FusionAuth Cloud, attempting to save a Simple theme may result in an error. * Resolves [GitHub Issue #2777](https://github.com/FusionAuth/fusionauth-issues/issues/2777) * An equals (`=`) sign in query parameter value was not being parsed correctly. There are no known issues related to this bug as generally speaking an equals (`=`) sign will be URL encoded as `%3D`. However, because it is legal use an equals (`=`) sign un-encoded in a query string name or query string value, this has been corrected. * Resolves [GitHub Issue #2792](https://github.com/FusionAuth/fusionauth-issues/issues/2792) * An unused template was removed from the self-service login workflow. In practice this page was never rendered and was not included in the theme configuration. This change should not impact anyone using themes. * Resolves [GitHub Issue #2818](https://github.com/FusionAuth/fusionauth-issues/issues/2818) * Update dependencies. * Upgrade `org.freemarker:freemarker` `2.3.32` -> `2.3.33` * Upgrade `org.primeframework:prime-mvc` `4.22.7` -> `4.22.12` * Upgrade `org.apache.kafka:kafka-clients` `3.6.1` -> `3.7.1` * Upgrade `com.fasterxml.jackson.*` `2.15.4` -> `2.17.2` * Upgrade base docker image `ubuntu:jammy (22.04)` -> `ubuntu:noble (24.04)` * Resolves [GitHub Issue #2726](https://github.com/FusionAuth/fusionauth-issues/issues/2726) ### Security * A XSS (Cross-Site Scripting) vulnerability was identified in the FusionAuth admin UI. * Resolves [GitHub Issue #2801](https://github.com/FusionAuth/fusionauth-issues/issues/2801) ### Fixed * An HTTP request sent to FusionAuth with non-ASCII characters in request header values caused the request to be rejected and caused the connection to be closed without a response. Generally speaking values outside of the ASCII character set are not allowed, but in practice they may be used, and so these values are now treated as opaque and ignored by the HTTP request parser. * Resolves [GitHub Issue #2774](https://github.com/FusionAuth/fusionauth-issues/issues/2774) * A typo was found in the description of the `user.password.reset.send` event on the tenant edit page. * Resolves [GitHub Issue #2782](https://github.com/FusionAuth/fusionauth-issues/issues/2782) * The SCIM API is not properly handling reading, creating, and updating groups with more than one hundred memberships. Responses containing groups with more than one hundred memberships are only returning the first one hundred. Create and update operations are only creating or updating one hundred, and deleting the remainder. This defect also caused the FusionAuth event for `group.member.update` and `group.member.update.complete` to contain the same truncated list of members. * Resolves [GitHub Issue #2784](https://github.com/FusionAuth/fusionauth-issues/issues/2784) ### New * A Health API `/api/health` has been added. Prior to this addition, the `/api/status` endpoint was the best option for performing health checks. The Status API may not be ideal for all use cases because it returns a JSON body and the status code is used to indicate the status of various health checks that may not be valuable by a load balancer to indicate if requests should be routed to this node. This new endpoint provides a binary indication of the healthiness or unhealthiness of a FusionAuth instance by only returning a `200` or `500` status code w/out a JSON response. This new API also runs fewer health checks and may perform better than the Status API. * Resolves [GitHub Issue #1166](https://github.com/FusionAuth/fusionauth-issues/issues/1166) ### Internal Update dependencies. * Upgrade `io.fusionauth:java-http` `0.3.4` to `0.3.5` * Resolves [GitHub Issue #2786](https://github.com/FusionAuth/fusionauth-issues/issues/2786) ### Fixed * In version `1.45.0` we added a hosted OAuth backend capability, allowing a developer to write a front end-only application, but still take advantage of an authorization code grant workflow by leveraging the backend provided by FusionAuth. Multi-segment domain suffixes (e.g. `.co.uk`) are not handled correctly by this hosted backend when setting the domain on cookies. Cookie domains are now set properly. * Resolves [GitHub Issue #2735](https://github.com/FusionAuth/fusionauth-issues/issues/2735) * A SAML login request that is missing a `Content-Type` header yields a cryptic error message. A more meaningful error message is now provided. Additionally, sending a `binding` parameter would lead to an error message, when this parameter is not one we process. We now ignore this parameter if it is provided. * Resolves [GitHub Issue #2722](https://github.com/FusionAuth/fusionauth-issues/issues/2722) * A SMS two factor messages template can be set at the Tenant level and should be overridable at the Application level. When a template is set at the Application level it is not being honored and the Tenant-level template is always used. Application overrides of SMS two-factor templates are now used correctly. * Resolves [GitHub Issue #2728](https://github.com/FusionAuth/fusionauth-issues/issues/2728) ### Security * Improve SAMLv2 callback handing with malformed requests. * Resolves [GitHub Issue #2757](https://github.com/FusionAuth/fusionauth-issues/issues/2757) ### New * WYSIWYG theme editing! Version `1.51.0` introduces a new Simple Theme type, along with a visual editor. This first version of visual theme editing allows you to change the basic styling of FusionAuth hosted pages, including logos and background images, colors, fonts, and more. See the [Simple Theme Editor docs](/docs/customize/look-and-feel/simple-theme-editor) for more information. * Resolves [GitHub Issue #2669](https://github.com/FusionAuth/fusionauth-issues/issues/2669) ### Internal * Update dependencies. * Upgrade `org.graalvm.sdk:*:22.3.3` to `org.graalvm.polyglot:*:23.1.2` * Upgrade `org.graalvm.js:js` `22.3.3` to `23.0.3` * Upgrade `io.fusionauth:java-http` `0.3.2` to `0.3.4` * Resolves [GitHub Issue #2727](https://github.com/FusionAuth/fusionauth-issues/issues/2727) ### Fixed * FusionAuth added a First Time Setup wizard in 1.50.0. This release fixes a couple of usability items related to the new wizard. * Items related to the first time setup wizard are being show after upgrades, when the intent was to only show them for new installations. These are now only being shown for unconfigured FusionAuth instances. * In the First Time Setup summary page, FusionAuth shows sample configuration for various [quickstarts](/docs/quickstarts/). The configuration for the [React quickstart](/docs/quickstarts/quickstart-javascript-react-web) corresponds to a previous version of the quickstart and is incompatible with the current version. The React quickstart configuration is now formatted for the current quickstart version. * Resolves [GitHub Issue #2729](https://github.com/FusionAuth/fusionauth-issues/issues/2729) This release makes significant changes to the default behavior of new Applications with regard to scopes in OAuth workflows. The database migration will update existing Applications to behave in a backwards compatible manner. See the OAuth [Scopes](/docs/lifecycle/authenticate-users/oauth/scopes) documentation for more information, in particular the `Relationship`, `Unknown scope policy`, and `Scope handling policy` configurations. If you are using IFRAMEs to access the FusionAuth hosted login pages please check that the IFRAME `src` is from the same domain as the FusionAuth pages. [FusionAuth uses cookies](/docs/reference/cookies) to manage user state with the `SameSite` attribute set to `Lax` or `Strict`. Browsers will block `Set-Cookie` headers on cross-domain requests. This release introduces a new redirect into the OAuth flows to `/oauth2/consent` as part of the OAuth [Scopes](/docs/lifecycle/authenticate-users/oauth/scopes) feature. This redirect will occur during each browser-based interactive OAuth workflow. Prior to this version it was possible to complete an OAuth code grant flow without cookies being set as long as there were no additional redirects to FusionAuth before the final redirect to the configured redirect_url. As a result it did not matter if the `Set-Cookie` headers were blocked. The redirect with the code would still work. However, in this version the browser will not be able to send the FusionAuth cookies required to maintain user state along with the redirect to `/oauth2/consent` and the login flow will fail. The user will be redirected back to `/oauth2/authorize` and will be unable to log in. The use of JWT authentication for the `/api/user` API is being deprecated. This functionality will be removed in a future release. If you are using this API with JWT authentication, you will need to modify your integration to use the `/oauth2/userinfo` endpoint if you have obtained your JWT using an OAuth2 grant, or authenticate the request to the User API using an API key. Removal of this authentication type is targeted for the end of 2024. The new consent prompt themed page requires the `scopeConsentField` macro and `resolveScopeMessaging` function to be defined in the *Helpers* template in order to render scope consent form fields. These *must* be added to a custom theme in order for it to function. ### Known Issues * When using an SSO TTL of `0` seconds or a very small number, it is possible that a user may not be able to complete login using the FusionAuth hosted login pages. You may work around the issue by increasing the TTL to something larger than `0`, ideally at least `30` seconds. * Resolved in version `1.53.0` via [GitHub Issue #2736](https://github.com/FusionAuth/fusionauth-issues/issues/2736) ### Changed * The `/oauth2/userinfo` endpoint now requires the `aud` claim to be present on the provided access token, allowing for tighter compliance with the OIDC spec. See the [UserInfo endpoint](/docs/lifecycle/authenticate-users/oauth/endpoints#userinfo) for more detail. If you are not using OAuth, and your JWT does not contain the `aud` claim, consider using the [JWT validate](/docs/apis/jwt#validate-a-jwt) API instead. * GitHub issue pending * Resolves [GitHub Issue #2725](https://github.com/FusionAuth/fusionauth-issues/issues/2725) * Applications now offer an `Unknown Scope Policy`. This can be used to enhance security by rejected or removing unrecognized scopes during an OAuth workflow. See the application [Scopes tab](/docs/get-started/core-concepts/applications#scopes) for more detail. * Delivered as part of the Custom OAuth Scopes body of work, which resolves [GitHub Issue #275](https://github.com/FusionAuth/fusionauth-issues/issues/275) (see below) * Applications now have a new Scope Handling Policy. The `Strict` option provides behaviors that are more compliant with the OIDC specification, while the `Compatibility` option provides backwards-compatible behavior. Specifically, `Strict` mode limits information in access tokens and populates Id tokens and UserInfo responses based on the requested OAuth scopes. This option also restricts the UserInfo endpoint to accepting only access tokens containing the `openid` scope. See [Scope handling policy](/docs/lifecycle/authenticate-users/oauth/scopes#scope-handling-policy) for more detail. * New applications will default to the `Strict` option. If your integration requires the `Compatibility` policy because you need backwards compatible behavior, please specify that option when creating the application. * Resolves [GitHub Issue #1582](https://github.com/FusionAuth/fusionauth-issues/issues/1582) and [GitHub Issue #1475](https://github.com/FusionAuth/fusionauth-issues/issues/1475), thanks to [@awoodobvio](https://github.com/awoodobvio) for the suggestions! * The [Refresh Token Grant](/docs/lifecycle/authenticate-users/oauth/endpoints#refresh-token-grant-request) request now supports requesting a subset of the original scopes. The former behavior was to respond with an `invalid_scope` OAuth error. * Resolves [GitHub Issue #2590](https://github.com/FusionAuth/fusionauth-issues/issues/2590) * Support for optional expansion of the `application.roles` and `application.scopes` properties on the Application Search API. This change is backwards compatible, but you may optionally request the Search API omit these properties on the response which may improve performance. See the [Application Search](/docs/apis/applications#search-for-applications) API for additional details on using the `expand` request parameter, and the `expandable` response value. * Resolves [GitHub Issue #2724](https://github.com/FusionAuth/fusionauth-issues/issues/2724) * The `/oauth2/device/user-code` endpoint now returns the `scope` parameter value that should be used in the interactive portion of the Device Code Grant workflow. See [Device User Code](/docs/lifecycle/authenticate-users/oauth/endpoints#device-user-code) for more detail. * Addressed as part of the Custom OAuth Scopes body of work, which resolves [GitHub Issue #275](https://github.com/FusionAuth/fusionauth-issues/issues/275) (see below) ### Fixed * FusionAuth will now limit passwords to 50 characters when using the bcrypt algorithm. This restriction is due to limitations in the bcrypt algorithm. This limit will be enforced even when the tenant policy allows for a maximum password length greater than 50. If the tenant policy requires a maximum password length of less than 50, the tenant policy will take precedence. * Resolves [GitHub Issue #2671](https://github.com/FusionAuth/fusionauth-issues/issues/2671) * There are several scenarios where implicit email verification can occur. They are, during registration verification, password change, passwordless authentication, and MFA code validation. In these cases, a configured email verification email was not being sent, and the email verification event was not being generated. The email and event will both be triggered during implicit verification now. * Resolves [GitHub Issue #1651](https://github.com/FusionAuth/fusionauth-issues/issues/1651) and [GitHub Issue #2672](https://github.com/FusionAuth/fusionauth-issues/issues/2672). Thanks to [@ashutoshningot](https://github.com/ashutoshningot) and [@mou](https://github.com/mou), respectively, for the suggestions! * When configuring MFA for an application, the `Trust policy` selector is not being shown when MFA is required for the application, but only shown when MFA enabled for optional use. The selector is now shown when the `On login policy` is set to either `Enabled` or `Required`. * Resolves [GitHub Issue #2593](https://github.com/FusionAuth/fusionauth-issues/issues/2593) * When using FusionAuth behind a proxy, a missing `X-Forwarded-Proto` header could incorrectly cause a warning of a missing `X-Forwarded-Port` header. These warnings are now reported accurately. Additionally, FusionAuth will now be smarter about determining the forwarded port, taking it from one of multiple sources including `X-Forwarded-Host`, `X-Forwarded-Port`, or inferring it from `X-Forwarded-Proto`. This should make FusionAuth work with more proxies out of the box without additional configuration. * Resolves [GitHub Issue #2702](https://github.com/FusionAuth/fusionauth-issues/issues/2702) * When authentication with an identity provider fails due to misconfiguration, and a user falls back to logging in with a username and password, the `authenticationType` that is reported by FusionAuth is for the original identity provider despite the user having logged in with a username and password. FusionAuth now correctly reports the authentication type as `PASSWORD`. Thanks to [@charlesericjs](https://github.com/charlesericjs) for bringing this to our attention! * Resolves [GitHub Issue #2670](https://github.com/FusionAuth/fusionauth-issues/issues/2670) ### Enhancements * FusionAuth will now enforce a maximum password length of 256 characters in the tenant password policy. This decision was made to strike a balance between allowing for very secure passwords, but also for maintaining acceptable performance when using a large number of hash iterations. * Resolves [GitHub Issue #2688](https://github.com/FusionAuth/fusionauth-issues/issues/2688) ### New * Custom OAuth scopes are now supported for applications. Custom OAuth scopes come along with a number of related features, including support for third-party applications, themeable user consent, and much more. See the [API docs](/docs/apis/scopes) and [OAuth Scopes documentation](/docs/get-started/core-concepts/scopes) for more detail. * Resolves [GitHub Issue #275](https://github.com/FusionAuth/fusionauth-issues/issues/275), thanks to [@badaz](https://github.com/https://github.com/badaz) for the suggestion! * Applications may now be designated as third-party applications. In addition to the prompting for authorization that comes with the `Custom OAuth Scopes` feature (see above), limitations are being added to how third-party applications may interact with FusionAuth. * Resolves [GitHub Issue #2723](https://github.com/FusionAuth/fusionauth-issues/issues/2723) * Applications can now be configured to prompt users to grant consent to requested OAuth scopes using the `/oauth2/consent` [themed](/docs/customize/look-and-feel/) page. See the OAuth [Scopes](/docs/lifecycle/authenticate-users/oauth/scopes) for more detail. * Resolves [GitHub Issue #411](https://github.com/FusionAuth/fusionauth-issues/issues/411) * A new lambda function has been introduced that can be used to customize the UserInfo response for an application. See [UserInfo Populate Lambda](/docs/extend/code/lambdas/userinfo-populate) for more detail. * Resolves [GitHub Issue #1647](https://github.com/FusionAuth/fusionauth-issues/issues/1647) and [GitHub Issue #659](https://github.com/FusionAuth/fusionauth-issues/issues/659), thanks to [@themobi](https://github.com/themobi) and [@soullivaneuh](https://github.com/soullivaneuh) for the suggestions! * A new, optional First Time Setup wizard has been added, which guides a developer through the basic setup needed to integrate their first application. After installing FusionAuth, you'll be able to access this from the main admin dashboard, as well as from the top of the left hand navigation. * Resolves [GitHub Issue #2717](https://github.com/FusionAuth/fusionauth-issues/issues/2717) ### Internal * Update dependencies. * Upgrade `ch.qos.logback:logback-*` `1.4.14` to `1.5.6` * Upgrade `com.fasterxml.jackson.*` `2.15.3` to `2.15.4` * Upgrade `io.fusionauth:java-http` `0.2.10` to `0.3.2` * Upgrade `org.mybatis:mybatis` `3.5.15` to `3.5.16` * Upgrade `org.primeframework:prime-mvc` `4.22.0` to `4.22.7` * Upgrade `org.postgresql:postgresql` `42.7.2` to `42.7.3` * Upgrade `org.slf4j:slf4j-api` `2.0.7` to `2.0.13` * Resolves [GitHub Issue #2678](https://github.com/FusionAuth/fusionauth-issues/issues/2678) ### New * The search index default refresh interval may now be configured. In general this should not be modified, but the configuration option has been added and will default to `1s`. The new configuration is named `fusionauth-app.search.default-refresh-interval`. See the [Configuration](/docs/reference/configuration) reference for additional detail. * Resolves [GitHub Issue #2679](https://github.com/FusionAuth/fusionauth-issues/issues/2679) ### Fixed * When configured to use an email verification strategy of `Form Field` without setting the unverified behavior to `Gated` the verification strategy was always functionally using `Clickable Link` which means the user would receive an email with a clickable URL instead of a short code. With this fix, you may now use an unverified behavior of `Allow` with a verification strategy of `Form Field`. When you configure FusionAuth this way, it is assumed that you will be handling the verification process in your own application. * Resolves [GitHub Issue #1734](https://github.com/FusionAuth/fusionauth-issues/issues/1734) * When using the Bulk User Import API `/api/user/import` the search index refresh interval is modified to improve performance. Specifically the index `refresh_interval` is set equal to `-1`. When this API is called in parallel, it is possible that this index setting is not reset and will stay configured as `-1`. The symptom of this error is that changes to the index are not reflected by the Search API and the search results may no longer be accurate. * Resolves [GitHub Issue #2679](https://github.com/FusionAuth/fusionauth-issues/issues/2679) * When Advanced Threat Detection is enabled, an IP location database will be downloaded and used for IP address resolution. For these licensed customers, it is possible that a corrupted IP location database was downloaded and not correctly discarded and as a result the IP address location data may not be available. You may have been impacted if you were using version `1.47.0` or later, between February 1st, 2024 and February 23rd, 2024. The observable symptom would be that your license status for the Advanced Threat Detection will show `Pending` instead of `Active`. This condition has already been corrected for FusionAuth Cloud. If you are self-hosting FusionAuth, upgrading will correct this condition. If you have a support contract and believe you are currently in this state and are not able to upgrade, please reach out to support for assistance. * Resolves [GitHub Issue #2673](https://github.com/FusionAuth/fusionauth-issues/issues/2673) ### Enhancements * Add email and registration verification Ids to the User and Registration API responses when available for consistency and to better enable out of band management of these verification workflows. * Resolves [GitHub Issue#2681](https://github.com/FusionAuth/fusionauth-issues/issues/2681) ### Changed * The Nashorn JavaScript engine has been removed from FusionAuth. All Lambda functions will now use the GraalJS engine which has been available since version `1.35.0`. No action is required, but please note that if you had any Lambda functions still configured to use the Nashorn engine they will be migrated to use GraalJS. * Resolves [GitHub Issue #1828](https://github.com/FusionAuth/fusionauth-issues/issues/1828) * In prior versions of FusionAuth, if a new themed page was added, until you upgraded your theme by adding this new page, the end user may be shown a page indicate the page was missing. This was shown because it was assumed that a new page would only be shown for a new feature that had not been enabled, and this page would only ever been seen during development. In this release we are adding a new page that may be shown w/out any additional features being enabled. For this reason, we have removed this place holder page, and we will always fall back to the default theme when a page is missing. You will still want to upgrade your theme as part of your upgrade process, but this change will ensure that we will not break any new or existing workflows when a new page is added. * Resolves [GitHub Issue #2443](https://github.com/FusionAuth/fusionauth-issues/issues/2443) ### Security * An incorrectly formatted SAML request may cause excessive CPU load. * Resolves [GitHub Issue #1681](https://github.com/FusionAuth/fusionauth-issues/issues/1681) * Disable additional JNDI settings in the LDAP connector. This update is proactive, there are no known exploits. * Resolves [GitHub Issue #2605](https://github.com/FusionAuth/fusionauth-issues/issues/2605) * Add additional protection against cross-site attacks when FusionAuth is acting as a SAML IdP. * Resolves [GitHub Issue #2611](https://github.com/FusionAuth/fusionauth-issues/issues/2611) * Audit log entries added by the FusionAuth admin application may contain sensitive information. Sensitive fields will now be masked when written to the audit log. Please note that this does not affect the Audit Log API, only the use of this API by the FusionAuth admin app. * Resolves [GitHub Issue #2623](https://github.com/FusionAuth/fusionauth-issues/issues/2623) * Added additional protection against cross-site attacks when using the self-service account pages. * Resolves [GitHub Issue #2626](https://github.com/FusionAuth/fusionauth-issues/issues/2626) ### Fixed * The default permissions in AWS RDS PostgreSQL version 15.2 caused the initial configuration of FusionAuth to fail to create the tables required to complete the initial configuration. The required permissions are now being explicitly granted, and the errors reported back to the user have been improved. * Resolves [GitHub Issue #2264](https://github.com/FusionAuth/fusionauth-issues/issues/2264) * If a user starts a Forgot Password flow, and clicks on a change password link in an email after the link has expired, the redirect back to the original Forgot Password form will not include the locale parameter. This fix ensures that a locale parameter, when present in the change password link, is preserved through this workflow and allows for localization to remain consistent. * Resolves [GitHub Issue #2328](https://github.com/FusionAuth/fusionauth-issues/issues/2328) * When setting up a Facebook IdP, an option was provided in the admin UI to select `Use vendor JavaScript` as a Login method. This option is not applicable and has been removed. * Resolves [GitHub Issue #2351](https://github.com/FusionAuth/fusionauth-issues/issues/2351) * Fix the SCIM filter when filtering on `userName eq {username}` to always return a single result. * Resolves [GitHub Issue #2455](https://github.com/FusionAuth/fusionauth-issues/issues/2455) * The LinkedIn APIs have changed, and the LinkedIn IdP no longer worked for new LinkedIn applications. This update allows FusionAuth to work with new and legacy LinkedIn applications. * Resolves [GitHub Issue #2496](https://github.com/FusionAuth/fusionauth-issues/issues/2496) * The FusionAuth TypeScript client library was incorrectly encoding arrays values into query parameters. This bug was preventing a few specific search queries from working correctly. * Resolves [GitHub Issue #2513](https://github.com/FusionAuth/fusionauth-issues/issues/2513) * When using MySQL, the default Admin user form was missing the `First name` field. The field could be added to the form, but was missing in the default version. * Resolves [GitHub Issue #2529](https://github.com/FusionAuth/fusionauth-issues/issues/2529) * When an invalid Tenant Id was provided on the `.well-known/openid-configuration` the default configuration was returned. This has been updated to return a `404` status code. * Resolves [GitHub Issue #2538](https://github.com/FusionAuth/fusionauth-issues/issues/2538) * When creating a User with a group membership with a specified member Id that was already in use, the requested completed w/out a validation error and the membership was ignored. The API now correctly validates this condition and will return a `400` and a JSON response. * Resolves [GitHub Issue #2586](https://github.com/FusionAuth/fusionauth-issues/issues/2586) * When retrieving all refresh tokens for a user, the response may contain the user's SSO token. The SSO token can be identified because it does not contain an `applicationId` and it may not be refreshed. Validation has been improved when using the Refresh Grant, or the Refresh API to ensure FusionAuth correctly fails indicating the token is invalid and may not be refreshed. * Resolves [GitHub Issue #2594](https://github.com/FusionAuth/fusionauth-issues/issues/2594) * A regression was introduced in version `1.47.0` to the Change Password themed page. The issue is that the `passwordValidationRules` variable may be `null` on the first render. If you had been referencing this field in your template, the render may fail. * Resolves [GitHub Issue #2616](https://github.com/FusionAuth/fusionauth-issues/issues/2616) * The Identity Provider Link API states that a `token` parameter can be accepted during a create. When provided, the token was not being persisted on the link. * Resolves [GitHub Issue #2622](https://github.com/FusionAuth/fusionauth-issues/issues/2622) * Fix the "Getting Started" link found in the index page in the default theme. * Resolves [GitHub Issue #2625](https://github.com/FusionAuth/fusionauth-issues/issues/2625) * When viewing a User's Consents in the FusionAuth admin UI, if one or more of the consents have been granted by another user that is not a member of their family, an error is shown in the `Given by` column. * Resolves [GitHub Issue #2639](https://github.com/FusionAuth/fusionauth-issues/issues/2639) * When you have configured the JWT signing key with the `ES512` algorithm, the generated signature may be intermittently invalid. This means that JWTs may seemingly fail to validate randomly and you may think you are crazy. You are not crazy. If you are using this signing algorithm, it is recommended you use a different algorithm until you are able to upgrade. * Resolves [GitHub Issue #2661](https://github.com/FusionAuth/fusionauth-issues/issues/2661) * SCIM PATCH requests may fail to parse if an op path value contains a named schema containing a `.` (dot). This parsing error has been corrected. For example: `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department` * Resolves [GitHub Issue #2667](https://github.com/FusionAuth/fusionauth-issues/issues/2667) * When an SCIM create or update request contains schemas for which no properties exist, subsequent PATCH requests to those schema namespaces may fail. For example, if the initial request contains a schema `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User` without any properties, the default lambda function used to map this request to FusionAuth was not persisting this schema namespace. Then a subsequent PATCH request to add a member to that namespace such as `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department` would fail. The default SCIM request converter (Lambda function) has been updated to correct this behavior. * Resolves [GitHub Issue #2667](https://github.com/FusionAuth/fusionauth-issues/issues/2667) ### Enhancements * Link checkers are great. They aim to protect end users from malicious links and phishing attacks. However, they wreak havoc and pain on identity providers using email based workflows to complete passwordless login, or email verification. And FusionAuth is one of those identity providers! FusionAuth has employed various tactics over the years to stay ahead of the techniques used by these 3rd party tools. Their techniques continue to evolve making it difficult or impossible to know the difference between a link checker and a real human interacting with the link. A new confirmation page has been added that is intended to protect the user, and make our email workflows immune to link checkers. For example, when a user initiates a request such as passwordless login, and then completes the request in the same browser, the user will not observe any change. If the user completes the request on a different browser, or completes a request they did not initiate - such as clicking on an email verification link sent when a use is provisioned by an administrator, the user will be prompted to confirm they wish to complete the request. If you are using a custom theme, you will want to upgrade your theme to include this new page. Until you complete this upgrade, the default theme will be used for this new page. In the FusionAuth admin UI, the theme page will be named *Confirmation required*. * Resolves [GitHub Issue #2443](https://github.com/FusionAuth/fusionauth-issues/issues/2443) * Ensure the Login API never fails validation due to a timing issue with an Application cache. This rarely affects runtime, but this can be useful for testing where you may create an application and immediately perform a login. * Resolves [GitHub Issue #2557](https://github.com/FusionAuth/fusionauth-issues/issues/2557) * Add a trusted proxy configuration to the System Configuration. This new configuration allows you to define one or more trusted upstream proxies using an IP address, or range of addresses using a CIDR notation. A client IP address will be captured in a login record, sent to webhooks, and used to provide access when IP ACLs are configured. To correctly resolve the client IP address, we often will need to use the `X-Forwarded-For` request header. This header is modified when it passes through a proxy. In order to trust the contents of this header and resolve the client IP address, FusionAuth must know if it can trust all proxies implicitly, or to only trust those that are explicitly configured as trusted. The change is to optionally configure FusionAuth to no longer trust any upstream proxy that is not explicitly configured as trusted. This new configuration can be found in the FusionAuth admin UI by navigating to `Settings > System > Networking`, or on the System Configuration API. * Resolves [GitHub Issue #2624](https://github.com/FusionAuth/fusionauth-issues/issues/2624) ### Internal * Update dependencies. * Upgrade `org.postgresql:postgresql` `42.6.0` to `42.7.2` * Upgrade `com.fasterxml.jackson.*` `2.15.2` to `2.15.3` * Upgrade `org.mybatis:mybatis` `3.5.13` to `3.5.15` * Resolves [GitHub Issue #2534](https://github.com/FusionAuth/fusionauth-issues/issues/2534) * During a reindex operation, log the progress based upon a fixed time interval instead of every 250k records. This ensures the output is predictable regardless of the reindex performance. * Resolves [GitHub Issue #2565](https://github.com/FusionAuth/fusionauth-issues/issues/2565) ### Fixed * Update the refresh token TTL when using the sliding window with a maximum lifetime JWT Expiration Policy. The symptom of this bug is that a refresh token will expire before the maximum configured lifetime. * Resolves [GitHub Issue #2566](https://github.com/FusionAuth/fusionauth-issues/issues/2566) ### Fixed * When paging beyond 10,000 in the FusionAuth admin UI for Users or Entities, the bottom set of pagination controls may not work. If you encounter an error when clicking on the pagination controls, use the top set of controls instead. This bug is specific to the new pagination introduced in version `1.48.0`. * Resolves [GitHub Issue #2544](https://github.com/FusionAuth/fusionauth-issues/issues/2544) * In some cases when using with FusionAuth-hosted pages in an non-secure context, such as accessing FusionAuth on `localhost`, the `PublicKeyCredential` JavaScript API will not be available. This may cause an error on your JavaScript console `PublicKeyCredential is not defined`. This error kept the form on the page from correctly submitting. * Resolves [GitHub Issue #2500](https://github.com/FusionAuth/fusionauth-issues/issues/2500) * In version `1.48.0` a change was made to reject a link request from an OpenID Connect IdP when the `email_verified` claim is supplied with a value of `false`. An assumption was made that the `email` and `email_verified` claims would both be present in the `Userinfo` response or the `id_token`. Some providers may split these claims, so this assumption has been removed. * Resolves [GitHub Issue #2542](https://github.com/FusionAuth/fusionauth-issues/issues/2542) ### Security * Correct the validation of the `post_logout_redirect_uri` parameter on the OAuth2 Logout request for relative URIs intended for use for FusionAuth applications. * Resolves [GitHub Issue #2539](https://github.com/FusionAuth/fusionauth-issues/issues/2539) ### Internal * Improve our JWT validation for internal security schemes by failing faster on invalid tokens. * Resolves [GitHub Issue #2555](https://github.com/FusionAuth/fusionauth-issues/issues/2555) ### Fixed * A bug was identified in a change made in version `1.48.0` that may affect performance for those with > 1M users. * Resolves [GitHub Issue #2535](https://github.com/FusionAuth/fusionauth-issues/issues/2535) ### Known Issues * A bug was identified in a change made in this version that may affect performance for those with > 1M users. * Resolved in version `1.48.1` via [GitHub Issue #2535](https://github.com/FusionAuth/fusionauth-issues/issues/2535) ### Changed * We are officially announcing the end of life for the Nashorn JavaScript engine used by FusionAuth Lambda functions. All new functions have defaulted to the GraalJS since version `1.35.0`. The engine is not being removed in the release, but this is an official notice that we plan to remove this engine in early 2024. Please review your lambda functions and ensure the `engineType` is set to `GraalJS`. * Resolves [GitHub Issue #1828](https://github.com/FusionAuth/fusionauth-issues/issues/1828) * We are officially announcing the end of life for the `fusionauth-search` package. This is currently available in a `.deb`, `.rpm` and `.zip` bundle for various platforms. This package is still available, but the plan is to stop building this at the end of 2023. Please make plans to discontinue use of the `fusionauth-search` package if you are currently using it. * Resolves [GitHub Issue #2532](https://github.com/FusionAuth/fusionauth-issues/issues/2532) * When the OpenID Connect or External JWT Identity Provider is configured to Link by Email and the IdP returns a claim named `email_verified` and the value is `false`, the link request will be rejected. This change is intended to reduce the risk of linking on an un-verified email address. * Resolves [GitHub Issue #2423](https://github.com/FusionAuth/fusionauth-issues/issues/2423) ### Security * When an IdP is configured to Link by Email or Link by Username and a user already exists with this email or username respectively, perform additional validation to ensure the user does not already have an existing link to the current Identity Provider. This only affects IdP that allow for one to many tenants to be accessed through a single IdP configuration. In practice this means that the IdP cannot guarantee that an email address is considered globally unique and only assigned to a single user. * Resolves [GitHub Issue #2512](https://github.com/FusionAuth/fusionauth-issues/issues/2512) * A bug was identified in the `multipart/form-data` parser that may cause elevated CPU usage in some specific cases. * Resolves [GitHub Issue #2385](https://github.com/FusionAuth/fusionauth-issues/issues/2385) ### Fixed * Enhance the widget used in multi-value select controls to accept a value when pasting. For example, you may now paste a value from the clipboard directly into the `Authorized redirect URLs` field. While previously the paste operation worked, the user would have to click the value to confirm. If you clicked off of the field, the value would not be saved. * Resolves [GitHub Issue #1784](https://github.com/FusionAuth/fusionauth-issues/issues/1784) * Correct the error message when a user has enabled MFA and a webhook returns a non-200 status code for the `user.login.success` event. The message will now correctly indicate the webhook has failed instead of the previously incorrect error indicating an invalid token was used. * Resolves [GitHub Issue #1955](https://github.com/FusionAuth/fusionauth-issues/issues/1955) * When viewing an Email Template in the FusionAuth admin UI, two dialogs open instead of one. This was the result of two event handlers being bound instead of one. * Resolves [GitHub Issue #2304](https://github.com/FusionAuth/fusionauth-issues/issues/2304) * When using the asynchronous tenant delete, it is possible for the delete job to fail if the system is under heavy load. When this occurs the delete job status may not be correctly updated and you are stuck in a `Deleting` state. The asynchronous job processor has been enhanced to account for this potential failure condition so the job can be correctly restarted if necessary. * Resolves [GitHub Issue #2307](https://github.com/FusionAuth/fusionauth-issues/issues/2307) * Correct a potential race condition that could cause a request to the `/.well-known/jwks.json` endpoint to exception and return a `500` status code when under heavy load. * Resolves [GitHub Issue #2390](https://github.com/FusionAuth/fusionauth-issues/issues/2390) * The Lambda metrics introduced in version `1.47.0` may not always correctly increment the failed count when a lambda invocation failed. This affects the `lambda.[*].failures` and `lambda.[{webhookId}].failures` metric names. * Resolves [GitHub Issue #2408](https://github.com/FusionAuth/fusionauth-issues/issues/2408) * When using the `PATCH` method on the Tenant API, if you previously had any explicit webhooks configured for this tenant, the association between the tenant and the webhook was lost. If you are not using webhooks, or all of your webhooks are configured for `All tenants` (`webhook.global`), this bug would not affect you. * Resolves [GitHub Issue #2411](https://github.com/FusionAuth/fusionauth-issues/issues/2411) * Improve the validation for the Entity API to correctly validate the `type.id` value. Because this value was not being correctly validated, it means the API caller may receive a `500` status code instead of a `400` with a developer friendly JSON response body to indicate how the input can be corrected. * Resolves [GitHub Issue #2412](https://github.com/FusionAuth/fusionauth-issues/issues/2412) * A critical bug was identified that caused FusionAuth to incorrectly identify users eligible for deletion based upon the tenant policy to delete users with an unverified email address. Until you have upgraded to version `1.48.0` please disable `Delete unverified users` if you currently have enabled `Email verification`, `Verify email when changed` and `Delete unverified users`. * Resolves [GitHub Issue #2441](https://github.com/FusionAuth/fusionauth-issues/issues/2441) * A bug was identified that affected several APIs when using the `PATCH` method with fields that require custom deserializers in FusionAuth. Affected APIs included Application, Connector, Message Template and Identity Provider. The symptom you will observe is a failed request with a `500` status code. * Resolves [GitHub Issue #2454](https://github.com/FusionAuth/fusionauth-issues/issues/2454) * When using PostgreSQL, under heavy load, a potential deadlock conditions exists when attempting to write login metrics to the database. MySQL database was not affected by this bug. If you were to encounter this bug you may observe some exceptions in the log related to the LoginQueue. * Resolves [GitHub Issue #2465](https://github.com/FusionAuth/fusionauth-issues/issues/2465) * Fix a JavaScript error that was preventing Audit Log searches by user from returning results. * Resolves [GitHub Issue #2470](https://github.com/FusionAuth/fusionauth-issues/issues/2470) * Resolve an issue where users could not enable two-factor authentication during authentication when they were not registered for the application. Thanks to [@wproffitt-elder](https://github.com/wproffitt-elder) for reporting! * Resolves [GitHub Issue #2474](https://github.com/FusionAuth/fusionauth-issues/issues/2474) * When using the Refresh Token API, un-expired SSO sessions may be incorrectly omitted from the API response. The result of this bug is that an active SSO session may not be displayed in the FusionAuth admin UI. This has now been corrected, and the FusionAuth admin UI and the Refresh Token API will correctly return all valid SSO sessions. * Resolves [GitHub Issue #2489](https://github.com/FusionAuth/fusionauth-issues/issues/2489) * If the `search.servers` configuration value was not added to the `fusionauth.properties` configuration file, and you omit the `SEARCH_SERVERS` environment value, FusionAuth would fail to start. The correct behavior is for FusionAuth to default to `http://localhost:9021`. * Resolves [GitHub Issue #2507](https://github.com/FusionAuth/fusionauth-issues/issues/2507) ### Enhancements * Enhance the User and Entity Search APIs to paginate beyond 10,000 results. The Search API response will now include a `nextResults` value that can be used to ask for the next set of search results which enables the API to paginate through the entire available result set. * See the [Entity Search APIs](/docs/apis/entities/entities#search-for-entities) and [User Search APIs](/docs/apis/users#search-for-users) for API details. * Resolves [GitHub Issue #494](https://github.com/FusionAuth/fusionauth-issues/issues/494) * When using the Webhook test action in the FusionAuth admin UI, additional information will now be returned if the webhook returns a non-200 status code. This should make it simpler to debug your webhook integration. Prior to this change, the response would only indicate if the response was successful or not. * Resolves [GitHub Issue #793](https://github.com/FusionAuth/fusionauth-issues/issues/793) * When using the Webhook test action in the UI, changes to the example request body were not preserved. Changes will now be preserved across send requests for the browser session. This means a test can be run repeatedly without having to perform the same edits to the default event request body. * Resolves [GitHub Issue #797](https://github.com/FusionAuth/fusionauth-issues/issues/797) * Support specifying webhook SSL certificates from Key Master. Prior to this enhancement, if you needed to specify an SSL certificate, it had to be added to the webhook in PEM format. You may now store this certificate in Key Master and then use this same certificate between webhooks. This change is backwards compatible, but the ability to manually specify X.509 certificates in PEM format on the webhook configuration has been deprecated and may be removed in the future. See the [Webhook](/docs/apis/webhooks) API `sslCertificateKeyId` field for additional details. * Resolves [GitHub Issue #883](https://github.com/FusionAuth/fusionauth-issues/issues/883) * Modal dialogs in the FusionAuth admin UI can now be closed by using the escape key or by clicking outside of the modal. * Resolves [GitHub Issue #903](https://github.com/FusionAuth/fusionauth-issues/issues/903) * Add support for signing webhook events with a SHA-256 hash function. This feature will allow consumers of FusionAuth events to verify the message body has not been modified. The signature is contained in a JWT and will be sent using an HTTP request header named `X-FusionAuth-Signature-JWT`. You may use existing JWT verification strategies including consuming the public key from the JWKS endpoint. * See the [Signing Webhooks](/docs/extend/events-and-webhooks/signing) and [Webhooks APIs](/docs/apis/webhooks) for signing and verification details. * Resolves [GitHub Issue #1859](https://github.com/FusionAuth/fusionauth-issues/issues/1859) * Expose the `id_token` returned by the Identity Provider to the Reconcile Lambda function when available. If the `id_token` is returned by the IdP and the signature can be verified it will be now be passed to the lambda function in the `tokens` argument. Example: `tokens.id_token`. * Resolves [GitHub Issue #2189](https://github.com/FusionAuth/fusionauth-issues/issues/2189) * Add the `curl` command to the FusionAuth Docker image. This allows you to use the `curl` command for use in health checks or anytime you need to use `curl`! * Resolves [GitHub Issue #2272](https://github.com/FusionAuth/fusionauth-issues/issues/2272) * Support for optional expansion of the `user.registrations` and `user.memberships` properties on the User Search API. This change is backwards compatible, but you may optionally request the Search API omit these properties on the response which may improve performance. See the [User Search](/docs/apis/users#search-for-users) API for additional details on using the `expand` request parameter, and the `expandable` response value. * Resolves [GitHub Issue #2319](https://github.com/FusionAuth/fusionauth-issues/issues/2319) * Enhance the error messaging returned to the end user when using the Test SMTP button in the FusionAuth admin UI. This enhancement will make it easier to test your SMTP configuration. * Resolves [GitHub Issue #2373](https://github.com/FusionAuth/fusionauth-issues/issues/2373) * Reduce un-necessary logging when fuzzers send parameter names containing `class`. * Resolves [GitHub Issue #2393](https://github.com/FusionAuth/fusionauth-issues/issues/2393) * When updating a theme, a validation error will be returned if you are missing messages. Currently the error response does include the missing message keys. This error response is now enhanced to return the keys and the default values from the default theme. This allows you to optionally parse the response for the missing keys and values. * Resolves [GitHub Issue #2427](https://github.com/FusionAuth/fusionauth-issues/issues/2427) * Expose the `access_token` returned by the Identity Provider to the Reconcile Lambda function. The `access_token` will now be passed to the lambda function in the `tokens` argument. Example: `tokens.access_token`. * Resolves [GitHub Issue #2494](https://github.com/FusionAuth/fusionauth-issues/issues/2494) * When the `id_token` is returned from the IdP and the signature can be verified it will now be used to optionally resolve the `uniqueIdClaim` in addition to the `emailClaim` and `usernameClaim`. This means you can configure the `uniqueIdClaim` to a claim that is only available in the `id_token`. Prior to this change, the `id_token` could only be verified if it was signed using the an HMAC algorithm using the `client_secret`. With this change, if the IdP publishes public keys using the JWKS endpoint that is resolved from the `.well-known/openid-configuration` FusionAuth will attempt to validate the signature. * Resolves [GitHub Issue #2501](https://github.com/FusionAuth/fusionauth-issues/issues/2501) ### Internal * Update dependencies to remove CVE scan warnings and to stay current. These upgrades are simply a precautionary measure to stay current. * Upgrade `com.google.inject:guice` `5.1.0` to `6.0.0` * Upgrade `com.google.guava:guava` `30.1.0` to `32.1.2` * Upgrade `io.fusionauth:java-http` `0.2.0` to `0.2.9` * Upgrade `org.apache.kafka:kafka-clients` `2.8.2` to `3.6.0` * Upgrade `org.primeframework:prime-mvc` `4.11.0` to `4.17.1` * Upgrade `org.xerial.snappy:snappy-java` `1.1.8.1` to `1.1.10.4` * Resolves [GitHub Issue #2385](https://github.com/FusionAuth/fusionauth-issues/issues/2385) * Upgrade to the latest Java 17 LTS. Upgraded from `17.0.3+7` to `17.0.8+1`. * Resolves [GitHub Issue #2386](https://github.com/FusionAuth/fusionauth-issues/issues/2386) * Update the logging configuration when using the `fusionauth-search` distribution (`.deb`, `.rpm`, or `.zip`) to be more consistent with the `fusionauth-app` logging configuration. If you are using Elasticsearch or OpenSearch in Docker or other off the shelf installation of Elasticsearch or OpenSearch this change will not affect you. * Resolves [GitHub Issue #2391](https://github.com/FusionAuth/fusionauth-issues/issues/2391) * Update the FusionAuth static file resolution configuration to further limit class path resolution. While no known security risks exist with the current behavior, it is not necessary. * Resolves [GitHub Issue #2462](https://github.com/FusionAuth/fusionauth-issues/issues/2462) ### Fixed * Revert the GC (garbage collection) logging change introduced in version `1.47.0` for compatibility with the FusionAuth docker image. * Resolves [GitHub Issue #2392](https://github.com/FusionAuth/fusionauth-issues/issues/2392), thanks to [@pigletto](https://github.com/pigletto) and [@patricknwn](https://github.com/patricknwn) for reporting. Please be sure to read the notes in the **Changed** section before upgrading. ### Known Issues * The garbage collection logging change introduced in version `1.47.0` was not compatible with the way the FusionAuth docker image was built. You will need to use version `1.47.1` if you will be using the FusionAuth docker image. * The `passwordValidationRules` variable may be `null` on the first render of the Change Password themed page. If you had been referencing this field in your template, the render may fail. * The CSRF token used with federated login is not being applied when all configured IdPs for an application use managed domains and an `/oauth2/authorize` request for the application includes an `idp_hint` parameter. ### Security * A race condition exists when using a refresh token with a one-time-use policy where the same token value could successfully be used twice to obtain a new access token. In practice this would be very difficult to replicate outside of a scripted example. * Resolves [GitHub Issue #1840](https://github.com/FusionAuth/fusionauth-issues/issues/1840) Thanks to [@avitsrimer](https://github.com/avitsrimer) for reporting the issue! * Use a CSRF token with all federated login requests. This change will add additional protection when using a federated login to ensure the login is completed from the same browser that started the login workflow. This mitigates an attack vector that can be used in phishing attacks where a victim could be convinced to click on a link that would cause the user to unknowingly complete a login. * Resolves [GitHub Issue #2238](https://github.com/FusionAuth/fusionauth-issues/issues/2238) ### Changed * A change was made to the OAuth2 origin validation code. This change is not expected to cause any change in behavior for anyone with configured Authorized Origin URLs. The change is to inspect the port in addition to the schema and host when comparing the request and the `Referer` or `Host` header to determine if the request has originated from FusionAuth. One possible edge case that could be affected is if you using `localhost` in development for both FusionAuth and another application. In this example, it is possible that FusionAuth was not validating the Origin of requests from your application running on `localhost` correctly. If you encounter this case, you can either remove all Authorized Origin URLs from your configuration, or add the origin of your application so that it can be correctly validated. * Due to the necessary change related to adding a CSRF token when performing a federated login, a manual change may be required to your themed login pages. Please read through these details to understand if you will be affected. If you are using any 3rd party IdP configurations such as OpenID Connect, SAML v2, Google, Facebook with a custom theme, you will need to make a modification to your template in order for federated login to continue to work correctly. If you are not using any 3rd party IdP configurations, or you are not using a custom theme, no change will be necessary. If you will be affected by this change, please review the following details and then make the update to your theme as part of your upgrade process. 1. Find the `alternativeLogins` macro usage in `oauth2Authorize` and `oauth2Register` and add `federatedCSRFToken=federatedCSRFToken` as the last argument to this macro. ```html [#-- Updated macro usage. Line breaks added for readability. --] [@helpers.alternativeLogins clientId=client_id identityProviders=identityProviders passwordlessEnabled=passwordlessEnabled bootstrapWebauthnEnabled=bootstrapWebauthnEnabled idpRedirectState=idpRedirectState federatedCSRFToken=federatedCSRFToken/] ``` 2. Find the macro named `alternativeLogins` in `helpers` and add `federatedCSRFToken=""` as the last argument to this macro. ```html [#-- Updated macro in helpers. Line breaks added for readability. --] [#macro alternativeLogins clientId identityProviders passwordlessEnabled bootstrapWebauthnEnabled=false idpRedirectState="" federatedCSRFToken=""] ``` 3. Find the element `