Release Notes
Looking for release notes older than 1.44.0? Look in the release notes archive. Looking to be notified of new releases?
Version 1.55.1 - Holiday Hippo
December 21, 2024
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Security
-
Correct validation for configured authorized redirect URLs when using wild card support has been enabled.
- Resolves GitHub Issue #2906
-
Add additional validation of an authorizing JWT when using the Issue JWT API (
/api/jwt/issue
).- Resolves GitHub Issue #2916
Changed
-
The length of the refresh token has increased from
54
to64
characters. If for some reason you are expecting a specific length, you may need to account for this change.- Related to GitHub Issue #2952
New
-
Allow for the sending of usage stats. Enabling usage stats allow FusionAuth to better understand how our users use our product. Usage data does not contain configuration, user data or any information that can be used to identity a company or individual. This information will help us know where we need to invest in new features and enhancements.
If you are using FusionAuth Cloud, this feature will be enabled by default and cannot be disabled.
- Resolves GitHub Issue #2741
Fixed
-
The confirmation page shown when users are completing verification and other workflows shows a FreeMarker error when some cookies are unavailable. This could happen when cookies are deleted by a user, removed by a proxy, or when running in an iframe.
- Resolves GitHub Issue #2737
-
The SCIM ResourceTypes endpoint is returning resource type URLs with incorrect paths. The endpoint is returning a path prefix of
/api/scim/v2/
when it should be/api/scim/resource/v2/
.- Resolves GitHub Issue #2793. Thanks to @runely for reporting the issue!
-
The OAuth scopes consent form has text that cannot be localized. Hosted pages should be fully localizable for users.
- Resolves GitHub Issue #2817
-
When viewing user data in the
Manage user
view, a boolean value is always shown as-
, regardless of its actual value.- Resolves GitHub Issue #2839. Thanks to @rod-martens-alida for reporting the issue!
-
The JWT populate lambda is not executed when a user is logged in using the login API, but only when that user does not have a registration for the application named in the API call. This could lead to inconsistent behavior between a login using the hosted OAuth pages and a login using the login API.
- Resolves GitHub Issue #2899
-
The PHP client library is not handling libcurl errors gracefully, making it difficult to troubleshoot integration problems when using this library. See the client library issue for more details.
- Resolves GitHub Issue #2909
-
When downloading login records from System -> Login Records , the exported file format contains a place for zip code, however the zip code values are not being populated in the export.
- Resolves GitHub Issue #2917
-
The
POST /api/user/registration
call is documented as returning arefreshTokenId
, but this value is not being returned on the response.- Resolves GitHub Issue #2928. Thanks to @cezarneaga for reporting the issue!
-
When editing a user’s password in the FusionAuth admin UI after a new hashing scheme is set on the tenant, the password is not re-hashed using the new scheme. The re-hashing occurs as expected on a login or when the user changes their own password.
- Resolves GitHub Issue #2932
Enhancements
-
The
rate limit
error message was added to the default theme messages to make it more obvious that it is customizable. The[RateLimitedException]
message key was previously supported, but not easily discoverable.- Resolves GitHub Issue #1596. Thanks to @juansedo for reporting the issue!
-
Add an additional refresh token revocation policy to revoke a one-time use token on reuse. This policy helps protect against token theft by revoking the token if it were to be stolen and reused.
- Resolves GitHub Issue #1619
-
FusionAuth can now accept encrypted SAML assertions when acting as a SAML service provider. Support for encrypted assertions when FusionAuth is the SAML identity provider was added in version
1.47.0
.- Resolves GitHub Issue #2378
-
API keys can now be optionally set to expire at a given date/time. An expired key will not be deleted but will cause a
401
response to be returned when used. The expiration value can be edited to allow the expiration to be extended.- Resolves GitHub Issue #2537
-
Additional parameters are now accepted on the hosted backend
/app/login
and/app/registration
endpoints. This means you can pass things likelogin_hint
,idp_hint
, and analytics parameters that will be available on the respective OAuth hosted pages.- Resolves GitHub Issue #2742
-
The First-time Setup wizard was improved with more descriptive and consistent text around using a Community plan license.
- Resolves GitHub Issue #2859
-
In the new Webhook Event Log there were numerous small UX and copy improvements.
- Resolves GitHub Issue #2864
-
Improved handling of a SAML
RelayState
in an IdP-initiated login. Previously, FusionAuth would only look for a valid ACS URL in theRelayState
. Now, if the ACS URL can be resolved via other means, theRelayState
value will be preserved and passed as a parameter in the final call to the ACS URL.- Resolves GitHub Issue #2878
-
Added support for providing connect and read timeout values when making a
fetch
call from a lambda.- Resolves GitHub Issue #2938
-
You can now configure a grace period for single-use refresh tokens, during which time the previous token will remain active. This is required for various use cases, including when clustered OAuth clients employ eventual consistency when synchronizing a refresh token, and some nodes of a client can find themselves with an out-of-date refresh token.
- Resolves GitHub Issue #2952
Internal
-
Added tests to verify correct handing of wildcards in URLs in various places in the application. This change does not contain any functional changes.
- Resolves GitHub Issue #2147
-
Remove unused comments in a few theme templates.
- Resolves GitHub Issue #2880
-
Update dependencies.
- Upgrade
org.primeframework:prime-mvc
4.22.13
->4.27.0
- Resolves GitHub Issue #2873
- Upgrade
-
Better exception handling in extreme edge cases related to licensing of Breached Password Detection.
- Resolves GitHub Issue #2929
Version 1.54.0
November 25, 2024
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Security
-
A vulnerability was discovered in the FusionAuth hosted pages. Under specific application configurations, and with insufficient authorization validation being performed on an access token, a malicious user could bypass required steps in post-authentication workflows, allowing unauthorized access to protected resources.
This vulnerability was introduced in version
1.41.0
. It is recommended that you upgrade to version1.54.0
at your earliest convenience.- Resolves GitHub Issue #2933
Fixed
-
The SCIM Groups API does not properly perform atomic updates to groups and members. This can lead to consistency issues when multiple SCIM update requests are simultaneously processed requiring membership changes.
- Resolves GitHub Issue #2869
Version 1.53.3
October 25, 2024
This version of FusionAuth includes changes that may affect you if you have one more custom themes. Please read below to understand if this affects you, or if you need to take immediate action prior to upgrading.
A fix for FusionAuth SSO session management with external identity providers requires a change to Google IdP usage.
See Theme Upgrade Notes for details on updating an existing advanced theme specific to this release. See Theme Upgrades for additional information about the upgrade process.
Fixed
-
In order to better protect 3rd party logins via SAML v2, OpenID Connect, and other 3rd party identity providers, a CSRF (cross site request forgery) token was added in version
1.47.0
. This token was not being used when all identity providers configured for the requestedclient_id
were also configured to use managed domains, and the authorize request also contained theidp_hint
request parameter.In this specific configuration, because the token was not being utilized, the login workflow would fail with the error
The request origin could not be verified. Unable to complete this login request.
- Resolves GitHub Issue #2764
-
When using the hosted login pages, the end user is generally shown a checkbox named
Keep me signed in
, which indicates whether the user wishes to create an SSO session after logging in.When using an external identity provider along with an
idp_hint
orlogin_hint
parameter, a user may be taken directly to the identity provider, bypassing the page with this checkbox. In this case, the user will not have the option of making a choice to establish or not establish an SSO session.This behavior has been improved in order to provide additional control on how the SSO session should be created.
FusionAuth will now use the following order of operations in this non-interactive workflow to decide if the SSO session should be created.
- The user’s previous selection, if available. This past choice will have been stored in an HTTP only cookie.
- The optionally supplied
rememberDevice
query parameter.
In the event that the user has never seen the login page, the value of the
rememberDevice
query parameter will be the deciding factor. A value oftrue
indicates that an SSO session should be created and a value offalse
indicates that an SSO session should not be created. If this parameter is omitted, the default behavior will be to create the SSO session.For more information on using the
idp_hint
andlogin_hint
parameters, see the Identity Providers Overview documentation.- Resolves GitHub Issue #2893
-
When using the login validation lambda with a 3rd party identity provider such as OpenID Connect, when the validation lambda causes the login to fail, the end user will not see the specific error returned by the lambda. Instead the user will see the following generic error (unless this message has been modified in a theme):
A validation error occurred during the login attempt. An event log was created for the administrator to review.
The reason for this generic message is that in most cases if FusionAuth cannot complete a login request to a 3rd party we do not want to show the end user the technical reason. When a login validation lambda is the cause of the login failure, we do intend to the show the end user a more specific message. This issue has been corrected and if the login validation lambda was the cause of the failure, the event log is created when the identity provider has enabled debug.
- Resolves GitHub Issue #2903
Version 1.53.2
September 12, 2024
Security
-
Improvements to better defend against XSS (Cross-Site Scripting) attacks.
- Resolves GitHub Issue #2868
Fixed
-
The
kickstart.success
event may not fire correctly after Kickstart completes due to a timing issue when creating the webhook in your Kickstart definition.- Resolves GitHub Issue #2863
-
Navigating to the System -> About page in the FusionAuth admin UI may fail to render if you start up without an internet connection.
- Resolves GitHub Issue #2865
-
Navigating to the System -> Webhook Log in the FusionAuth admin UI may display a general error and fail to return search results if there are any events of type
user.login.failed
displayed.You may work around this issue by selecting a specific event type, or narrowing the scope of the results by using any of the additional search criteria found in the Advanced search controls.
- Resolves GitHub Issue #2871
Version 1.53.1
September 6, 2024
Fixed
-
A user may fail to enroll a new Passkey (WebAuthn credential) used for reauthentication during a login workflow. Previously configured Passkeys should continue to work as expected. This bug was introduced in version
1.53.0
.- Resolves GitHub Issue #2861
Version 1.53.0 - Lambda Llama
September 5, 2024
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Known Issues
- FusionAuth’s hosted login pages no longer create an SSO session when signing in using an external IdP.
-
A user may fail to enroll a new Passkey (WebAuthn credential) used for reauthentication during a login workflow. Previously configured Passkeys should continue to work as expected.
-
Resolved in version
1.53.1
via GitHub Issue #2861
-
Resolved in version
Changed
-
The Docker image for the
linux/arm/v7
architecture is not being published for this release.This deprecation was announced in version
1.52.0
, and while we had planned to continue publishing this build for the next few releases, Java 21 is not being built for this architecture which means we can no longer support it. Please see thread in Adoptium support or the Adoptium release status for additional details.- Related to GitHub Issue #2473
New
-
The Webhook Event Log! The Webhook Event Log will contain a record of each triggered event and the corresponding attempts to deliver the event to each configured webhook. This log will be useful for monitoring events that have succeeded or failed to be received by your configured webhooks. The attempt log will provide you with timing, the status code returned by your webhook, and other metadata.
The longer term goal of this feature will be to allow events to be retried when one or more webhooks failed to receive the event, or for some reason was unable to process the event. This is the first step towards that goal. You will find this new feature in the FusionAuth Admin UI under System -> Webhook Log .
See the API docs and Webhook Event Log documentation for more detail.
- Resolves GitHub Issue #1314
-
A new lambda function has been introduced that can be used to prevent login based on information in a user record, an application registration, and more. This allows the notion of a valid login to be extended beyond the standard items such as credential checks and MFA. See Login Validation Lambda for more detail.
- Resolves GitHub Issue #1282
Fixed
-
When using an SSO TTL of
0
seconds or a very small number, it is possible that a user may not be able to complete login using the FusionAuth hosted login pages. If you encounter this problem prior to this version, you may work around the issue by increasing the TTL to something larger than0
, ideally at least30
seconds.The potential for this issue has existed for some time, but some changes made in version
1.50.0
made it more likely for this to occur.- Resolves GitHub Issue #2736
-
When using the start and end times in the Advanced search criteria in the FusionAuth admin UI for the Audit Log, Event Log, and Login Records the selected values were being incorrectly adjusted. This bug was introduced in version
1.52.0
.- Resolves GitHub Issue #2843. Thanks to @runely for reporting this! ⭐️
Enhancements
-
In the FusionAuth admin UI, tables had one-too-many 😜 action buttons. These action buttons have been replaced with a dropdown menu. The number of buttons on some pages grew to the point that it was becoming difficult to differentiate between the buttons, and was also visually cluttering up the view. We hope you like it!
More UI and UX updates coming!
- Resolves GitHub Issue #2810
Internal
-
Java 21 LTS. Upgrade from Java 17, to the latest long term support (LTS) version of Java which is 21.
- Resolves GitHub Issue #2473
-
Improve database connection resiliency under heavy load by separating interactive and non-interactive tasks into separate connection pools. This change should improve performance and scalability.
Please note that if you are self-hosting FusionAuth you will see an increase in the number of open connections to the relational database from FusionAuth. Previously each FusionAuth node would open
10
connections. Starting in this release, this number will increase to a minimum of21
, and can scale to a maximum of50
. These numbers are subject to change in future releases.To calculate the total number of connections to the relational database, multiple these numbers by the number of nodes in your cluster. If you have a
3
node FusionAuth cluster, the minimum number of connections open to your database will be63
with a maximum of150
.- Resolves GitHub Issue #2700
-
Update dependencies.
- Upgrade
js/handlebars.js
4.7.6
->4.7.8
- Resolves GitHub Issue #2829
- Upgrade
Version 1.52.1
August 15, 2024
Fixed
- The SCIM Patch operation now properly handles removing multiple array elements, such as group memberships, in a single request.
- Resolves GitHub Issue #2834
Internal
- Update dependencies.
- Upgrade
io.fusionauth:fusionauth-scim
2.2.1
->2.2.2
- Resolves GitHub Issue #2858
- Upgrade
Version 1.52.0 - Passkey Platypus
August 8, 2024
User Registrations API
When using the User Registrations API, the data
field for the FusionAuth application with Id 3c219e58-ed0e-4b18-ad48-f4f92793ae32
may now contain a preferences
object. This object is reserved and should not be modified.
Upgrading in an air-gapped configuration
If you are not using an air-gapped license, this message can be disregarded. Have a good day!
For those running in an air-gapped configuration, you’ll want to review this note. To ensure your premium features remain active after upgrading, please do the following:
- Navigate to the Plan page in your FusionAuth account
- Pick up your license key and newly generated license text
- Navigate to
Reactor
in your Admin UI on your FusionAuth instance - Decommission your license
- Reactivate FusionAuth Reactor using the license key and text
More details on activating and deactivating your license can be found in the Licensing docs.
Group Member API
The user
field on the Group Member API responses is being deprecated.
This field was not documented, and has never been populated on the API response. However, because this field was generated and part of the domain in FusionAuth client libraries, we are providing a deprecation notice in case this may affect your integration. Client library users should remove references at your earliest convenience.
Removal of this field is targeted for the end of 2024.
Docker architectures
We are planning to discontinue publishing Docker images for the following architectures: linux/arm/v7
, linux/ppc64le
, and linux/s390x
. The rationale behind this decision is that we do not believe they are actively being used, and we would like to move to the GraalVM Java distribution which does not provide builds for these architectures.
We plan to stop publishing docker images for these architectures at the end of 2024. If you are actively using any of these architectures, please let us know how this could affect you by contacting support or reaching out to sales.
This version of FusionAuth includes changes that may affect you if you have one more custom themes. Please read below to understand if this affects you, or if you need to take immediate action prior to upgrading.
A new date picker element with enhanced styling and mobile support is now available.
See Theme Upgrade Notes for details on updating an existing advanced theme specific to this release. See Theme Upgrades for additional information about the upgrade process.
Known Issues
- When using the start and end times in the Advanced search criteria in the FusionAuth admin UI for the Audit Log, Event Log and Login Records the selected value was being incorrectly adjusted.
- Resolved in version
1.53.0
via GitHub Issue #2843
- Resolved in version
Security
- When detecting impossible travel or similarly suspicious login events, it is possible that not all device trust cookies were correctly revoked. These are now automatically revoked.
- Resolves GitHub Issue #2753
New
- A free community license is now available, which adds WebAuthn (Passkeys) to the Community plan. All those with a Community license will now find a license key in their FusionAuth account plan page. And there was much rejoicing! 🥳
- Resolves GitHub Issue #2662
- Resolves GitHub Issue #2663
Fixed
-
Clicking the toggle checkbox element in the admin UI quickly may cause the checkbox state to be inverted. This can be easily fixed by refreshing the page. You should now be able to click as fast as you want! Go forth and click!
- Resolves GitHub Issue #2718
-
Attempting to sort API keys by key value in the admin UI by clicking the key value header would result in an error.
- Resolves GitHub Issue #2738
-
When using the API Key API and specifying an invalid
tenantId
on the request in order to create a tenant-scoped API key, the request fails with a500
status code. This error has been corrected, and an appropriate validation error is now returned.- Resolves GitHub Issue #2749
-
The date picker that was being used for birthdates and custom date fields was not styled correctly based upon the selected theme. The date picker has been changed to the browser-default date picker, which should work much better on mobile devices. This picker style will now be used in themed hosted login pages, as well as the admin UI for searching a date range or selecting a birthdate. This change should not affect any existing advanced theme that may still use the older style date picker. See theme upgrade notes for details on updating an existing advanced theme to use this new option.
- Resolves GitHub Issue #2770
-
Adding custom message keys to your theme messages using the admin UI was failing to persist these changed messages. The UI for editing messages in the simple theme editor has also been improved to make it easier to understand which messages have been modified.
- Resolves GitHub Issue #2778
-
When the Browser preview button was used to open a new tab for simple themes in the admin UI the page would render without any applied CSS when using the Firefox browser. Sorry Firefox users, we ask for your forgiveness. 😔
- Resolves GitHub Issue #2794
-
The default
orderBy
parameter value for the Group Member Search API did not provide a consistent ordering of results because the default sort was oninsertInstant ASC
which may not always be unique. This API is used by the SCIM Groups Resource API which then can cause inconsistent results for the SCIM client. The defaultorderBy
is now set toinsertInstant ASC, userId ASC, groupId ASC
to ensure a consistent result between API calls.- Resolves GitHub Issue #2798
-
When using the simple theme editor in the admin UI, the color picker did not always render next to the input field. The color picker will now always correctly render adjacent to the input field you select.
- Resolves GitHub Issue #2803
-
Newlines and tabs were not rendered when viewing audit entries in the view dialog from the admin UI. If you are using new lines or tabs in your audit log messages, you may now enjoy viewing them in all their intended glory!
- Resolves GitHub Issue #2808
-
When using the interactive maintenance mode to upgrade your database schema, it is possible that you had to click the Submit button twice to exit maintenance mode. This was only a cosmetic issue but may be annoying or confusing to the user. We are sorry if you had to click the Submit button twice. 😬
- Resolves GitHub Issue #2815
Enhancements
- Add the new health check endpoint (
/api/health
) that was added in1.51.1
to the client libraries.- Resolves GitHub Issue #2804
Internal
-
For users in FusionAuth Cloud, attempting to save a Simple theme may result in an error.
- Resolves GitHub Issue #2777
-
An equals (
=
) sign in query parameter value was not being parsed correctly. There are no known issues related to this bug as generally speaking an equals (=
) sign will be URL encoded as%3D
. However, because it is legal use an equals (=
) sign un-encoded in a query string name or query string value, this has been corrected.- Resolves GitHub Issue #2792
-
An unused template was removed from the self-service login workflow. In practice this page was never rendered and was not included in the theme configuration. This change should not impact anyone using themes.
- Resolves GitHub Issue #2818
-
Update dependencies.
- Upgrade
org.freemarker:freemarker
2.3.32
->2.3.33
- Upgrade
org.primeframework:prime-mvc
4.22.7
->4.22.12
- Upgrade
org.apache.kafka:kafka-clients
3.6.1
->3.7.1
- Upgrade
com.fasterxml.jackson.*
2.15.4
->2.17.2
- Upgrade base docker image
ubuntu:jammy (22.04)
->ubuntu:noble (24.04)
- Resolves GitHub Issue #2726
- Upgrade
Version 1.51.2
July 3, 2024
Security
- A XSS (Cross-Site Scripting) vulnerability was identified in the FusionAuth admin UI.
- Resolves GitHub Issue #2801
Version 1.51.1
June 12, 2024
Fixed
- An HTTP request sent to FusionAuth with non-ASCII characters in request header values caused the request to be rejected and caused the connection to be closed without a response. Generally speaking values outside of the ASCII character set are not allowed, but in practice they may be used, and so these values are now treated as opaque and ignored by the HTTP request parser.
- Resolves GitHub Issue #2774
- A typo was found in the description of the
user.password.reset.send
event on the tenant edit page.- Resolves GitHub Issue #2782
- The SCIM API is not properly handling reading, creating, and updating groups with more than one hundred memberships. Responses containing groups with more than one hundred memberships are only returning the first one hundred. Create and update operations are only creating or updating one hundred, and deleting the remainder. This defect also caused the FusionAuth event for
group.member.update
andgroup.member.update.complete
to contain the same truncated list of members.- Resolves GitHub Issue #2784
New
- A Health API
/api/health
has been added. Prior to this addition, the/api/status
endpoint was the best option for performing health checks. The Status API may not be ideal for all use cases because it returns a JSON body and the status code is used to indicate the status of various health checks that may not be valuable by a load balancer to indicate if requests should be routed to this node. This new endpoint provides a binary indication of the healthiness or unhealthiness of a FusionAuth instance by only returning a200
or500
status code w/out a JSON response. This new API also runs fewer health checks and may perform better than the Status API.- Resolves GitHub Issue #1166
Internal
Update dependencies.
- Upgrade
io.fusionauth:java-http
0.3.4
to0.3.5
- Resolves GitHub Issue #2786
Version 1.51.0 - Theming Toucan
May 28, 2024
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Fixed
- In version
1.45.0
we added a hosted OAuth backend capability, allowing a developer to write a front end-only application, but still take advantage of an authorization code grant workflow by leveraging the backend provided by FusionAuth. Multi-segment domain suffixes (e.g..co.uk
) are not handled correctly by this hosted backend when setting the domain on cookies. Cookie domains are now set properly.- Resolves GitHub Issue #2735
- A SAML login request that is missing a
Content-Type
header yields a cryptic error message. A more meaningful error message is now provided. Additionally, sending abinding
parameter would lead to an error message, when this parameter is not one we process. We now ignore this parameter if it is provided.- Resolves GitHub Issue #2722
- A SMS two factor messages template can be set at the Tenant level and should be overridable at the Application level. When a template is set at the Application level it is not being honored and the Tenant-level template is always used. Application overrides of SMS two-factor templates are now used correctly.
- Resolves GitHub Issue #2728
Security
- Improve SAMLv2 callback handing with malformed requests.
- Resolves GitHub Issue #2757
New
- WYSIWYG theme editing! Version
1.51.0
introduces a new Simple Theme type, along with a visual editor. This first version of visual theme editing allows you to change the basic styling of FusionAuth hosted pages, including logos and background images, colors, fonts, and more. See the Simple Theme Editor docs for more information.- Resolves GitHub Issue #2669
Internal
- Update dependencies.
- Upgrade
org.graalvm.sdk:*:22.3.3
toorg.graalvm.polyglot:*:23.1.2
- Upgrade
org.graalvm.js:js
22.3.3
to23.0.3
- Upgrade
io.fusionauth:java-http
0.3.2
to0.3.4
- Resolves GitHub Issue #2727
- Upgrade
Version 1.50.1
April 25, 2024
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Fixed
- FusionAuth added a First Time Setup wizard in 1.50.0. This release fixes a couple of usability items related to the new wizard.
- Items related to the first time setup wizard are being show after upgrades, when the intent was to only show them for new installations. These are now only being shown for unconfigured FusionAuth instances.
- In the First Time Setup summary page, FusionAuth shows sample configuration for various quickstarts. The configuration for the React quickstart corresponds to a previous version of the quickstart and is incompatible with the current version. The React quickstart configuration is now formatted for the current quickstart version.
- Resolves GitHub Issue #2729
Version 1.50.0 - Scopes Salamander
April 24, 2024
This release makes significant changes to the default behavior of new Applications with regard to scopes in OAuth workflows.
The database migration will update existing Applications to behave in a backwards compatible manner.
See the OAuth Scopes documentation for more information, in particular the Relationship
, Unknown scope policy
, and Scope handling policy
configurations.
If you are using IFRAMEs to access the FusionAuth hosted login pages please check that the IFRAME src
is from the same domain as the FusionAuth pages.
FusionAuth uses cookies to manage user state with the SameSite
attribute set to Lax
or Strict
. Browsers will block Set-Cookie
headers on cross-domain requests.
This release introduces a new redirect into the OAuth flows to /oauth2/consent
as part of the OAuth Scopes
feature. This redirect will occur during each browser-based interactive OAuth workflow. Prior to this version it was possible to complete an OAuth code grant
flow without cookies being set as long as there were no additional redirects to FusionAuth before the final redirect to the configured
redirect_url . As a result it did not matter if the Set-Cookie
headers were blocked. The redirect with the code would still work.
However, in this version the browser will not be able to send the FusionAuth cookies required to maintain user state along with the redirect to
/oauth2/consent
and the login flow will fail. The user will be redirected back to /oauth2/authorize
and will be unable to log in.
The use of JWT authentication for the /api/user
API is being deprecated. This functionality will be removed in a future release.
If you are using this API with JWT authentication, you will need to modify your integration to use the /oauth2/userinfo
endpoint if you have obtained your JWT using an OAuth2 grant, or authenticate the request to the User API using an API key.
Removal of this authentication type is targeted for the end of 2024.
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
This version of FusionAuth includes changes that may affect you if you have one more custom themes. Please read below to understand if this affects you, or if you need to take immediate action prior to upgrading.
The new consent prompt themed page requires the scopeConsentField
macro and resolveScopeMessaging
function to be defined in the Helpers template in order to render scope consent form fields. These must be added to a custom theme in order for it to function.
See Theme Upgrade Notes for details on updating an existing advanced theme specific to this release. See Theme Upgrades for additional information about the upgrade process.
Known Issues
- When using an SSO TTL of
0
seconds or a very small number, it is possible that a user may not be able to complete login using the FusionAuth hosted login pages. You may work around the issue by increasing the TTL to something larger than0
, ideally at least30
seconds.- Resolved in version
1.53.0
via GitHub Issue #2736
- Resolved in version
Changed
-
The
/oauth2/userinfo
endpoint now requires theaud
claim to be present on the provided access token, allowing for tighter compliance with the OIDC spec. See the UserInfo endpoint for more detail.If you are not using OAuth, and your JWT does not contain the
aud
claim, consider using the JWT validate API instead.- GitHub issue pending
- Resolves GitHub Issue #2725
-
Applications now offer an
Unknown Scope Policy
. This can be used to enhance security by rejected or removing unrecognized scopes during an OAuth workflow. See the application Scopes tab for more detail.- Delivered as part of the Custom OAuth Scopes body of work, which resolves GitHub Issue #275 (see below)
-
Applications now have a new Scope Handling Policy. The
Strict
option provides behaviors that are more compliant with the OIDC specification, while theCompatibility
option provides backwards-compatible behavior. Specifically,Strict
mode limits information in access tokens and populates Id tokens and UserInfo responses based on the requested OAuth scopes. This option also restricts the UserInfo endpoint to accepting only access tokens containing theopenid
scope.See Scope handling policy for more detail.
- New applications will default to the
Strict
option. If your integration requires theCompatibility
policy because you need backwards compatible behavior, please specify that option when creating the application. - Resolves GitHub Issue #1582 and GitHub Issue #1475, thanks to @awoodobvio for the suggestions!
- New applications will default to the
-
The Refresh Token Grant request now supports requesting a subset of the original scopes. The former behavior was to respond with an
invalid_scope
OAuth error.- Resolves GitHub Issue #2590
-
Support for optional expansion of the
application.roles
andapplication.scopes
properties on the Application Search API.This change is backwards compatible, but you may optionally request the Search API omit these properties on the response which may improve performance. See the Application Search API for additional details on using the
expand
request parameter, and theexpandable
response value.- Resolves GitHub Issue #2724
-
The
/oauth2/device/user-code
endpoint now returns thescope
parameter value that should be used in the interactive portion of the Device Code Grant workflow. See Device User Code for more detail.- Addressed as part of the Custom OAuth Scopes body of work, which resolves GitHub Issue #275 (see below)
Fixed
- FusionAuth will now limit passwords to 50 characters when using the bcrypt algorithm. This restriction is due to limitations in the bcrypt algorithm. This limit will be enforced even when the tenant policy allows for a maximum password length greater than 50. If the tenant policy requires a maximum password length of less than 50, the tenant policy will take precedence.
- Resolves GitHub Issue #2671
- There are several scenarios where implicit email verification can occur. They are, during registration verification, password change, passwordless authentication, and MFA code validation. In these cases, a configured email verification email was not being sent, and the email verification event was not being generated. The email and event will both be triggered during implicit verification now.
- Resolves GitHub Issue #1651 and GitHub Issue #2672. Thanks to @ashutoshningot and @mou, respectively, for the suggestions!
- When configuring MFA for an application, the
Trust policy
selector is not being shown when MFA is required for the application, but only shown when MFA enabled for optional use. The selector is now shown when theOn login policy
is set to eitherEnabled
orRequired
.- Resolves GitHub Issue #2593
- When using FusionAuth behind a proxy, a missing
X-Forwarded-Proto
header could incorrectly cause a warning of a missingX-Forwarded-Port
header. These warnings are now reported accurately. Additionally, FusionAuth will now be smarter about determining the forwarded port, taking it from one of multiple sources includingX-Forwarded-Host
,X-Forwarded-Port
, or inferring it fromX-Forwarded-Proto
. This should make FusionAuth work with more proxies out of the box without additional configuration.- Resolves GitHub Issue #2702
- When authentication with an identity provider fails due to misconfiguration, and a user falls back to logging in with a username and password, the
authenticationType
that is reported by FusionAuth is for the original identity provider despite the user having logged in with a username and password. FusionAuth now correctly reports the authentication type asPASSWORD
. Thanks to @charlesericjs for bringing this to our attention!- Resolves GitHub Issue #2670
Enhancements
- FusionAuth will now enforce a maximum password length of 256 characters in the tenant password policy. This decision was made to strike a balance between allowing for very secure passwords, but also for maintaining acceptable performance when using a large number of hash iterations.
- Resolves GitHub Issue #2688
New
-
Custom OAuth scopes are now supported for applications. Custom OAuth scopes come along with a number of related features, including support for third-party applications, themeable user consent, and much more.
See the API docs and OAuth Scopes documentation for more detail.
- Resolves GitHub Issue #275, thanks to @badaz for the suggestion!
-
Applications may now be designated as third-party applications. In addition to the prompting for authorization that comes with the
Custom OAuth Scopes
feature (see above), limitations are being added to how third-party applications may interact with FusionAuth.- Resolves GitHub Issue #2723
-
Applications can now be configured to prompt users to grant consent to requested OAuth scopes using the
/oauth2/consent
themed page. See the OAuth Scopes for more detail.- Resolves GitHub Issue #411
-
A new lambda function has been introduced that can be used to customize the UserInfo response for an application. See UserInfo Populate Lambda for more detail.
- Resolves GitHub Issue #1647 and GitHub Issue #659, thanks to @themobi and @soullivaneuh for the suggestions!
-
A new, optional First Time Setup wizard has been added, which guides a developer through the basic setup needed to integrate their first application. After installing FusionAuth, you’ll be able to access this from the main admin dashboard, as well as from the top of the left hand navigation.
- Resolves GitHub Issue #2717
Internal
- Update dependencies.
- Upgrade
ch.qos.logback:logback-*
1.4.14
to1.5.6
- Upgrade
com.fasterxml.jackson.*
2.15.3
to2.15.4
- Upgrade
io.fusionauth:java-http
0.2.10
to0.3.2
- Upgrade
org.mybatis:mybatis
3.5.15
to3.5.16
- Upgrade
org.primeframework:prime-mvc
4.22.0
to4.22.7
- Upgrade
org.postgresql:postgresql
42.7.2
to42.7.3
- Upgrade
org.slf4j:slf4j-api
2.0.7
to2.0.13
- Resolves GitHub Issue #2678
- Upgrade
Version 1.49.2
March 20th, 2024
New
- The search index default refresh interval may now be configured. In general this should not be modified, but the configuration option has been added and will default to
1s
. The new configuration is namedfusionauth-app.search.default-refresh-interval
. See the Configuration reference for additional detail.- Resolves GitHub Issue #2679
Fixed
-
When configured to use an email verification strategy of
Form Field
without setting the unverified behavior toGated
the verification strategy was always functionally usingClickable Link
which means the user would receive an email with a clickable URL instead of a short code.With this fix, you may now use an unverified behavior of
Allow
with a verification strategy ofForm Field
. When you configure FusionAuth this way, it is assumed that you will be handling the verification process in your own application.- Resolves GitHub Issue #1734
-
When using the Bulk User Import API
/api/user/import
the search index refresh interval is modified to improve performance. Specifically the indexrefresh_interval
is set equal to-1
. When this API is called in parallel, it is possible that this index setting is not reset and will stay configured as-1
. The symptom of this error is that changes to the index are not reflected by the Search API and the search results may no longer be accurate.- Resolves GitHub Issue #2679
-
When Advanced Threat Detection is enabled, an IP location database will be downloaded and used for IP address resolution. For these licensed customers, it is possible that a corrupted IP location database was downloaded and not correctly discarded and as a result the IP address location data may not be available.
You may have been impacted if you were using version
1.47.0
or later, between February 1st, 2024 and February 23rd, 2024. The observable symptom would be that your license status for the Advanced Threat Detection will showPending
instead ofActive
.This condition has already been corrected for FusionAuth Cloud. If you are self-hosting FusionAuth, upgrading will correct this condition. If you have a support contract and believe you are currently in this state and are not able to upgrade, please reach out to support for assistance.
- Resolves GitHub Issue #2673
Enhancements
- Add email and registration verification Ids to the User and Registration API responses when available for consistency and to better enable out of band management of these verification workflows.
- Resolves GitHub Issue#2681
Version 1.49.1 - Bugfix Beluga
March 6th, 2024
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Changed
- The Nashorn JavaScript engine has been removed from FusionAuth. All Lambda functions will now use the GraalJS engine which has been available since version
1.35.0
. No action is required, but please note that if you had any Lambda functions still configured to use the Nashorn engine they will be migrated to use GraalJS.- Resolves GitHub Issue #1828
- In prior versions of FusionAuth, if a new themed page was added, until you upgraded your theme by adding this new page, the end user may be shown a page indicate the page was missing. This was shown because it was assumed that a new page would only be shown for a new feature that had not been enabled, and this page would only ever been seen during development. In this release we are adding a new page that may be shown w/out any additional features being enabled. For this reason, we have removed this place holder page, and we will always fall back to the default theme when a page is missing. You will still want to upgrade your theme as part of your upgrade process, but this change will ensure that we will not break any new or existing workflows when a new page is added.
- Resolves GitHub Issue #2443
Security
- An incorrectly formatted SAML request may cause excessive CPU load.
- Resolves GitHub Issue #1681
- Disable additional JNDI settings in the LDAP connector. This update is proactive, there are no known exploits.
- Resolves GitHub Issue #2605
- Add additional protection against cross-site attacks when FusionAuth is acting as a SAML IdP.
- Resolves GitHub Issue #2611
- Audit log entries added by the FusionAuth admin application may contain sensitive information. Sensitive fields will now be masked when written to the audit log. Please note that this does not affect the Audit Log API, only the use of this API by the FusionAuth admin app.
- Resolves GitHub Issue #2623
- Added additional protection against cross-site attacks when using the self-service account pages.
- Resolves GitHub Issue #2626
Fixed
-
The default permissions in AWS RDS PostgreSQL version 15.2 caused the initial configuration of FusionAuth to fail to create the tables required to complete the initial configuration. The required permissions are now being explicitly granted, and the errors reported back to the user have been improved.
- Resolves GitHub Issue #2264
-
If a user starts a Forgot Password flow, and clicks on a change password link in an email after the link has expired, the redirect back to the original Forgot Password form will not include the locale parameter. This fix ensures that a locale parameter, when present in the change password link, is preserved through this workflow and allows for localization to remain consistent.
- Resolves GitHub Issue #2328
-
When setting up a Facebook IdP, an option was provided in the admin UI to select
Use vendor JavaScript
as a Login method. This option is not applicable and has been removed.- Resolves GitHub Issue #2351
-
Fix the SCIM filter when filtering on
userName eq {username}
to always return a single result.- Resolves GitHub Issue #2455
-
The LinkedIn APIs have changed, and the LinkedIn IdP no longer worked for new LinkedIn applications. This update allows FusionAuth to work with new and legacy LinkedIn applications.
- Resolves GitHub Issue #2496
-
The FusionAuth TypeScript client library was incorrectly encoding arrays values into query parameters. This bug was preventing a few specific search queries from working correctly.
- Resolves GitHub Issue #2513
-
When using MySQL, the default Admin user form was missing the
First name
field. The field could be added to the form, but was missing in the default version.- Resolves GitHub Issue #2529
-
When an invalid Tenant Id was provided on the
.well-known/openid-configuration
the default configuration was returned. This has been updated to return a404
status code.- Resolves GitHub Issue #2538
-
When creating a User with a group membership with a specified member Id that was already in use, the requested completed w/out a validation error and the membership was ignored. The API now correctly validates this condition and will return a
400
and a JSON response.- Resolves GitHub Issue #2586
-
When retrieving all refresh tokens for a user, the response may contain the user’s SSO token. The SSO token can be identified because it does not contain an
applicationId
and it may not be refreshed. Validation has been improved when using the Refresh Grant, or the Refresh API to ensure FusionAuth correctly fails indicating the token is invalid and may not be refreshed.- Resolves GitHub Issue #2594
-
A regression was introduced in version
1.47.0
to the Change Password themed page. The issue is that thepasswordValidationRules
variable may benull
on the first render. If you had been referencing this field in your template, the render may fail.- Resolves GitHub Issue #2616
-
The Identity Provider Link API states that a
token
parameter can be accepted during a create. When provided, the token was not being persisted on the link.- Resolves GitHub Issue #2622
-
Fix the “Getting Started” link found in the index page in the default theme.
- Resolves GitHub Issue #2625
-
When viewing a User’s Consents in the FusionAuth admin UI, if one or more of the consents have been granted by another user that is not a member of their family, an error is shown in the
Given by
column.- Resolves GitHub Issue #2639
-
When you have configured the JWT signing key with the
ES512
algorithm, the generated signature may be intermittently invalid. This means that JWTs may seemingly fail to validate randomly and you may think you are crazy. You are not crazy. If you are using this signing algorithm, it is recommended you use a different algorithm until you are able to upgrade.- Resolves GitHub Issue #2661
-
SCIM PATCH requests may fail to parse if an op path value contains a named schema containing a
.
(dot). This parsing error has been corrected.For example:
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department
- Resolves GitHub Issue #2667
-
When an SCIM create or update request contains schemas for which no properties exist, subsequent PATCH requests to those schema namespaces may fail.
For example, if the initial request contains a schema
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
without any properties, the default lambda function used to map this request to FusionAuth was not persisting this schema namespace. Then a subsequent PATCH request to add a member to that namespace such asurn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department
would fail.The default SCIM request converter (Lambda function) has been updated to correct this behavior.
- Resolves GitHub Issue #2667
Enhancements
-
Link checkers are great. They aim to protect end users from malicious links and phishing attacks. However, they wreak havoc and pain on identity providers using email based workflows to complete passwordless login, or email verification. And FusionAuth is one of those identity providers!
FusionAuth has employed various tactics over the years to stay ahead of the techniques used by these 3rd party tools. Their techniques continue to evolve making it difficult or impossible to know the difference between a link checker and a real human interacting with the link.
A new confirmation page has been added that is intended to protect the user, and make our email workflows immune to link checkers.
For example, when a user initiates a request such as passwordless login, and then completes the request in the same browser, the user will not observe any change. If the user completes the request on a different browser, or completes a request they did not initiate - such as clicking on an email verification link sent when a use is provisioned by an administrator, the user will be prompted to confirm they wish to complete the request.
If you are using a custom theme, you will want to upgrade your theme to include this new page. Until you complete this upgrade, the default theme will be used for this new page. In the FusionAuth admin UI, the theme page will be named Confirmation required.
- Resolves GitHub Issue #2443
-
Ensure the Login API never fails validation due to a timing issue with an Application cache. This rarely affects runtime, but this can be useful for testing where you may create an application and immediately perform a login.
- Resolves GitHub Issue #2557
-
Add a trusted proxy configuration to the System Configuration. This new configuration allows you to define one or more trusted upstream proxies using an IP address, or range of addresses using a CIDR notation.
A client IP address will be captured in a login record, sent to webhooks, and used to provide access when IP ACLs are configured. To correctly resolve the client IP address, we often will need to use the
X-Forwarded-For
request header.This header is modified when it passes through a proxy. In order to trust the contents of this header and resolve the client IP address, FusionAuth must know if it can trust all proxies implicitly, or to only trust those that are explicitly configured as trusted. The change is to optionally configure FusionAuth to no longer trust any upstream proxy that is not explicitly configured as trusted.
This new configuration can be found in the FusionAuth admin UI by navigating to
Settings > System > Networking
, or on the System Configuration API.- Resolves GitHub Issue #2624
Internal
- Update dependencies.
- Upgrade
org.postgresql:postgresql
42.6.0
to42.7.2
- Upgrade
com.fasterxml.jackson.*
2.15.2
to2.15.3
- Upgrade
org.mybatis:mybatis
3.5.13
to3.5.15
- Resolves GitHub Issue #2534
- Upgrade
- During a reindex operation, log the progress based upon a fixed time interval instead of every 250k records. This ensures the output is predictable regardless of the reindex performance.
- Resolves GitHub Issue #2565
Version 1.48.3
December 6th, 2023
Fixed
- Update the refresh token TTL when using the sliding window with a maximum lifetime JWT Expiration Policy. The symptom of this bug is that a refresh token will expire before the maximum configured lifetime.
- Resolves GitHub Issue #2566
Version 1.48.2
November 21st, 2023
Fixed
- When paging beyond 10,000 in the FusionAuth admin UI for Users or Entities, the bottom set of pagination controls may not work. If you encounter an error when clicking on the pagination controls, use the top set of controls instead. This bug is specific to the new pagination introduced in version
1.48.0
.- Resolves GitHub Issue #2544
- In some cases when using with FusionAuth-hosted pages in an non-secure context, such as accessing FusionAuth on
localhost
, thePublicKeyCredential
JavaScript API will not be available. This may cause an error on your JavaScript consolePublicKeyCredential is not defined
. This error kept the form on the page from correctly submitting.- Resolves GitHub Issue #2500
- In version
1.48.0
a change was made to reject a link request from an OpenID Connect IdP when theemail_verified
claim is supplied with a value offalse
. An assumption was made that theemail
andemail_verified
claims would both be present in theUserinfo
response or theid_token
. Some providers may split these claims, so this assumption has been removed.- Resolves GitHub Issue #2542
Security
- Correct the validation of the
post_logout_redirect_uri
parameter on the OAuth2 Logout request for relative URIs intended for use for FusionAuth applications.- Resolves GitHub Issue #2539
Internal
- Improve our JWT validation for internal security schemes by failing faster on invalid tokens.
- Resolves GitHub Issue #2555
Version 1.48.1
October 29th, 2023
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Fixed
- A bug was identified in a change made in version
1.48.0
that may affect performance for those with > 1M users.- Resolves GitHub Issue #2535
Version 1.48.0 - Webhook Walrus
October 27th, 2023
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Known Issues
- A bug was identified in a change made in this version that may affect performance for those with > 1M users.
- Resolved in version
1.48.1
via GitHub Issue #2535
- Resolved in version
Changed
- We are officially announcing the end of life for the Nashorn JavaScript engine used by FusionAuth Lambda functions. All new functions have defaulted to the GraalJS since version
1.35.0
. The engine is not being removed in the release, but this is an official notice that we plan to remove this engine in early 2024. Please review your lambda functions and ensure theengineType
is set toGraalJS
.- Resolves GitHub Issue #1828
- We are officially announcing the end of life for the
fusionauth-search
package. This is currently available in a.deb
,.rpm
and.zip
bundle for various platforms. This package is still available, but the plan is to stop building this at the end of 2023. Please make plans to discontinue use of thefusionauth-search
package if you are currently using it.- Resolves GitHub Issue #2532
- When the OpenID Connect or External JWT Identity Provider is configured to Link by Email and the IdP returns a claim named
email_verified
and the value isfalse
, the link request will be rejected. This change is intended to reduce the risk of linking on an un-verified email address.- Resolves GitHub Issue #2423
Security
- When an IdP is configured to Link by Email or Link by Username and a user already exists with this email or username respectively, perform additional validation to ensure the user does not already have an existing link to the current Identity Provider. This only affects IdP that allow for one to many tenants to be accessed through a single IdP configuration. In practice this means that the IdP cannot guarantee that an email address is considered globally unique and only assigned to a single user.
- Resolves GitHub Issue #2512
- A bug was identified in the
multipart/form-data
parser that may cause elevated CPU usage in some specific cases.- Resolves GitHub Issue #2385
Fixed
- Enhance the widget used in multi-value select controls to accept a value when pasting. For example, you may now paste a value from the clipboard directly into the
Authorized redirect URLs
field. While previously the paste operation worked, the user would have to click the value to confirm. If you clicked off of the field, the value would not be saved.- Resolves GitHub Issue #1784
- Correct the error message when a user has enabled MFA and a webhook returns a non-200 status code for the
user.login.success
event. The message will now correctly indicate the webhook has failed instead of the previously incorrect error indicating an invalid token was used.- Resolves GitHub Issue #1955
- When viewing an Email Template in the FusionAuth admin UI, two dialogs open instead of one. This was the result of two event handlers being bound instead of one.
- Resolves GitHub Issue #2304
- When using the asynchronous tenant delete, it is possible for the delete job to fail if the system is under heavy load. When this occurs the delete job status may not be correctly updated and you are stuck in a
Deleting
state. The asynchronous job processor has been enhanced to account for this potential failure condition so the job can be correctly restarted if necessary.- Resolves GitHub Issue #2307
- Correct a potential race condition that could cause a request to the
/.well-known/jwks.json
endpoint to exception and return a500
status code when under heavy load.- Resolves GitHub Issue #2390
- The Lambda metrics introduced in version
1.47.0
may not always correctly increment the failed count when a lambda invocation failed. This affects thelambda.[*].failures
andlambda.[{webhookId}].failures
metric names.- Resolves GitHub Issue #2408
- When using the
PATCH
method on the Tenant API, if you previously had any explicit webhooks configured for this tenant, the association between the tenant and the webhook was lost. If you are not using webhooks, or all of your webhooks are configured forAll tenants
(webhook.global
), this bug would not affect you.- Resolves GitHub Issue #2411
- Improve the validation for the Entity API to correctly validate the
type.id
value. Because this value was not being correctly validated, it means the API caller may receive a500
status code instead of a400
with a developer friendly JSON response body to indicate how the input can be corrected.- Resolves GitHub Issue #2412
- A critical bug was identified that caused FusionAuth to incorrectly identify users eligible for deletion based upon the tenant policy to delete users with an unverified email address. Until you have upgraded to version
1.48.0
please disableDelete unverified users
if you currently have enabledEmail verification
,Verify email when changed
andDelete unverified users
.- Resolves GitHub Issue #2441
- A bug was identified that affected several APIs when using the
PATCH
method with fields that require custom deserializers in FusionAuth. Affected APIs included Application, Connector, Message Template and Identity Provider. The symptom you will observe is a failed request with a500
status code.- Resolves GitHub Issue #2454
- When using PostgreSQL, under heavy load, a potential deadlock conditions exists when attempting to write login metrics to the database. MySQL database was not affected by this bug. If you were to encounter this bug you may observe some exceptions in the log related to the LoginQueue.
- Resolves GitHub Issue #2465
- Fix a JavaScript error that was preventing Audit Log searches by user from returning results.
- Resolves GitHub Issue #2470
- Resolve an issue where users could not enable two-factor authentication during authentication when they were not registered for the application. Thanks to @wproffitt-elder for reporting!
- Resolves GitHub Issue #2474
- When using the Refresh Token API, un-expired SSO sessions may be incorrectly omitted from the API response. The result of this bug is that an active SSO session may not be displayed in the FusionAuth admin UI. This has now been corrected, and the FusionAuth admin UI and the Refresh Token API will correctly return all valid SSO sessions.
- Resolves GitHub Issue #2489
- If the
search.servers
configuration value was not added to thefusionauth.properties
configuration file, and you omit theSEARCH_SERVERS
environment value, FusionAuth would fail to start. The correct behavior is for FusionAuth to default tohttp://localhost:9021
.- Resolves GitHub Issue #2507
Enhancements
- Enhance the User and Entity Search APIs to paginate beyond 10,000 results. The Search API response will now include a
nextResults
value that can be used to ask for the next set of search results which enables the API to paginate through the entire available result set.- See the Entity Search APIs and User Search APIs for API details.
- Resolves GitHub Issue #494
- When using the Webhook test action in the FusionAuth admin UI, additional information will now be returned if the webhook returns a non-200 status code. This should make it simpler to debug your webhook integration. Prior to this change, the response would only indicate if the response was successful or not.
- Resolves GitHub Issue #793
- When using the Webhook test action in the UI, changes to the example request body were not preserved. Changes will now be preserved across send requests for the browser session. This means a test can be run repeatedly without having to perform the same edits to the default event request body.
- Resolves GitHub Issue #797
- Support specifying webhook SSL certificates from Key Master. Prior to this enhancement, if you needed to specify an SSL certificate, it had to be added to the webhook in PEM format. You may now store this certificate in Key Master and then use this same certificate between webhooks.
This change is backwards compatible, but the ability to manually specify X.509 certificates in PEM format on the webhook configuration has been deprecated and may be removed in the future. See the Webhook APIsslCertificateKeyId
field for additional details.- Resolves GitHub Issue #883
- Modal dialogs in the FusionAuth admin UI can now be closed by using the escape key or by clicking outside of the modal.
- Resolves GitHub Issue #903
- Add support for signing webhook events with a SHA-256 hash function. This feature will allow consumers of FusionAuth events to verify the message body has not been modified. The signature is contained in a JWT and will be sent using an HTTP request header named
X-FusionAuth-Signature-JWT
. You may use existing JWT verification strategies including consuming the public key from the JWKS endpoint.- See the Signing Webhooks and Webhooks APIs for signing and verification details.
- Resolves GitHub Issue #1859
- Expose the
id_token
returned by the Identity Provider to the Reconcile Lambda function when available. If theid_token
is returned by the IdP and the signature can be verified it will be now be passed to the lambda function in thetokens
argument. Example:tokens.id_token
.- Resolves GitHub Issue #2189
- Add the
curl
command to the FusionAuth Docker image. This allows you to use thecurl
command for use in health checks or anytime you need to usecurl
!- Resolves GitHub Issue #2272
- Support for optional expansion of the
user.registrations
anduser.memberships
properties on the User Search API.
This change is backwards compatible, but you may optionally request the Search API omit these properties on the response which may improve performance. See the User Search API for additional details on using theexpand
request parameter, and theexpandable
response value.- Resolves GitHub Issue #2319
- Enhance the error messaging returned to the end user when using the Test SMTP button in the FusionAuth admin UI. This enhancement will make it easier to test your SMTP configuration.
- Resolves GitHub Issue #2373
- Reduce un-necessary logging when fuzzers send parameter names containing
class
.- Resolves GitHub Issue #2393
- When updating a theme, a validation error will be returned if you are missing messages. Currently the error response does include the missing message keys. This error response is now enhanced to return the keys and the default values from the default theme. This allows you to optionally parse the response for the missing keys and values.
- Resolves GitHub Issue #2427
- Expose the
access_token
returned by the Identity Provider to the Reconcile Lambda function. Theaccess_token
will now be passed to the lambda function in thetokens
argument. Example:tokens.access_token
.- Resolves GitHub Issue #2494
- When the
id_token
is returned from the IdP and the signature can be verified it will now be used to optionally resolve theuniqueIdClaim
in addition to theemailClaim
andusernameClaim
. This means you can configure theuniqueIdClaim
to a claim that is only available in theid_token
. Prior to this change, theid_token
could only be verified if it was signed using the an HMAC algorithm using theclient_secret
. With this change, if the IdP publishes public keys using the JWKS endpoint that is resolved from the.well-known/openid-configuration
FusionAuth will attempt to validate the signature.- Resolves GitHub Issue #2501
Internal
- Update dependencies to remove CVE scan warnings and to stay current. These upgrades are simply a precautionary measure to stay current.
- Upgrade
com.google.inject:guice
5.1.0
to6.0.0
- Upgrade
com.google.guava:guava
30.1.0
to32.1.2
- Upgrade
io.fusionauth:java-http
0.2.0
to0.2.9
- Upgrade
org.apache.kafka:kafka-clients
2.8.2
to3.6.0
- Upgrade
org.primeframework:prime-mvc
4.11.0
to4.17.1
- Upgrade
org.xerial.snappy:snappy-java
1.1.8.1
to1.1.10.4
- Resolves GitHub Issue #2385
- Upgrade
- Upgrade to the latest Java 17 LTS. Upgraded from
17.0.3+7
to17.0.8+1
.- Resolves GitHub Issue #2386
- Update the logging configuration when using the
fusionauth-search
distribution (.deb
,.rpm
, or.zip
) to be more consistent with thefusionauth-app
logging configuration. If you are using Elasticsearch or OpenSearch in Docker or other off the shelf installation of Elasticsearch or OpenSearch this change will not affect you.- Resolves GitHub Issue #2391
- Update the FusionAuth static file resolution configuration to further limit class path resolution. While no known security risks exist with the current behavior, it is not necessary.
- Resolves GitHub Issue #2462
Version 1.47.1
July 27th, 2023
Fixed
- Revert the GC (garbage collection) logging change introduced in version
1.47.0
for compatibility with the FusionAuth docker image.- Resolves GitHub Issue #2392, thanks to @pigletto and @patricknwn for reporting.
Version 1.47.0 - Performance Panther
July 25th, 2023
Please be sure to read the notes in the Changed section before upgrading.
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Known Issues
-
The garbage collection logging change introduced in version
1.47.0
was not compatible with the way the FusionAuth docker image was built. You will need to use version1.47.1
if you will be using the FusionAuth docker image.-
Resolved in version
1.47.1
via GitHub Issue #2392
-
Resolved in version
-
The
passwordValidationRules
variable may benull
on the first render of the Change Password themed page. If you had been referencing this field in your template, the render may fail.-
Resolved in version
1.49.1
via GitHub Issue #2616
-
Resolved in version
-
The CSRF token used with federated login is not being applied when all configured IdPs for an application use managed domains and an
/oauth2/authorize
request for the application includes anidp_hint
parameter.-
Resolved in version
1.53.3
via GitHub Issue #2764
-
Resolved in version
Security
- A race condition exists when using a refresh token with a one-time-use policy where the same token value could successfully be used twice to obtain a new access token. In practice this would be very difficult to replicate outside of a scripted example.
- Resolves GitHub Issue #1840 Thanks to @avitsrimer for reporting the issue!
- Use a CSRF token with all federated login requests. This change will add additional protection when using a federated login to ensure the login is completed from the same browser that started the login workflow. This mitigates an attack vector that can be used in phishing attacks where a victim could be convinced to click on a link that would cause the user to unknowingly complete a login.
- Resolves GitHub Issue #2238
Changed
- A change was made to the OAuth2 origin validation code. This change is not expected to cause any change in behavior for anyone with configured Authorized Origin URLs. The change is to inspect the port in addition to the schema and host when comparing the request and the
Referer
orHost
header to determine if the request has originated from FusionAuth. One possible edge case that could be affected is if you usinglocalhost
in development for both FusionAuth and another application. In this example, it is possible that FusionAuth was not validating the Origin of requests from your application running onlocalhost
correctly. If you encounter this case, you can either remove all Authorized Origin URLs from your configuration, or add the origin of your application so that it can be correctly validated. - Due to the necessary change related to adding a CSRF token when performing a federated login, a manual change may be required to your themed login pages. Please read through these details to understand if you will be affected.
If you are using any 3rd party IdP configurations such as OpenID Connect, SAML v2, Google, Facebook with a custom theme, you will need to make a modification to your template in order for federated login to continue to work correctly.
If you are not using any 3rd party IdP configurations, or you are not using a custom theme, no change will be necessary.
If you will be affected by this change, please review the following details and then make the update to your theme as part of your upgrade process.
- Find the
alternativeLogins
macro usage inoauth2Authorize
andoauth2Register
and addfederatedCSRFToken=federatedCSRFToken
as the last argument to this macro.
[#-- Updated macro usage. Line breaks added for readability. --]
[@helpers.alternativeLogins clientId=client_id
identityProviders=identityProviders
passwordlessEnabled=passwordlessEnabled
bootstrapWebauthnEnabled=bootstrapWebauthnEnabled
idpRedirectState=idpRedirectState
federatedCSRFToken=federatedCSRFToken/]
- Find the macro named
alternativeLogins
inhelpers
and addfederatedCSRFToken=""
as the last argument to this macro.
[#-- Updated macro in helpers. Line breaks added for readability. --]
[#macro alternativeLogins clientId
identityProviders
passwordlessEnabled
bootstrapWebauthnEnabled=false
idpRedirectState=""
federatedCSRFToken=""]
- Find the element
<div class="login-button-container">
in the macro namedalternativeLogins
inhelpers
and addid="login-button-container"
anddata-federated-csrf="${federatedCSRFToken}"
attributes.
[#-- Updated div in alternativeLogins macro. Line breaks added for readability. --]
<div id="login-button-container"
class="login-button-container"
data-federated-csrf="${federatedCSRFToken}">
Fixed
- Ensure a signed AuthN request always has the
Signature
element as the next sibling after theIssuer
element. This bug may cause some SAML v2 services provides to reject the signature of an AuthN request sent from FusionAuth.- Resolves GitHub Issue #2348
- Upgrade our phone number validation to include the Kosovo country code of
+383
. This upgrade will add support for various other country codes as well. See linked GitHub issue for more detail.- Resolves GitHub Issue #2355
- Defend against corporate link “checkers” such as Outlook Safe Links and Google Workspace during the Change Password email workflow. This fix resolves a specific symptom that may occur when a link sent to a user during a change password workflow and the user has multi-factor authentication enabled. The symptom the end user may encounter is that multiple codes may be sent to the user during this workflow. When the two-factor method is email, multiple emails may be received, and when two-factor method is SMS, multiple SMS messages may be received. The cause of this symptom is that the link is being inspected by an intermediate party prior to the user’s browser loading the link which functionally means the request is made more than once.
- Resolves GitHub Issue #2360
- Improve locale validation, and restrict the number of preferred languages per user to 20. This should not have any practical impact on users of FusionAuth, but it will better protect FusionAuth from storing erroneous values for the user’s preferred languages. If you have users that speak more than 20 languages, you will need to ask them to pick their top 20 favorites. 😎
- Resolves GitHub Issue #2363
- Improve username validation. This length limitation was already enforced by the schema, but the error message was not developer friendly. This change will add a proper validation error in the API response.
- Resolves GitHub Issue #2368
- Update the Tenant view dialog in the admin UI to reflect the changes made to the
/.well-known/openid-configuration
endpoint in version1.46.0
. This is a cosmetic change only, and does not include any functional fixes.- Resolves GitHub Issue #2333
- Fix Tenant select control on Group index page in the admin UI when only a single tenant is configured. This is just a cosmetic fix to how the form was being rendered.
- Resolves GitHub Issue #2338
- Reduce Kafka logging. So noisy.
- Resolves GitHub Issue #2359
- Protect the Kafka event sender from sending events related to it’s own failure. This protects us from overloading the Kafka topic.
- Resolves GitHub Issue #2362
- Fix the
user.registration.update.complete
event to include the updates roles if applicable.- Resolves GitHub Issue #1898, thanks to @sjswami for reporting the issue!
- Better defense against a truncated
oauth_context
request parameter. This parameter is passed around during various OAuth2 workflows to maintain context. This changes allows FusionAuth to fail more gracefully if this is value is intentionally or un-intentionally modified by a 3rd party.- Resolves GitHub Issue #2382
Enhancements
- Add
user.preferredLanguages
to the basic self-service registration to allow a user’s preferred language to be collected and then utilized to send localized emails without using advanced self-service registration.- Resolves GitHub Issue #1738, thanks to @glen-84 and @geoalexidis for their input and patience while we delivered this enhancement.
- Improve handling of cache reload requests under heavy load. This should improve system performance at scale when mass creating or deleting of various items such as applications and keys.
- Resolves GitHub Issue #2318
- Add timers and metrics around lambda invocations and the use of HTTP Connect within a lambda function. This should help customers tune and manage lambdas by providing additional insight into the total execution time.
- Resolves GitHub Issue #2389
- Add configuration to accept any named parameter as a login hint coming from the SAML v2 SP when FusionAuth is acting as the SAML v2 IdP. Prior to this change, FusionAuth would accept
login_hint
if provided on the request. However, this value can not be configured or optionally disabled.- Resolves GitHub Issue #2222
- Add
identityProviderName
to the IdP Link API response.- Resolves GitHub Issue #2337
New
- Support SAML v2 assertion encryption when FusionAuth is acting as the SAML v2 IdP. This means FusionAuth is now compatible with a SAML v2 SP that requires encrypted assertions.
- Resolves GitHub Issue #1741, thanks @annismckenzie for the request! This is a great addition to FusionAuth.
Internal
- Add aggregate HTTP request timers and metrics that can be retrieved by the Status API and Prometheus Metrics API.
- Resolves GitHub Issue #2369
- Update dependencies.
- Resolves GitHub Issue #2344
- Resolves GitHub Issue #2384
- Enable GC (garbage collection) logging. A new log named
fusionauth-app.gc.log
will be found in the log directory.- Resolves GitHub Issue #2388
- Improve performance and overhead when downloading and storing the IP location database required for resolving location meta-data for logins by IP address.
- Resolves GitHub Issue #2195
Version 1.46.0
June 19th, 2023
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Security
- An edge case exists where the CAPTCHA may be bypassed when using Advanced Registration forms.
- Resolves GitHub Issue #2221
- Perform additional validation on the
user_code
when completing a Device Grant by way of the Authorization Code Grant, Implicit Grant, or Password Credentials Grant.- Resolves GitHub Issue #2228
- Perform additional defensive validation on self-service edit form.
- Resolves GitHub Issue #2234
- Mitigate a potential directory traversal attack. CloudFlare, AWS and similar cloud providers will generally block these requests by default.
- Please note, FusionAuth Cloud customers are not vulnerable to this type of attack.
- Resolves GitHub Issue #2299
Fixed
- Always send email verification on user email change when configured for user self-service
- Resolves GitHub Issue #2210
- Resolve a JavaScript bug when enabling MFA during login. The bug caused an error to be written to the JavaScript console, but no functional errors occurred.
- Resolves GitHub Issue #2296
- When the
user.login.success
is configured to be transactional and the webhook returns a non200
status code when the event is fired during the final step of the change password workflow, the failed webhook may not fail the login attempt.- Resolves GitHub Issue #2288
- When enabling IdP initiated login on a SAMLv2 IdP, the base ACS URL is hidden in the view dialog
- Resolves GitHub Issue #2146
- When an
applicationId
is provided on a Two Factor Start or Send APIs, the application variable may not available in the email template.- Resolves GitHub Issue #2149
- APIs that optionally take a
sourceId
to indicate you wish to copy will now fail validation if you provide additional parameters in the body that will otherwise be ignored.- Resolves GitHub Issue #2004, thanks to @Pycnomerus for the suggestion!
- When adding a user to multiple Groups using the
/api/group/member
API, the request may fail.- Resolves GitHub Issue #2197
- When using a wildcard for authorized origin URL, you may receive an invalid origin error.
- Resolves GitHub Issue #2227, thanks to @beezerk23 for letting us know!
- The memory value for
fusionauth-app.memory
set in thefusionauth.properties
file may not be set correctly.- Resolves GitHub Issue #2284
- When using custom data with nested values such as
user.data.company.name
anduser.data.company.id
in an Advanced Registration form the nested values may not be properly persisted.- Resolves GitHub Issue #2239
- When using the admin UI to update an IdP with >6k applications the request may cause a database error.
- Resolves GitHub Issue #2262
- Add index
entity_user_grants
to increaseSELECT
performance- Resolves GitHub Issue #2245
- When using the
validateJWT
method in the FusionAuth Java REST Client, theexp
oriat
claims may have the incorrect precision.- Resolves GitHub Issue #2275
- OpenAPI spec missing some endpoints
- Resolves GitHub Issue #2247
- A change in behavior was introduced in version
1.41.0
that may cause an error when accessing FusionAuth in Docker. The change was how theHost
header was being parsed to pick up the local port.- Resolves GitHub Issue #2250, thanks to @MarekUniq for his report, persistence and contribution to java-http!
- The
user.create.complete
anduser.registration.create.complete
events may be sent before the transaction has closed during IdP Login.- Resolves GitHub Issue #2233
- Correct the internal authentication to receive an internal webhook between FusionAuth service nodes. If you encounter this error, you may see errors in the event log that mention
returned response code [401] when sending [JWTRefreshTokenRevoke] event
. This error was introduced in version1.37.0
and the error only occurs when you have more than one FusionAuth service node.- Resolves GitHub Issue #2257
- When you have enabled Implicit Email Verification, when completing a Multi-Factor login, a
user.email.verified
event may be sent even if the user has already verified their email address.- Resolves GitHub Issue #2258
- When the
user.reactivate
event is configured to be transactional and the webhook returns a non200
status code, the transaction may not be correctly rolled back.- Resolves GitHub Issue #2281
- When making a request to the self-service pages, such as
/account/
ensure any additional query parameters are preserved through a login workflow.- Resolves GitHub Issue #2282
- When the
user.create
event is configured to be transactional, ensure the Setup Password email is not sent if auser.create
webhook returns a non200
status code.- Resolves GitHub Issue #2287
- When using the Device Grant with the
/oauth2/device
themed page, you may be shown a Logout button if an SSO session exists during this workflow. Clicking this button will log the user out of the SSO session and return to this page. This fixes the logout link so that you do not receive an error when returning to the/oauth2/device
page. A workaround is documented in the linked GitHub issue.- Resolves GitHub Issue #2331
Enhancements
- The OAuth2 Introspect endpoint now optionally takes a
client_secret
.- Resolves GitHub Issue #1100
- A token obtained from the Client Credentials Grant may now be used with the OAuth2 Introspect endpoint.
- Resolves GitHub Issue #1434
- An additional JWT Expiration Policy is now available to configure a sliding window with a maximum lifetime.
- Resolves GitHub Issue #1729
- The OpenID Connect discovery endpoint will now accept the
tenantId
as a URL segment. This should make it easier to integrate with providers that would not otherwise allow a query parameter on this URL to specify thetenantId
.- Resolves GitHub Issue #2259
- Provide a validation error when using the
/api/jwt/reconcile
API with any IdP typeExternalJWT
.- Resolves GitHub Issue #2074
- Add configuration to allow unauthenticated access to
/api/status
and/api/prometheus/metrics
APIs from localhost.- Resolves GitHub Issue #2310
- Add additional support in the default theme to use Google reCAPTCHA v2 in an invisible mode w/ CAPTCHA fallback.
- Resolves GitHub Issue #2237
- Allow any string value in the
metaData.device.type
property on various APIs.
New
- Allow Device Grant to be completed out of band.
- New API
/oauth2/device/approve
- New API
/oauth2/device/user-code
- Resolves GitHub Issue #2218
- New API
- New API to retrieve a pending IdP link.
- New API
/api/identity-provider/link/pending
- Resolves GitHub Issue #2218
- New API
Internal
- Upgrade Apache FreeMarker from version
2.3.30
to2.3.32
.- Resolves GitHub Issue #2214
- Upgrade FusionAuth Java HTTP dependency from version
0.1.13
to0.1.14
.- Resolves GitHub Issue #2299
- Upgrade Prime MVC dependency from version
4.7.1
to4.9.10
.- Resolves GitHub Issue #2299
Version 1.45.4
July 25th, 2023
Fixed
- Ensure we correctly handle a truncated or malformed
oauth_context
request parameter when using the hosted login pages.- Resolves GitHub Issue #2382
Version 1.45.3
May 31st, 2023
Fixed
-
Update
fusionauth/java-http
to the most recent version to pick up a bug fix.This fixes a very low level HTTP server bug. In some rare cases, the HTTP response handler may not identify the end of the stream and effectively truncate the response body. It is difficult to say how may affect your integration if you were to encounter it. If you were to make an API call with a large response body, it may be possible the response would not include a valid JSON object if the response is truncated. When this error occurs, the HTTP status code will be valid, but the response will be truncated or non-existent. For additional detail see the linked commit in the linked GitHub issue.
- Resolves GitHub Issue #2292
Version 1.45.2
May 8th, 2023
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Fixed
-
If you have configured an access token signing key specific to an entity type, the signing key configuration may revert to the tenant configuration after upgrading to this version.
It is recommended to upgrade to this version at a minimum if you are coming from a version prior to version
1.45.0
.- For more information on this issue, see the Known Issues in the
1.45.0
release notes. - Resolves GitHub Issue #2249
- For more information on this issue, see the Known Issues in the
Version 1.45.1
April 14th, 2023
Changed
- Add additional validation when adding authorized origin to the OAuth2 configuration to ensure the values do not include a path or query string. This change will only affect validation when adding or editing the application configuration. This change will not affect existing configured origins or their use at runtime.
- Resolves GitHub Issue #2185
Fixed
- Support for wildcard configuration when using
post_logout_redirect_uri
parameter on the OAuth2 Logout request.- Resolves GitHub Issue #2164
- Fix salt validation for the
phpass-md5
orphpass-sha512
. This will allow the import of users with this password hash when the salt includes a.
(period) character.- Resolves GitHub Issue #2206
Version 1.45.0
April 10th, 2023
Known Issues
-
When importing users using the
phpass-md5
orphpass-sha512
schemes shipped in this release, if the salt contains a period (.
) the import will fail validation.- Resolved in version
1.45.1
via GitHub Issue #2206
- Resolved in version
-
If you have configured an access token signing key specific to an entity type, the signing key configuration may revert to the tenant configuration after upgrading to this version.
If you wish to upgrade before a fix is available, please document your access token signing key configuration for each entity type that has provided a specific signing configuration. Then, once the upgrade has completed, review each entity type and confirm the correct signing key configuration. If the configuration is not correct, set the signing key to the previously documented signing key.
To verify if this issue may affect you during upgrade, confirm your signing configuration for each configured entity type.
- Navigate to Entity Management -> Entity Types -> Edit -> JWT .
- If you have not enabled Entity Type specific JWT signing, this section will be collapsed and this entity type will not be affected during upgrade. If the signing configuration is enabled and you have configured a key for the
Access token signing key
field, you may be affected. Please record this setting and ensure it has not changed after the upgrade has completed.
If you have not yet upgraded to version
1.45.0
, it is recommended to move to version1.45.2
or later at a minimum and skip this version if you have confirmed you may be affected by this issue.- Resolved in
1.45.2
via GitHub Issue #2249
Security
- Update usage of
verificationId
on gated email or registration verification pages when configured to use a clickable link instead of a short code.- Resolves GitHub Issue #2182
- Update 3rd party dependencies to remove CVE scan warnings. No known exploits are vulnerabilities exist in FusionAuth as the result of using these 3rd party clients. These upgrades are simply a precautionary measure to stay current.
- Upgrade Elasticsearch client from version
7.10.2
to7.13.4
. - Upgrade GraalJS from version
22.3.0
to22.3.1
. - Resolves GitHub Issue #2183
- Upgrade Elasticsearch client from version
Fixed
- Validate the length of an entity name in order to provide a more friendly validation error message.
- Resolves GitHub Issue #2089
- Updates to the OpenAPI spec to correct an error related to
BaseSAMLv2IdentityProvider
.- Resolves GitHub Issue #2103
- Review and correct tooltips in the admin UI for Application specific email templates.
- Resolves GitHub Issue #2163
Enhancements
-
De-couple the self-service themed account pages from SSO. You may now use the self-service account pages even if you choose not to preserve your SSO session. For example, you can un-check the “Keep me signed in” checkbox and still use the self-service pages.
Also allow the self-service account session to be bootstrapped from a mobile application using token authentication, also known as the
Bearer
authentication scheme. This mechanism provides access to the self-service themed pages even if you are unable to share cookies with the web view used to complete login.Example request header:
Authorization: Bearer <access_token>
- Resolves GitHub Issue #1546, thanks to @ansonallard for the suggestion!
- Resolves GitHub Issue #1860
New
-
Add a policy to require a user to provide their current password when changing a password on the self-service account pages. See Applications -> Edit -> Registration -> Form settings -> Require current password .
- Resolves GitHub Issue #1578
-
Integrate the Authorization Code grant workflow into FusionAuth for use with single page web applications. This feature may be used with the FusionAuth React or Angular SDKs to support the use of the Authorization Code grant without having to write any backend code.
And there was much rejoicing. 😅
- Resolves GitHub Issue #1943
-
New Search APIs. These new APIs provide search and pagination capability across more APIs and may increase performance when using the FusionAuth admin UI with larger numbers of Tenants and Applications.
Applications, Consents, Groups, Tenants, Themes, Keys, API keys, User Comments, Email Templates, Identity Providers, Webhooks, and Lambdas. (🦁 🐯 🐻 … oh my!)
- Resolves GitHub Issue #2055
- Resolves GitHub Issue #2056
- Resolves GitHub Issue #2057
- Resolves GitHub Issue #2058
- Resolves GitHub Issue #2059
- Resolves GitHub Issue #2060
- Resolves GitHub Issue #2061
- Resolves GitHub Issue #2064
- Resolves GitHub Issue #2065
- Resolves GitHub Issue #2066
- Resolves GitHub Issue #2067
- Resolves GitHub Issue #2068
-
Add support for Drupal MD5, SHA-512 hashes for easier import
- New schemes include
phpass-md5
andphppass-sha512
. - See phpass MD5 and phpass SHA-512 for additional details.
- Resolves GitHub Issue #2165
- New schemes include
Internal
- Fix JSON exclusions for ignoring foreign keys.
- Resolves GitHub Issue #2198
Version 1.44.0
March 13th, 2023
Additional details
This migration will add an index to the identity_provider_links
table. It is not expected to negatively impact the migration time during upgrade, but please be aware that deployments with millions of Identity Provider Links may experience additional processing time during the migration.]
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Fixed
- A Lambda invocation may incorrectly fail indicating a recursive call was attempted. This is unlikely to occur, but under heavy load, it is possible.
- Resolves GitHub Issue #2102
- The Application API was failing to make a copy when using
sourceApplicationId
when the source Application has enabled and configured the SAML v2 IdP. This is a bug in a new feature that was added in version1.43.0
.- Resolves GitHub Issue #2118
Enhancements
- Add default configuration for read and connect timeouts to the SMTP server configuration. This helps protect FusionAuth against an SMTP server that never closes a socket. From time to time we observed an SMTP server hold open a socket, and tie up a send thread which may block other senders. This includes the
mail.smtp.timeout
andmail.smtp.connectiontimeout
settings. The default value is2000
for each. These may be overridden by navigating to theAdvanced
tab in your tenant and adding them to theSMTP settings
section.- Resolves GitHub Issue #1742
- Change Link API request body to match the response. Backwards compatibility is maintained, but this provides a more consistent API feel.
- Resolves GitHub Issue #1747
- Update the Google IdP JavaScript in the themed pages. This change removes the deprecated Google JavaScript library, and adds support for One Tap.
- Resolves GitHub Issue #1939, thanks to @Brunom50, @harishreddy-m, @forteilgmbh for their contribution.
- Return a
404
with status only for anything under/api/*
instead of rendering a404
page with HTML. It just seems like the right thing to do. Nobody wants HTML in their APIs!- Resolves GitHub Issue #2109
- Add a new index to the
identity_provider_links
table to increase performance. Better. Faster. Stronger.- Resolves GitHub Issue #2122
- Add
apiMode: [Public|Partner]
to allow the user to select between the public or partner Steam API. The Partner API is preferred if you have access to it because it is not rate limited.- Resolves GitHub Issue #2127
Internal
- Use
Cache-Control: no-store
more broadly in the FusionAuth admin application.- Resolves GitHub Issue #2097