Archived Release Notes
Looking for release notes newer than 1.43.2? Look at the latest release notes.
Version 1.43.2
July 9th, 2023
Changed
- The User and User Registration APIs will now restrict `user.preferredLanguages` and `registration.preferredLanguages` to a maximum of `20` values. Additionally, each value can be no longer than `24` characters. This change is not expected to impact any existing integrations. Do let us know if you have a use case that is not compatible with this change.
Fixed
- When an event fails to be sent to a Kafka topic, do not attempt to send an `event-log.create` event that results from the failed request. Correct an edge case that exists where an `event-log.create` event fails to be sent to a Kafka topic, and this error causes another `event-log.create` event to be triggered.
- Resolves GitHub Issue #2362
- Limit the length of a valid value for `user.preferredLanguages` and `registration.preferredLanguages` to a maximum of `24` characters, and restrict the total number of values to `20` or less.
- Resolves GitHub Issue #2363
Internal
- Reduce Kafka logging to make it much less noisy at runtime
- Resolves GitHub Issue #2359
Version 1.43.1
March 6th, 2023
Fixed
- Correct a potential FreeMarker render error caused by a missing CSRF token when performing a SAML v2 IdP initiated login to the FusionAuth admin UI. This error is a side effect of the caller not requesting the `scope=offline_access` parameter. With this fix, you should no longer encounter the error, and the `offline_access` scope is now optional on the request. A workaround is to request the `offline_access` scope.
- Resolves GitHub Issue #2125
Version 1.43.0
February 15th, 2023
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Known Issues
- Creating a new application from another application with `sourceApplicationId` returns a `500` error when the source application has SAML v2 enabled and configured. If you have not configured SAML v2, you will not be affected by this issue. Workaround is to call the Create Application API without the `sourceApplicationId` parameter and supply all the parameters copied from the source application.
- Resolved in `1.44.0` via GitHub Issue #2118.
Fixed
- Support importing an x.509 certificate with a private key into KeyMaster in the admin UI.
- Resolves GitHub Issue #1805, thanks to @konvergence for reporting!
- When using the Forgot Password workflow on the FusionAuth login page with a user without an email address, the page would refresh instead of redirecting to the success screen indicating an email had been sent.
- Resolves GitHub Issue #1809, thanks to one of our MVPs @epbensimpson for letting us know.
- The Change Password API was incorrectly failing indicating a Trust Token was required even when provided if the user has MFA enabled.
- Resolves GitHub Issue #1909, thanks to @timyourivh for the report!
- Ensure that we correctly terminate an SSO session when beginning a new passwordless login flow with a different user in the same browser.
- Resolves GitHub Issue #1912
- Fix various limitations with adding a consent to a self-service account form.
- Resolves GitHub Issue #1920
- An error may occur when logging into the FusionAuth admin UI with an IdP initiated request from a SAML v2 IdP.
- Resolves GitHub Issue #1941, thanks to @jon-at-advarra for filing the bug!
- An error may occur when logging into the FusionAuth admin UI with an IdP initiated request from a SAML v2 IdP and then navigating to your own profile page.
- Resolves GitHub Issue #1976, thanks to @jon-at-advarra, this was a great edge case.
- When taking a User Action, the duration is localized for the event. The localization is only available for a fixed number of locales. When an unsupported locale, such as Serbian, is requested, an exception will occur. This has been fixed to avoid the exception, and if an unsupported Locale is requested, English will be used as the default.
- Resolves GitHub Issue #1978
- When sending a test event to verify the Kafka configuration, the topic was not being validated as required.
- Resolves GitHub Issue #1985, thanks to @sixhobbits, nice catch!
- When completing the forgot password workflow using the FusionAuth themed pages outside of an OAuth context, you may receive an error that says `Oops. It looks like you've gotten here by accident.`
- Resolves GitHub Issue #1989
- Update the Email Template preview in the view dialog to be consistent with the preview in the edit page.
- Resolves GitHub Issue #2007, thanks to @lancegliser for pointing this out!
- Restrict the Two Factor Trust during a Change Password request to be used for the workflow that started the request.
- Resolves GitHub Issue #2010
- Fix the edit Form Field in the FusionAuth admin UI for a consent field.
- Resolves GitHub Issue #2026
- Using password reset to unlock account may not work when MFA is enabled for the user. This is a bug in this new feature that was added in version `1.42.0`.
- Resolves GitHub Issue #2032
Enhancements
- Additional configuration for the Apple IdP to support login from Mobile and Desktop.
- Resolves GitHub Issue #778, thanks to @johnmaia for his persistence!
- Resolves GitHub Issue #1248, thanks to @Brunom50 for documenting this limitation.
- Update the System Log viewer in the FusionAuth admin UI to order logs for easier viewing pleasure.
- Resolves GitHub Issue #1612
- Allow Forgot Password API usage when the Forgot Password Email template is not configured if `sendForgotPasswordEmail` is `false`.
- Resolves GitHub Issue #1735, thanks to @epbensimpson for the suggestion.
- Provide better developer feedback on the Change Password API when using an API key.
- Resolves GitHub Issue #1897, thanks to @sujkattimani for the feedback!
- Allow the SAML v2 IdP to be used for both SP and IdP initiated login. Previously to utilize SP and IdP initiated login for the same SAML v2 IdP, you would have to create two separate configurations. It is still recommended to use the separate SAML v2 IdP initiated configuration if you will not be using an SP initiated login.
- Resolves GitHub Issue #1900, thanks to @leesmith110 for opening the issue and providing us so much valuable feedback.
- Support for PostgreSQL 15
- Resolves GitHub Issue #1944
- Resolves GitHub Issue #2015
- Add an option to include archived logs in gzip format on the System Log Download API. This will be the default when downloading the logs in the FusionAuth admin UI.
- Resolves GitHub Issue #1942
- Allow the login hint that is passed to a 3rd Party SAML v2 IdP to be configured. Previously this was always `login_hint`, but Azure will expect `username`; this can now be configured.
- Resolves GitHub Issue #1946
- Add `sourceApplicationId` to the Application API to create an app from an existing Application to copy settings. This allows you to more easily use a single Application as a template, or to just make a copy.
- Resolves GitHub Issue #1957
- Ship default email templates for Add and Remove Multi-Factor methods.
- Resolves GitHub Issue #1993
- Add additional SAML IdP config to allow advanced assertion capabilities such as allow any destination, or alternate values. This is sort of a dangerous power user feature, but can be useful when migrating IdP configurations into FusionAuth w/out requiring each IdP to update their ACS.
- Resolves GitHub Issue #1995
- Add additional detail to the edit registration form in the FusionAuth admin UI so you know which user you are editing. Seemed like a good idea.
- Resolves GitHub Issue #2045
- Do not validate `Content-Type` when a payload has not been provided.
- Resolves GitHub Issue #2085
New
- Support for wild cards in OAuth2 Authorized Origin and Authorized Redirect URL configurations. Use with caution - but have fun with it!
- Resolves GitHub Issue #437. This one has been a long time coming, and we really appreciate all of the feedback and suggestions on this issue. In chronological order, thank you to @SeanStayn, @Jank1310, @JuliusPC, @dystopiandev, @alessandrojcm, @sjmog, @huysentruitw and @mdnadm.
- Support for native TLS configuration in the FusionAuth HTTP server without the requirement to use a proxy with TLS termination.
- Resolves GitHub Issue #1996
- Add support for the `salted-pbkdf2-hmac-sha512-512` password hash algorithm.
- See Salted PBKDF2 HMAC SHA-512 for additional details.
- Resolves GitHub Issue #2054
Version 1.42.1
January 8th, 2023
Fixed
- A regression error in version `1.42.0` may cause a user to no longer be able to login after a successful login. In order to encounter this bug, you must have your tenant configured to re-hash passwords on login, and have a user log in whose password encryption scheme or factor does not match the configured tenant defaults. If you may have this type of configuration, please do not upgrade to version `1.42.0` and instead upgrade directly to this version.
- Resolves GitHub Issue #2043
Version 1.42.0
December 7th, 2022
Known Issues
- In this release, you may now create a policy to allow a user to unlock their account after too many failed login attempts by completing a forgot password workflow. A bug was identified in this new feature that may cause this workflow to fail if the user also has 2FA enabled.
- Resolved in `1.43.0` via GitHub Issue #2032
- An error was introduced that may, after one successful login, cause subsequent logins to fail for a user. In order to encounter this bug, you must have your tenant configured to re-hash passwords on login, and have a user log in whose password encryption scheme or factor does not match the configured tenant defaults. If you may have this type of configuration, please do not upgrade to version `1.42.0` and instead upgrade directly to version `1.42.1`.
- Resolved in `1.42.1` via GitHub Issue #2043
Changed
- When building a WebAuthn credential, the user’s current email address or username will now be used as the credential name. Previously this value was generated to be unique to help the user identify multiple credentials. However, Safari on macOS and Edge on Windows may display this value to the end user, so this will no longer be generated but set to a value the user should recognize.
- Resolves GitHub Issue #1929
- New themed templates for enabling two-factor authentication during login. Please review your themes to ensure the new templates and localized messages are added.
theme.templates.oauth2TwoFactorEnable -> /oauth2/two-factor-enable
theme.templates.oauth2TwoFactorEnableComplete -> /oauth2/two-factor-enable-complete
- Related GitHub Issue #197
Fixed
- Minor WebAuthn related fixes.
- Resolves GitHub Issue #1979
- Resolves GitHub Issue #1986
- When providing both the `entityId` and `userId` on the Entity Search API, an exception will occur.
- Resolves GitHub Issue #1883
- Remove SCIM endpoints from the API key configuration in the admin UI, these endpoints do not use API keys.
- Resolves GitHub Issue #1987
- Fix various rendering issues with the Theme preview in the admin UI
- Resolves GitHub Issue #1755, thanks to Steve-MP for reporting!
Enhancements
- Allow a user to unlock their account after being locked due to too many failed authentication attempts by completing a password reset workflow. See the `Cancel action on password reset` option in the Tenant configuration under `Tenants > Edit > Password > Failed authentication settings`.
- Resolves GitHub Issue #383, thanks @colingm for the request, and @davidmw and @Jlintonjr for the advice and feedback!
- Use the existing tenant configuration for `modifyEncryptionSchemeOnLogin` to also update the hash when changed.
- Resolves GitHub Issue #1062
- Add additional configuration to the `Failed authentication settings` in the tenant configuration to optionally email the user when the configured action is also configured to allow emailing.
- Resolves GitHub Issue #1823
- Update the `System > About` panel in the admin UI to report OpenSearch when using OpenSearch instead of Elasticsearch.
- Resolves GitHub Issue #1982
New
- Additional Multi-Factor policy option to require a user to enable multi-factor during login if not yet configured. See `Tenants > Edit > MFA > Policies > On login > Required`. Application specific configuration can also be configured, see `Applications > Edit > MFA > Policies > On login > Required`; using the application configuration requires an Enterprise plan.
- Resolves GitHub Issue #197
- Allow refresh tokens to be revoked for a user when enabling two-factor authentication. See `Tenants > Edit > JWT > Refresh token settings > Refresh token revocation > On multi-factor enable`.
- Resolves GitHub Issue #1794
- A new lambda function can be assigned to perform custom validation for any step during a self-service registration. This feature is only available when using a custom form, and is not available when using basic self-service registration. This may be useful to perform advanced field validation, or to call a 3rd party API to perform additional identity verification.
- Resolves GitHub Issue #1833
Version 1.41.3
November 21st, 2022
Security
- Mitigate a potential directory traversal attack. CloudFlare, AWS and similar cloud providers will generally block these requests by default.
- Please note, FusionAuth Cloud customers are not vulnerable to this type of attack.
Version 1.41.2
November 17th, 2022
Fixed
- Allow licensed features such as SCIM or WebAuthn to be configured during kickstart.
- Resolves GitHub Issue #1969
Version 1.41.1
November 16th, 2022
Security
- Remove the app template files from the classpath.
- Resolves GitHub Issue #1964, thanks to @vtcdanh for reporting.
Fixed
- Improve synchronization of a user during a connector login. Specifically, allow previously obtained refresh tokens to be preserved during the user update procedures during a connector synchronization event.
- Resolves GitHub Issue #1907, thanks to @yuezhou1998 for letting us know.
- Allow for invalid language values to be provided in the `Accept-Language` HTTP request header. When an invalid language is provided, the `Accept-Language` header will be discarded.
- Resolves GitHub Issue #1958
- Better support for beginning a forgot password workflow using the API and completing the workflow in a themed page when a user also has 2FA enabled.
- Resolves GitHub Issue #1965
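As an added illustration of the `Accept-Language` handling described in this release (example code, not FusionAuth's implementation), the parser below validates each header element against the RFC 4647 language-range and RFC 7231 q-value syntax and discards the whole header, falling back to a default locale, when any element is malformed such as the POSIX-style `en_US`. The `choose_locale` helper and its fallback from a region-specific tag to its primary language are assumptions of this example.

```python
import re
from typing import List, Optional, Tuple

# Language-range syntax from RFC 4647 section 2.1: "*" or a 1-8 letter primary subtag
# followed by any number of 1-8 character alphanumeric subtags, joined by "-".
_LANGUAGE_RANGE = re.compile(r"^(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)$")
# qvalue syntax from RFC 7231 section 5.3.1: 0 to 1 with at most three decimals.
_QVALUE = re.compile(r"^(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)$")


def parse_accept_language(header: str) -> Optional[List[Tuple[str, float]]]:
    """Parse an Accept-Language value into (language-range, q) pairs, most preferred first.

    Returns None when any element is malformed, which is the "discard the whole header"
    behaviour the release note describes; an empty header yields an empty list.
    """
    if not header.strip():
        return []
    entries: List[Tuple[str, float]] = []
    for element in header.split(","):
        element = element.strip()
        if not element:  # RFC 7230 tolerates empty list elements such as "en,,fr"
            continue
        parts = [p.strip() for p in element.split(";")]
        language_range, params = parts[0], parts[1:]
        if not _LANGUAGE_RANGE.match(language_range):
            return None
        q = 1.0
        for param in params:
            name, sep, value = param.partition("=")
            if sep != "=" or name.strip().lower() != "q" or not _QVALUE.match(value.strip()):
                return None  # unknown parameter or malformed weight
            q = float(value.strip())
        entries.append((language_range, q))
    # A stable sort keeps the header's own order among equal weights.
    return sorted(entries, key=lambda entry: -entry[1])


def choose_locale(header: str, supported: List[str], default: str) -> str:
    """Pick the best supported locale; an invalid header is discarded and `default` used."""
    preferences = parse_accept_language(header)
    if preferences is None:
        return default
    supported_lower = {tag.lower(): tag for tag in supported}
    for language_range, q in preferences:
        if q == 0.0:
            continue  # q=0 means "not acceptable"
        if language_range == "*":
            return default
        tag = language_range.lower()
        if tag in supported_lower:
            return supported_lower[tag]
        primary = tag.split("-")[0]
        if primary in supported_lower:  # e.g. fr-CH falls back to fr (example's own rule)
            return supported_lower[primary]
    return default


if __name__ == "__main__":
    print(choose_locale("fr-CH, fr;q=0.9, en;q=0.8", ["en", "fr"], "en"))
    print(choose_locale("en_US", ["en", "fr", "de"], "de"))
```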
Version 1.41.0
November 10th, 2022
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Known Issues
- A change to the FusionAuth HTTP server may cause issues with reverse proxies that default upstream connections to `HTTP/1.0`. The HTTP server we are using no longer supports `HTTP/1.0`. We have identified that `nginx` defaults all upstream connections to `HTTP/1.0`. For `nginx` specifically, you will need to set the proxy version by adding `proxy_http_version 1.1;` to your proxy config.
Security
- Update `com.fasterxml.jackson.*` dependencies to version `2.14.0`. This update is proactive; there are no known exploits. See [CVE-2022-42003](https://nvd.nist.gov/vuln/detail/CVE-2022-42003) and [CVE-2022-42004](https://nvd.nist.gov/vuln/detail/CVE-2022-42004).
- Resolves GitHub Issue #1913
Changed
- New themed pages added for WebAuthn. Please review your themes to ensure the new templates and localized messages are added.
- WebAuthn re-authentication requires a new hidden form field named `userVerifyingPlatformAuthenticatorAvailable` to detect compatible devices/browsers and prompt the user to register a passkey. You can view the default templates to determine in which form to insert this field into any customized templates. This field must be present on the following pages:
- OAuth authorize
- OAuth complete registration
- OAuth passwordless
- OAuth register
- OAuth two-factor
- OAuth WebAuthn (new)
Fixed
- Correct signature verification of a SAML v2 AuthN response after the certificate has been removed from Key Master.
- Resolves GitHub #1906
- An exception may be thrown when there are no keys to be returned from the `/api/jwt/public-key` when requesting keys by an `applicationId`.
- Resolves GitHub Issue #1918
- When using Firefox, using the SSO logout a zero byte file may be downloaded.
- Resolves GitHub Issue #1934
- When multiple webhooks are configured, and more than one webhook is configured to receive the `event-log.create` event, a failed webhook may cause an event loop.
- Resolves GitHub Issue #1945
- Correct deserialization of the `userType` and `title` fields in a SCIM resource.
- Resolves GitHub Issue #1954
Enhancements
- Support passing the Assertion Consumer Service (ACS) in the `RelayState` query parameter.
- Resolves GitHub Issue #1785
- Support using an `appId` and `sessionTicket` to complete login with the Steam Identity Provider.
- Resolves GitHub Issue #1873
- Add back support for some legacy HTTP Servlet Request methods for use in themed templates.
- Resolves GitHub Issue #1904
New
- WebAuthn! Passkeys, Touch ID, Face ID, Android fingerprint, Windows Hello!
- Resolves GitHub Issue #77
- Allow users to be provisioned into the FusionAuth app using an IdP
- Resolves GitHub Issue #1915
- Allow FusionAuth to initiate a SAML v2 login request to a SAML v2 Service Provider.
- Resolves GitHub Issue #1927
Internal
- Update the docker image to `ubuntu:jammy`.
- Resolves GitHub Issue #1936
- New HTTP server
Version 1.40.2
September 28th, 2022
Fixed
- A two-factor trust may expire early causing a user to be prompted to complete two-factor during login. This issue was introduced in version `1.37.0`.
- Resolves GitHub Issue #1905
Version 1.40.1
September 26th, 2022
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Fixed
- A SAML v2 IdP Initiated login request will fail if PKCE is configured as required.
- Resolves GitHub Issue #1800
- The path attribute in some cookies may be set to the request path instead of `/` which may affect a SAML v2 IdP initiated login request.
- Resolves GitHub Issue #1891
Enhancements
- Support `Content-Type` in Kickstart when using a `PATCH` request to support `application/json-patch+json` and `application/merge-patch+json`.
- Resolves GitHub Issue #1885
- Remove unnecessary logging when the `Content-Type` request header is invalid or unset.
- Resolves GitHub Issue #1895
Version 1.40.0
September 16th, 2022
Changed
- If you are using MySQL or plan to use MySQL you will need to manually download the JDBC connector to allow FusionAuth to connect to a MySQL database. If you are using PostgreSQL, this change will not affect you. See the installation guide for additional information. We apologize in advance for the inconvenience this causes you, but the Oracle GPL licensing model makes it difficult for FusionAuth to easily deliver this capability.
- Resolves GitHub Issue #1862
Fixed
- An exception may occur when you attempt to perform a `PATCH` request on a Group using a `roleId` that does not exist.
- Resolves GitHub Issue #1872
- URL escape the `identityProviderUser` in the admin UI to correctly build the View and Delete actions links.
- Resolves GitHub Issue #1882, thanks to one of our MVPs @epbensimpson for letting us know and providing excellent recreation steps.
Enhancements
- Support changes to `user.active` for `PUT` or `PATCH` on the SCIM User or Enterprise User endpoints.
- Resolves GitHub Issue #1871
- Performance improvement for SAML v2 request parsing.
New
- Native Windows support has been re-instated. We apologize for the gap in native Windows support; for those who have been waiting to upgrade since version `1.37.0`, you may now upgrade with a native installer. Thank you to all of you who have voiced your opinions on how we support a native Windows installation.
- Resolves GitHub Issue #1848
Version 1.39.0
September 11th, 2022
Fixed
- When appending the `locale` request parameter on the Authorize request to pre-select the user's locale, the locale may still be incorrect for validation errors. For example, appending `locale=fr` will allow the initial render of the page to be localized in French when available. However, because the user did not manually modify the locale selector on the page, if the login fails due to a validation error, the error messages will be returned in the default locale which is generally English.
- Resolves GitHub Issue #1713
- Group application roles removed during a `PATCH` request to the Group API.
- Resolves GitHub Issue #1717, thank you to @paul-fink-silvacom for raising the issue!
- Corrections to the SAML v2 SP and IdP meta data.
- The HTTP scheme was missing from the `entityID`. This issue was introduced in version `1.37.0`.
- The `NameIdFormat` found in the SP meta data was always showing `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` regardless of the value configured in the SAML v2 IdP.
- Resolves GitHub Issue #1842
- The potential exists to see an exception in the FusionAuth system logs when the internal login record service runs. It is unlikely you will experience this error unless you have very large login volumes.
- Resolves GitHub Issue #1854
- There is the potential for the Elasticsearch index to become out of sync with respect to group memberships when groups are being deleted, or group members are being deleted from a group.
- Resolves GitHub Issue #1855
- Add missing support for `en_GB` time and date format support in the FusionAuth admin UI when setting your preferred locale to `en_GB`.
- Resolves GitHub Issue #1858, thanks to @adambowen for bringing this to our attention. It wasn't our intention to force our friends in the United Kingdom 🇬🇧 to painfully read dates and times in the American 🇺🇸 format. Please accept our apologies. 😎
Enhancements
- Better support for JSON Patch. Now supporting RFC 7386 `application/merge-patch+json` and RFC 6902 `application/json-patch+json`. Note that you may still make a request using the `PATCH` HTTP method using `application/json` and the current behavior should not be changed. All `patch*` methods found in the FusionAuth client libraries will still be using `application/json` for backwards compatibility. However, now that support for these new content types exists, we will be working to build support into our client libraries.
- Resolves GitHub Issue #441
- Better developer feedback when the `Content-Type` request header is missing or incorrect.
- Resolves GitHub Issue #604
- Additional SCIM support for the `PATCH` HTTP request method, and `filter` and `excludedAttributes` request attributes. The addition of these features allow the FusionAuth SCIM server to be compatible with Azure AD SCIM client and Okta SCIM client. The Group filter support has some limitations, see the SCIM Group API doc for additional details.
- Resolves GitHub Issue #1761
- Resolves GitHub Issue #1791
- Add some missing message keys to default Theme message bundle.
- Resolves GitHub Issue #1839
- Remove an unnecessary db request when validating the user security scheme for a user in the FusionAuth admin UI.
- Resolves GitHub Issue #1856
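To make the difference between the two new `PATCH` content types in this release concrete, here is an added example (not FusionAuth code): minimal appliers for RFC 7386 merge patch and RFC 6902 JSON Patch, run against a constructed document shaped like a User API body. The JSON Patch applier assumes only the `add`, `remove`, `replace` and `test` operations (no `move`/`copy`) and JSON Pointer paths per RFC 6901.

```python
import copy
import json
from typing import Any, Dict, List, Tuple

# Constructed sample shaped like a FusionAuth User API body; not a real record.
SAMPLE_USER: Dict[str, Any] = {
    "user": {
        "email": "jane@example.com",
        "preferredLanguages": ["en", "fr"],
        "data": {"department": "security", "legacyId": 42},
    }
}


def apply_merge_patch(target: Any, patch: Any) -> Any:
    """RFC 7386 application/merge-patch+json.

    Objects are merged recursively, a null member deletes the key, and anything that is
    not an object (including arrays) replaces the target wholesale. Consequence: a merge
    patch cannot append to an array or store a literal null; use JSON Patch for that.
    """
    if not isinstance(patch, dict):
        return patch
    result = dict(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = apply_merge_patch(result.get(key), value)
    return result


def _pointer_tokens(pointer: str) -> List[str]:
    """Split an RFC 6901 JSON Pointer into unescaped reference tokens."""
    if pointer == "":
        return []
    if not pointer.startswith("/"):
        raise ValueError(f"invalid JSON pointer: {pointer!r}")
    # Order matters: "~1" -> "/" first, then "~0" -> "~".
    return [t.replace("~1", "/").replace("~0", "~") for t in pointer[1:].split("/")]


def _resolve_parent(doc: Any, pointer: str) -> Tuple[Any, str]:
    """Walk to the container holding the pointer's last token; return (container, token)."""
    tokens = _pointer_tokens(pointer)
    if not tokens:
        raise ValueError("operations on the document root are not supported in this example")
    parent = doc
    for token in tokens[:-1]:
        parent = parent[int(token)] if isinstance(parent, list) else parent[token]
    return parent, tokens[-1]


def apply_json_patch(doc: Any, operations: List[Dict[str, Any]]) -> Any:
    """RFC 6902 application/json-patch+json, applied atomically.

    Operations run in order on a deep copy, so a failing op (missing key, failed "test")
    raises and leaves the caller's document untouched, as the RFC requires.
    """
    result = copy.deepcopy(doc)
    for op in operations:
        kind, path = op["op"], op["path"]
        parent, key = _resolve_parent(result, path)
        index: Any = key
        if isinstance(parent, list) and key != "-":
            index = int(key)
        if kind == "add":
            if isinstance(parent, list):
                parent.insert(len(parent) if key == "-" else index, op["value"])
            else:
                parent[key] = op["value"]
        elif kind == "remove":
            del parent[index]  # KeyError/IndexError if absent, per RFC 6902
        elif kind == "replace":
            if isinstance(parent, dict) and key not in parent:
                raise KeyError(path)  # replace requires the target to exist
            parent[index] = op["value"]
        elif kind == "test":
            if parent[index] != op["value"]:
                raise ValueError(f"test failed at {path}")
        else:
            raise ValueError(f"unsupported op: {kind}")
    return result


if __name__ == "__main__":
    merged = apply_merge_patch(SAMPLE_USER, {"user": {"data": {"legacyId": None}}})
    print(json.dumps(merged, indent=2))
```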
Version 1.38.1
August 22nd, 2022
Fixed
- Static resources such as CSS and JS may be missing a `Content-Type` header which may cause a proxy using `X-Content-Type-Options: nosniff` to fail to load the resource. This issue was introduced in version `1.37.0`.
- Resolves GitHub Issue #1831, thanks to @sinqinc for reporting.
- Resolves GitHub Issue #1834, thanks to @Aaron-Ritter for reporting.
- Fix a potential error issue caused by a webhook handler calling back to FusionAuth which may trigger another webhook event. This fix should also improve the performance when sending many events for webhooks.
- Resolves GitHub Issue #1836
- Correct behavior during login when both self-service registration and require registration features are enabled. This configuration may cause a user to be directed to the registration required page during login instead of being registered automatically. If you encounter this error, you may either upgrade or disable the require registration configuration. This appears to be a regression introduced in version `1.36.5`.
- Resolves GitHub Issue #1837
Version 1.38.0
August 17th, 2022
Fixed
- Remove dead Tomcat files from Docker image
- Resolves GitHub Issue #1820, thanks to @kevcube for letting us know!
New
- Group and Group Membership Webhooks
- Resolves GitHub Issue #633, thanks to @JLyne, @ric-sapasap and @rabshire for the feedback!
- Resolves GitHub Issue #1803, thanks to @matthew-jump for making the request.
Version 1.37.2
August 11th, 2022
Fixed
- A regression error was introduced in version `1.37.0` that causes HTTP request headers to be malformed when being sent to a Webhook, Generic Messenger or a Generic Connector.
- Resolves GitHub Issue #1818
Enhancements
- In version `1.37.0` you may now create a user in the FusionAuth admin UI optionally performing email verification. The UI controls and messaging have been enhanced to remove potential confusion.
- Resolves GitHub Issue #1819
Version 1.37.1
August 10th, 2022
Fixed
- An exception may occur while trying to capture the debug log event during an authentication request using a Connector.
- Resolves GitHub Issue #1799
- When configuring a User Action to prevent login and using that event with the Failed Login configuration, if you configure the User Action to email the user, the email will not be sent.
- Resolves GitHub Issue #1801
- Kickstart fails because it does not wait for FusionAuth to complete startup.
- Resolves GitHub Issue #1816
- Creating an application in the FusionAuth admin UI may fail due to a licensing error if you do not have an Enterprise license.
- Resolves GitHub Issue #1817
Version 1.37.0
August 9th, 2022
This release contains some significant internal changes to our HTTP server. While we do not expect any issues, please be aware of this change as you test and prepare for upgrades. Please also be aware of changes to our Windows bundling options.
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Known Issues
- Kickstart fails because it does not wait for FusionAuth to complete startup.
- Resolved in version `1.37.1` via GitHub Issue #1816
- Creating an application in the FusionAuth admin UI may fail due to a licensing error if you do not have an Enterprise license.
- Resolved in version `1.37.1` via GitHub Issue #1817
- A regression error was introduced in version `1.37.0` that causes HTTP request headers to be malformed when being sent to a Webhook, Generic Messenger or a Generic Connector.
- Resolved in version `1.37.2` via GitHub Issue #1818
- Static resources such as CSS and JS may be missing a `Content-Type` header which may cause a proxy using `X-Content-Type-Options: nosniff` to fail to load the resource.
- Resolved in version `1.38.1` via GitHub Issue #1831
- A two-factor trust may expire early causing a user to be prompted to complete two-factor during login.
- Resolved in version `1.40.2` via GitHub Issue #1905
- A theme issue may exist on a form action and may cause breaking changes when upgrading to this version.
- If you are upgrading, please verify your theme files accurately create a form action. The following themes should be updated as follows:
- OAuth authorize -> `action="/oauth2/authorize"`
- Child registration not allowed -> `action="/oauth2/child-registration-not-allowed"`
- OAuth passwordless -> `action="/oauth2/passwordless"`
- OAuth register -> `action="/oauth2/register"`
- OAuth two factor -> `action="/oauth2/two-factor"`
- Change password form -> `action="/password/change"`
- Forgot password -> `action="/password/forgot"`
Security
- Allow deprecated XML signature algorithms that were removed in Java 17. It is still not recommended that you use any of these legacy SHA1 algorithms, but if you are unable to utilize a modern algorithm, they will be allowed.
- Resolves GitHub Issue #1814
Changed
- Windows install has been removed. Our strategy is to support Windows using WSL 2 with our provided Debian package. Please plan to utilize this strategy, and open a GitHub issue if you encounter issues with the installation.
- Due to customer feedback, a native Windows installation option has been restored as of version `1.40.0`.
- Webhooks are no longer configured as "All applications" or limited to a single Application. They are now scoped to one or more tenants. If you previously had multiple webhooks configured within the same tenant, but scoped to separate Applications, you will want to review your configuration and filter events in your own Webhook handler by the `applicationId`.
- Resolves GitHub Issue #1812
- Deprecate Apache Tomcat specific configuration. See the Configuration reference for additional detail.
- `fusionauth-app.http.max-header-size` The default maximum size is now `64k`.
- `fusionauth-app.http.cookie-same-site-policy` In most cases, cookies will be written using `SameSite=Lax`, and cookies used by the FusionAuth admin UI utilize `SameSite=Strict`. If you think there would be value in further customizing cookies by name, or security settings such as `SameSite`, please upvote GitHub Issue #1414 and describe your intended use-case.
- `fusionauth-app.management.port` This was an Apache Tomcat specific port that is no longer required.
- `fusionauth-app.ajp.port` is now deprecated; this was an Apache Tomcat specific binary protocol used by Java applications.
- `fusionauth-app.http.relaxed-path-chars` This option was not likely documented or in-use by anyone.
- `fusionauth-app.http.relaxed-query-chars` This option was not likely documented or in-use by anyone.
- FastPath and normal startup commands have changed. For example, starting FusionAuth based upon Apache Tomcat used `catalina.sh` or `catalina.bat`; the startup process will now use `start.sh`. See install documentation for more details.
- When using the FusionAuth Docker image with MySQL, you will need to bundle the MySQL connector jar in the image, or add a layer to the stock FusionAuth image to ensure that `curl` is installed so that the MySQL connector jar can be downloaded during startup. It is recommended that you build the connector into the image. See our example Dockerfile on GitHub for an example.
Fixed
- Add the appropriate feedback to the users when attempting to change an email during a gated email verification that is already in-use.
- Resolves GitHub Issue #1547
- Correct the validation when deleting a key from Key Master when in use by a de-activated application.
- Resolves GitHub Issue #1676
- Perform implicit email verification when enabled and a setup password email request is completed.
- Resolves GitHub Issue #1705
- Handle URL encoded characters in the user-information part of the URL when connecting to Elasticsearch. This allows a username or password to be provided in the URL that have been URL encoded.
- Resolves GitHub Issue #1745
- When using the Change Password workflow in the hosted login pages for a user that has enabled 2FA, if you are not adding the OAuth2 parameters found in the `state` on the Change Password link built in the email template, an error may occur when the user tries to complete the workflow.
- Resolves GitHub Issue #1764
- The Refresh Token retrieve API and the Session tab in admin UI will no longer show expired refresh tokens. While the previous behavior was working as designed, it was confusing to some clients, and an admin was not able to manually remove expired tokens.
- Resolves GitHub Issue #1772
- Fix Lambda JS validation when using ES6 features with the GraalJS engine.
- Resolves GitHub Issue #1790, thanks to @theogravity for reporting the issue!
Enhancements
- Administrative Email Verification using the API or FusionAuth admin UI. When creating a user in the admin UI, you may now optionally create the user with an un-verified email when Email verification is enabled. See the Verify Email API for additional details.
- Resolves GitHub Issue #1319
- The Oauth2 Logout does not log a user out of FusionAuth app if logging out of another application in the same default tenant.
- Resolves GitHub Issue #1699
- Updates to our initial SCIM Server implementation released in version `1.36.0`.
- Resolves GitHub Issue #1702
- Resolves GitHub Issue #1703
- Better options to capture debug information when troubleshooting an SMTP connection issue. You no longer need to specify `mail.debug=true` in the advanced SMTP settings; instead, when enabling `debug` on the SMTP configuration, a debug Event Log will be produced with the SMTP debug information.
- Resolves GitHub Issue #1743
- Support larger email templates on MySQL. Prior to this version the `TEXT` column data type was utilized, which has a maximum size of `16k` in MySQL; now we are using `MEDIUMTEXT`, which supports up to `16M`.
- Resolves GitHub #1788, thanks to @darkeagle1337 for making the request!
- Improvements to the OAuth2 Logout endpoint. This endpoint now correctly supports the `POST` method in addition to the `GET` method, and you may now use an expired `id_token` in the `id_token_hint` parameter.
- Resolves GitHub Issue #1792
- Webhooks are now scoped to one or more tenants. Webhooks will no longer receive all events, but only events for the configured tenants. There is still an option for “All tenants” if you still wish to preserve the previous behavior.
- Resolves GitHub Issue #1812
- Any API response that returns a Refresh Token will now also return a `refresh_token_id` when in OAuth2, or a `refreshTokenId` in all other APIs. This may be useful to identify a refresh token for revocation when using a one-time use Refresh Token. This identifier is the primary key of the Refresh Token and can be used by the Refresh Token API.
- The Access Token will contain a new claim named `sid`, which is the immutable identifier of the Refresh Token. This claim is not reserved, so it can be removed, and it will only be present when a refresh token is requested. This is different from the `sid` claim that is already returned in the `id_token`; that `sid`, or Session Identifier, is the SSO session identifier and is primarily used by FusionAuth to validate a logout request.
- When available, the Refresh Token is now returned in the `JWTRefreshTokenRevokeEvent` event in the `refreshToken` field.
- The Login Ping API may now optionally take the request as a POST body.
New
- Application scoped Multi-Factor authentication. This feature allows an application to choose to participate in Multi-Factor when enabled, and optionally specify a separate TTL for trust scoped to a single application.
- Resolves GitHub Issue #763
- You may optionally disable the IdP linking strategy for an Identity Provider. This allows you to restrict any automatic linking and manage all IdP linking through the API.
- Resolves GitHub Issue #1551, thanks to @epbensimpson for the suggestion.
- Added `fusionauth-app.http.read-timeout` to the configuration to optionally set the maximum read timeout when making requests to FusionAuth. See the Configuration reference for additional detail.
Internal
- Remove Apache Tomcat as the underlying application server, in favor of a more modern HTTP server based upon Netty.
- Resolves GitHub Issue #1671
Version 1.36.8
July 4th, 2022
Fixed
- Fix the placeholder text in the entity grants search field.
- Resolves GitHub Issue #1774
- Correct the SCIM HTTP response code when a new resource is created to be `201`.
- Resolves GitHub Issue #1775
- Correct the SCIM HTTP response code when a duplicate resource is attempted to be created to be `409`.
- Resolves GitHub Issue #1776
Version 1.36.7
June 23rd, 2022
Security
- Ensure the provided `client_id` matches the Application represented by the Refresh Token when performing a Refresh grant. This is marked as a security fix because the intended design is to ensure the Refresh Token does indeed match the requested `client_id`. However, the risk is minimal because the caller is still required to have a valid set of client credentials, and must still present a valid refresh token.
- Resolves GitHub Issue #1766, thanks to @gnarlium for reporting the issue!
Fixed
- The initial “start” phase of a user action triggered by a failed login configuration is not sent.
- Resolves GitHub Issue #1654
- When a SAML v2 SP is using an HTTP redirect binding during the Logout request, FusionAuth may fail to complete the logout request.
- Resolves GitHub Issue #1723
- A timing issue exists where, under load of creating logins and then deleting applications programmatically, a login record for a now deleted application may get stuck in the queue, causing exceptions when attempting to write the record to the database.
- Resolves GitHub Issue #1765
- Correct the `Content-Type` HTTP response header returned from the SCIM endpoints.
- Resolves GitHub Issue #1769
Version 1.36.6
June 16th, 2022
Fixed
- When using Rate Limiting for Failed logins, the user may be able to login successfully after being rate limited - but prior to the end of the configured time period.
- Resolves GitHub Issue #1758
- When using a JWT Populate lambda and modifying the default value of the `aud` claim to be an array instead of a string value, this token can no longer be used by the Introspect endpoint. This fix allows you to modify the `aud` claim to be an array, and the token may be used with the Introspect endpoint as long as the requested `client_id` is contained in the `aud` claim. The OAuth2 Logout endpoint was also updated to accept an `id_token` with this same `aud` modification as the `id_token_hint`. When using this style of token as an `id_token_hint`, the first value in the `aud` claim that is equal to a FusionAuth application Id will be utilized.
- Resolves GitHub Issue #1759
Version 1.36.5
June 13th, 2022
Security
- Upgrade Java to get the patch for CVE-2022-21449. Note that in version `1.36.4` FusionAuth manually patched this vulnerability. To ensure you are not exposed to it, upgrade to FusionAuth version `1.36.4` or later, or discontinue use of the Elliptic Curve algorithm.
- Resolves GitHub Issue #1672
- Fix validation of the OAuth2 Logout endpoint when using the `post_logout_redirect` parameter. As documented here, you must ensure that any value for this parameter is in the Authorized URLs list for the application. This may be a breaking change if you do not.
- Resolves GitHub Issue #1750
Fixed
- Fix a UI bug that caused the application column to show “Single sign-on” instead of the Application name in the Session tab of the user management panel.
- Resolves GitHub Issue #1706
- If you have enabled Two-Factor authentication and self-service registration, a user may not be routed to the Complete Registration step correctly after completing the Two-Factor challenge.
- Resolves GitHub Issue #1708, thanks to @chimericdream for reporting the issue!
- The `displayName` property on the Link a User API is ignored. This is a regression bug that was introduced in version `1.36.0`.
- Resolves GitHub Issue #1728
- A 3rd party Web Application Firewall such as CloudFlare may inject JavaScript into the `<head>` element, and this may cause a failure to properly initialize support for an Identity Provider such as Twitter.
- Resolves GitHub Issue #1731, thanks to @atakane for helping us track this one down!
Internal
- Upgrade to the latest Java 17 LTS. Upgraded from 17.0.1+12 to 17.0.3+7.
- Resolves GitHub Issue #1672
Version 1.36.4
April 21st, 2022
Security
- Proactive patch for Java CVE-2022-21449. This release will patch the vulnerability described in the referenced CVE until we are able to release a version of FusionAuth using the upcoming patched release of Java. If you are not able to upgrade to this release, discontinue use of ECDSA keys in FusionAuth for JWT or SAML signing.
- Resolves GitHub Issue #1694
Version 1.36.3
April 19th, 2022
Fixed
- An additional edge case was identified in the issue resolved by GitHub Issue #1687. If you did encounter the issue resolved by GitHub Issue #1687, you should plan to upgrade to this patch version so that you can fully utilize the new `auth_time` claim introduced in `1.36.0`.
- Resolves GitHub Issue #1688
Version 1.36.2
April 14th, 2022
Fixed
- If you are using the `openid` scope, which produces an `id_token`, and you utilize a 3rd party library that consumes the `id_token` to validate the signature, expiration or similar claims, the token may be incorrectly identified as expired. This is because after a refresh token is used to generate a new `id_token`, the `auth_time` claim may have lost precision from the original value in the initial `id_token`.
- Resolves GitHub Issue #1687
Version 1.36.1
April 14th, 2022
Fixed
- When building an entity grant in the UI for a user or other entity, the search results may contain entities from all tenants. If you attempt to select an entity in a tenant other than the tenant for which the user or entity belongs, an exception will occur.
- Resolves GitHub Issue #1579
- If you create an empty directory in the FusionAuth plugin directory, or create a directory that does not contain any FusionAuth plugin jars, and have other plugin jars in the root of the plugin directory, the legitimate plugin jar may not be loaded. If you encounter this problem, either remove the empty directories, or make the empty directories read only.
- Resolves GitHub Issue #1683
- If you are using the Client Credentials Grant and omit the permissions from the `target-entity:` scope, the expected permissions will not be returned as part of the access token claims.
- Resolves GitHub Issue #1686
Version 1.36.0
April 7th, 2022
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Known Issues
- If you create an empty directory in the FusionAuth plugin directory, or create a directory that does not contain any FusionAuth plugin jars, and have other plugin jars in the root of the plugin directory, the legitimate plugin jar may not be loaded. If you encounter this problem, either remove the empty directories, or make the empty directories read only.
- This has been resolved in version `1.36.1`.
- If you are using the Client Credentials Grant and omit the permissions from the `target-entity:` scope, the expected permissions will not be returned as part of the access token claims.
- This has been resolved in version `1.36.1`.
- If you are using the `openid` scope, which produces an `id_token`, and you utilize a 3rd party library that consumes the `id_token` to validate the signature, expiration or similar claims, the token may be incorrectly identified as expired. This is because after a refresh token is used to generate a new `id_token`, the `auth_time` claim may have lost precision from the original value in the initial `id_token`.
- This has been resolved in version `1.36.3`.
Security
- Ensure that the Change Password identifier is revoked if an API is used to change a user’s password after the user has initiated a change password request.
- Resolves GitHub Issue #1632
Changed
- The JWT authorization method is no longer supported when using the `GET` method on the Retrieve Refresh Tokens API.
- The reason for this potentially breaking change is concern about potential abuse. If you were previously using a JWT to authorize the request to the `GET` HTTP method, you will need to modify your integration to utilize an API key. See the Retrieve Refresh Tokens API for additional details.
- Resolves GitHub Issue #1646
- Updated reserved JWT claims by grant type. The `amr` claim is marked as reserved, and will be available in a future release.
- Reserved for the authorization code and implicit grants: `amr`, `exp`, `iat`, `sub` and `tid`. Only `amr` and `tid` are new for this release.
- Reserved for the Vending API: `amr`, `exp` and `iat`. Only the `amr` claim is new for this release.
- Reserved for the Client Credentials grant: `amr`, `aud`, `exp`, `iat`, `permissions`, `sub` and `tid`.
- Resolves GitHub Issue #1669
Fixed
- The requested `AssertionConsumerServiceURL` in a SAML v2 `AuthNRequest` is ignored and the first URL configured is used instead.
- Resolves GitHub Issue #1278, thanks to @pakomp for letting us know!
- Entities did not support the use of `:` in the permission name; this limitation has been removed.
- Resolves GitHub Issue #1480, thanks to @matthewhartstonge for the help!
- An application role may not be immediately available to assign to a user after initial creation. This issue was due to some additional caching introduced in version `1.32.1`.
- Resolves GitHub Issue #1575
- The Password Grant response is missing the Two Factor Method Ids when a Two-Factor challenge is required. This issue was introduced in version `1.26.0` when Two-Factor Method Ids were added to the Login API response.
- Resolves GitHub Issue #1585
- The Tenant edit and add panel displays Webhook events that are not configured at the Tenant level.
- Resolves GitHub Issue #1593
- FusionAuth may fail to start on Windows when using the `startup.bat` script. See the linked issue for a workaround.
- Resolves GitHub Issue #1624, thanks to @James-M-Oswald for the assist!
- Enhance email validation to keep obviously incorrect emails from being used during self-service user registration.
- Resolves GitHub Issue #1625, thanks to @pablomadrigal for letting us know!
- When using the GraalJS Lambda engine, you cannot use ECMA 6 features such as `const` or `let`.
- This only affects version `1.35.0` when using the new GraalJS engine, and does not represent a regression because prior to version `1.35.0` the only Lambda engine available was Nashorn, which only supported ECMA 5.1.
- Resolves GitHub Issue #1630
- When using a Connector, a timing issue exists that could cause a login to fail. See the linked issue for an example exception that you may observe if you encounter this issue.
- Resolves GitHub Issue #1633
- The Tenant View dialog may show the incorrect Event transaction setting for a Tenant created via the API.
- Resolves GitHub Issue #1642
- When the `openid` scope is used along with the `offline_access` scope and the resulting refresh token is then used in a Refresh grant, the returned `id_token` may be signed with the key configured for the `access_token`.
- Resolves GitHub Issue #1643
- Ignore read-only directories inside of the configured plugin directory instead of throwing an exception.
- Resolves GitHub Issue #1655
Enhancements
- Add a separate execute thread pool in the Apache Tomcat configuration to separate incoming requests from localhost callback requests to reduce thread contention.
- Resolves GitHub Issue #1659
- Allow for plugins that require dependent jars in their classpath.
- To take advantage of this capability, create a sub-directory in the configured plugin directory. Place your plugin jar and any dependent jars in the same directory or nested sub-directories. Each immediate sub-directory of the configured plugin directory will be considered a discrete classloader. Each of these class loaders will still share the parent classloader, so it is still advised to keep dependencies to a bare minimum such that you don’t conflict with existing dependencies of FusionAuth.
- Resolves GitHub Issue #1663
- Minimize the duration of the database Transaction during authentication. This should improve login performance, especially when using an LDAP or Generic Connector.
- Resolves GitHub Issue #1666 (666 😱 yikes)
- Alphabetize the Applications in Select form controls in the FusionAuth admin UI; this should make it easier for those who are not robots to navigate when you have many applications.
- Allow a login using a 3rd party IdP such as Google to succeed even if an Elasticsearch exception occurs when attempting to re-index the user.
- Resolves GitHub Issue #1673
New
- Initial technology preview for SCIM Server, this feature is available in the Enterprise plan.
- Resolves GitHub Issue #106
- Nintendo Online Identity Provider, this feature is available with all licensed plans of FusionAuth.
- Resolves GitHub Issue #1206
- New Identity Provider Link & Unlink Events
- Resolves GitHub Issue #1589
- Default the Event Transaction Type in the Tenant configuration to `None`
- Resolves GitHub Issue #1644
- New JWT claims
- The `tid` claim is now being set in all JWTs. This is the FusionAuth Tenant Id, and is marked as reserved.
- The JWT header will also now contain a `gty` claim which will represent the grant types in order of use for this token.
- Resolves GitHub Issue #1669
Internal
- Update Apache Tomcat from `8.5.72` to `8.5.77`.
- Resolves GitHub Issue #1620
Version 1.35.0
March 10th, 2022
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Fixed
- When using the FastPath installation for Windows, the startup may fail to download Java if you are using the `startup.bat` option for starting services.
- Resolves GitHub Issue #1597, thanks to @gkrothammer for the help!
- Using the Identity Provider Link API when more than one tenant is configured may fail unless you are specifying the tenant Id using the `X-FusionAuth-TenantId` HTTP request header.
- Resolves GitHub Issue #1609
- Self-service registration may fail to validate an email address beginning with `@`.
- Resolves GitHub Issue #1617, thanks to @pablomadrigal for letting us know!
- When using the Passwordless API without passing the OAuth2 state parameters such as `client_id` on the URL, and the user is not registered for the Application, the request may fail.
- Resolves GitHub Issue #1623
New
- Initial technology preview for HTTP requests within a lambda function, termed Lambda HTTP Connect. All previously configured lambdas will continue to run on the legacy JS engine. Starting in this release the default engine for newly created lambdas will be GraalJS, but you have the ability to select the preferred engine. When using the GraalJS engine, you will be able to begin making HTTP requests within the lambda function. At some point in the future we will deprecate and fully remove the legacy JS engine (Nashorn). For the time being, use the new engine if you are able, and provide us feedback if you find anything is not working. If you do encounter a problem open an issue, and switch the lambda back to the Nashorn engine.
- HTTP requests (AJAX) in the lambda require the Essentials or Enterprise plan.
- Resolves GitHub Issue #267
- Resolves GitHub Issue #571
Version 1.34.1
February 23rd, 2022
Fixed
- SAML v2 Login to FusionAuth may fail due to an exception.
- Resolves GitHub Issue #1606, thanks so much to @kristianvld for letting us know.
Version 1.34.0
February 21st, 2022
Known Issues
- SAML v2 Login to FusionAuth may fail due to an exception. Please upgrade directly to FusionAuth version >= 1.34.1
- See GitHub Issue #1606 for additional details.
Security
- Resolve a potential vulnerability in the IdP Link API. If you are actively using any IdP configured to use the `CreatePendingLink` linking strategy, please upgrade at your earliest convenience.
- Resolves GitHub Issue #1600
Changed
- When using the OpenID Connect identity provider, you have the option to select one of three client authentication options. You may select `none`, `client_secret_basic` or `client_secret_post`. Some 3rd party identity providers do not allow the `client_id` to be sent in the request body when using `client_secret_basic`. A strict reading of the OAuth2 and OpenID Connect specifications implies that the `client_id` should only be present in the request body when a client secret is not used, or you have selected `none` or `client_secret_post` for an authentication method. This change is to make FusionAuth more compliant with 3rd party IdPs that enforce this behavior. It is not expected that this change will have any negative impact on OpenID Connect configurations that have been working up until this release. However, please be aware of this change and verify that existing OpenID Connect identity providers continue to behave as expected.
- Resolves GitHub Issue #1595
- Utilize PKCE anytime FusionAuth is initiating an Authorization Code grant to FusionAuth. While most of this will be transparent and should not affect any of your integrations, there is one use case in which it is important for FusionAuth to utilize PKCE when performing an Authorization Code grant to FusionAuth. This use case is when you are using an application with PKCE configured as required, and you then use the Device grant using the themed FusionAuth pages. In this case FusionAuth must utilize PKCE in order to pass PKCE validation during the request.
- Resolves GitHub Issue #1598
- When using the interactive Setup Wizard to perform initial setup of FusionAuth, the checkbox to sign up for the FusionAuth newsletter has been changed to be checked by default. This means that prior to this release you had to opt-in, and starting in this release, you will need to opt-out during this step. You also have the option to un-subscribe from the newsletter at any point in the future.
- Resolves GitHub Issue #1577
New
- Native support for PBKDF2 using a 512-bit derived key length. The default PBKDF2 algorithm uses a 256-bit derived key length. Some IdPs such as KeyCloak use a 512-bit key, so this algorithm should support an import from KeyCloak without a custom plugin. This new algorithm is available using the value `salted-pbkdf2-hmac-sha256-512` during the User Import API.
- Resolves GitHub Issue #1604
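The 512-bit and 256-bit PBKDF2-HMAC-SHA256 variants side by side, as an added example that is neither FusionAuth's nor KeyCloak's code: the scheme name `salted-pbkdf2-hmac-sha256-512` is the one the release note introduces, while the default scheme's name, the record field names (`scheme`, `factor`, `salt`, `hash`), the iteration count and the sample password and salt are assumptions constructed for the example. It also shows why the derived-key length must travel with the record: the 256-bit output is a prefix of the 512-bit one.

```python
"""Added example, not FusionAuth's or KeyCloak's code: PBKDF2-HMAC-SHA256 with
a 512-bit derived key (64 bytes) beside the 256-bit default (32 bytes), and a
verifier that reads the derived-key length from the scheme name. The 512-bit
scheme name is from the release note; the default scheme name, the record
field names and all sample values are constructed for this example."""
import base64
import hashlib
import hmac
import secrets

# Derived-key length in bits, keyed by scheme name.
SCHEME_KEY_BITS = {
    "salted-pbkdf2-hmac-sha256": 256,        # assumed name for the default scheme
    "salted-pbkdf2-hmac-sha256-512": 512,    # from the release note
}


def derive(password: str, salt: bytes, iterations: int, key_bits: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with an explicit derived-key length (dklen is in bytes)."""
    if key_bits <= 0 or key_bits % 8:
        raise ValueError("key_bits must be a positive multiple of 8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=key_bits // 8)


def make_record(password: str, scheme: str, iterations: int,
                salt: bytes = None) -> dict:
    """Hash a password under `scheme`, keeping everything a verifier needs."""
    key_bits = SCHEME_KEY_BITS[scheme]
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = derive(password, salt, iterations, key_bits)
    return {
        "scheme": scheme,
        "factor": iterations,
        "salt": base64.b64encode(salt).decode("ascii"),
        "hash": base64.b64encode(digest).decode("ascii"),
    }


def verify(password: str, record: dict) -> bool:
    """Recompute with the record's scheme, factor and salt; compare in constant time."""
    key_bits = SCHEME_KEY_BITS.get(record["scheme"])
    if key_bits is None:
        return False  # unknown scheme: never guess a length
    expected = base64.b64decode(record["hash"])
    if len(expected) != key_bits // 8:
        return False  # stored hash length does not match the declared scheme
    actual = derive(password, base64.b64decode(record["salt"]), record["factor"], key_bits)
    return hmac.compare_digest(actual, expected)


# Constructed sample values: fixed salt and factor so the run is reproducible.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_FACTOR = 27500

REC_256 = make_record(SAMPLE_PASSWORD, "salted-pbkdf2-hmac-sha256", SAMPLE_FACTOR, SAMPLE_SALT)
REC_512 = make_record(SAMPLE_PASSWORD, "salted-pbkdf2-hmac-sha256-512", SAMPLE_FACTOR, SAMPLE_SALT)


def prefix_relationship() -> bool:
    """PBKDF2 output is a concatenation of blocks (RFC 8018), so the 256-bit
    hash is exactly the first 32 bytes of the 512-bit one. A verifier that
    compared only a prefix would accept a 512-bit record under the 256-bit
    scheme; the explicit length check in verify() prevents that."""
    return base64.b64decode(REC_512["hash"])[:32] == base64.b64decode(REC_256["hash"])


if __name__ == "__main__":
    print("512-bit record verifies:", verify(SAMPLE_PASSWORD, REC_512))
    print("wrong password rejected:", not verify("wrong", REC_512))
    print("256-bit hash is a prefix of the 512-bit hash:", prefix_relationship())
```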
Version 1.33.0
February 7th, 2022
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Security
- Add `-Dlog4j2.formatMsgNoLookups=true` to the `fusionauth-search` bundled version of Elasticsearch.
- Please note that if you are running a standalone version of Elasticsearch, this will not affect you, and you should still complete any suggested mitigation steps for your Elasticsearch instance. This VM argument added to the `fusionauth-search` bundle is only added to make people feel warm and fuzzy. FusionAuth Cloud users are not vulnerable to CVE-2021-44228, and even if you are self-hosting FusionAuth and utilizing the Elasticsearch bundled with `fusionauth-search`, you are not vulnerable if you have followed our suggested securing steps. Also, due to the version of Java we are using to run Elasticsearch, you are not vulnerable. But we all like to put on our tinfoil hats sometimes, so we are making this change for good measure.
- Resolves GitHub Issue #1520
- Updated PostgreSQL JDBC driver from version `42.2.22` to `42.3.2`.
- This update is only pertinent to you if you are using a PostgreSQL database. If you are using MySQL, you are not vulnerable.
- FusionAuth Cloud users are not affected. If you are self-hosting FusionAuth you are only vulnerable if you allow un-authorized modifications to your JDBC connection string used by FusionAuth to connect to the database. I hope you are not doing this. 😉 Please read the following CVE to better understand the vulnerability to see how it may or may not affect you.
- CVE-2022-21724.
- Resolves GitHub Issue #1535
- Proactively upgrade Logback. Instead of Log4J, FusionAuth uses Logback. In response to the recent vulnerabilities in Log4J, the Logback team has proactively added some additional hardening to their library to ensure similar vulnerabilities are not found.
- Resolves GitHub Issue #1530
- Better protection against malicious actors that have access to configuring Themed templates.
- Resolves GitHub Issue #1549
- Ensure we enforce a Two-Factor challenge before changing a password using the Change Password API.
- Resolves GitHub Issue #1591
Changed
- If you are using the Change Password API with users that have Two-Factor enabled, you may need to adjust your integration. Beginning in this release, to use the Change Password API for a user with Two-Factor enabled, you will need to obtain a Trust Token from the Two Factor Login API in order to complete this request. This is potentially a breaking change; the decision to make it was taken because of the enhanced security it provides.
- Resolves GitHub Issue #1591
Fixed
- The FastPath install may fail to download Java on versions `>= 1.32.0`. The issue was that the `curl` request needed to be configured to follow a redirect with the new URLs for the Java download. See the linked issue for a workaround if you want to use FastPath for an older version.
- Resolves GitHub Issue #1519
- Ensure we are able to handle Login records that may contain more than one IP address. When passing through a proxy, the `X-Forwarded-For` HTTP request header may contain more than one IP address. This fix ensures we parse this header correctly and handle existing Login records that may have been recorded with more than one value.
- Resolves GitHub Issue #1521
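Parsing a multi-valued `X-Forwarded-For` header, as an added example that is not FusionAuth's code and does not describe how FusionAuth chooses the address: it goes beyond the note by applying the usual trusted-proxy rule (believe the header only when the connecting peer is one of your proxies, then take the right-most hop you did not add yourself). The proxy addresses, sample headers and function names are constructed.

```python
"""Added example, not FusionAuth code: parsing an X-Forwarded-For header that
carries more than one address, as happens when a login passes through one or
more proxies. The trusted-proxy set and the sample headers are constructed."""
import ipaddress
from typing import List, Optional, Set


def split_forwarded_for(header: Optional[str]) -> List[str]:
    """Split the comma-separated header into normalized IP literals.
    Entries that are not valid addresses ("unknown", a hostname, injected
    text) are dropped so a single bad hop cannot poison the stored record."""
    addresses: List[str] = []
    for raw in (header or "").split(","):
        token = raw.strip()
        if not token:
            continue
        try:
            addresses.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue
    return addresses


def client_address(header: Optional[str], remote_addr: str,
                   trusted_proxies: Set[str]) -> str:
    """Choose the address to record for a login.

    The header is only believable when the peer that connected to us is a
    proxy we operate; otherwise the caller could put anything in it and the
    TCP peer address is all we know. When the peer is trusted, walk the
    chain right to left, skipping our own proxies, and take the first hop we
    did not add ourselves."""
    if remote_addr not in trusted_proxies:
        return remote_addr
    for addr in reversed(split_forwarded_for(header)):
        if addr not in trusted_proxies:
            return addr
    # Every listed hop was one of ours (or the header was empty or garbage).
    return remote_addr


# Constructed sample: two proxies in front of the application.
TRUSTED = {"10.0.0.5", "10.0.0.9"}


def demo() -> dict:
    """Exercise the selection rule over constructed headers."""
    return {
        # Client -> proxy 10.0.0.5 -> proxy 10.0.0.9 -> application.
        "two_hops": client_address("203.0.113.7, 10.0.0.5", "10.0.0.9", TRUSTED),
        # A direct caller supplied a header: the peer is untrusted, so it is ignored.
        "direct_forged": client_address("203.0.113.7", "198.51.100.2", TRUSTED),
        # Header contains a non-IP hop and an IPv6 client.
        "ipv6_with_junk": client_address("2001:db8::1, unknown, 10.0.0.5", "10.0.0.9", TRUSTED),
        # Only our own proxies appear: fall back to the connecting peer.
        "only_proxies": client_address("10.0.0.5", "10.0.0.9", TRUSTED),
        # A stored record that kept the whole header value, split into its parts.
        "legacy_record_values": split_forwarded_for(" 203.0.113.7 , 10.0.0.5 "),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```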
- Using the Login with Apple button on a themed login or registration page may fail when using Safari on iOS 12. A workaround is documented in the linked GitHub issue if you are unable to upgrade FusionAuth.
- Resolves GitHub Issue #1526
- The Event Log, Audit Log, Login Records search feature in the FusionAuth admin UI may not reset the pagination correctly when beginning a new search request.
- Resolves GitHub Issue #1501
- Group Membership may not be preserved after the first login request when using a Connector without migration.
- Resolves GitHub Issue #1432
- The `jwt.refresh-token.revoke` event may not be sent during a request to the Logout API (`/api/logout`).
- Resolves GitHub Issue #1522, thanks to @TimVanHerwijnen for all the help!
- A consent added to a self-service registration form may show up incorrectly during a complete registration step during login.
- Resolves GitHub Issue #1259
- Resolves GitHub Issue #1261
- Better support for `user.birthDate` when using Advanced self-service registration when Family is enabled with child registration.
- When configuring more than one preferred language in the FusionAuth admin UI on the User or User Registration, the order may not be preserved. For example, if you configured `French, English` where `French` is the preferred language, with a second option of `English`, when saving the form the serialized value will become `English, French` and will not likely be saved in the order you expect.
- Fix a potential memory leak in the Email services. If you are sending a lot of email through FusionAuth, this error may cause your FusionAuth service to run out of memory. Restarting the service periodically can mitigate this potential if you are unable to upgrade. This issue was most likely introduced in version `1.30.1`.
- Resolves GitHub Issue #1548
- When completing a Family workflow where a parent joins a child to a family, the `parentEmail` field may not be properly updated in the search index.
- Resolves GitHub Issue #1550
- If you have previously configured Basic Self-Service registration, and then begin using Advanced Self-Service it is possible that a validation may occur that you did not expect.
- Resolves GitHub Issue #1560
- Some edge cases exist when using the Async Tenant Delete API or deleting a Tenant in the FusionAuth admin UI where a tenant may get stuck in the Pending Delete state.
- Resolves GitHub Issue #1559
Enhancements
- Add the underlying host architecture and operating system name and version to the About panel in the FusionAuth admin UI. See System -> About .
- Resolves GitHub Issue #1531
- Add a tooltip to the Webhook Application configuration to help reduce some confusion until we deprecate this Application configuration.
- Resolves GitHub Issue #1542
- Support longer Refresh Tokens on the Refresh Tokens Import API. The previous limitation was that the refresh token was less than or equal to `191` characters. The assumption was made that this token was opaque and that `191` was very adequate. Some IdPs utilize JWTs for Refresh Tokens, and in this case the length is likely to exceed the previous limitation. This enhancement allows for longer refresh tokens. In particular this will provide better support for importing Refresh Tokens from KeyCloak. See the Import Refresh Tokens API for additional details.
- Resolves GitHub Issue #1541
- Use a better thread pooling strategy for Webhooks to better support a very large volume of events where the event recipient may not respond quickly enough. This allows more events to be queued up if we cannot send them fast enough while waiting for a response from the webhook.
- Resolves GitHub Issue #1500
- Improve licensing errors on the API and FusionAuth admin UI to better differentiate between not licensed, and a feature that requires a specific licensed feature. In particular, some of the features introduced as part of the Threat Detection feature require an Enterprise License with this feature enabled. So you may have a licensed FusionAuth plan, and a feature may still not be available. This change should make it clearer why a particular feature cannot be enabled.
- Resolves GitHub Issue #1555
- Add `tokenExpirationInstant` to the Login Response, similar to how the Token endpoint response returns `expires_in`, to indicate when the access token returned in the response will expire.
- Resolves GitHub Issue #1309
- Additional User API validation in support of Family configuration with child registration restrictions.
- Resolves GitHub Issue #1561
- Support for ARM 64, the Apple M1, AWS Graviton, etc. Docker images are now published for Intel, and various ARM architectures, and FastPath and other installation paths have support for downloading Java for the correct architecture.
- Resolves GitHub Issue #1532, GitHub Issue #49. Thanks to many of our community superstars for the help with this one! @rscheuermann, @jerryhopper, @ceefour, @dmitryzan
- Add the option to use the `userId` on the Start Two-Factor API
- Resolves GitHub Issue #1571
- Move the `changePasswordId` to the request body during a POST request. For backwards compatibility, the `changePasswordId` will also be accepted on the URL segment.
- Resolves GitHub Issue #1214
Version 1.32.1
December 13th, 2021
Fixed
- If you are modifying the user email or username in an Identity Provider Reconcile Lambda, the lambda may be invoked more than once after the initial link has been established. This may cause User registration data to be modified, or lost. If you have not yet upgraded to this version, it is advised that you wait until you can update to version `1.32.1`.
- Resolves GitHub Issue #1517, thanks to @Oceanswave for letting us know and for the fantastic bug write up!
- The `1.32.0` version of the Docker image was initially released with a missing Java module that may cause the image to fail during startup. An updated version of the image has been released; if you encounter an issue, please delete your local version of the image and pull it again. The issue is also resolved in this version, so you may also pull the `latest` tag once this version is available.
- Resolves GitHub Issue #1518
Version 1.32.0
December 10th, 2021
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Changed
- This version of FusionAuth will now run on Java 17. If you are using any SAML v2 IdP configurations that still utilize a legacy XML signature algorithm, this upgrade may break that integration.
- It is recommended to test your SAML v2 IdP logins with this version prior to upgrading, or confirm that all of your IdPs are not using any of the following restricted XML signature algorithms:
- http://www.w3.org/2000/09/xmldsig#sha1
- http://www.w3.org/2000/09/xmldsig#dsa-sha1
- http://www.w3.org/2000/09/xmldsig#rsa-sha1
- See GitHub Issue #1202 for additional details and an optional workaround if you are unable to discontinue use of these algorithms.
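A pre-upgrade check for the point above, added here as a Python example (not FusionAuth's own code): scan an IdP's metadata or a captured SAML response for the XML Signature algorithm URIs in use and report the restricted ones. The two metadata documents are constructed for the example.

```python
"""Report XML Signature algorithms in a SAML document that Java 17 restricts.

Added example, not part of FusionAuth. Run it over each IdP's metadata (or a
saved SAML response) before upgrading to 1.32.0.
"""
import xml.etree.ElementTree as ET

# Algorithm URIs listed in the release note as restricted under Java 17.
RESTRICTED_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
}

# XML Signature elements whose Algorithm attribute is inspected. The plain sha1
# URI appears on DigestMethod; rsa-sha1 and dsa-sha1 appear on SignatureMethod.
_ALGORITHM_ELEMENTS = {"SignatureMethod", "DigestMethod"}


def find_signature_algorithms(xml_text: str) -> list:
    """Return every Algorithm URI on SignatureMethod/DigestMethod elements,
    in document order, duplicates included."""
    # For XML from an untrusted source prefer the defusedxml parser; the
    # standard library parser is used here so the example runs stand-alone.
    root = ET.fromstring(xml_text)
    found = []
    for element in root.iter():
        # element.tag looks like '{http://www.w3.org/2000/09/xmldsig#}SignatureMethod'
        local_name = element.tag.rsplit("}", 1)[-1]
        if local_name in _ALGORITHM_ELEMENTS and "Algorithm" in element.attrib:
            found.append(element.attrib["Algorithm"])
    return found


def restricted_algorithms(xml_text: str) -> list:
    """Return the distinct restricted algorithm URIs present, sorted."""
    return sorted({a for a in find_signature_algorithms(xml_text)
                   if a in RESTRICTED_ALGORITHMS})


# Constructed sample: a trimmed IdP metadata document signed with RSA-SHA1 and
# a SHA-1 digest (both restricted). Not metadata from any real IdP.
SAMPLE_LEGACY_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>placeholder</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
  </ds:Signature>
</md:EntityDescriptor>
"""

# Constructed sample using RSA-SHA256 and a SHA-256 digest, which are not affected.
SAMPLE_MODERN_METADATA = SAMPLE_LEGACY_METADATA.replace(
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
).replace(
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256",
)

if __name__ == "__main__":
    for label, doc in (("legacy", SAMPLE_LEGACY_METADATA), ("modern", SAMPLE_MODERN_METADATA)):
        hits = restricted_algorithms(doc)
        print(f"{label}: {'RESTRICTED ' + ', '.join(hits) if hits else 'ok'}")
```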
Fixed
- The global and application registration count rollup may fail when using PostgreSQL. This will cause the registration count reports to be incorrect.
- Resolves GitHub Issue #1498
- When using the Development Reset feature (technical preview) and the FusionAuth application is configured to use a specific theme, the reset will fail.
- Resolves GitHub Issue #1514
Enhancements
- Identity provider linking that was introduced in version 1.28.0 can now optionally be configured to limit the number of unique links to an IdP for a particular user.
- Resolves GitHub Issue #1310
- Allow application URIs to be configured as OAuth2 Authorized request origin URLs. For example, you may now configure `android-app://com.example` as a valid Authorized request origin.
- Resolves GitHub Issue #1443, thanks to @bonify-b2b for the request.
- Add configuration to allow implicit email verification to be disabled. For example, prior to this release, email based workflows such as Passwordless login, email based registration verification, email based password change, and verifying a two-factor code during login through an email would implicitly mark a user’s email as verified if email verification was enabled and the user had not yet completed email verification. In most cases this seems to be the best choice for the end user such that they do not perform redundant tasks to verify their email address once they have provided evidence they have access to the email address. This configuration allows this behavior to be disabled if you wish to require your end user to always go through a specific email verification process for legal or other similar reasons.
- Resolves GitHub Issue #1467, thanks to @lliu-20200701 for the request.
- Add a notice on the Device workflow panel when an existing SSO session exists to allow the user to optionally logout prior to continuing.
- Resolves GitHub Issue #1495
New
- You may optionally specify custom SMTP headers in the Tenant email configuration. These configured headers will be added to all outbound messages.
- Resolves GitHub Issue #628, thanks to arni-inaba for the suggestion.
Internal
- Java 17 LTS. Upgrade from Java 14 to the latest long term support (LTS) version of Java, which is 17.
Version 1.31.0
November 18th, 2021
Known Issues
- If you are modifying the user email or username in an Identity Provider Reconcile Lambda, the lambda may be invoked more than once after the initial link has been established. This may cause User registration data to be modified, or lost. If you have not yet upgraded to this version, it is advised that you wait until you can update to version `1.32.1`.
- Resolved in `1.32.1` by GitHub Issue #1517
Changed
- You may now modify, or fabricate an email or username in the Identity Provider Reconcile Lambda regardless of the Identity Provider type.
- Some of this capability has been provided in the past for the OpenID Connect Identity Provider. This capability was removed in version `1.28.0` when Identity Provider Linking was introduced due to the additional use cases now supported through linking strategies. Due to high demand, and many real world use cases presented by our users, this decision has been reversed in favor of flexibility for the developer. Please use caution when using this capability, and note that if you create or modify a `username` or `email` in the Reconcile lambda, the lambda will be invoked twice during a single login request.
- Resolves GitHub Issue #1425
Fixed
- Requiring a birthdate on a self-service registration form when also requiring a parent email may cause an exception.
- Resolves GitHub Issue #702
- Improvements to locale handling to expand beyond ISO 639 support to support locales such as `es_419`, `aghem` and others.
- Resolves GitHub Issue #978
- Resolves GitHub Issue #1132
- Disabling webhooks on the tenant configuration by clicking on the Enabled table header doesn’t work as expected.
- Resolves GitHub Issue #1123
- Fix general message template issues when using the preview action for a message template, or a localized version of the template.
- Resolves GitHub Issue #1171
- An API key created using Kickstart is not validated for length correctly.
- Resolves GitHub Issue #1397, thanks to @miaucl for reporting!
- The error message returned to the end user when a webhook fails during a Self-Service Registration is not able to be customized through a theme.
- Resolves GitHub Issue #1446
- The Theme preview may not render the Account Edit themed page when a Self-Service form is configured.
- Resolves GitHub Issue #1448
- Unable to delete an email template when an email template is not assigned to a Consent.
- Resolves GitHub Issue #1449
- A timing issue exists when creating a new Application role, and then immediately attempting to register a user with that role.
- This issue was introduced in version `1.30.2`
- Resolves GitHub Issue #1452, thanks to one of our MVPs @johnmaia for reporting!
- Using an expired Passwordless link may result in an infinite redirect
- This issue was introduced in version `1.27.0` when support for Microsoft Outlook Safe Links was added via GitHub Issue #629
- Resolves GitHub Issue #1456, thanks to @rscheuermann for the report!
- Missing validation on the Registration API to ensure the User exists by Id when passing the `userId` on the HTTP request URL segment
- Resolves GitHub Issue #1457
- When copying a Tenant in the FusionAuth admin UI when the source Tenant has Blocked domain configuration present, the Blocked domain configuration is not copied to the new tenant.
- Resolves GitHub Issue #1459
- When using the OAuth2 Password grant (Resource Owner Credentials grant), and the `client_id` is provided in the HTTP Basic Authorization header, but not in the HTTP post body, the resulting JWT will not contain the `aud` claim.
- Resolves GitHub Issue #1462
- A database foreign key violation may occur in the Registration Count aggregation service if you delete a Tenant before the aggregator runs.
- This issue was introduced in version `1.30.2`.
- Resolves GitHub Issue #1466
- Enabling Two-Factor in the Self-Service themed forms, or in the admin UI may fail to render the QR code if the encoded string used to build the QR code is between 192 and 220 characters in length.
- Resolves GitHub Issue #1470, thanks to @jasonaowen for letting us know and helping us debug it!
- When a user is assigned roles explicitly through a User Registration in addition to a Group membership, the roles assigned by the Group membership will not be returned.
- This issue was introduced in version `1.30.2` via GitHub Issue #480
- Resolves GitHub Issue #1473
- When using the Setup Password email template provided by FusionAuth with the User Registration API to create a User and a Registration in a single API call, the URL generated and sent to the user may not be usable. A `client_id` will have been added to the URL which will result in an error when the FusionAuth page is rendered. To work around the issue prior to this release, please remove the `client_id` from the Email template.
- Resolves GitHub Issue #1476
- A SAML v2 SP using an HTTP Redirect Binding that has URL encoded the query string using lower case percent encoding may cause FusionAuth to fail to validate the signature.
- Resolves GitHub Issue #1496, thanks to the engineering team at HAProxy for the assist!
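The failure mode behind this fix, shown as an added Python example (not FusionAuth's code): in the HTTP Redirect binding the signature covers the URL-encoded parameter values exactly as sent, so a verifier that decodes and re-encodes them turns the SP's lower-case `%2f` into `%2F` and checks the wrong bytes; building the signed input from the raw query string avoids that. The query string is constructed, and its `SAMLRequest` value is a placeholder rather than a real deflated request.

```python
"""Signed input for a SAML v2 HTTP-Redirect binding, built from the raw query.

Added example, not FusionAuth's code. The binding signs the string
"SAMLRequest=<enc>&RelayState=<enc>&SigAlg=<enc>" (SAMLResponse in place of
SAMLRequest for responses; RelayState only when present), using the values as
they appear, still URL-encoded, in the query. Percent-decoding is
case-insensitive, so %2f and %2F decode to the same byte, but they are
different signed bytes.
"""
import re
from urllib.parse import parse_qsl, quote, unquote

# Parameters covered by the signature, in the order the binding specifies.
SIGNED_PARAMS = ("SAMLRequest", "SAMLResponse", "RelayState", "SigAlg")


def raw_query_params(query: str) -> dict:
    """Split the query into {name: value}, keeping each value as transmitted."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[unquote(name)] = value
    return params


def signed_input_from_raw(query: str) -> str:
    """Correct: concatenate the still-encoded values taken from the raw query."""
    params = raw_query_params(query)
    return "&".join(f"{n}={params[n]}" for n in SIGNED_PARAMS if n in params)


def signed_input_reencoded(query: str) -> str:
    """Fragile: decode, then re-encode with quote(), which always emits
    upper-case hex. Matches the SP's bytes only if the SP used upper case too."""
    decoded = dict(parse_qsl(query, keep_blank_values=True))
    return "&".join(f"{n}={quote(decoded[n], safe='')}"
                    for n in SIGNED_PARAMS if n in decoded)


def decoded_params(query: str) -> dict:
    """Decoded view of the query; identical whichever hex case the SP used."""
    return dict(parse_qsl(query, keep_blank_values=True))


def upper_case_escapes(query: str) -> str:
    """Rewrite every %xx escape in upper case, to build the other form of a query."""
    return re.sub(r"%[0-9a-fA-F]{2}", lambda m: m.group(0).upper(), query)


# Constructed sample query from an SP that percent-encodes with lower-case hex.
# The SAMLRequest value is a placeholder, not a real deflated AuthnRequest.
QUERY_LOWER = ("SAMLRequest=fZFBT8%2bxyz%3d%3d"
               "&RelayState=https%3a%2f%2fsp.example.test%2fapp"
               "&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256"
               "&Signature=c2lnbmF0dXJl%3d")
QUERY_UPPER = upper_case_escapes(QUERY_LOWER)

if __name__ == "__main__":
    # The SP signed the first three parameters of the raw query string.
    print(signed_input_from_raw(QUERY_LOWER))
    print(signed_input_reencoded(QUERY_LOWER) == signed_input_from_raw(QUERY_LOWER))  # False
    print(signed_input_reencoded(QUERY_UPPER) == signed_input_from_raw(QUERY_UPPER))  # True
    print(decoded_params(QUERY_LOWER) == decoded_params(QUERY_UPPER))                  # True
```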
Enhancements
- You may now access the `id_token` when available during an OpenID Connect Reconcile lambda
- Resolves GitHub Issue #323, thanks to @Thammada for opening the issue!
- Add additional support for `idp_hint` for Apple and Twitter Identity Providers.
- Resolves GitHub Issue #1306
- Add an example use and changed user to the Audit Log Test event when using the Webhook Tester in the FusionAuth admin UI
- Resolves GitHub Issue #1360
- When FusionAuth is unable to discover OpenID endpoints using the configured Issuer during configuration of an OpenID Connect Identity Provider, an Event Log will be produced to assist you in debugging the connection.
- Resolves GitHub Issue #1417
Internal
- Update the internal scheduler library.
- Resolves GitHub Issue #1461
Version 1.30.2
October 13th, 2021
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Fixed
- When logging in with an anonymous user from an IdP that now has a linking strategy other than Anonymous an exception occurs. This can occur if you change your linking strategy from Anonymous to something else, and users that were created while configured as Anonymous log in again.
- Resolves GitHub Issue #1316
- The view dialog may not completely render for an SAML v2 IdP Initiated IdP configuration. The dialog fails to completely render due to a FreeMarker exception.
- Resolves GitHub Issue #1324
- If you are activating FusionAuth Reactor during initial startup via Kickstart, and you have CAPTCHA enabled for the FusionAuth admin application, you may not be able to login until the Threat Detection feature comes online. Depending upon your network connection, this may take a few seconds, or a few minutes.
- Resolves GitHub Issue #1358
- The .NET client library handled `exp` and other JWT timestamp values incorrectly.
- Resolves GitHub Issue #1362, thanks to @RyanDennis2018 for reporting.
- When using the duplicate Application button in the admin UI, if the source Application has SAML v2 configured, but not enabled, the copy may fail with an exception.
- Resolves GitHub Issue #1366
- Updating a connector will add an additional `*` domain configuration. This is a regression issue introduced in version `1.28.0`.
- Resolves GitHub Issue #1367
- When generating an RSA Key, a user cannot specify a certain Id.
- Resolves GitHub Issue #1368
- If using kickstart to activate a licensed instance with advanced threat detection enabled, it is possible to get stuck in the Setup Wizard.
- Resolves GitHub Issue #1369
- A user can add new entries to an access control list, but can’t delete them using the administrative user interface.
- Resolves GitHub Issue #1371
- Default lambdas are no longer available in Kickstart environment variables. This is a regression introduced in version `1.30.0`.
- Resolves GitHub Issue #1373
- The event payload for a user deactivation was not complete when the deactivation happened via the administrative user interface. It lacked some information such as the IP address of the request.
- Resolves GitHub Issue #1375
- When both Kickstart and maintenance mode occur during an upgrade, a NullPointerException could occur if the default tenant Id was being modified.
- Resolves GitHub Issue #1382
- The IP address can be missing from login records in certain circumstances.
- Resolves GitHub Issue #1391
- Requests with IPv6 addresses cause NumberFormatExceptions.
- Resolves GitHub Issue #1392
- CAPTCHA may not work on the email verification required page.
- Resolves GitHub Issue #1396
- Rendering the passwordValidationRules object on the register page in theme preview does not work.
- Resolves GitHub Issue #1398
- User search widget has an empty value if the user does not have a name.
- Resolves GitHub Issue #1399
- Filling out a CAPTCHA through self service registration or other paths does not save device trust; the user will be prompted a second time.
- Resolves GitHub Issue #1400
- Setup Wizard may be shown in a multi-node environment after it has completed.
- Resolves GitHub Issue #1402
- When using advanced threat detection rate limiting, users are unable to set the rate limit configuration to 1 to allow a limited action be performed only once.
- Resolves GitHub Issue #1407
- Custom data for webhooks not displayed in the admin UI.
- Resolves GitHub Issue #1422
- A truncated deflated SAML AuthN request was not handled as well as it should have been.
- Resolves GitHub Issue #1424
- Some key pairs capable of signing a SAML request are not eligible in the UI.
- Resolves GitHub Issue #1430
- Custom data for connectors not displayed in the admin UI.
- Resolves GitHub Issue #1435
Enhancements
- When using MySQL with a large number of applications, and application roles, it may become slow to retrieve a user. This change should improve performance when using MySQL.
- Resolves GitHub Issue #480, thanks to @nikos and David B. for the assist!
- Improve the performance of using the Public Key API endpoint when you have a lot of applications and keys.
- Resolves GitHub Issue #1145, thanks to @nulian for reporting, and @Johpie for the additional debug.
- Display the database version and elastic search versions in the administrative user interface.
- Resolves GitHub Issue #1390
- Improve User and Registration API performance at scale.
- Resolves GitHub Issue #1415
- Try to support SAML POST bindings with SSO even when the cookie `SameSite` policy is set to `SameSite=Lax`.
- Resolves GitHub Issue #1426
- Add a default NameID format when one is not provided on SAML AuthN or Logout requests.
- Resolves GitHub Issue #1428
Internal
- Update Apache Tomcat from `8.5.63` to `8.5.72`.
- Resolves GitHub Issue #1433
Version 1.30.1
August 25th, 2021
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Known Issues
- Registration counts may fail to be rolled up into reports when using PostgreSQL. Updating to `1.30.2` should resolve the issue.
- Resolved in `1.32.0` by GitHub Issue #1498
- A potential memory leak was introduced in this version. Updating to `1.33.0` should resolve the issue. If you are unable to upgrade, restarting the service periodically can mitigate this potential issue.
- Resolved in `1.33.0` by GitHub Issue #1548
Fixed
- The Text MIME type of an email may not render Unicode correctly when the host system does not have `UTF-8` set as the default character set.
- Resolves GitHub Issue #1122, thanks to @soullivaneuh for the report!
- Unable to assign an IP ACL to an application if one is not already assigned to the tenant.
- Resolves GitHub Issue #1349
- Unable to delete an IP ACL in use by a tenant.
- Resolves GitHub Issue #1350
Enhancements
- General performance improvements for login, OAuth2 grants, and user create and registration.
- Add the User Two Factor methods to the Elasticsearch index.
- If you have existing users with Two-Factor enabled, you will want to perform a re-index in order to search on two-factor configuration.
- Resolves GitHub Issue #1352, thanks to one of our favorite FusionAuth users @flangfeldt for making the request.
Internal
- Performance improvements
Version 1.30.0
August 12th, 2021
Features that require the Threat Detection feature:
- CAPTCHA
- Domain blocking in registration
- IP access control lists
- IP location
- Some of the new events and transactional emails
- Rate limiting
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Known Issues
- If you are referencing any Reconcile Lambda Ids using the syntax `FUSIONAUTH_LAMBDA{type}_ID`, this may no longer work due to a change in how these default lambdas are initialized.
- The current workaround is to modify your kickstart to build your own version of this lambda instead of using the FusionAuth default.
- You will find a copy of the default lambdas shipped with FusionAuth in the Lambda documentation that you may use to copy into your kickstart.
- The issue is being tracked in GitHub Issue #1373
Fixed
- Unable to enable the `user.action` event at the tenant using the UI. If you encounter this issue, you may work around it by using the Tenant API.
- Resolves GitHub Issue #1307
- If you make an API request to `/api/two-factor/login` with an empty JSON body, an exception will occur instead of a validation error being returned with a `400` status code.
- Resolves GitHub Issue #1330
- When using an IdP with a linking mode other than Create Pending Link, the token may not correctly be stored. If you previously had been using the token stored on the User Registration, and are now looking for it in the Identity Provider Link, you may not find it. This fix resolves the issue.
- Resolves GitHub Issue #1341
- When you are using FusionAuth as a SAML v2 IdP with Redirect bindings, you were unable to use idp_hint to bypass the login page to federate to another provider.
- Resolves GitHub Issue #1331
Changed
- New themed page added for Unauthorized access.
- A macro available to themes named `[@helpers.input]` was modified to be able to build a checkbox. This change could affect you if you try to copy and paste the checkbox usage without modifying the macro definition in your Helper file. Review the Upgrading section for information on how to resolve potential breaking changes.
New
- JWT Vending machine
- This allows a JWT to be created for a not-yet-existing user with a payload defined by the API caller.
- Resolves GitHub Issue #525
- FusionAuth wasn’t awesome enough, so we added a robust Threat Detection feature for enterprise customers. This feature includes:
- IP Access Control for API keys
- This allows support for an API key to be further restricted by the origin IP address.
- Resolves GitHub Issue #933
- IP Access Control for SSO and self service forms
- This allows you to limit access to the FusionAuth SSO or a particular application login through SSO by IP address
- Blocked domain configuration to limit registrations from specific email domains
- Rate limiting per user for the following requests:
- Failed login (only used if Failed Login configuration is not in use)
- Forgot password
- Send email verification
- Send passwordless
- Send registration verification
- Send two-factor
- CAPTCHA - add CAPTCHA to login and other end user forms to help ensure only humans are submitting forms.
- This feature is in tech preview and is subject to change.
- Support for Google ReCaptcha v2, Google ReCaptcha v3, HCaptcha and HCaptcha Enterprise
- Resolves GitHub Issue #278
- IP location.
- When possible, an IP address will be resolved to include city, country, region, zip code, longitude and latitude.
- IP location will be included in login records and will be available in some email templates and webhook events
- Used to calculate impossible travel between login locations
- New Webhook events:
- Audit Log Create `audit-log.create`
- Event Log Create `event-log.create`
- Kickstart Success `kickstart.success`
- User Create Complete `user.create.complete`
- User Delete Complete `user.delete.complete`
- User Update Complete `user.update.complete`
- User LoginId Duplicate On Create `user.loginId.duplicate.create`
- User LoginId Duplicate Update `user.loginId.duplicate.update`
- User Email Update `user.email.update`
- User Login New Device `user.login.new-device`
- User Login Suspicious `user.login.suspicious`
- User Password Reset Success `user.password.reset.success`
- User Password Reset Send `user.password.reset.send`
- User Password Reset Start `user.password.reset.start`
- User Password Update `user.password.update`
- User Registration Create Complete `user.registration.create.complete`
- User Registration Delete Complete `user.registration.delete.complete`
- User Registration Update Complete `user.registration.update.complete`
- User Two Factor Method Added `user.two-factor.method.add`
- User Two Factor Method Removed `user.two-factor.method.remove`
- See the Event Webhooks documentation for additional details.
- Resolves GitHub Issue #1308, thanks to @adoliver for the suggestion!
- Resolves GitHub Issue #1178
- Resolves GitHub Issue #1128
- Resolves GitHub Issue #1129
- New transactional emails:
- Email update
- Login Id duplicate on create
- Login Id duplicate on update
- Login with new device
- Suspicious login
- Password reset success
- Password update
- Two-factor method added
- Two-factor method removed
Enhancements
- Search on `oldValue`, `newValue` and `reason` in the Audit Log.
- See the Audit Log Search API for additional details on searching on `oldValue`, `newValue` and `reason` in the audit log.
- When using IdP linking in conjunction with the OAuth2 Device grant, the recently completed links will be available on the Device complete themed page by using the `completedLinks` variable.
- See the Device Complete themed page documentation for additional details.
- More themed pages will have access to the currently logged in user using the `currentUser` variable.
- See the Theme documentation for additional details.
Version 1.29.4
August 12th, 2021
Fixed
- When a user is required to complete registration after login, the user may no longer be able to login without a password reset. This is a regression from version 1.28.0, and only affects those using self-service registration that will have existing users that do not have all required fields on their account.
- Resolves GitHub Issue #1344, thanks to @flangfeldt for reporting the issue
Version 1.29.3
August 6th, 2021
Fixed
- A `404` may be returned when attempting to update a user with `PUT` or `PATCH` on the User API if the user has an unverified email and email verification has been disabled.
- Resolves GitHub Issue #1333
Version 1.29.2
July 31st, 2021
Fixed
- When using a SAML v2 IdP that does not send back a `KeyInfo` element in the XML response, an exception may occur when attempting to parse the response.
- Resolves GitHub Issue #1332
Version 1.29.1
July 26th, 2021
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Fixed
- In a multi-tenant configuration, SSO sessions may be prematurely terminated if one tenant has a lower TTL configuration than the other tenants. To work around this issue prior to this release, ensure all SSO TTL configurations are equal.
- Resolves GitHub Issue #1262
- The arg names in the `LambdaType` enum were not all correct.
- Resolves GitHub Issue #1284
- An IdP Debug event log may not get produced when a unique Id could not be resolved.
- Resolves GitHub Issue #1315
- When enabling the SAML v2 IdP debug log an exception may be taken when attempting to produce the debug event log. The result is that the debug log will not be produced.
- Resolves GitHub Issue #1317
Version 1.29.0
July 10th, 2021
Fixed
- When viewing the theme preview for the `oauth2/start-idp-link.ftl` template, an error may be logged.
- Resolves GitHub Issue #1276
- When a webhook transaction fails to create a user or registration on a themed page, a non-themed error page may be displayed
- Resolves GitHub Issue #1279
Enhancements
- Enhance the Link API to retrieve a user by a 3rd party unique Id, to identify whether a FusionAuth user is linked to that user. See the Link API for additional details.
- Resolves GitHub Issue #1277
- During a device link request which contains a device linking token, show an intermediate page asking the user if they would like to sign in with an existing user or create a new user.
- Resolves GitHub Issue #1287
- Allow the IdP Login API to optionally be passed a request parameter to indicate a link should not be established and a `404` should be returned instead. This is useful if you wish to identify if a link exists first before starting an auxiliary workflow such as a device grant with a linking token. See the Login API for additional details.
- Resolves GitHub Issue #1288
- Add additional configuration to the unique username configuration to support always appending a suffix even when the username is not in use. See the Tenant API for additional details.
- Resolves GitHub Issue #1290
- Add an additional debug event log for the SAML IdP to debug the `AuthN` request sent to the SAML IdP
- Resolves GitHub Issue #1293
- In version `1.28.0` the resolution of the value returned by the SAML v2 IdP in the `NameID` was modified. If the IdP returns a format of `unspecified` with a value of `email`, then after upgrading to version `1.28.0` your SAML IdP will not function properly. Ideally you would ask your IdP to return a NameID format of `emailAddress`, but if that is not possible this enhancement will allow FusionAuth to accept the value returned in the `NameID` if the format is returned as `unspecified`.
- Resolves GitHub Issue #1294
- Instead of logging FreeMarker exceptions to the system log and producing a stack trace that may end up in the UI, an event log will be produced. The message in the UI will be condensed based upon the runtime mode. When in `development` mode some details will be provided to assist in debugging your themed template. If in `production` runtime mode only a message indicating an error occurred will be displayed to the user.
- Resolves GitHub Issue #1299
Internal
- Update HikariCP from `3.4.1` to `4.0.3`, and update PostgreSQL JDBC driver from `42.2.14` to `42.2.22`
- Resolves GitHub Issue #1300
Version 1.28.1
June 21st, 2021
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Fixed
- Allow self-consent form field on a self-service form.
- Resolves GitHub Issue #1258
- Correct validation of a consent form field on edit. Control type was failing validation on edit.
- Resolves GitHub Issue #1260
- An imported user requiring a password change and email verification may fail email verification when an email verification gate is enabled.
- Resolves GitHub Issue #1265
- Better parsing of the `X-Forwarded-For` HTTP request header. This header may contain one to many IP addresses, and only the first value should be preserved for the login record. Prior to this fix, it would be possible to see a login record that contained multiple IP addresses separated by a comma.
- Resolves GitHub Issue #1267
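A parser for the header value described above, added here as a Python example rather than FusionAuth's own implementation: it keeps only the first address, accepts IPv4 and IPv6 literals (the IPv6 case is the one that produced NumberFormatExceptions in 1.30.2), rejects non-address entries, and pairs the parse with the rule a practitioner wants beside it: the header is only honoured when the direct peer is one of our own proxies, since its content is otherwise client-supplied. The header samples and proxy range are constructed.

```python
"""Extract the client address from X-Forwarded-For for a login record.

Added example, not FusionAuth's code. The header is a comma-separated list to
which each proxy appends the peer it saw, so the left-most entry is the
original client as reported by the first proxy.
"""
import ipaddress
from typing import Iterable, Optional


def client_ip_from_forwarded_for(header_value: Optional[str]) -> Optional[str]:
    """Return the first (left-most) address in an X-Forwarded-For value,
    normalised by the ipaddress module, or None when that entry is not an IP
    literal (for example "unknown") so garbage never reaches the login record."""
    if not header_value:
        return None
    first = header_value.split(",", 1)[0].strip()
    # Some proxies bracket IPv6 literals, optionally with a port: "[2001:db8::1]:443".
    if first.startswith("["):
        first = first[1:].split("]", 1)[0]
    try:
        # Parses both IPv4 and IPv6; raises ValueError on anything else.
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def login_record_ip(remote_addr: str, forwarded_for: Optional[str],
                    trusted_proxies: Iterable) -> str:
    """Address to store on the login record.

    X-Forwarded-For is client-controlled text: any caller can send one. It is
    honoured only when the direct peer is one of our own proxies (an iterable
    of ipaddress networks); otherwise the peer address itself is recorded.
    """
    peer = ipaddress.ip_address(remote_addr)
    if any(peer in network for network in trusted_proxies):
        forwarded = client_ip_from_forwarded_for(forwarded_for)
        if forwarded is not None:
            return forwarded
    return str(peer)


# Constructed sample inputs (documentation address ranges, not real traffic).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
SAMPLE_HEADERS = [
    "203.0.113.5, 10.0.0.2",        # IPv4 client behind one proxy
    "2001:DB8::1, 10.0.0.2",        # IPv6 client; normalised to lower case
    "[2001:db8::1]:443, 10.0.0.2",  # bracketed IPv6 with a port
    " 198.51.100.7 ",               # stray whitespace
    "unknown, 10.0.0.2",            # not an IP literal
    "",                             # header present but empty
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{header!r:32} -> {client_ip_from_forwarded_for(header)}")
    # Trusted proxy in front: the forwarded client address is recorded.
    print(login_record_ip("10.0.0.2", "203.0.113.5, 10.0.0.2", TRUSTED_PROXIES))  # 203.0.113.5
    # Direct connection that nonetheless sends the header: the peer is recorded.
    print(login_record_ip("192.0.2.9", "203.0.113.5", TRUSTED_PROXIES))           # 192.0.2.9
```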
- Correctly show the Verification URL in the OAuth2 configuration when the `Device` grant is selected. This issue was introduced in `1.28.0`.
- Resolves GitHub Issue #1268
- Use the correct FusionAuth redirect URL when using the Sony PlayStation Network IdP.
- Resolves GitHub Issue #1269
- Use the correct FusionAuth redirect URL when using the Steam IdP. This IdP uses an Implicit grant and should be using the `/oauth2/callback/implicit` callback URL.
- Resolves GitHub Issue #1272
- Allow the Epic Games IdP to function properly when omitting the `scope` configuration property.
- Resolves GitHub Issue #1273
Tech Preview
- You may optionally start an account link when beginning a Device grant.
- Resolves GitHub Issue #1274
Version 1.28.0
June 7th, 2021
The FusionAuth identity providers have undergone a significant improvement to add additional flexibility and support for 3rd parties. Please take time to test this upgrade with your existing configuration to ensure compatibility. Some of the features in this release are in tech-preview.
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Known Issues
- If you are using self-service registration there is a possibility that a user may be required to complete registration by adding additional fields to their account after they login. In this scenario it is possible that they will no longer be able to login and will be required to reset their password. The fix for this was added in `1.29.4`.
- Fixed in `1.29.4`, under GitHub Issue #1344, thanks to @flangfeldt for reporting the issue
- If you are using the SAML v2 Populate Lambda or the SAML v2 Reconcile Lambda, the `NameID` field has been changed to an array. You will need to update your lambda code if you are using this field.
Changed
- You may no longer build a synthetic email address using a lambda for an OpenID Connect identity provider. This has been removed because you may now link a user by username or create a link without a username or an email to an existing FusionAuth user. If you are using this feature, you may need to plan for a migration to this new behavior. If you have a support contract with FusionAuth, please reach out and ask for additional information.
- When using FusionAuth as a SAML IdP, FusionAuth will now accept `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` in addition to `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`. This should allow FusionAuth to work with SAML v2 service providers that only support the persistent NameID format.
- Tokens returned by IdPs are no longer stored on the User Registration object in the `tokens` field. Each token is now stored with the IdP link for the User and the IdP. See the Link API for additional details.
New
- Reindex API
- Resolves GitHub Issue #1232
- See the Reindex API for usage.
- Account Link API
- This API will allow you to link and un-link users in 3rd party identity providers with a FusionAuth user.
- See the Link API for usage.
- IdP Linking options
- Each Identity Provider may now be configured with a linking strategy. The strategies will include linking by email, username, anonymous or a link to an existing user.
- Linking by username is now supported. This strategy carries a higher risk of account takeover, so use caution when enabling it.
- Tokens from identity providers should now be retrieved from the link rather than the registration. More information can be found under the `identityProviderLink.token` response value.
- Email Send API allows an email address in the To field instead of only allowing FusionAuth userIds
- See the Email Send API for additional details.
- SAML Identity Provider can now be configured to use any NameID format. Previously only the Email NameID format was utilized.
- This should allow the SAML identity provider configuration to be more flexible and work with additional SAML identity providers.
Enhanced
- When FusionAuth is acting as a SAML Identity Provider, you may now send a NameID format of Email or Persistent.
- This should allow FusionAuth to work with additional SAML service providers such as Slack.
- Resolves GitHub Issue #522
- The Email Send API now allows you to send to a user that does not yet exist in FusionAuth by allowing you to specify an email address for the `To:` field.
- Resolves GitHub Issue #743
- See the Email Send API for additional details.
- The Facebook and Google Identity Providers will now default to using a redirect instead of a popup for login. All existing configurations will be migrated to use the popup dialog to remain consistent with the previous behavior. With this update you may now also use the `idp_hint` parameter to login with Facebook and Google.
- Resolves GitHub Issue #909
- Additional PKCE and Client Authentication configuration
- You may now optionally configure PKCE as required, not required, or required when not using a confidential client. This offers better compatibility when multiple client types (a webapp and a mobile app, for example) are authenticating against a single FusionAuth application.
- Resolves GitHub Issue #1152
- Add the currently selected Two Factor method object to the Themed Two Factor page `/oauth2/two-factor`
- Resolves GitHub Issue #1237, thanks to one of our MVPs - @flangfeldt for the suggestion!
- Allow using IdP buttons on the Themed registration page
- Resolves GitHub Issue #554, thanks to @gordody for the request!
- When using email verification required with the gated configuration, optionally send the user another email before entering the gated page if the user does not have an unexpired verification email outstanding.
- Resolves GitHub Issue #1247, thanks to @lliu-20200701 for the suggestion.
Fixed
- Do not add `NotBefore` to the subject confirmation on the SAML AuthN response.
- Resolves GitHub Issue #1215, thanks to @pakomp for pointing out this issue!
- When importing users with `passwordChangeRequired=true` without specifying the change reason, an exception may occur during login.
- Resolves GitHub Issue #1245, thanks to @lliu-20200701 for finding this bug.
- When using the email verification gate and self-service registration, if a user requires their email to be verified and is forced through the complete registration flow, they will not be correctly gated.
- Resolves GitHub Issue #1246, thanks to @lliu-20200701 for reporting!
- Fix a JavaScript bug that may cause some of the themed pages to render incorrectly in the view window.
- Resolves GitHub Issue #1228, thanks to @flangfeldt for reporting!
Tech Preview
- New IdPs for EpicGames, Nintendo, Sony PlayStation Network, Steam, Twitch, Xbox - see link for more information
- Resolves GitHub Issue #1205 - Sony PlayStation Network
- Resolves GitHub Issue #1206 - Nintendo. Note: the Nintendo IdP is not yet fully functional. This will be completed in a patch release.
- Resolves GitHub Issue #1207 - Twitch
- Resolves GitHub Issue #1208 - Steam
- Resolves GitHub Issue #1209 - Epic Games
- Resolves GitHub Issue #1210 - Xbox
- Development kickstart reset. When you are running in `development` runtime mode, you’ll see a `Reset` menu item in the System navigation menu.
- See System -> Reset
- There is now a JWT populate lambda for the Client Credentials grant. See link for more information.
- Resolves GitHub Issue #1233
Version 1.27.2
May 10th, 2021
Changed
- In version `1.26.0` the ability to use `user.data.email` for Forgot Password and Passwordless login flows was removed. Support for this behavior has been restored in this patch.
- Resolves GitHub Issue #1204, thanks to @mcs for letting us know how this change impacted his usage.
Fixed
- When building a new theme starting with 1.27.0, you may encounter a JavaScript error during page render. This error should not cause any end user failures, but the login may not properly capture the browser type.
- Resolves GitHub Issue #1216
Version 1.27.1
May 7th, 2021
Fixed
- When migrating from 1.26.0 or earlier to version 1.27.0, the add Tenant panel in the admin UI may initially fail to render. If you encounter this issue, you may upgrade or edit the FusionAuth tenant first and then try the request again.
- Resolves GitHub Issue #1196
- Make the verification flow simpler when you enable both email and registration verification during self-service registration.
- Resolves GitHub Issue #1198
- The view dialog for the SAML v2 IdP Initiated configuration may not render correctly.
- Resolves GitHub Issue #1200
- When configuring the SAML v2 IdP Initiated Login configuration for an IdP that has an `issuer` that is not a URL, the configuration will fail because we are expecting a URL for this field.
- Resolves GitHub Issue #1203
Version 1.27.0
May 5th, 2021
Some of the features in this release are in tech-preview. Please give us feedback and let us know how they work for you!
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Changed
- Login API now returns `213` for Registration Not Verified.
- See the Login API response for additional details.
- The Login API and the User API may optionally return an `emailVerificationId` or `registrationVerificationId` to assist the developer in completing a verification workflow when the verification strategy has been configured to use a short code instead of a long “clickable” link.
- See the Login API response for additional details.
- The Verify Email API now takes the `verificationId` in the request body instead of a URL segment. See the Verify Email API for additional details.
- This change is backwards compatible, but the deprecated use of the API may be removed in the future.
- The client libraries methods have also been preserved, but a new method has been added to accept a request body.
- The Verify Registration API now takes the `verificationId` in the request body instead of a URL segment.
- This change is backwards compatible, but the deprecated use of the API may be removed in the future.
- The client libraries methods have also been preserved, but a new method has been added to accept a request body.
- When calling `PUT` on the Login API (ping) the response may optionally return an `emailVerificationId` or `registrationVerificationId` to assist the developer in completing a verification workflow when the verification strategy has been configured to use a short code instead of a long “clickable” link.
- See the Login API response for additional details.
- The User API and Registration API may optionally return an `emailVerificationId` or a map of registration verification Ids to assist the developer in completing a verification workflow when the verification strategy has been configured to use a short code instead of a long “clickable” link.
- See the User and Registration API response examples for additional details.
Fixed
- CleanSpeak username filtering may not always work when using advanced self-service registration forms with only one step.
- Resolves GitHub Issue #1158
- Link to SAML v2 IdP Initiated Add in the admin UI was missing. See GH issue for a work around.
- Resolves GitHub Issue #1181
- Fixes for the admin UI usages of the new API Key API. Allow the admin UI to upgrade and downgrade API keys for Key Manager.
- Resolves GitHub Issue #1174
Tech Preview
- Application Themes. You may optionally assign a theme per application which will then be utilized instead of the tenant configuration.
- Email verification gate. When using the FusionAuth themed pages, you may force a user to verify their email address before being redirected back to your application.
- Configurable verification strategies to use an interactive form instead of a clickable link.
- May require a change to your email template, see the updated Email Verification documentation for additional details.
- GitHub Issue #1191
- Unique usernames. Allow more than one user to select the same username and allow FusionAuth to manage a unique suffix.
- Resolves GitHub Issue #1190
New
- Product Version API.
- Resolves GitHub Issue #1193
- Thanks to @jegger for the request!
- See Version API for additional details or find `retrieveVersion` in your FusionAuth client library.
Enhancements
- Try to support Microsoft Outlook Safe Links
- Hopefully 🤞 resolves GitHub Issue #629
- Support HTTP Basic Auth using an API key for the Prometheus Metrics endpoint added in 1.26.0.
- See Prometheus endpoint documentation for additional details on authenticating this endpoint.
- Resolves GitHub Issue #1189
Version 1.26.1
April 20th, 2021
Fixed
- If you use a non default theme for the FusionAuth default tenant, you may see an error when trying to log in to the admin UI after upgrading to version 1.25.0. You can work around this by appending `?&bypassTheme=true` to your login URL, or append `/admin/` to your base FusionAuth URL to log into the admin UI.
- Resolves GitHub Issue #1175.
Known Issues
- You cannot create a “SAML v2 IdP Initiated” Identity Provider in the admin UI; it isn’t present in the “Add Identity Providers” dropdown. You can work around this by entering the URL to add an Identity Provider manually: `https://auth.example.com/admin/identity-provider/add/SAMLv2IdPInitiated` (append `/admin/identity-provider/add/SAMLv2IdPInitiated` to your FusionAuth base URL). Tracking in GitHub Issue #1181 (https://github.com/FusionAuth/fusionauth-issues/issues/1181).
Version 1.26.0
April 20th, 2021
Lots of changes ahead! Read carefully to see how this release may affect you.
Two Factor APIs
Breaking changes. The Two-Factor API, two-factor fields on the User and Import User APIs and the Integrations API have changed and are not backwards compatible. If you use this functionality, please review the API changes and test before upgrading.
Upgrading from < 1.7.0
If you are upgrading from a version less than 1.7.0, you must do a two stage upgrade. Upgrade to a version greater than or equal to 1.7.0 but less than 1.26.0, then upgrade from that version to 1.26.0. There were internal migration changes which necessitate this two stage process.
Accessing the admin login after upgrading:
The `/` path of FusionAuth no longer automatically forwards to the admin login. To access the admin UI to complete this configuration, append `/admin/` to the URL. Once the theme configuration is complete, this root page will contain links to login and instructions on how to utilize this root landing page.
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Known Issues
- If you use a non default theme for the FusionAuth default tenant, you may see an error when trying to log in to the admin UI. You can work around this by appending `?&bypassTheme=true` to your login URL.
- Resolved in `1.26.1`, see GitHub Issue #1175 for additional details.
Changed
- The Two-Factor API has changed which allows you to enable and disable Two-Factor methods as well as send codes.
- See the Two-Factor API for more details.
- The Two-Factor Login API now returns `409` for too many attempts. This allows the Two-Factor Login API to provide the same locking capability as the Login API when too many failed attempts occur.
- See the Two-Factor Login API for more details.
- The Import API has changed for enabling Two-Factor.
- See the User Import API for changes.
- The User API has changed for enabling and disabling Two-Factor.
- See the User API for changes.
- Email and SMS Two-Factor methods will now require a paid FusionAuth plan. Learn more about paid plans.
- If you are only using Authenticator/TOTP for Two-Factor, this functionality will continue to work properly in the Community plan.
- If you are upgrading from a version less than 1.7.0, you must do a two stage upgrade. Upgrade to a version greater than or equal to 1.7.0 but less than 1.26.0, then upgrade from that version to 1.26.0. There were internal migration changes which necessitate this two stage process.
Fixed
- You can now delete a user registration for an inactive application
- Resolves GitHub Issue #1148
- Spurious text ‘[object Object]’ on FusionAuth admin UI screen when certain Chrome extensions are present.
- Resolves GitHub Issue #1151. Thanks to @NikolayMetchev for filing this.
Tech Preview
- Entity Management
- Resolves GitHub Issue #881
New
- Prometheus Metrics endpoint
- Resolves GitHub Issue #362
- IdP initiated SSO
- Resolves GitHub Issue #566
- An API key to create API keys!
- Resolves GitHub Issue #887. Thanks to @Tintwo for filing this.
- Portions of GitHub Issue #960 were delivered, including features such as:
- Two-Factor step-up API
- SMS Two-Factor with configurable delivery methods
- Localized Message Templates which can be used for SMS Two-Factor messages
- Self service user profile page
- Resolves GitHub Issue #682
- Themeable root page
- Resolves GitHub Issue #378
- Messengers which are used to send SMS messages through Twilio, Kafka or a generic JSON REST API
- Licensing now supports air-gapped deployments
- Client Credentials grant
- Resolves GitHub Issue #155
Enhancements
- Add IP address to login success and failed events.
- Resolves GitHub Issue #1162
Version 1.25.0
March 10th, 2021
SAML v2 Logout is now fully supported. No action should be required. If you are currently using FusionAuth as a SAML v2 IdP, please verify your configuration as you may want to provide additional configuration to take full advantage of the SAML v2 Logout configuration. The addition of SAML v2 Logout means there is a new themed page to manage the user experience for SAML v2 Logout. Please review your theme to ensure your user experience is not interrupted. See additional details in the New section below.
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Changed
- In support of the SAML v2 Logout feature, the following theme changes have been made.
- New themed template: SAMLv2 logout template. This template will be rendered when you utilize the SAML v2 Logout feature; it is nearly identical to the existing OAuth2 logout themed page. If you are using themes, please review your theme to ensure your user experience is not interrupted.
Fixed
- If you are using Elasticsearch version 6 you may encounter an error when using the Search API. This is due to a change in how we optionally request the document hit count in the search request to Elasticsearch. The change is not compatible with Elasticsearch version 6. As a work around, you can set `accurateTotal=true` in the API request. See the User Search API for additional details on using this parameter.
- Resolves GitHub Issue #1135
- Using the HTTP `PATCH` method on the FusionAuth application may produce erroneous validation errors.
- Resolves GitHub Issue #1110
- Adding additional Java options in the configuration file when the value contains a space may not work correctly.
- Resolves GitHub Issue #1065
- A `NullPointerException` may occur when you have users registered for an application in a non default tenant and you create a login report for only that application. Thanks to @NikolayMetchev for filing this.
- Resolves GitHub Issue #1115
- When you omit the `state` parameter on the Authorization request, you may receive a `state` parameter on the `redirect_uri` that you did not expect.
- Resolves GitHub Issue #1113
New
- Add full support for SAML v2 Logout
- Resolves GitHub Issue #1137
Enhancements
- Add a button to the Sessions tab in the FusionAuth admin UI to delete all user sessions at once; this action is also available from the drop down action list when managing a user.
- Resolves GitHub Issue #1094
- Add Debug to OAuth2 grants; this will primarily assist in debugging the Authorization Code grant auth code exchange with the Token endpoint.
- Resolves GitHub Issue #781
- Add CORS Debug; this will assist you in debugging CORS related `403` HTTP status codes.
- Resolves GitHub Issue #1126
- Better SMTP debug for specific scenarios. This should assist with async connection issues and provide context to the tenant and template being rendered during the exception.
- Resolves GitHub Issue #1064
- Allow the Registration API to accept the `applicationId` as a URL segment.
- Resolves GitHub Issue #1127
- Twitter IdP Login API can optionally accept an access token. When building your own login page, if you complete the initial step with Twitter and utilize the `oauth_verifier` to perform some initial processing of the Twitter user, you may now still send the access token in the form of `oauth_token` and `oauth_token_secret` to FusionAuth to complete the login. This is done by omitting the `oauth_verifier` on the Login request. See Complete the Twitter Login for additional information.
- Resolves GitHub Issue #1073
- When Key Master generates a `kid` because one is not provided on the request, if there is a public key, generate the `kid` as a JWK thumbprint instead of a randomly generated value.
- Resolves GitHub Issue #1136
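As an added example (not FusionAuth's code), the following shows how an RFC 7638 JWK thumbprint is computed so it can serve as a deterministic `kid` in the way the Key Master change above describes; it also covers EC and symmetric (`oct`) JWKs, which the note does not mention. All key material below is constructed placeholder data, not a real key.

```python
# Added example: derive a deterministic `kid` for a JWK as its RFC 7638 thumbprint.
import base64
import hashlib
import json
from typing import Dict

# RFC 7638 section 3.2: only these members feed the hash, so optional members
# such as kid, alg, use or x5c never change a key's thumbprint.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def b64url(raw: bytes) -> str:
    """Base64url without padding, as used for JWK values and the thumbprint."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def int_to_b64url(value: int) -> str:
    """Minimal big-endian encoding of an unsigned integer (RFC 7518 section 2)."""
    return b64url(value.to_bytes((value.bit_length() + 7) // 8, "big"))


def canonical_jwk(jwk: Dict[str, str]) -> str:
    """Required members only, lexicographically ordered, no whitespace (RFC 7638 section 3)."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    members = REQUIRED_MEMBERS[kty]
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK is missing required members: {missing}")
    subset = {m: jwk[m] for m in members}
    return json.dumps(subset, separators=(",", ":"), sort_keys=True, ensure_ascii=False)


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """SHA-256 over the canonical UTF-8 JSON, base64url-encoded (43 characters)."""
    digest = hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest()
    return b64url(digest)


def assign_kid(jwk: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with kid set to the thumbprint when the caller supplied none."""
    out = dict(jwk)
    if "kid" not in out:
        out["kid"] = jwk_thumbprint(jwk)
    return out


# Constructed sample RSA public JWK: the modulus is an arbitrary odd number,
# not a real key. "AQAB" is the common public exponent 65537.
SAMPLE_RSA_JWK = {
    "kty": "RSA",
    "n": int_to_b64url(0xC0FFEE_00000000_0000BEEF_12345678_9ABCDEF0_0000000F_00000001),
    "e": "AQAB",
    "alg": "RS256",
    "use": "sig",
}

# Constructed sample EC JWK with placeholder coordinates (not a point on P-256).
SAMPLE_EC_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": int_to_b64url(0x1234),
    "y": int_to_b64url(0x5678),
}

if __name__ == "__main__":
    print(canonical_jwk(SAMPLE_RSA_JWK))
    print(assign_kid(SAMPLE_RSA_JWK)["kid"])
    print(assign_kid(SAMPLE_EC_JWK)["kid"])
```

Because the thumbprint ignores everything but the key's required members, two JWKS entries with the same public key always get the same `kid`, while a caller-supplied `kid` is left untouched.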
- When using the Search feature in the FusionAuth admin UI, once you begin searching using a specific term or any of the advanced controls, the pagination result total will be an accurate representation of the number of matches returned by Elasticsearch. When no search criteria are provided, the number of matches will cap at the default value of 10,000 and the pagination results will indicate 10,000+, which means at least 10,000 users match the search criteria.
Internal
- Upgrade Tomcat from version `8.5.57` to `8.5.63`.
- Resolves GitHub Issue #1119
Version 1.24.0
February 11th, 2021
Known Issues
- If you are using Elasticsearch version 6 you may encounter an error when using the Search API. This is due to a change in how we optionally request the document hit count in the search request to Elasticsearch. The change is not compatible with Elasticsearch version 6. As a work around, you can set `accurateTotal=true` in the API request.
- Resolved in `1.25.0`, see GitHub Issue #1135 for additional details.
Security
- More consistent usage of the `Cache-Control` HTTP response header. The default for all pages will be `Cache-Control: no-cache`, and some pages that may contain potentially sensitive information, such as the API key add, edit or index pages, will use `Cache-Control: no-store`. No known vulnerability exists with the previous behavior; this is just a proactive change to limit the possible misuse of cached pages in the FusionAuth admin UI.
- Resolves GitHub Issue #1103
- A vulnerability in an underlying SAML v2 library was resolved. If you are using SAML please upgrade FusionAuth to 1.24.0 or later as soon as possible.
Changed
- The `applicationId` and `roles` claims are no longer returned in the `id_token` issued when requesting the `openid` scope. The `id_token` should not be used for authorization; this change makes it less likely to misuse this token. If you have a requirement for these claims (you shouldn’t), you can add them back by using a JWT Populate lambda. See Id Token claims for additional information.
- Resolves GitHub Issue #1102
Fixed
- When using the Add or Edit Identity Provider forms in the admin UI, if you have ~2,000 or more applications it is possible for the form request to be truncated by the underlying application server. This error is caused by the maximum number of request parameters being exceeded. This form in particular, along with the Group Add/Edit and Webhook Add/Edit, contains a number of fields that is a function of the number of applications configured. An informational error may be written to the system log indicating this truncation has occurred, but no hard error would have occurred. The symptom is that, depending upon your configuration, a portion of it may be lost during this form submit. The entry in the log will contain this message: `org.apache.tomcat.util.http.Parameters.processParameters More than the maximum number of request parameters (GET plus POST) for a single request ([10,000]) were detected. Any parameters beyond this limit have been ignored.`
- Resolves GitHub Issue #1057
- When you have registered a custom plugin for password hashing, using the View Tenant dialog may fail to render.
- Resolves GitHub Issue #1063
- Unable to remove a User from a Group using the admin UI dialog. This was a regression issue introduced in version 1.23.0.
- Resolves GitHub Issue #1081
- If a user was not currently in the Elasticsearch index, the user delete request may fail.
- Resolves GitHub Issue #1088
- The JWT returned from the Register API when you are creating a User and a Registration in one request may not contain the `roles` claim. This occurs when you do not assign the roles explicitly on the request, and instead are using default role assignment in the application configuration.
- Resolves GitHub Issue #1106
- After updating a User that has existing group memberships, the user may no longer be searchable in Elasticsearch by their Group memberships until the next time the user logs into FusionAuth.
- Resolves GitHub Issue #1087
- A Kafka Producer configuration that contains an equals sign (`=`) in the property value will fail to parse. This was identified in attempting to configure credentials to connect to CloudKarafka.
- Resolves GitHub Issue #1107, thanks to @chris-bridges for letting us know!
Enhancements
- Support a Kickstart file with only a `licenseId`. Previously at least one API key was required because the intent of Kickstart is to call one or more APIs. While there is not a very practical use case for only providing a `licenseId` and no API requests, this minimal configuration will no longer fail indicating an API key is required. See Set your License Id in the Kickstart documentation.
- Resolves GitHub Issue #1080
- You may now import an RSA certificate with a key bit length less than `2048` into Key Master. The minimum supported RSA key length for signing a JWT is `2048`, so this was previously the minimum requirement to import anything into Key Master. However, we have several configurations now that require a certificate that is only used to verify a signature from a third party. In these cases, we are not using the certificate to sign anything, and @trevorr rightly pointed out that we should allow smaller keys to be imported to support these use cases. Thank you for the (now obvious) insight! We really appreciate our community members that provide us value for value.
- Resolves GitHub Issue #1085 & GitHub Issue #1091
- Added an additional Search API parameter to allow you to obtain the actual hit count from Elasticsearch. For performance reasons, the default behavior of an Elasticsearch query is to limit the hit count to 10,000. This means that if your query matched more than 10,000 records, the API response will only indicate that at least 10,000 records matched. This is very adequate for pagination purposes, or general queries. There are times where you are building a very specific query and the intent is to identify an accurate number of matching records. You may now provide an additional parameter to the search request named `accurateTotal` which will then return an accurate hit count on the API response. See the User Search API for additional details.
- Resolves GitHub Issue #1086
- Allow the user to click on the Enabled column in the Webhook event configuration in the Webhook and Tenant configurations to enable or disable all events at once. This is just a usability enhancement to save you from clicking over and over. You’re welcome.
- Resolves GitHub Issue #1093
- For pages with potentially a lot of items such as Applications, Tenants, etc - that do not currently have pagination, add a count at the bottom of the panel. This allows you to look smart by knowing how many “things” you have without having to count them yourself.
- Resolves GitHub Issue #1104
Internal
- Some enhancements to JavaScript event handlers to perform better on pages with 2-3k+ applications. Pretty boring.
- Resolves GitHub Issue #1105
Version 1.23.3
January 21st, 2021
Fixed
- A tenant delete request may fail. See details in the linked GH issue for a work around. This issue was introduced in version 1.22.0.
- Resolves GitHub Issue #1075
Version 1.23.2
January 20th, 2021
Fixed
- A bug in the PostgreSQL migration will cause you to lose your SAML v2 IdP configuration. If you are using MySQL or you are not using the SAML v2 IdP configuration, this bug will not affect you. The issue was introduced in version 1.21.0, so if you are upgrading from a version prior to 1.21.0 to 1.23.2 you will not be affected. If you have already upgraded to 1.21.0 or any version greater than 1.21.0 prior to this patch, you will have already encountered the issue. If you do encounter this issue, you will need to update the SAML v2 IdP configuration found in each affected Application configuration.
- Resolves GitHub Issue #1074
Version 1.23.1
January 13th, 2021
Fixed
- When configured to sign the SAML v2 AuthN requests to the SAML v2 IdP, the SAML v2 SP metadata does not correctly reflect this setting. The attribute `AuthnRequestsSigned` should now reflect the signing configuration.
- When configured to sign requests, the SP metadata response will now also contain the KeyDescriptor element to describe the X.509 certificate used to verify the signature.
- Resolves GitHub Issue #1067
Version 1.23.0
January 11th, 2021
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Known Issues
- If you are upgrading to this version, are using PostgreSQL, and you intend to use the provided LinkedIn Reconcile lambda, you will need to make a small adjustment prior to using it.
- Navigate to Customizations -> Lambdas and edit the lambda named `Default LinkedIn Reconcile provided by FusionAuth`. You will see an error indicated by a red dot on line `23` of the function body. To fix this error, delete the two empty lines between the end of line `23` and line `25`; once the error indicator is gone, save the lambda.
- Unable to remove a User from a group using the admin UI dialog.
- Fixed in version 1.24.0 via GitHub Issue #1081
Fixed
- A validation error may not be visible when selecting self service registration options when the FusionAuth license has not been activated.
- Resolves GitHub Issue #951
- The User Action API was returning a `200` status code instead of a `404` when requesting an action by Id that did not exist.
- Resolves GitHub Issue #991, thanks to @hkolbeck-streem for the report!
- The IP address shown on the About panel may be the same for each node when viewed on a multi-node FusionAuth instance. This address is shown for informational purposes and was only a cosmetic defect without any functional issues.
- Resolves GitHub Issue #1030
- The SAML Response XML was failing XSD validation for the `Signature` element location when the request was not successful, or FusionAuth was configured to sign the response instead of the assertion.
- Resolves GitHub Issue #1047, thanks to @MrChrisRodriguez for the excellent report!
- Fix a possible NPE when making an Update request to a group in a multi-tenant environment. With this fix, the correct API response will be returned.
- Resolves GitHub Issue #1052, thanks to @atrauzzi for the report!
- When creating an IdP from the API for Google, Facebook, Twitter, or HYPR, the API was allowing an Id to be provided. Each of these IdP types, of which only one instance is allowed, has a fixed Id that is managed by FusionAuth. The API should ignore the requested Id and set the correct Id instead. If you encounter this issue, the work around is to omit the Id on the API request.
- Resolves GitHub Issue #1058
- Kickstart fails when using a variable in the `tenantId` field for an API key.
- Resolves GitHub Issue #1060, thanks to @rhofland for the report and the excellent recreate steps!
New
- Sign in with LinkedIn. A new identity provider type is available for LinkedIn.
- Resolves GitHub Issue #34
- New FusionAuth roles oriented for Level 1 support personnel. These new roles are named `user_support_viewer` and `user_support_manager`; see FusionAuth application roles for additional detail.
- Resolves GitHub Issue #1027
Enhancements
- Updates to the User and Import API to provide validation on the length of an email address. This will provide a developer a better error when the provided email address is too long.
- Resolves GitHub Issue #900
Client libraries
- Enhancements to the .NET Core client library to better support requests in a multi-tenant environment and to use the `IDictionary` reference instead of `Dictionary`.
- Resolves GitHub Issue #1049 and GitHub Issue #1050, thanks to @atrauzzi for sharing his .NET Core expertise!
Version 1.22.2
December 10th, 2020
Fixed
- When using a connector, if the provided password does not meet the configured password constraints the login attempt will fail. This is by design; however, because FusionAuth is not the Source of Record (SoR), the password should not be required to meet the configured password constraints. The current SoR should enforce their own password constraints. If the connector is configured to migrate the user, and the tenant policy is configured to validate password constraints on login, the password will be validated according to this policy.
- Resolves GitHub Issue #1020, thanks to @ckolbeck-streem for the help!
- Using the Verify Email workflow on the FusionAuth themed pages when the email address has a plus sign (`+`) in the local part of the address may fail to send the user an email.
- Resolves GitHub Issue #1034
Version 1.22.1
December 8th, 2020
Fixed
- When endpoint discovery is disabled, OpenID Connect endpoint validation errors may be hidden when editing the OpenID Connect IdP configuration in the UI.
- Resolves GitHub Issue #794
- The Manage User page may fail to render when the user has an action or comment made by a user without an email address.
- Resolves GitHub Issue #1012, nice catch by @pamcpd!
- The `tenantId` parameter may not be preserved correctly in a multi-tenant configuration during the Device authorization grant.
- Resolves GitHub Issue #1016, thanks to @JediSquirrel and @jerryhopper for reporting!
Enhancements
- Limit the origin validation during OAuth2 grants that occur as a result of a redirect from FusionAuth.
- Resolves GitHub Issue #1018, thanks to our Icelandic friend @eirikur-grid for reporting.
- Expose the default signing key Id as a Kickstart variable. See the Kickstart installation guide for additional detail.
- Resolves GitHub Issue #1026, thanks to @dan-barrett for the request!
Version 1.22.0
December 1st, 2020
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Changed
- The Application and Tenant domain objects now contain a `state` field that will be returned on the API response.
- This new `state` field replaces the `active` boolean on the Application object and API. The `active` field is now deprecated, and backwards compatibility will be preserved.
Fixed
- When viewing a form in the UI, the required column value may not be correct.
- Resolves GitHub Issue #975
- Unable to request a second 2FA code on the themed login page during a 2FA login request. See the linked GitHub issue for a workaround.
- Resolves GitHub Issue #980, thanks to @DaviddH for reporting the issue!
- A missing message may cause an exception during a login attempt when using an LDAP connector.
- Resolves GitHub Issue #981, thanks to @ruckc for letting us know.
- Incorrect message shown on a registration form when no fields have been added, this is purely a cosmetic issue.
- Resolves GitHub Issue #983
- The view dialog for a Google IdP incorrectly shows the client secret for both the Client Id and the Client secret fields.
- Resolves GitHub Issue #999
- Selecting a preferred language during login may append this value to the user’s configuration allowing for possible duplicate locales.
- Resolves GitHub Issue #1006, thanks to @arni-inaba for reporting the issue.
- Using the Import API to import users to a tenant other than the default tenant when more than one tenant is configured may fail validation. This issue was introduced in version 1.20.0 under GitHub Issue #915.
- Resolves GitHub Issue #1008
- Logging out of FusionAuth SSO when you have a webhook configured to receive the Refresh Token Revoke event, may cause an exception that will be found in an event log.
- Resolves GitHub Issue #1017
New
- The Elasticsearch index name can now be configured. This may be helpful if you wish to run multiple instances of FusionAuth on the same Elasticsearch cluster. See `fusionauth-app.user-search-index.name` in the FusionAuth configuration for additional details.
- Resolves GitHub Issue #631, thanks to @chrishare08 for the suggestion.
- Add async support for the Delete Tenant API. Deleting a tenant can take a very long time, so when deleting a tenant from the UI, FusionAuth will use the new async option. If you are making an API request to delete a tenant with many users, you may wish to use the async option. See the Tenant API for additional details.
- Resolves GitHub Issue #990
Enhancements
- The Elasticsearch reindex operation is now much faster, especially when re-indexing more than 1 million users. On a reasonably fast system, 1 million users can be re-indexed in approximately 3 minutes, and this time scales linearly with the user count. In general there is no need to re-index in production, but in a development phase or as part of a database migration it may be necessary to re-index the FusionAuth users.
- Resolves GitHub Issue #918
- When configuring an IdP that requires additional CORS configuration to operate properly, FusionAuth will display a warning message in the UI. This message has been updated to make it clearer that additional user action isn’t required to complete the configuration.
- Resolves GitHub Issue #998
- Increase the read timeout to third party identity providers. It has been reported that the Apple identity provider in particular may experience a read timeout for particular accounts.
- Resolves GitHub Issue #1010, thanks to @thekoding for the suggestion.
Version 1.21.0
November 10th, 2020
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Known Issues
- If you are using PostgreSQL and you are using FusionAuth as a SAML v2 IdP, upgrading to this version will break your SAML v2 IdP configuration. Resolved in 1.23.2.
- If you are running FusionAuth prior to this version, skip to 1.23.2 to avoid the issue. If you need to update to this version or any version after this version but prior to 1.23.2, you will want to record your existing SAML v2 IdP configuration for each application with SAML v2 IdP enabled so that you can re-configure after the upgrade has completed.
Fixed
- Beginning in version 1.9.0, if you are using the SAML IdP configuration to connect to a third party SAML v2 IdP and you are not using the FusionAuth login pages, you must initiate this request with FusionAuth by using the Start Login Request API. When making this start request w/out any additional custom data on the API request, an exception may occur. Review the linked issue for a workaround if you are unable to update to this patch release.
- Resolves GitHub Issue #963
- Using Bcrypt as the default hashing scheme may cause an exception to occur in some circumstances.
- GitHub Issue #966, thanks to @wasdennnoch for reporting the issue and providing great debug info.
- Add custom data on the Consent object to the view dialog in the UI, and fix some possible issues with editing Consent and other similar objects with custom data in the UI. In some cases, editing an object such as a Consent in the UI will cause you to lose any custom data you had previously stored.
- Resolves GitHub Issue #970, thanks to @mgetka for opening this issue.
Enhancements
- The location of the XML signature in the SAML response may be configured to be a child of the `Assertion` element, or of the `Response`. The default location is `Assertion`, which is the same as the previous behavior to ensure backwards compatibility. In most cases the default configuration is adequate; if you have a SAML v2 Service Provider that requires the signature as a child element of the Response, use this configuration to satisfy this requirement.
- Resolves GitHub Issue #365, thanks to @mikerees for requesting this feature.
- The PKCE extension will now be used by the OpenID Connect IdP configuration that allows you to connect to third party OpenID Connect identity providers. This allows FusionAuth to be compatible with identity providers that may require PKCE. This change is compatible even if your identity provider does not require or does not support PKCE.
- GitHub Issue #968, thanks to @jandillmann for the request!
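The PKCE exchange described above, as an added example that is not part of these release notes or of FusionAuth's own code: a client generates a random `code_verifier`, sends the S256 `code_challenge` on the authorize request, and the token endpoint later checks that the presented verifier reproduces the challenge. The client Id and redirect URI in the usage are hypothetical; the test vector is the one published in RFC 7636, Appendix B.

```python
"""PKCE (RFC 7636) as used between an OpenID Connect relying party and an IdP:
generate a code_verifier, derive the S256 code_challenge sent on the authorize
request, and verify a verifier the way the token endpoint does."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Test vector from RFC 7636, Appendix B.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random verifier: 32 bytes gives 43 chars (the RFC minimum), 96 bytes gives 128 (the maximum)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(code_verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(ascii(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_code_verifier(code_verifier: str, code_challenge: str, method: str = "S256") -> bool:
    """What the token endpoint checks: the verifier presented with the authorization
    code must reproduce the challenge that accompanied the authorize request."""
    if not 43 <= len(code_verifier) <= 128:
        return False
    if method == "S256":
        expected = make_code_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False
    return hmac.compare_digest(expected, code_challenge)


def authorize_params(client_id: str, redirect_uri: str, state: str, code_challenge: str) -> str:
    """Query string for the IdP's authorization endpoint. Only S256 is emitted;
    'plain' exists in the RFC but offers no protection against a leaked code."""
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    })


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # Hypothetical client Id and redirect URI, for illustration only.
    print(authorize_params("my-client", "https://app.example.com/callback", "abc123", challenge))
    print(verify_code_verifier(verifier, challenge))
```

An IdP that does not support PKCE simply ignores the two extra authorize parameters and the `code_verifier` on the token request, which is why the change is harmless for providers that do not require it.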
- Add the `application` domain object to email templates when available. This will allow you to use the Application name using `${application.name}` in your template.
- Resolves GitHub Issue #976
Version 1.20.1
October 30th, 2020
Fixed
- UI sorting preferences were not preserved after a page refresh
- Resolves GitHub Issue #461, thanks to @mreschke (a fellow Coloradan) for letting us know!
- Update a tooltip to better describe the use of Require authentication in the OAuth settings
- Resolves GitHub Issue #654, thanks to @JuliusPC for the suggestion.
- An exception may occur if you attempt to change your password immediately after installation before modifying the Tenant configuration to configure email, JWT settings etc.
- Resolves GitHub Issue #758, thanks to @srothery for the report and debug assistance!
- Providing duplicate connector policies on the Tenant API may cause an exception
- Resolves GitHub Issue #917
- Set the Twitter tokens in the User Registration after logging in with Twitter
- Resolves GitHub Issue #937, thanks to @LohithBlaze for reporting the bug.
- Allow the Refresh Token meta data fields to be set during the Password Grant
- Resolves GitHub Issue #947, thanks to @ShayMoshe for letting us know about this limitation.
Enhancements
- Add additional Kickstart settings to modify the default timeouts used to make API calls to FusionAuth.
- Resolves GitHub Issue #803, thanks to @seanadkinson for the suggestion!
- Expose default Lambda and Form Ids to Kickstart so you can assign one of the default Lambdas to an identity provider configuration.
- Resolves GitHub Issue #836, thanks to @LohithBlaze for letting us know about this limitation.
- Return the `encryptionScheme` on the User API response when authenticated using an API key.
- Resolves GitHub Issue #955
Version 1.20.0
October 23rd, 2020
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Changed
- Updated base image for Docker from `alpine` to `ubuntu:focal`. This is a non-functional change, but please be aware of it if you are building Docker images using ours as a base. In order to run on `alpine` without including the GNU C Library (`glibc`) we had to use a custom build of OpenJDK compiled against the `musl` C library. Due to some possible performance concerns, we have moved to an official build of the JDK provided by AdoptOpenJDK compiled against `glibc`. The `ubuntu:focal` base image added roughly 30 MB compared to our previous (compressed) image size, but until we can obtain AdoptOpenJDK builds based upon the `musl` C library, we will not likely ship an official image on `alpine`.
Fixed
- Resolve a warning message about an upcoming deprecated use of reflection in a FusionAuth dependency. This warning message was not causing any failures, it was just noisy.
- Resolves GitHub Issue #721
- A negative count may be displayed in the FusionAuth dashboard and other reports. This was primarily due to how the delete tenant was handled as it related to keeping track of total user counts. The delete tenant code path no longer utilizes the Elasticsearch index and takes a safer approach to deleting users and keeping track of total counts.
- Resolves GitHub Issue #799, thanks to @gurupras for helping us out with this one!
- Better user experience for advanced self service forms once a license has been de-activated.
- Resolves GitHub Issue #861
- Fix self service registration form validation when using custom options with a `select`, `radio` or `checkbox`.
- Resolves GitHub Issue #863
- Resolves GitHub Issue #865
- Resolves GitHub Issue #867
- Fix UI form validation when adding and removing fields from an existing self service registration form.
- Resolves GitHub Issue #866
- The `applicationId` was not validated on the Import User API; the import would still correctly fail, just not in a developer friendly way.
- Resolves GitHub Issue #915
- Fix a typo on the Activate Reactor page in the UI.
- Resolves GitHub Issue #945
- When using self service registration, the `authenticationType` claim found in the resulting JWT was always `PASSWORD` even if the authentication was performed using Facebook, Google or another identity provider.
- Resolves GitHub Issue #948
New
- Support for SAML v2 POST bindings to a third party SAML v2 Identity Provider (IdP) when FusionAuth is acting as the SAML v2 Service Provider (SP).
- Resolves GitHub Issue #845
- Add the SAML v2 `SessionIndex` in the SAML v2 AuthN request.
- Resolves GitHub Issue #896
- You may now customize the Add and Edit form used to manage users in the FusionAuth admin UI. You may add or remove existing fields found on the User form, or add new fields to allow an admin to manage custom user data. This can be used with advanced self service registration, or as a standalone feature.
- This feature requires a paid FusionAuth plan.
- Resolves GitHub Issue #753
- You may now customize the Add and Edit User Registration form used to manage user registration in the FusionAuth admin UI. You may add or remove existing fields found on the User Registration form, or add new fields to allow an admin to manage custom registration data. This can be used with advanced self service registration, or as a standalone feature.
- This feature requires a paid FusionAuth plan.
- Resolves GitHub Issue #753
Enhancements
- When configuring FusionAuth as the SAML v2 IdP, you may now configure one or more redirect URLs, also referred to as Assertion Consumer Service (ACS) URLs. This will allow you to support more than one redirect configuration per FusionAuth application.
- Resolves GitHub Issue #502
- When using more than one tenant the `tenantId` is documented to be required when using the OAuth2 endpoints. However, in some cases it may not be provided; this enhancement allows the correct tenant to be identified during logout when only the `id_token_hint` is provided on the request to the `/oauth2/logout` endpoint. This issue only affects FusionAuth versions `1.19.0` and greater due to the addition of multi-tenant SSO. Prior to version `1.19.0`, it was not possible to be logged into more than one tenant at once using FusionAuth SSO.
- Resolves GitHub Issue #925
- Initial build support for multi-arch Docker images. FusionAuth is not yet publishing images for these additional arch types, but we are trying to better support these builds in our base image definition. This should help those running FusionAuth on IBM z (s390x), IBM Power (64 bit PowerPC) and various ARM platforms including AWS Graviton, Apple Bionic and embedded platforms such as Raspberry Pi.
- Thanks to a bunch of our FusionAuth MVPs including, but not limited to, @jerryhopper, @arslanakhtar61, and @ceefour, for helping with this work through code, advice and domain knowledge that we don't have!
Version 1.19.8
September 28th, 2020
Fixed
- The documented configuration parameter `fusionauth-app.http.port` is not picked up by FusionAuth. If you were to override the default value of `9011`, the server will properly bind to the correct port, but FusionAuth will not use this local port to connect to itself.
- Resolves GitHub Issue #891
- When importing users using the Import API on PostgreSQL, if you have a wide distribution of values for the `insertInstant` on the User object, you may encounter a PostgreSQL exception.
- Resolves GitHub Issue #892
- Disable the Elasticsearch Sniffer by default. The Elasticsearch Sniffer was enabled in version 1.19.0 to allow the Elasticsearch REST client, starting from a single connection, to discover the other nodes in the cluster. This causes problems for cloud managed services or Elasticsearch running within a container service such as k8s. It is now off by default and can be enabled if desired. See the new configuration property `search.sniffer`.
- Resolves GitHub Issue #893
Enhancements
- Add a `referrer` meta tag to provide a default policy for the browser. Most browsers are now providing a decent default value, but this will ensure a secure default value is utilized. New Themes will default to `strict-origin`, but this can be modified in the Helper template, and can also be added to existing themes.
- Resolves GitHub Issue #894
Version 1.19.7
September 23rd, 2020
Fixed
- The default exception handling in the Elasticsearch REST client allows for some expected exceptions to go un-handled which may fail the search request. Add an exception handler to keep these underlying HTTP exceptions from causing failures.
- Resolves GitHub Issue #868, thanks to @zbruhnke for reporting and helping us track this one down.
- Some LDAP exception messages will include an embedded `null` in the message body. PostgreSQL does not allow embedded `null` characters in a text field, so this may cause FusionAuth to throw an exception when using PostgreSQL.
- Resolves GitHub Issue #879
- When selecting Re-validate password on login while also restricting usage of previous passwords, the user may end up in a loop of being required to change their password during login.
- Resolves GitHub Issue #880
- In the 1.19.0 MySQL migration script, if you have many refresh tokens, it is possible that a duplicate key will be generated due to a poor random Id generator.
- Resolves GitHub Issue #890
Enhancements
- Add a helper for Active Directory LDAP to handle conversion of a base64-encoded Microsoft `objectGuid` to a Java UUID. See the LDAP Connector Reconcile Lambda for more information.
- Resolves GitHub Issue #822, thanks to @bradleykite for the assistance on this one!
Version 1.19.6
September 16th, 2020
Fixed
- Startup may fail on version 1.19.5 of the FusionAuth docker image with the following error on the console: `setenv.sh: line 91: : invalid variable name`.
- Resolves GitHub Issue #870, thanks to @virginijus-servicebridge, @arunmg007 and @mao75 for reporting!
Version 1.19.5
September 15th, 2020
Fixed
- When deleting an application role that is in use by a Group, an exception occurs.
- Fix possible errors when upgrading to version 1.19.0 on managed MySQL services such as Google Cloud SQL.
Enhancements
- Be more forgiving and allow for un-escaped URL path and query characters.
Version 1.19.4
September 12th, 2020
Fixed
- When using a JWT populate lambda, the JWT returned during a combination User + Registration API request may not have the `registration` or `roles` arguments available in the lambda. This issue was introduced in version `1.16.0`.
- GitHub Issue #856, thanks to @calebfreeman for reporting.
- When using MySQL and Silent Mode database configuration, you may encounter an error indicating `java.lang.IllegalStateException: Unable to capture database lock.` or `Caused by: java.sql.SQLException: No suitable driver found for jdbc:mysql://...`. This issue was introduced in version `1.19.0`; if you encounter this error, please upgrade. If you are unable to upgrade, attempt to start up without silent mode and go through maintenance mode interactively.
- Resolves GitHub Issue #857, thanks to @ceefour for letting us know.
Version 1.19.3
September 10th, 2020
Security
- Proactively upgrade third party dependency due to published CVEs.
- Upgrade Apache Commons File Upload to `1.4.0`
- https://www.cvedetails.com/cve/CVE-2016-1000031/
Changes
- Upgraded Kafka client to `2.6.0`
- Upgrade MySQL connector to `8.0.21`
- If you are using MySQL, and are currently re-packaging the MySQL connector in a Docker image or similar strategy to keep this jar from being downloaded at runtime, you will need to update your version to match FusionAuth.
- Upgrade your MySQL connector to 8.0.21; the `mysql-connector-java-8.0.21.jar` will be expected to be found in `/usr/local/fusionauth/fusionauth-app/apache-tomcat/lib`.
- Upgrade PostgreSQL connector to `42.2.14`
Fixed
- The clock skew calculation used when verifying a SAML AuthN response from a SAML v2 IdP may incorrectly cause a validation error. If you encounter this error you may see something like `Unable to verify the [audience] attribute. The attribute cannot be confirmed until [2020-09-01T16:01:31+0000].` in the Debug or Error Event Log associated with the SAML v2 login request.
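Two of the checks an SP makes on an incoming SAML Response come up in these notes: the clock skew applied to the `Conditions` window (the 1.19.3 fix above) and where the XML Signature is placed, under `Assertion` or under `Response` (the 1.21.0 enhancement earlier on this page). The following is an added example, not FusionAuth's code, that builds a constructed minimal Response and runs both checks; signature cryptography is out of scope, only the element's location is inspected, and the timestamps, audience and 60-second skew are assumptions chosen to reproduce the "cannot be confirmed until" situation.

```python
"""Two checks a SAML v2 Service Provider makes on an incoming Response:
where the XML Signature sits (child of Response or of Assertion) and whether
the Conditions window holds once clock skew is allowed for."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample values; nothing here comes from a real IdP.
SAMPLE_AUDIENCE = "https://sp.example.com/saml"
SAMPLE_NOW = datetime(2020, 9, 1, 16, 1, 0, tzinfo=timezone.utc)  # SP clock
SAMPLE_NOT_BEFORE = "2020-09-01T16:01:31Z"                           # IdP clock 31 s ahead
SAMPLE_NOT_ON_OR_AFTER = "2020-09-01T16:06:31Z"
NO_SKEW = timedelta(0)


def build_response(signature_under: str, not_before: str, not_on_or_after: str, audience: str) -> str:
    """Minimal Response with a placeholder ds:Signature placed under 'response'
    or 'assertion' (or nowhere, for any other value)."""
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>'
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0">'
        + (sig if signature_under == "response" else "")
        + '<saml:Assertion ID="_a1" Version="2.0">'
        + (sig if signature_under == "assertion" else "")
        + f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        + f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>"
        + "</saml:Conditions></saml:Assertion></samlp:Response>"
    )


def signature_location(xml: str) -> str:
    """'response', 'assertion' or 'none', matching the configurable placement."""
    root = ET.fromstring(xml)
    if root.find("ds:Signature", NS) is not None:
        return "response"
    if root.find("saml:Assertion/ds:Signature", NS) is not None:
        return "assertion"
    return "none"


def parse_instant(value: str) -> datetime:
    """xsd:dateTime in UTC, e.g. 2020-09-01T16:01:31Z (fractional seconds allowed)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(xml: str, expected_audience: str, now: datetime,
                     clock_skew: timedelta = timedelta(seconds=60)) -> List[str]:
    """Return validation problems (an empty list means the Conditions hold).
    The skew widens the window on both edges, so an IdP clock a few seconds
    ahead does not reject an otherwise valid assertion."""
    root = ET.fromstring(xml)
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return ["missing Conditions element"]
    problems: List[str] = []
    not_before = cond.get("NotBefore")
    if not_before and now + clock_skew < parse_instant(not_before):
        problems.append(f"not yet valid: NotBefore is {not_before}")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after and now - clock_skew >= parse_instant(not_on_or_after):
        problems.append(f"expired: NotOnOrAfter is {not_on_or_after}")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and expected_audience not in audiences:
        problems.append(f"audience mismatch: expected {expected_audience}, got {audiences}")
    return problems


def run_demo() -> dict:
    """Exercise both checks on the constructed sample, with and without skew."""
    xml = build_response("assertion", SAMPLE_NOT_BEFORE, SAMPLE_NOT_ON_OR_AFTER, SAMPLE_AUDIENCE)
    return {
        "signature": signature_location(xml),
        "with_skew": check_conditions(xml, SAMPLE_AUDIENCE, SAMPLE_NOW),
        "without_skew": check_conditions(xml, SAMPLE_AUDIENCE, SAMPLE_NOW, NO_SKEW),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With zero skew the sample fails on `NotBefore` exactly as the event log message above describes; with a modest allowance it passes, while an audience that does not match, or an assertion that is genuinely stale, is still rejected. Keep the allowance small (tens of seconds), since every second of skew extends the replay window of a captured assertion by the same amount.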
Enhancements
- Better email address validation to ensure the address will be deliverable.
Version 1.19.2
September 6th, 2020
Fixed
- Using the External JWT Identity Provider with the Lookup API may fail to validate a JWT
- Resolves GitHub Issue #850
Version 1.19.1
September 4th, 2020
Fixed
- If you are using the database search engine, FusionAuth may fail to start up correctly.
- Resolves GitHub Issue #846, thanks to @motzel for reporting so quickly!
- The legacy environment variable named `FUSIONAUTH_SEARCH_SERVERS` is not honored ahead of the named configuration file property.
- Resolves GitHub Issue #847, thanks to @soullivaneuh for letting us know!
Version 1.19.0
September 3rd, 2020
This release includes a database migration that may require a few minutes to complete. If you have 1M+ refresh tokens you should plan for a few minutes to allow the schema update to complete. This time will vary significantly based upon the size and performance of your database. Testing upgrades with 2M+ refresh tokens took approximately 2-3 minutes on bare metal with an SSD. If you're running on a managed database that limits IOPS the migration may be longer. For larger instances it is advised you test the migration ahead of time to identify the downtime required to complete the upgrade.
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Our development team works so hard to bring you cool features and enhancements. Many of the features we build, or the enhancements we make come from the feedback and bug reports we receive from our community.
Thank you to each of you that has taken the time to open a GitHub issue, or raise a concern on our forum. All of this input and feedback is valued, and it makes FusionAuth better!
Known Issues
- When running MySQL, it is possible you may encounter an issue logging into the FusionAuth admin console after updating to version 1.19.0. The symptom is that upon login you are redirected to an empty page that asks you to return to login.
- See GitHub Issue #934 for additional details and a work around.
Changed
There a few changes in this release that you will need to be aware of, please read these carefully. If you have a support contract, please reach out if you have questions or concerns.
- If you are using the SAML v2 Identity Provider Login API directly you will need to update your integration. If you are using the SAML v2 Identity Provider configuration with the FusionAuth themed pages, there is no change required.
- The Start Identity Provider API must now be used prior to sending the SAML v2 AuthN request to the SAML IdP. You may optionally build your own Request Id, or use one generated by FusionAuth. See the Start API for additional details.
- The FusionAuth SSO and admin UI are now stateless and no longer require session pinning to maintain an HTTP session. Leaving existing session pinning in place should not cause any harm, but you may remove it at your earliest convenience.
- Silent Mode may be used while in `production` runtime mode. This allows you to leverage the FusionAuth maintenance mode to upgrade the database schema for both `production` and `development` runtime modes.
- The Status API no longer returns a full JSON response unless the request is authenticated by an API key or a FusionAuth admin user.
- The API also now returns several status codes to provide additional insight into possible issues. See the Status API documentation for additional information.
- When building customized field error messages for custom Registration forms, a field error such as `[missing]user.data.foo` may now be `[blank]user.data.foo`. Note the prefix may have changed from `[missing]` to `[blank]`. If you have created customized values for Registration Forms, please review your error messages and test your existing validation to ensure the correct text is displayed.
- The Linux Debian and RPM packages now ship with a `systemd` service definition instead of the legacy Sys V init scripts. If the distribution of Linux you are using does not support `systemd` you will need to plan to upgrade. In most cases this should not affect anyone running FusionAuth on Linux using the provided RPM or Debian packages, as bridge scripts generally allow you to start and stop the service using a Sys V wrapper. See the Starting and Stopping documentation for additional information.
- When using the Python client library, the signature for the `exchange_o_auth_code_for_access_token` method which takes an authorization code has changed. The `client_id` and `redirect_uri` parameters flipped positions. This was done to make the signature consistent with the other client libraries. Instead of `exchange_o_auth_code_for_access_token(self, code, redirect_uri, client_id=None, client_secret=None)`, the method signature is now `exchange_o_auth_code_for_access_token(self, code, client_id, redirect_uri, client_secret=None)`. If you don't flip the arguments, you'll receive a 401 error, similar to this issue.
Known Issues
- If you are using the database search engine, FusionAuth may fail to start up correctly. Resolved in 1.19.1.
- The legacy environment variable named `FUSIONAUTH_SEARCH_SERVERS` is not honored ahead of the named configuration file property. Resolved in 1.19.1.
New
- FusionAuth admin UI and FusionAuth pages are now stateless. As of this version you will no longer need to provide session pinning in a multi-node configuration. If you currently have session pinning configured, it should be ok to leave it, but you should plan to remove it at your earliest convenience.
- Resolves GitHub Issue #358
- Multi-tenant SSO. This was a limitation prior to this release due to the way we managed the HTTP session. This limitation has been removed... and there was much rejoicing. With multi-tenant SSO you may now optionally use the same browser and utilize SSO for users within different tenants. This is often only a dev time issue, but there are some production use cases for this behavior.
- Resolves GitHub Issue #355, thanks to @unkis for opening the issue to help us track this limitation.
- Expanded and improved configuration options. All config options are now consistent and can be set using `fusionauth.properties`, environment variables or Java `-D` system properties. This will make life much easier for those running in Docker or Kubernetes. All previously named configuration options will be backwards compatible and you will receive warnings on how you can correct the naming of your configuration values or environment variables, because that's how we roll.
- IdP and Email hinting for the FusionAuth login pages. This feature will allow you to optionally bypass the login page and go directly to the third party IdP based upon the user's email address or a suggested Identity Provider Id. An Identity Provider Id may be provided on the URL using the `idp_hint` request parameter, and an email address or domain may be provided in the `login_hint` request parameter.
- Resolves GitHub Issue #178, thanks to one of our FusionAuth All-Stars @davidmw for suggesting this feature.
- A new API to import Refresh Tokens. See Import Refresh Tokens API for additional details.
- Resolves GitHub Issue #835
- Application specific email templates for Passwordless, Email Verification, Setup Password, and Change Password. See updates to the Application API and the Application configuration in the FusionAuth admin.
- Resolves GitHub Issue #834
- A new icon in cornflower blue.
- I am Jack’s complete lack of surprise.
Enhancements
- Enhanced Maintenance Mode support for initial DB schema setup on 3rd Party cloud managed database services such as Digital Ocean, Azure, etc.
- Resolves GitHub Issue #95
- The FusionAuth log `fusionauth-app.log` now ships with a log rotation strategy. This will not affect those running FusionAuth in Docker.
- Resolves GitHub Issue #575, thanks to @oottinger and others for reporting and voting on this issue.
- All configuration is now available in the `fusionauth.properties` file, as an environment variable or as a Java System Property to allow for additional flexibility in configuration regardless of your deployment model. See the Configuration reference for additional information.
- Resolves GitHub Issue #752
- Restrict the response body on the Status API unless authenticated. Provide more granular HTTP response codes to provide insight into the issue.
- Resolves GitHub Issue #473
Fixed
- When using the View dialog for a custom form field in the FusionAuth admin UI, the form `Control` type was not displayed.
- Resolves GitHub Issue #828
- When submitting a custom Registration Form with non-required fields of type `number`, `date` or `bool`, you may receive a validation error indicating the value is invalid.
- Resolves GitHub Issue #827
- Resolves GitHub Issue #829
- Unable to configure `database.mysql.enforce-utf8mb4` through an environment variable for use in Docker.
- Resolves GitHub Issue #798
- A `404` status code is returned from the Start Passwordless API when more than one tenant exists in FusionAuth.
- Resolves GitHub Issue #833, thanks to @atrauzzi for reporting and helping us track this one down!
- Normalize the use of the `aud` claim between the OAuth2 grants, Login API and other APIs that may return a JWT. The `aud` claim should always be present, even when the User is not registered for the application.
- Resolves GitHub Issue #832, thanks to @motzel for the help!
- Also resolves related issue GitHub Issue #713
- Custom Form validation errors and related fixes.
- Both the Login Success and Login Failed events are triggered during a failed login attempt. This bug was likely introduced in version 1.18.0.
- Resolves GitHub Issue #838
Version 1.18.8
August 25th, 2020
Security
- Improve SAML AuthN Response validation
Version 1.18.7
August 12th, 2020
Fixed
- HYPR IdP related fixes.
- When the HYPR authentication workflow begins, the provided `loginId` was not properly validated to exist in FusionAuth. All other IdP configurations allow this scenario, but because HYPR provides MFA and is not itself considered by FusionAuth to be a SoR (source of record), the user must first exist in FusionAuth.
- Because HYPR is not a traditional SoR and does not provide user claims to FusionAuth, a `username` or `email` address should behave exactly the same when used to initiate the HYPR MFA workflow.
- Resolves GitHub Issue #808
- Resolves GitHub Issue #809
Version 1.18.6
August 10th, 2020
Fixed
- When using self service registration, a JWT populate lambda and the Implicit Grant, the `registration` parameter to the JWT Populate lambda will be `null`.
- Resolves GitHub Issue #802
Version 1.18.5
August 3rd, 2020
Fixed
- A JavaScript bug may cause some of the reports not to render correctly in the admin UI.
- Resolves GitHub Issue #783
- A poor performing SQL query was found when using MySQL. The query performance will largely be dependent upon your server configuration, but once you exceed 2M+ login records you may notice some performance issues when logging into the FusionAuth admin UI due to the charts displayed on the main dashboard.
- Resolves GitHub Issue #786
Enhancements
- Add localized number formatting on the y-axis of charts in the FusionAuth admin UI.
- Resolves GitHub Issue #788
Version 1.18.4
July 30th, 2020
Fixed
- An exception occurs when you attempt to use a refresh token from tenant A with tenant B.
- Resolves GitHub Issue #716, thanks to @ulybu for reporting!
- An exception may occur when using self service registration that will disrupt the user registration workflow.
- Resolves GitHub Issue #776
- The registration object is `null` in the JWT Populate function when used with self service registration.
- Resolves GitHub Issue #780
- A SAML response that includes an attribute element with the attribute of `xsi:nil="true"` will cause an exception when we try to parse the XML document.
- Resolves GitHub Issue SAML v2 #1
Version 1.18.3
July 24th, 2020
Fixed
- When attempting to add a registration for a user in the admin UI, if there are no available registrations to assign after the form has been rendered, an exception may occur when you submit the form.
- Resolves GitHub Issue #630
- When you have enabled verify email on change and you update a user’s email address that was previously undefined, a verification email is not sent.
- Resolves GitHub Issue #749, thanks to @EddieWhi for letting us know!
- When removing a user’s registration, the search index is not updated correctly until the next user index event.
- Resolves GitHub Issue #750, thanks to @brennan-karrer for reporting the issue!
- Fixes form field name validation to limit spaces and other special characters.
- Resolves GitHub Issue #761
- Form and field fixes including some JavaScript errors and the complete registration workflow when a custom form is used.
- Resolves GitHub Issue #762
- The use of `${tenant.issuer}` is failing validation when used in an email template.
- Resolves GitHub Issue #770, thanks to @seanadkinson for reporting the bug.
- Email template validation has been relaxed to allow the Preview API and UI action to report errors and warnings but still allow the changes to be saved. Due to the complexity of validating the email template without the exact data to be used at runtime, validation has been relaxed to ensure we do not prohibit a valid template from being saved. When using the UI to manage your templates, you will now find a test button which will allow you to send a template to an end user to test the rendering and delivery with a real user.
Version 1.18.2
July 20th, 2020
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Fixed
- When running with PostgreSQL database and migrating from pre 1.18.0 with existing users, the table sequence may not be set correctly causing new users to fail to be created.
- Resolves GitHub Issue #759, see issue for details and workaround.
Version 1.18.1
July 19th, 2020
Fixed
- An issue introduced in version 1.18.0 may cause the edit Application action in the admin UI to fail with a `500` message. Review the known issues of 1.18.0 for a workaround if you are unable to upgrade to version 1.18.1.
- Resolves GitHub Issue #760, see issue for details and workaround.
Version 1.18.0
July 19th, 2020
This release includes a fairly significant database schema upgrade. If you have 1M+ users you should plan for a few minutes to allow the schema update to complete. This time will vary significantly based upon the size and performance of your database. Testing upgrades with 3M+ users took approximately 3-5 minutes on bare metal with an SSD. If you're running on a managed database that limits IOPS the migration may be longer. For larger instances it is advised you test the migration ahead of time to identify the downtime required to complete the upgrade.
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Known Issues
- When editing an application in the admin UI you may encounter a `500 Internal Server Error` error message when attempting to save your changes. As a workaround, you may use the API to modify the application. To resolve the issue, please upgrade to version 1.18.1.
- See GitHub Issue #760 for additional details and workaround.
- If running a PostgreSQL database, a database sequence may not be set correctly, causing a `500` status code when creating new users.
- See GitHub Issue #759 for additional details and workaround.
- An exception may occur when using self service registration that will disrupt the user registration workflow.
- See GitHub Issue #776 for additional details.
- A JWT populate lambda that uses the `registration` parameter may fail when using self service registration.
- See GitHub Issue #780 for additional details.
Changed
- In the FusionAuth admin UI, Email Templates and Themes are now found under the `Customizations` menu.
New
- Advanced Forms. Self service registration just got a huge upgrade! Now custom forms may be configured with one to many steps, each step consisting of one to many fields. A registration form may then be assigned to an application in the Self service registration configuration found in the `Registration` tab. Assigning a custom form to an application will require a licensed plan of FusionAuth. More details and documentation coming soon.
- See Form API and Form Field API.
- Resolves GitHub Issue #680.
- Initial Tech Preview of Connectors. Connectors allow you to authenticate against external systems such as LDAP. A generic connector can also be configured to authenticate against any third party system. More details and documentation coming soon. When using a connector, you will utilize the Login API or OAuth frontend of FusionAuth as you normally would and the tenant may configure policies that would cause users to be authenticated against these external databases.
- See Connector API.
- Resolves GitHub Issue #219.
Enhancement
- When viewing the Application view dialog, an additional property named `Registration URL` will be provided in the OAuth2 & OpenID Connect Integration details section. You may use this value to copy/paste a URL for testing a direct link to the registration page.
- Resolves GitHub Issue #686, thanks to @ashokgelal for the suggestion!
- When viewing the About panel found in the administrative UI, the node IP address will be reported.
- Resolves GitHub Issue #754
- The JSON Web Tokens issued by FusionAuth will now include the `jti` claim.
- Resolves GitHub Issue #409
- All objects now have an `insertInstant` and a `lastUpdateInstant` property in the JSON API response.
- Resolves GitHub Issue #755
- Public keys stored with a certificate will have the `x5t` property provided in the JSON Web Key Set response.
- Resolves GitHub Issue #715
Fixed
- The user registration event may be missing the `registration` property.
- Resolves GitHub Issue #714, thanks to @joydeb28 for reporting the issue!
- A user with one or more consents granted fails to be deleted.
- Resolves GitHub Issue #719, thanks to one of our MVPs @mgetka for reporting the issue!
- When using COPPA consent with Email+, the second email is not sent to the parent.
- Resolves GitHub Issue #723.
- The Refresh Token cookie is written without a `Max-Age` attribute on the JWT Refresh API response. This causes the cookie to be treated as a session cookie.
- Resolves GitHub Issue #726, thanks to @satazor for letting us know.
Version 1.17.5
July 3rd, 2020
Fixed
- API validation fails on the Audit Log API when a JSON body is omitted from the HTTP request.
- Resolves GitHub Issue #605
- Fixing a bug that prevents the Kafka integration from working correctly.
- Resolves GitHub Issue #649, thanks to @joydeb28 for reporting and for the persistence!
- When selecting an Application in the user search controls in the UI an invalid Elasticsearch query causes an error on Elasticsearch version 7.7.0. The query seems to be working on versions 6.3.1, 6.8.1, and 7.6.1, as far as we can tell it only fails on the most recent versions of Elasticsearch.
- Resolves GitHub Issue #710
Enhancement
- Add a return to login link to the default templates for Passwordless, Register, Forgot, and Password Sent.
- Resolves GitHub Issue #666, thanks to @soullivaneuh for the request!
Version 1.17.4
June 25th, 2020
Fixed
- A JavaScript bug caused the device verification URL field to toggle to hidden when any grant was enabled or disabled in the UI. This is primarily a cosmetic issue, if you encounter it you may simply refresh the page.
- Resolves GitHub Issue #692
- The Search API performs a validation step when using Elasticsearch, and if Elasticsearch returns `valid: false` we fail the request. We are now always including the explanation from the Elasticsearch response in our error message on the API to assist the developer to understand why the requested query is considered invalid.
- Resolves GitHub Issue #697
- The Apple Service Id override that can be provided per application was not being used, instead the global value was utilized.
- Resolves GitHub Issue #703, thanks to @ulybu for letting us know!
Version 1.17.3
June 23rd, 2020
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Enhancement
- When configuring an OpenID Connect Identity Provider, the claim that contains the user’s email address may now be modified. This allows the OpenID Connect Identity Provider to be more flexible when configured with non-standard OpenID Connect providers or other OAuth2 providers such as LinkedIn.
Version 1.17.2
June 17th, 2020
Fixed
- When using `parent`, `child` and a few other references in an email template, the validation step may fail unless you provide a null safe usage.
- Resolves GitHub Issue #685
Version 1.17.1
June 15th, 2020
Fixed
- In version 1.17.0 Key Master supports importing a standalone private key. If you attempt this request in the UI with an RSA private key an error will occur.
- Resolves GitHub Issue #665, thanks to @mgetka who is quickly becoming one of our FusionAuth MVPs!
- When using an expired Forgot Password link, if you have not added the `client_id` to the URL in the email template you will see an unexpected error when you attempt to begin the process again by entering your email address. You may also experience this error if you are sending users directly to `/oauth2/forgot` instead of the user clicking the link during an OAuth2 workflow.
- Resolves GitHub Issue #671, thanks to @maurobennici for reporting!
Version 1.17.0
June 2nd, 2020
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
This change includes some modifications to the way Lambdas are used with Identity Providers. If you are using an OpenID Connect or SAML v2 Identity Provider with a custom Lambda, please read all of the release notes to ensure a smooth upgrade.
Changed
- All Identity Provider configurations that did not have a lambda configured for User reconcile have been migrated to utilize a lambda to extract all optional user details from the IdP response. This allows you to have complete control over how these configurations work and what information is set or written to the user object during login. The business logic has not changed, but it has been moved from an internal FusionAuth service to a Lambda that can be modified. The following Identity Providers are affected:
- All Facebook, Google and Twitter Identity Provider configurations
- OpenID Connect and SAML v2 Identity Provider configurations without a configured lambda.
- OpenID Connect and SAML v2 Identity Providers that were already configured with a lambda may require some manual migration. The claims that were mapped into the User by FusionAuth prior to this version have been moved into a lambda so they may be modified. For each of your OpenID Connect or SAML v2 Identity Provider configurations that already had a Lambda configured for User reconcile, please review to ensure all of the claims you desire are handled by your lambda.
- For OpenID Connect Identity Provider configurations, review the new Lambda named `Default OpenID Connect Reconcile provided by FusionAuth`. Optionally copy any of the code you’d like to have executed into your configured Lambda and then test your integration. Specifically, the registered claims `given_name`, `middle_name`, `family_name`, `name`, `picture`, `phone_number`, `birthdate`, `locale` and `preferred_username` are now managed by the Lambda. If you would like these claims reconciled to the FusionAuth user, review the referenced Lambda function.
- For SAML v2 Identity Provider configurations, review the new Lambda named `Default SAML v2 Reconcile provided by FusionAuth`. Optionally copy any of the code you’d like to have executed into your configured Lambda and then test your integration. Specifically, the SAML claims for `dateofbirth`, `givenname`, `surname`, `name`, and `mobilephone` are now managed by the Lambda. If you would like these SAML claims reconciled to the FusionAuth user, review the referenced Lambda function.
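As an added illustration of the kind of reconcile logic the notes describe (this is not the lambda FusionAuth ships), the following JavaScript maps the OpenID Connect claims listed above onto the user. The `reconcile(user, registration, jwt)` signature and the user field names are assumptions about the FusionAuth lambda API; the lambda skips absent or empty claims so an IdP that omits a claim never blanks out an existing value, and it rejects a malformed `birthdate`.

```javascript
// Added example of a User reconcile lambda in the shape FusionAuth uses for
// OpenID Connect Identity Providers. It is NOT the lambda shipped with
// FusionAuth; the signature reconcile(user, registration, jwt) and the user
// field names below are assumptions about the FusionAuth lambda API.

// OpenID Connect standard claims and the user field each one populates.
var CLAIM_TO_FIELD = {
  given_name: 'firstName',
  middle_name: 'middleName',
  family_name: 'lastName',
  name: 'fullName',
  picture: 'imageUrl',
  phone_number: 'mobilePhone',
  preferred_username: 'username'
};

function isNonEmptyString(value) {
  return typeof value === 'string' && value.length > 0;
}

// birthdate must be an ISO-8601 calendar date (YYYY-MM-DD). The round trip
// through Date catches both unparseable values and rolled-over days such as
// 1990-02-30, which some engines silently turn into March 2nd.
function isIsoDate(value) {
  if (!/^\d{4}-\d{2}-\d{2}$/.test(value)) {
    return false;
  }
  var d = new Date(value + 'T00:00:00Z');
  return !isNaN(d.getTime()) && d.toISOString().slice(0, 10) === value;
}

function reconcile(user, registration, jwt) {
  // Copy only claims that are present and non-empty; never overwrite an
  // existing user value with null or an empty string.
  Object.keys(CLAIM_TO_FIELD).forEach(function (claim) {
    if (isNonEmptyString(jwt[claim])) {
      user[CLAIM_TO_FIELD[claim]] = jwt[claim];
    }
  });

  if (isNonEmptyString(jwt.birthdate) && isIsoDate(jwt.birthdate)) {
    user.birthDate = jwt.birthdate;
  }

  // locale is a single language tag; preferredLanguages is a list. Some IdPs
  // send the POSIX form (de_DE), so normalise the separator to BCP 47 (de-DE).
  if (isNonEmptyString(jwt.locale)) {
    user.preferredLanguages = [jwt.locale.replace('_', '-')];
  }
}
```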
New
- Sign in with Apple. A new Identity Provider of type `Apple` is now available to enable Sign in with Apple support.
- Resolves GitHub Issue #336
- See the Apple Identity Provider for additional details
- One time Use Refresh Tokens. A one time use refresh token means that each time the refresh token is used to get a new access token (JWT), a new refresh token is returned. This feature must be enabled at the tenant level, and can optionally be overridden by the Application JWT configuration.
- Resolves GitHub Issue #394
- Sliding Window Refresh Token Expiration. By default the expiration of a refresh token is calculated from the time it was originally issued. Beginning in this release you may optionally configure the refresh token expiration to be based upon a sliding window. A sliding window expiration means that the expiration is calculated from the last time the refresh token was used. This expiration policy means that if you are using refresh tokens to maintain a user session, the session can be maintained as long as the user remains active. This expiration policy must be enabled at the tenant level, and may optionally be overridden by the Application JWT configuration.
- Facebook, Google, HYPR and Twitter Identity Providers may be assigned a User Reconcile Lambda.
- Previously the user reconcile logic was built into FusionAuth. Now the User reconcile logic has been moved to a lambda to provide additional control over which attributes are extracted from the Identity Provider response and set into the FusionAuth user.
Enhancements
- Some development and possibly runtime errors that are used during external logins such as Facebook were not localized. These values may now be localized in your theme configuration.
- Resolves GitHub Issue #535, thanks to @mgetka for raising the issue.
- Large cookies may cause the default maximum header size of 8k to be exceeded. When this occurs the request will fail and you may see an exception with a `400` status code indicating `java.lang.IllegalArgumentException: Request header is too large`.
- This value may now be modified via configuration. See the Configuration reference for additional information.
- Resolves GitHub Issue #608, thanks to @shortstack for letting us know, providing great debug and confirming the fix.
- When a user is registered, a refresh token will not be returned. This makes this API response consistent with the User Create API.
- Resolves GitHub Issue #626, thanks to @LohithBlaze for reporting and suggesting the change.
- When configuring a SAML v2 Identity Provider, a warning will be added to the Identity Provider index page if the CORS configuration is not adequate to allow the login request to complete. The configuration will generally require a `POST` request from a particular origin be allowed through the CORS filter.
- This should help reduce CORS configuration issues causing a `403` during integration testing.
- Resolves GitHub Issue #641
Fixed
- When importing a key using Key Master in the admin UI, when a key with an invalid length is imported the error was not being displayed.
- Resolves GitHub Issue #587
- The hosted FusionAuth login page may fail to function properly after the user changes the locale using the locale selector on the themed page. Specifically, once you add more than one language to your theme, and the user continues past the first login panel to a subsequent themed page, if the user switches the locale the context will be lost and the user will see an OAuth error.
- Resolves GitHub Issue #623, thanks to @flangfeldt and @yrammos for reporting.
- A non POSIX compliant function definition in `setenv.sh` caused FusionAuth to fail to start on Ubuntu 18.04.4 and 20.04 (possibly others). This could occur on any Linux distribution that symlinks `/bin/sh` to `dash`, which is a POSIX compliant shell. This was introduced in version 1.16.0.
- Resolves GitHub Issue #645, thanks to @s-vlade and @yrammos for letting us know.
- When using the Facebook IdP and specifying `picture` as one of the requested `fields`, an error occurs during the User reconcile process which causes the login to fail. If you encounter this issue, the workaround is to remove `picture` from the field configuration; even with this change you will still get the picture back from Facebook, as FusionAuth makes a second call to the Me Picture API.
- Resolves GitHub Issue #648, thanks to @thekoding for reporting and helping us track down the issue.
Version 1.16.1
May 18th, 2020
Fixed
- When attempting to utilize a silent configuration to configure the database schema without using Elasticsearch, FusionAuth would enter maintenance mode.
- Resolves GitHub Issue #618, thanks to @mgetka for reporting the issue!
Version 1.16.0
May 8th, 2020
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Security
- A vulnerability in an underlying SAML v2 library was resolved. If you are using SAML please upgrade FusionAuth to 1.16.0 or later as soon as possible.
Changed
- The favicon configuration in the default theme has been updated. If you have created your own theme and kept the default favicons using the FusionAuth logo, you will want to either remove them or update them with the correct `href` paths. See the default theme for reference if you would like to use the FusionAuth favicons.
New
- The Identity Provider Lookup API will return a list of `applicationIds` to represent the enabled FusionAuth applications for the identity provider.
- The Identity Provider Lookup API will return the SAML v2 `idpEndpoint` value configured in the SAML v2 IdP.
Fixed
- Specifying an Elasticsearch URL containing basic auth credentials works properly. For example the URL `https://user:password@myelasticsearchservice.com` now functions as expected.
- Tested against https://bonsai.io and https://aiven.io.
- Resolves GitHub Issue #531, thanks to @joshuaavalon for reporting and @nscarlson for the additional details and assistance.
- Fixed a validation error when using the Import User API with an empty list of users. A `400` status code with a JSON response should have been returned.
- Resolves GitHub Issue #520, thanks to @smcoll for reporting.
- Some JavaScript may fail on Internet Explorer version 11. Specifically the `Helper.js` which is used to handle the external login providers on the login page.
- Resolves GitHub Issue #423, thanks to @downagain for reporting this issue and for the excellent debug.
- A validation error in the OAuth2 Token endpoint returns a general error instead of the appropriate validation error.
- Resolves GitHub Issue #546, thanks to @mgetka for reporting the issue.
- When using the Facebook login, it is possible that Facebook will send back an Image URL from the `/me/picture` API that will exceed `255` characters. If this occurs the login failed and an exception was logged.
- Resolves GitHub Issue #583, thanks to our friends at famous.co and frontdoorhome.com for letting us know.
- Attempting to validate or save an Email template that contains a reference to a value stored in user data may cause an exception. For example `${user.data.company_name}` is a valid usage, but this would fail validation or cause an exception during validation.
- Resolves GitHub Issue #598
- In some cases, when a webhook fails to respond and subsequently fails the request due to the configured transaction setting, the Elasticsearch index will be out of sync.
- Resolves GitHub Issue #600, thanks to our Icelandic friend @arni-inaba for letting us know and providing excellent recreate steps.
- An extra curly bracket caused the SQL migration to fail if you are running PostgreSQL and performed an upgrade without modifying the default tenant.
- Resolves GitHub Issue #606, thanks to @nscarlson for reporting the issue.
Fixed from RC.1
The following issues were fixed that only affect those running version 1.16.0-RC.1.
- An unexpected request parameter may cause an exception due to the incorrect runtime mode.
- Resolves GitHub Issue #595, thanks to @ceefour
Version 1.16.0-RC.1
April 21st, 2020
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
This is a release candidate. This release is not intended for production use. If you encounter issues please open a GitHub issue to let us know.
Changed
- Email Send API no longer requires a from email or a default from name, defaults may be taken from the tenant. See the Emails API documentation for reference.
- The OpenID Connect JSON Web Key Set API endpoint returns only public keys generated by FusionAuth. This endpoint previously also returned imported public keys, for which we do not hold the private key.
Security
- Updated default CORS configuration for clean installs, see the CORS Reference for details. It is highly recommended you modify your CORS configuration to match our new default values unless you have a technical requirement for your existing CORS configuration.
- Upgrade Handlebars to version `4.7.6` due to a known vulnerability. There is no known exploit of this vulnerability in FusionAuth, this is a pro-active upgrade. FusionAuth uses this JavaScript library in the administrative UI to build dynamic table roles.
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534988
- Resolves GitHub Issue #564, thanks to @michael-burt for alerting us to this vulnerability.
Enhancement
- The OpenID Connect and SAML v2 Reconcile Lambda may now modify the assigned user roles. Prior to this version any changes to the roles were intentionally not preserved. This restriction has been lifted.
- Resolves GitHub Issue #536, thanks to @sedough for opening the request.
- In some cases the `state` parameter returning from external SAML v2 & OpenID Connect identity providers is decoded incorrectly. We are now Base64 encoding this value to preserve its integrity.
New
- Support for Elasticsearch version 7
- FusionAuth maintains backward-compatibility with Elasticsearch 6.3.x clusters and indexes.
- The `fusionauth-app.search-engine-type` configuration property and `FUSIONAUTH_SEARCH_ENGINE_TYPE` environment variable are exposed for configuring the search engine, see the Configuration documentation for reference.
- A reindex may be necessary depending on how you have upgraded your Elasticsearch cluster. You may issue a reindex in the FusionAuth admin UI under System -> Reindex.
- Resolves GitHub Issue #199
- Support for using the database as the user search engine. This is now the default configuration. See the Core Concepts - Users documentation for details.
- Use of the database search engine provides limited search capabilities, and has limitations for the Users API, see the Bulk Delete Users API and Search for Users API documentation for details.
- Resolves GitHub Issue #427
- The Registration API returns an access token within the `token` field of responses to `POST` requests. See the Registrations API documentation for reference.
- Application registration records a login and will be reflected in the Login, Daily Active User, and Monthly Active User reports within the FusionAuth admin UI.
- The `applicationId` is now optional for `PUT` requests (update login instants) to the Login API. See the Login API documentation for reference.
- `PUT` requests to the Login API record a login and will be reflected in the Login, Daily Active User, and Monthly Active User reports within the FusionAuth admin UI.
- The User API returns an access token within the `token` field of responses to `POST` requests creating a user. See the User API documentation for reference.
- User creation records a login and will be reflected in the Login, Daily Active User, and Monthly Active User reports within the FusionAuth admin UI.
- System logs can be viewed from the Admin interface. Navigate to System -> Log to view and download the system logs.
- This feature is available in the UI and via a new API.
- Resolves GitHub Issue #540
- System log export API has been added for retrieving a node’s system logs as a compressed zip file. See the System Logs API documentation for reference.
- There is a Test SMTP button that you can utilize during an Edit or Add Tenant operation to ensure the correct SMTP configuration.
- Resolves GitHub Issue #539
- Production runtime mode disables maintenance mode, database migrations must be applied manually in this runtime mode. See the FusionAuth App Installation Guide documentation for reference.
- Advanced configuration exposed for search engine type, runtime mode, and Same-Site cookie policy. See the Configuration documentation for reference.
- JWT Refresh webhook event, issued when an access token is refreshed by refresh token, see the Events documentation for reference.
- Tenant email configuration provides a default from email and a default from name. See the Tenants API documentation for reference.
- Resolves GitHub Issue #262, thanks to @engineertdog for the request!
Docker
- Next time a release candidate is built, the `latest` tag will be preserved to always be the latest stable release. This way if you are always using the `latest` tag you will not automatically upgrade to a release candidate.
- Resolves GitHub Issue #596, thanks to @ceefour for the request.
- The reference `docker-compose.yml` provided by the fusionauth-containers project has been modified to install leveraging the database as the User search engine. You will need to include the reference `docker-compose.override.yml` in order to install and configure Elasticsearch as the User search engine. See the [Docker installation guide](/docs/get-started/download-and-install/docker) for reference.
Internal
- Java 14. Upgrade from Java 8. The FusionAuth Java runtime has been upgraded to version 14. All external Java packages such as the Java REST client and the Plugin interface are all still compiled against Java 8 so this upgrade should not impact any users.
- Resolves GitHub Issue #481
- Upgrade Apache Tomcat to the latest patch version `8.5.53`.
- Much smaller Docker images based upon Alpine Linux! Compressed size changed from ~ 150 MB to 76 MB. More features, less size? Yeah, that’s right.
- Check it out for yourself. See the fusionauth/fusionauth-app repo.
Version 1.15.8
April 10th, 2020
Fixed
- When more than one tenant is defined, the redirect to `/oauth2/callback` which is used for 3rd Party SAML v2 or OpenId Connect identity providers will fail unless the corresponding application is in the default tenant. This issue was introduced in `1.15.6` which means it only affects version `1.15.6`. If you encounter this issue you may be shown an error on the login page indicating `A validation error occurred during the login attempt. An event log was created for the administrator to review.`
- Resolves GitHub Issue #548, thanks so much to @lamuertepeluda for reporting and providing excellent technical details to assist in tracking down the bug.
- A callback from a Social IdP configuration may fail to complete the login workflow. This issue was introduced in `1.15.6` which means it only affects versions `1.15.6` and `1.15.7`.
- Resolves GitHub Issue #553, thanks to @ulybu for reporting the issue!
Enhancements
- When a user attempts to utilize an expired Passwordless or Forgot Password link, FusionAuth will now still be able to allow the user to restart the login workflow.
- Resolves GitHub Issue #468, thanks to @davidmw for suggesting this enhancement.
- In order to take advantage of this enhancement, you will need to upgrade your email template for one or both of these workflows. See the Email Templates documentation for a reference usage.
Version 1.15.7
March 30th, 2020
Fixed
- Due to a change in how FusionAuth encodes the `RelayState` value when redirecting to a 3rd party SAML v2 identity provider, the authentication request will fail with an OAuth2 error. This issue was introduced in `1.15.6` which means it only affects version `1.15.6`.
Version 1.15.6
March 27th, 2020
Fixed
- Handle tabs and other control characters in an included text file when parsing the Kickstart configuration files.
- Resolves GitHub Issue #524, thanks to @mgetka for reporting.
- When the FusionAuth Reactor is enabled, a breach detection is incorrectly requested during a user update when the password is not being modified. You may see errors in the Event Log indicating Reactor returned a status code of `400`; this error is just noise and it did not affect the requested action.
- Resolves GitHub Issue #533.
- When running FusionAuth on an un-secured connection during development, newer versions of the Chrome browser will reject the `Set-Cookie` request in the HTTP response because the `SameSite` attribute is not set.
- Resolves GitHub Issue #537.
Enhancement
- When integrating with 3rd Party Identity Providers FusionAuth will build a `state` parameter in order to complete the FusionAuth OAuth2 or SAML v2 request on the callback from the 3rd Party IdP. There are times when a 3rd Party IdP may unintentionally modify the `state` parameter by decoding the value. When the `state` parameter is not returned to FusionAuth the way it was sent, the integration breaks. FusionAuth will now Base64 encode the `state` value to better defend against 3rd Party IdP integrations.
- Resolves GitHub Issue #538.
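The following added example (not FusionAuth code) shows why the Base64 encoding introduced here, and refined in 1.16.0-RC.1 above, protects the `state` value: a constructed state is sent through a simulated IdP that form-decodes the value before echoing it back, once raw and once encoded. The URL-safe Base64 alphabet, the sample state and the parsing helpers are our own assumptions.

```javascript
// Added example, not FusionAuth code. A raw state that carries percent-encoded
// characters is corrupted by an IdP that decodes it once more than it should;
// the Base64 form (URL-safe alphabet, so no '+', '/' or '=' either) contains
// only characters that such decoding leaves untouched.

// Constructed sample state: the callback needs client_id and a redirect_uri
// whose own query string is percent-encoded inside the state value.
const RAW_STATE = 'client_id=abc123&redirect_uri=https%3A%2F%2Fapp.example%2Fcb%3Fa%3D1%26b%3D2';

// Base64 with the URL-safe alphabet (RFC 4648 section 5), padding stripped.
function encodeState(raw) {
  return Buffer.from(raw, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeState(encoded) {
  const std = encoded.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(std, 'base64').toString('utf8');
}

// Models an IdP that form-decodes the value ('+' to space, %xx to the byte)
// before sending it back on the callback.
function lossyIdpEcho(value) {
  return decodeURIComponent(value.replace(/\+/g, ' '));
}

// Parse "k=v&k=v" into an object the way the callback handler would.
function parseState(raw) {
  const out = {};
  for (const pair of raw.split('&')) {
    const idx = pair.indexOf('=');
    if (idx < 0) {
      continue;
    }
    out[decodeURIComponent(pair.slice(0, idx))] = decodeURIComponent(pair.slice(idx + 1));
  }
  return out;
}

// Raw state through the lossy IdP: the embedded '%26' becomes a real '&' and
// splits redirect_uri into two parameters.
function callbackWithRawState(raw) {
  return parseState(lossyIdpEcho(raw));
}

// Same exchange with the state Base64 encoded on the way out and decoded on
// return: the IdP's extra decode is a no-op on the encoded form.
function callbackWithEncodedState(raw) {
  return parseState(decodeState(lossyIdpEcho(encodeState(raw))));
}
```

Note that the encoding only keeps the value intact in transit; it is not integrity protection, so the callback must still bind `state` to the session that started the login.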
Version 1.15.5
March 16th, 2020
Fixed
- Adding a Consent to a User that does not have a First or Last Name. This was causing an error in the UI where the Add Consent dialog was not rendering and instead displaying a stack trace.
- Resolves GitHub Issue #512, thanks to @mgetka for reporting.
- When Reactor is enabled and more than one user requires action due to a breached password the Reactor index page will fail to render.
- Resolves GitHub Issue #514, thanks to our friends at Frontdoor for reporting the issue.
- When adding a new Tenant in the UI you may encounter a `500` status code with a `FusionAuth encountered an unexpected error.` message. If you encounter this error, edit the default tenant, click save and then retry the add operation.
- Resolves GitHub Issue #517, thanks to @vburghelea for reporting.
- A JavaScript exception was causing the ExternalJWT identity mapping dialog to fail. A work around is to use the API to add these claim mappings. This bug was introduced in version 1.15.3.
- Resolves GitHub Issue #518, thanks to @irzhywau for reporting.
Version 1.15.4
March 10th, 2020
Fixed
- When using PostgreSQL and using the Import User API with a large number of roles assigned to users, FusionAuth may exceed the maximum allowed parameterized values in a prepared statement, causing a SQL exception. If you encounter this issue you may work around it by reducing the size of your import request to 200-500 users per request.
- Resolves GitHub Issue #505, thanks to @leafknode for reporting and helping debug!
- When creating a user through Kickstart with `passwordChangeRequired` set to `true`, an exception will occur during the next login request. This issue was introduced in version 1.15.0.
- Resolves GitHub Issue #509, thanks to @mgetka for reporting!
- When a Kickstart file contains multi-byte characters the string value may not be encoded properly if the default file encoding is not UTF-8. This has now been resolved by explicitly requesting UTF-8 encoding during file I/O.
- Resolves GitHub Issue #510, thanks to @mgetka for reporting!
- When using the SAML IdP configuration where FusionAuth is the SAML service provider, if the base64 encoded SAML response from the IdP contains line returns, FusionAuth will fail to parse it and the login request will fail.
- Resolves GitHub Issue #511
Version 1.15.3
February 27th, 2020
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Changed
- The External JWT Identity Provider now manages keys used for token verification in the Key Master. All keys have been migrated to Key Master, and going forward all keys can be managed through the Key Master.
- Prior to this version the OpenID Connect IdP would send the client secret using both the `client_secret_basic` and the `client_secret_post` methods. This was done for compatibility with providers that did not support the `client_secret_basic` method. This is now a configuration option, and only the configured client authentication method will be used.
Fixed
- Using the JWT Refresh API with a JWT issued from one tenant for a user in another tenant. This error was causing an exception instead of the proper validation error being returned to the caller. A `404` will now properly be returned when this scenario occurs.
- Resolves GitHub Issue #399, thanks to @johnmaia for helping us track it down.
- Missing API validation on the `/oauth2/passwordless` endpoint. A `500` was returned instead of the correct validation errors.
- Resolves GitHub Issue #450, thanks to @GraafG for reporting.
- On systems running MySQL, the SQL migration for `1.15.0` fails on the `DELIMITER` command and causes the instance table to have a null `license_id`. If you have previously connected your support contract Id with your instance and upgraded to a previous `1.15.x` version, you will need to reconnect your license Id in the Reactor tab. This issue was introduced in version 1.15.0.
- Resolves GitHub Issue #482, thanks to @nulian for reporting!
- The `CancelAction` method in the .NET Core client returns a field error due to an incorrect method definition.
- Resolves GitHub Issue #11, thanks to @minjup for reporting.
- The OpenID Connect IdP client authentication method is now configurable as `client_secret_basic`, `client_secret_post`, or `none` and will authenticate solely with the configured method. See the OIDC spec concerning Client Authentication for more information.
- The `1.15.3` database migration configures the client authentication method to `client_secret_basic` for identity provider configurations with a client secret defined, and `none` for those without a client secret defined. If your OpenID Connect provider requires `client_secret_post` you will need to update your configuration to ensure the integration continues to function properly. Discord is one of the known IdPs that requires the `client_secret_post` client authentication method.
- See the OpenID Connect Identity Providers APIs, the OpenID Connect Identity Provider Overview and the Discord OIDC integration tutorial for more detail.
- Resolves GitHub Issue #445, thanks to @ovrdoz for reporting.
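The three client authentication methods side by side, as an added example that is not FusionAuth's implementation: the token endpoint request each method produces, plus the migration rule from the note above. The client id, secret, code and redirect URI are constructed placeholders.

```python
import base64
from typing import Dict, Optional, Tuple
from urllib.parse import quote, unquote

# Constructed sample values; the secret is a placeholder, not a real credential.
CLIENT_ID = "fusionauth-demo-client"
CLIENT_SECRET = "PLACEHOLDER_CLIENT_SECRET"
REDIRECT_URI = "https://fusionauth.example.com/oauth2/callback"
METHODS = ("client_secret_basic", "client_secret_post", "none")


def migrated_auth_method(client_secret: Optional[str]) -> str:
    """The 1.15.3 migration rule: a configured secret maps to client_secret_basic,
    no secret maps to none. Providers that insist on client_secret_post (the note
    names Discord) have to be switched by hand afterwards."""
    return "client_secret_basic" if client_secret else "none"


def build_token_request(method: str, client_id: str, client_secret: Optional[str],
                        code: str, redirect_uri: str) -> Dict[str, Dict[str, str]]:
    """Build the authorization-code token request for one OIDC client
    authentication method. Returns {'headers': {...}, 'form': {...}} so it is
    visible exactly where (if anywhere) the client secret is placed."""
    if method not in METHODS:
        raise ValueError(f"unsupported client authentication method: {method}")
    if method != "none" and not client_secret:
        raise ValueError(f"{method} requires a client secret")

    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}

    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-urlencode id and secret, join with ':', Base64 the pair.
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")
    elif method == "client_secret_post":
        # Credentials travel in the form body only; no Authorization header is sent.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        # none: the client is identified but not authenticated (public client).
        form["client_id"] = client_id
    return {"headers": headers, "form": form}


def parse_basic_credentials(authorization: str) -> Tuple[str, str]:
    """Inverse of the client_secret_basic encoding, as a token endpoint would apply it."""
    scheme, _, encoded = authorization.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    client_id, _, secret = base64.b64decode(encoded).decode("ascii").partition(":")
    return unquote(client_id), unquote(secret)


if __name__ == "__main__":
    for method in METHODS:
        secret = None if method == "none" else CLIENT_SECRET
        req = build_token_request(method, CLIENT_ID, secret, "CONSTRUCTED_CODE", REDIRECT_URI)
        print(method, "->", sorted(req["headers"]), sorted(req["form"]))
```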
- When you have enabled Self Service Registration and Registration Verification FusionAuth will fail to send the email to the end user during this workflow.
- Resolves GitHub Issue #496, thanks to our great Slack community for letting us know and assisting with debug.
- If a Two Factor Trust has been established with a particular browser through the use of a cookie, it was not being honored during the Passwordless Email workflow and the user would be prompted for the Two Factor challenge during each login attempt.
- Resolves GitHub Issue #495, thanks to our great Slack community for reporting!
- When using managed domains with the OpenID Connect or SAML v2 Identity Provider configurations, the callback to FusionAuth may fail with an error.
- Resolves GitHub Issue #488, thanks to @sedough for reporting.
- When a stylesheet in your theme contains `>`, the new HTML escaping strategy introduced in version X causes this value in the CSS to be incorrectly escaped. If you encounter this problem in your current theme, update the usage of the stylesheet to `${theme.stylesheet()?no_esc}` instead of the previous usage of `${theme.stylesheet()}`.
- Resolves GitHub Issue #489, thanks to @snmed for reporting.
- Fix a Kickstart bug where a variable used in the very first API key was not replaced.
- Resolves GitHub Issue #493, thanks to @tst-dhudlow for reporting!
Enhancements
- When the External JWT Identity Provider does not have any managed domains defined, allow a JWT from any domain to be reconciled. This change makes this IdP configuration more consistent with our IdP configurations that allow for managed domains.
- Resolves GitHub Issue #491
Version 1.15.2
February 19th, 2020
Known Issues
- Fixed in 1.15.3, on systems running MySQL, the `1.15.0` migration fails on a `DELIMITER` command and causes the instance table to have a null `license_id`. If you upgraded to `1.15.2`, have connected your instance to a support contract, and ran the `1.15.0` migration using maintenance mode, you will need to reconnect your license Id in the Reactor tab.
- A workaround for this issue is to download the `fusionauth-database-schema-1.15.0.zip` from our direct download page, unzip and manually apply the `migrations/mysql/1.15.0.sql` migration. You may also wait to upgrade until `1.15.3` is available and allow maintenance mode to run the fixed migration.
Fixed
- Password breached fixes. On some systems running PostgreSQL a portion of the breach detections features may not function properly. If you are running MySQL this will not affect you, and only certain PostgreSQL versions are affected. If you are not using FusionAuth Reactor this issue will not affect you.
Version 1.15.1
February 18th, 2020
Known Issues
- Fixed in 1.15.3, on systems running MySQL, the `1.15.0` migration fails on a `DELIMITER` command and causes the instance table to have a null `license_id`. If you upgraded to `1.15.1`, have connected your instance to a support contract, and ran the `1.15.0` migration using maintenance mode, you will need to reconnect your license Id in the Reactor tab.
- A workaround for this issue is to download the `fusionauth-database-schema-1.15.0.zip` from our direct download page, unzip and manually apply the `migrations/mysql/1.15.0.sql` migration. You may also wait to upgrade until `1.15.3` is available and allow maintenance mode to run the fixed migration.
Fixed
- A SQL statement in PostgreSQL may cause some 9.x versions to fail to store breach metrics once FusionAuth Reactor has been enabled. If you are running MySQL this will not affect you, and only certain PostgreSQL versions are affected. If you are not using FusionAuth Reactor this issue will not affect you.
Version 1.15.0
February 17th, 2020
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Known Issues
- Fixed in 1.15.1, some versions of PostgreSQL may cause an exception when storing breach metrics after enabling FusionAuth Reactor. If you are not using FusionAuth Reactor or you are using MySQL instead of PostgreSQL this issue will not affect you.
- Fixed in 1.15.3, on systems running MySQL, the `1.15.0` migration fails on a `DELIMITER` command and causes the instance table to have a null `license_id`. If you upgraded to `1.15.0`, have connected your instance to a support contract, and ran the `1.15.0` migration using maintenance mode, you will need to reconnect your license Id in the Reactor tab.
- A workaround for this issue is to download the `fusionauth-database-schema-1.15.0.zip` from our direct download page, unzip and manually apply the `migrations/mysql/1.15.0.sql` migration. You may also wait to upgrade until `1.15.3` is available and allow maintenance mode to run the fixed migration.
Changed
- In the FusionAuth admin UI you will notice that User, Groups, Applications and Tenants are all now at the top level of the left navigation sidebar. This change has been done to provide quicker access to these frequently accessed menus.
New
- FusionAuth Reactor™. FusionAuth Reactor is available with all paid plans of FusionAuth. The first feature in the Reactor suite will be breached password detection. All passwords will be checked against a breached list during all password change events, and optionally during login based upon your configuration.
- New webhook event for use with FusionAuth Reactor breached password detection. This event, when enabled, will be fired during login if the user is using a vulnerable password.
- User Password Breach (`user.password.breach`), see Webhook Events for additional information.
- New Tenant configuration in support of FusionAuth Reactor and additional password validation rules. This configuration can be found in the Password tab of the Tenant configuration or on the Tenant API.
- `tenant.passwordValidationRules.validateOnLogin` - When enabled the user’s password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password. Prior to this release password validation was only ever performed during a change event; you may now optionally enforce your password policy during login.
- `tenant.passwordValidationRules.breachDetection` - A new object to provide configuration per tenant for password breach detection.
- During login, if the user is required to change their password, the Login API, Authorization Code Grant, Implicit Grant and Password Grant will now also return a change reason. This additional value in the response will indicate why the user is being required to change their password.
- See the Login API, and corresponding OAuth endpoints for more detail.
Security
- A small window exists after a Refresh Token has expired during which the token can still be used under specific circumstances. This symptom only occurs when using the `/api/jwt/refresh` API, and not when using the Refresh Grant on the `/oauth/token` endpoint. In the worst case the Refresh Token may be honored up to 5 hours after the expiration date; in most circumstances it will be much less. This only applies to expired Refresh Tokens; revoking a Refresh Token is not affected.
- Resolves GitHub Issue #454, thanks to @johnmaia, one of our FusionAuth MVPs!
Fixed
- Editing a Group in a Tenant that does not yet have any Applications created causes an exception when you attempt to save the edit form in the FusionAuth admin UI.
- Resolves GitHub Issue #471, thanks to @dhait for letting us know, we appreciate you!
- When using Self Service Registration, if Registration Verification is enabled and Email Verification is disabled, the user will not receive a Registration Verification email.
- Resolves GitHub Issue #472
- An exception may occur when using the Import User API if the `applicationId` property is missing from a User Registration. This should have been reported as a validation error, but instead an exception occurred.
- Resolves GitHub Issue #479, thanks to our friends at Integra Financial Services for reporting the error.
Enhancements
- Allow Kickstart to better handle varying startup times and delays. A few users reported scenarios where Kickstart would begin before FusionAuth was ready causing Kickstart to fail.
- Resolves GitHub Issue #477
Version 1.14.0
January 22nd, 2020
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
This change may affect you if you are performing advanced HTML escaping in your themed templates. During upgrade, any usage of `?html` in a themed template will be removed because it is now handled automatically and it is no longer valid to use the FreeMarker built-in `?html`.
If any of your translated messages include an HTML entity such as `&hellip;` and you are including this message using the theme message helper `theme.message`, you may need to make a small adjustment in order for the entity to render properly. For example, on the Logout template the default text is `Logging out…` but if you see it rendered as `Logging out&hellip;` you will need to add the FreeMarker suffix `?no_esc` so that the usage looks like this: `theme.message('logging-out')?no_esc`.
It is recommended that you audit your theme for any usage of `?html` and ensure you test your theme after migration. In the FusionAuth UI if you navigate to Settings -> Themes you can use the View action to render each template and ensure they render properly.
Changed
- A JWT Populate Lambda now has fewer reserved claims. All claims can now be removed or modified by the JWT Populate Lambda except for the `exp`, `iat` and `sub` claims. You remove or modify claims added by FusionAuth at your own peril.
- See JWT Populate for additional details.
- Resolves GitHub Issue #387
- Add additional fields that can be merged by the `PATCH` HTTP method. The following fields were previously not merged but replaced. The limitation of this change is that it is difficult to remove values from arrays. A future enhancement may be to support the JSON Patch specification, which provides semantics for add, replace and remove.
`User.preferredLanguages`
`User.memberships`
`User.registrations`
`User.data`
`UserRegistration.data`
`UserRegistration.preferredLanguages`
`UserRegistration.roles`
`Application.data`
- Resolves GitHub Issue #424
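What "merged" versus "replaced" means for these fields, as an added example that is not FusionAuth's code: JSON Merge Patch semantics applied to a constructed user, including the array limitation the note describes and the earlier replace behaviour for contrast. The sample user and field values are constructed.

```python
import copy
from typing import Any, Dict, List


def merge_patch(target: Any, patch: Any) -> Any:
    """JSON Merge Patch (RFC 7386) semantics, which is what 'merge' means here:
    objects merge key by key and recurse; a null value removes the key; any
    other value, arrays included, replaces the existing value wholesale.
    The input is never mutated; a new structure is returned."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result: Dict[str, Any] = dict(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = merge_patch(result.get(key), value)
    return result


def replace_field(target: Dict[str, Any], patch: Dict[str, Any]) -> Dict[str, Any]:
    """The older behaviour for the listed fields: the whole top-level field is
    replaced, so patching one key inside User.data discards the other keys."""
    result = dict(target)
    for key, value in patch.items():
        result[key] = copy.deepcopy(value)
    return result


# Constructed sample user containing only the fields the release note names.
USER: Dict[str, Any] = {
    "email": "jane@example.com",
    "preferredLanguages": ["en", "fr", "de"],
    "data": {"theme": "dark", "plan": "free"},
    "registrations": [{"applicationId": "app-1", "roles": ["user"]}],
}


def remove_preferred_language(user: Dict[str, Any], language: str) -> Dict[str, Any]:
    """Arrays are replaced, not merged, so removing one value means sending the
    full remaining array: this is the limitation the release note calls out."""
    remaining: List[str] = [lang for lang in user["preferredLanguages"] if lang != language]
    return merge_patch(user, {"preferredLanguages": remaining})


if __name__ == "__main__":
    print("merge  :", merge_patch(USER, {"data": {"plan": "pro"}})["data"])
    print("replace:", replace_field(USER, {"data": {"plan": "pro"}})["data"])
    print("drop fr:", remove_preferred_language(USER, "fr")["preferredLanguages"])
```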
New
- Kickstart™ allows you to bypass the Setup Wizard in order to get FusionAuth up and running quickly. Deploy development or production instances of FusionAuth using a pre-defined configuration of Users, Groups, Applications, Tenants, Templates, API keys, etc.
- Resolves GitHub Issue #170 🤘
- This feature is in *Tech Preview*, which means if we find shortcomings with the design as we gather feedback from end users it is possible we will make breaking changes to the feature to correct or enhance the functionality. Any such changes will be documented in future release notes as appropriate.
- The Tenant API can optionally take a new `sourceTenantId` parameter to allow you to create a new Tenant using the values from an existing Tenant. Using the `sourceTenantId` limits the required parameters to the Tenant name.
- Resolves GitHub Issue #311
- Add a View action to a Group Membership in the Membership tab of the Manage User panel in the UI.
- Resolves GitHub Issue #413
Fixed
- A memory leak in the Nashorn JavaScript engine used to execute FusionAuth Lambdas has been resolved.
- The OAuth2 Authorization Code grant was required to be enabled in order to complete a SAMLv2 login; this grant is no longer required.
- Resolves GitHub Issue #432
- Added missing `theme_manager` role to the FusionAuth application
Version 1.13.2
December 30th, 2019
Fixed
- During a reindex operation the status will properly be displayed on every node when viewing the User Search or the Reindex pages in the UI.
- Improve Kafka configuration validation when using the Test button in the UI.
- Resolves GitHub Issue #318, thanks to @nikos for reporting the issue!
- An exception may occur when using ReactNative with FusionAuth when an HTTP Origin header is sent to FusionAuth with a value of `file://`. The exception is caused because `file://` without a value after the double slash is not a valid URI and cannot be parsed by `java.net.URI`. However the HTTP specification indicates that an origin header with a scheme of `file://` is allowed and when used anything following the prefix is allowed. This fix follows a similar decision made by Apache Tomcat in their CORS filter, see Bugzilla #60008.
- Resolves GitHub Issue #414, thanks to @karice for reporting the issue and helping us debug!
- When an invalid code or expired code is used on a Passwordless login request an exception may occur.
- Resolves GitHub Issue #416, thanks to @downagain for reporting the issue!
- When a user email is verified implicitly due to a change password action that originated via an email request, the `user.verified` event is now sent.
- Resolves GitHub Issue #418, thanks to @JonasDoe for asking via StackOverflow and then opening an issue to help us resolve the issue.
Version 1.13.1
December 19th, 2019
Search Index Rebuild
As part of the upgrade the Elasticsearch index will be rebuilt due to a modification in the index to support searching on nested collections. This additional step may cause additional load on your system until it has completed. If you have less than 100,000 users in FusionAuth you will not likely observe any meaningful impact to your system. If your user count is > 1 million, the reindex may take minutes to complete; during this time you may still use FusionAuth normally. Until your search index is completely rebuilt the Search API or User Search feature in the UI may not provide complete results.
Fixed
- The Elasticsearch migration required to complete the upgrade to 1.13.0 may not always run as intended. Upgrading to this release will kick off an Elasticsearch reindex operation to correct the search index state.
Version 1.13.0
December 18th, 2019
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Known Issues
- A search index rebuild is required to complete this upgrade, and this operation may not automatically be started during upgrade. If you have already upgraded to this release you can either upgrade to 1.13.1, or manually initiate a reindex request by navigating in the UI to System -> Reindex.
New
- Delete users who have not verified their email address after a specified duration
- See Tenant configuration or the Tenant API for additional information.
- Resolves GitHub Issue #360
- Delete application registrations of users who have not verified their registration after a specified duration
- See Application configuration or the Application API for additional information.
- Resolves GitHub Issue #360
- Delete Users by Search Query
- Resolves GitHub Issue #361
- See Bulk Delete Users API.
Fixed
- The newly supported `PATCH` HTTP method cannot be selected from the API key endpoint security settings. This means that you need to allow all methods in order to utilize the `PATCH` method. This has been resolved.
- Resolves GitHub Issue #402, thanks to @radicaljohan for reporting!
- The newly supported `PATCH` HTTP method is not configurable in the CORS filter.
- An empty salt value is recommended in an error message but this was failing validation during Import using the User Import API.
- Resolves GitHub Issue #410, thanks to @TanguyGiton for reporting!
- An exception may occur when using the PATCH method on the User API when more than one tenant exists.
- Resolves GitHub Issue #400, thanks to @JesperWe for reporting!
Enhancement
- `DELETE /api/user/bulk` takes `queryString` and `query` parameters to search for users to delete by Elasticsearch query string and raw JSON query, and a `dryRun` parameter to preview the affected users. See the User Bulk Delete API documentation.
- Addresses GitHub Issue #361
- `POST /api/user/search` and `GET /api/user/search` take a `query` parameter to search for users by an Elasticsearch raw JSON query. See the User Search API documentation.
- Addresses GitHub Issue #361
- `/api/user/search` takes new `sortFields` for sorting search results. See the User Search API documentation.
- The Webhook URL is no longer constrained to 191 characters. Prior to this version, this URL was considered unique and the length was constrained due to indexing limitations. The URL is no longer required to be unique and it is up to the user to limit duplicate webhooks.
- Resolves GitHub Issue #386, and thanks to @davidmw for bringing this issue to our attention. Long URLs for everyone!
Version 1.12.0
December 8th, 2019
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Changed
- In support of the OAuth Device Grant feature released in 1.11.0, a second template was added to separate the completion state.
- New themed template `OAuth device complete`. Starting with version 1.12.0, templates will no longer be automatically migrated into an existing theme. We believe this is a safer choice overall. Instead your theme will be marked as requiring upgrade when viewed in the UI. You will be prompted to complete the missing templates when you edit and you will be provided with the option to copy in the default template as a starting point.
- If FusionAuth attempts to render the missing template you will be prompted with a message indicating your theme needs to be upgraded. In general this should happen when you are using a new feature and thus should occur at development time. Whenever a new template is added, it is recommended to edit and verify your theme right away after upgrade to ensure a smooth migration.
- In support of the HYPR integration, a new template was added that will be used when waiting for the external HYPR authentication to complete.
- New themed template `OAuth2 wait`. As described above, this template is not automatically migrated into an existing theme; your theme will be marked as requiring upgrade when viewed in the UI and you will be prompted to complete the missing template, with the option to copy in the default template as a starting point.
- The following theme messages were added. Until these values have been translated they will be rendered in English. At your earliest convenience you will want to add these new keys to your existing themes. You may wish to review the community provided translations which may already contain these new messages. https://github.com/FusionAuth/fusionauth-localization
wait-title=Complete login on your external device
waiting=Waiting
[ExternalAuthenticationExpired]=Your external authentication request has expired, please re-attempt authentication.
- A change has been made to how an event is sent to Webhooks when the Transaction configuration does not require any webhooks to succeed. Prior to this version each webhook would be called in order and once the status was collected from each webhook a decision was made to return to the caller or fail the request. In order to increase the performance of webhooks, when the Transaction configuration does not require any webhooks to succeed each webhook will be called in a separate thread (asynchronously) and the request will return immediately. In this scenario any failed requests will not be retried. See Webhooks for more information.
New
- Support HYPR IdP native integration. HYPR brings passwordless and biometric options to FusionAuth.
- See the HYPR Identity Provider for additional details
- Administrative actions added to Users -> Manage panel.
- *Send password reset* always available from the drop down menu.
- Addresses GitHub Issue #351, thanks to @nicholasbutlin for the suggestion!
- *Resend email verification* available from the drop down menu when the user’s email is not yet verified.
- *Resend verification* available as a new row button in the *Registrations* tab when a registration is not verified.
Fixed
- Modifying user actions with multi tenants returns a missing tenant error.
- Resolves GitHub Issue #328, thanks to @AlvMF1 for reporting the issue!
- The JWT Validate endpoint returns the wrong precision for the `iat` and `exp` claims.
- Resolves GitHub Issue #347, thanks to @uncledent for reporting and providing detailed information.
- When using the one time password returned from the Change Password API, if a Refresh Token was provided during the change request, a Refresh Token is not returned from the Login API.
- Resolves GitHub Issue #382, thanks to @colingm for reporting the issue.
- A “null” Origin header is allowed in the w3 spec, and when this occurs it may cause an exception when validating authorized origins.
- Resolves GitHub Issue #379, thanks to @karice for reporting and excellent assist!
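An origin check that handles the `file://` origin from the 1.13.2 fix above and the “null” origin from this one without throwing, as an added example that is not FusionAuth's implementation. The authorized origin list and the policy of never authorizing `null` are assumptions of the example.

```python
from typing import Iterable, Optional, Tuple, Union
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
NormalizedOrigin = Union[str, Tuple[str, str, Optional[int]]]


def normalize_origin(origin: str) -> Optional[NormalizedOrigin]:
    """Canonical form of an Origin header value, or None if it is not a usable origin.
    'null' and 'file://...' are special-cased instead of being parsed as URIs, which
    is where the exceptions described in the release notes came from."""
    if origin == "null":
        return "null"
    if origin.startswith("file://"):
        # Following the Tomcat CORS-filter decision quoted in the 1.13.2 note:
        # anything after the prefix is allowed, so every file origin is one bucket.
        return "file://"
    try:
        parts = urlsplit(origin)   # raises ValueError on malformed IPv6 literals
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme, host = parts.scheme.lower(), parts.hostname  # hostname is lowercased
    if not scheme or not host or parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return (scheme, host, port if port is not None else DEFAULT_PORTS.get(scheme))


def is_authorized_origin(origin: str, authorized_origins: Iterable[str]) -> bool:
    """True if the request Origin matches one of the configured authorized origins.
    Never raises on odd input; anything unparseable is simply not authorized.
    Policy choice for this example: a 'null' origin is never authorized."""
    normalized = normalize_origin(origin)
    if normalized is None or normalized == "null":
        return False
    allowed = {normalize_origin(a) for a in authorized_origins}
    allowed.discard(None)
    return normalized in allowed


# Constructed sample configuration.
AUTHORIZED = ["https://app.example.com", "http://localhost:8080", "file://"]

if __name__ == "__main__":
    for candidate in ("https://APP.example.com:443", "file:///android_asset/index.html",
                      "null", "https://app.example.com:bogus"):
        print(f"{candidate!r:40} -> {is_authorized_origin(candidate, AUTHORIZED)}")
```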
- Better handling on the Start Passwordless API when a user does not exist
- Resolves GitHub Issue #377, thanks to @smoorsausje for reporting!
Enhancement
- The User Delete API will no longer delete User Actions taken by the user. Instead the API will now disassociate any UserActions created by the deleted user by removing them from the Actioning User. In this scenario, a user will remain in an Action taken by a user that has now been deleted.
- A User Action may be applied to a user in a different tenant than the User taking the action. Prior to this release, using the admin UI to take an action on a user in a different tenant may fail.
- The following APIs now support the `PATCH` HTTP method. This enhancement completes GitHub Issue #121.
`/api/application`
`/api/application/role`
`/api/consents`
`/api/email/template`
`/api/group`
`/api/identity-provider`
`/api/integration`
`/api/lambda`
`/api/system-configuration`
`/api/tenant`
`/api/theme`
`/api/user`
`/api/user-action`
`/api/user-action-reason`
`/api/user/consent`
`/api/user/registration`
`/api/webhook`
- The FusionAuth client libraries now also support the PATCH method.
- When an encoded JWT is accepted in the Authorization header, FusionAuth will now accept the token in the `Bearer` or the `JWT` schema.
- When you begin an external login such as Facebook, Google or Twitter, an in-progress indicator will be added to the login panel to indicate to the user that a request is in progress.
- Resolves GitHub Issue #331, thanks to @davidmw for the suggestion!
- If you are using a theme and want to take advantage of this indicator, compare your theme against the stock OAuth2 Authorize template and look for the note in the top JavaScript section.
Version 1.11.0
October 29th, 2019
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Security
- A change was made to the FreeMarker template engine to remove the possibility of malicious code execution through a FreeMarker template. To exploit this vulnerability, one of two scenarios must occur. The first scenario is a user with an API key capable of adding or editing Email or Theme templates; the second scenario is a user with access to the FusionAuth admin UI that has the necessary authority to add or edit Email or Theme templates. In these two scenarios the user would need to add code to the template with the intention of executing a malicious system command. There is a low probability of this being exploited if you have trusted applications and administrative users.
Changed
- Remove the `sid` and the `iss` request parameters on the URL provided by `post_logout_redirect_uri`. This feature was added in version `1.10.0` and because the redirect URL may be a previously configured Logout URL or a URL provided by the `post_logout_redirect_uri` we were always adding these additional request parameters to the URL. This change will remove them from the redirect URL and they will only be added to the URLs used to build the iframes in the logout template.
- Resolves GitHub Issue #332, thanks to @davidmw for the feedback!
- In support of the OAuth Device Grant feature, the following theme changes have been made.
- New themed template `OAuth device`. This template has been added to each of your existing themes. As part of your migration please review this template to ensure it matches your intended style.
- The following theme messages were added. Until these values have been translated they will be rendered in English. At your earliest convenience you will want to add these new keys to your existing themes. You may wish to review the community provided translations which may already contain these new messages. https://github.com/FusionAuth/fusionauth-localization
device-form-title=Device login
device-login-complete=Successfully connected device
device-title=Connect Your Device
userCode=Enter your user code
[blank]user_code=Required
[invalid]user_code=Invalid user code
- The following hidden fields were added and you will need to update your `[#macro oauthHiddenFields]` in the theme “Helpers” of existing Themes if you intend to utilize the Device Grant or `response_mode` in the Authorization grant:
[@hidden name="response_mode"/]
[@hidden name="user_code"/]
- An update has been made to the `[@link]` macro in the Helpers template. If you intend to utilize the Device Grant you will need to add the missing parameters to your macro or copy the updated macro and usage from the default FusionAuth theme. The `user_code` request parameter has been added to this macro.
New
- Device Authorization Grant
  - This satisfies GitHub Issue #320 - OAuth2 Device Authorization Grant
  - This grant type is commonly used to connect a set top box application to a user account. For example, when you connect your HBO NOW Roku application to your account you are prompted with a 6 digit code on the TV screen and instructed to open a web browser to hbonow.com/tvcode to complete the sign-in process. This process uses the OAuth Device Grant or a variation of this workflow.
- Support for the `response_mode` request parameter during the Authorization Code grant and the Implicit grant workflows.
  - This will provide support for `response_mode=form_post`
  - Resolves GitHub Issue #159, thanks to @bertiehub for requesting.
- An additional API is available in support of Passwordless Login to allow additional flexibility with third party integrations.
  - See GitHub Issue #175
  - This feature will be available in 3 steps: Start, Send and Complete. Currently the Send API generates a code and sends it to the user, and then a Login API completes the request. The change is backwards compatible, but a Start action will be provided so you may skip the Send, collect the code yourself and send it to the user using a third party system.
  - See the Passwordless API documentation for additional information.
Preview
- The `PATCH` HTTP method is available on some APIs in a developer preview. This is not yet documented and should only be used in development. The following APIs support the `PATCH` method, more to come.
  - `/api/application`
  - `/api/user`
  - `/api/user/registration`
  - This is in support of GitHub Issue #121 - Support HTTP method PATCH.
Fixed
- Return a `400` status code with a JSON response body on the Import API when a foreign key constraint causes the import to fail
  - Resolves GitHub Issue #317, thanks to @AlvMF1 for reporting the issue!
- Return a `401` status code on the `Userinfo` endpoint for invalid tokens
  - Resolves GitHub Issue #321
- The Passwordless login external identifier complexity settings are not working
  - Resolves GitHub Issue #322, thanks to @pawpro for letting us know!
- An error is incorrectly displayed on the Forgot Password form even when the code is valid
  - Resolves GitHub Issue #330, thanks to @JesperWe for reporting the issue!
- When a large number of tenants exist, such as 3-5k, an exception may be thrown during a key cache reload request
  - Resolves GitHub Issue #326, thanks to @johnmaia for reporting!
- When using the `id_token_hint` on the Logout endpoint, if the token was issued to a user that is not registered for the application it will not contain the `applicationId` claim. This claim was being used to resolve the `client_id` required to complete logout. An alternative strategy is now used so that an `id_token` issued to a user that is registered, or not registered, will work as expected when provided on the Logout endpoint.
  - Resolves GitHub Issue #350, thanks to @paulspencerwilliams for taking the time to let us know!
- Support a SAML SP that does not send the `<samlp:NameIDPolicy />` constraint in the AuthN request; in this case we will default to `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`.
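As an added example (not FusionAuth's code), here is the policy logic the last Fixed item describes, written in Python for an IdP: read the `<samlp:NameIDPolicy/>` element of an AuthnRequest, fall back to the `emailAddress` format when the element is absent, and answer a format the IdP cannot produce with the `InvalidNameIDPolicy` second-level status rather than an assertion. The set of supported formats, the sample requests and the function names are assumptions made for the example; the XML is assumed to have had its signature verified before this logic runs.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"samlp": SAMLP}

# Applied when the SP sends no <samlp:NameIDPolicy/> at all (the behaviour in the note).
DEFAULT_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Formats this example IdP can produce (an assumption for the example).
SUPPORTED_NAMEID_FORMATS = {
    DEFAULT_NAMEID_FORMAT,
    UNSPECIFIED,
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_INVALID_NAMEID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"


def select_nameid_format(authn_request_xml: str):
    """Decide which NameID Format an AuthnRequest asks for.

    Returns (format, status). A request the IdP cannot honour gets the
    InvalidNameIDPolicy status so the SP sees why no assertion came back.
    Only the policy logic lives here; signature checking happens before this.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")

    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None:
        # No constraint from the SP: use the default from the release note.
        return DEFAULT_NAMEID_FORMAT, STATUS_SUCCESS

    # Format is optional on NameIDPolicy; omitted means the SP accepts any format.
    requested = policy.get("Format", UNSPECIFIED)
    if requested == UNSPECIFIED:
        return DEFAULT_NAMEID_FORMAT, STATUS_SUCCESS
    if requested in SUPPORTED_NAMEID_FORMATS:
        return requested, STATUS_SUCCESS
    return requested, STATUS_INVALID_NAMEID_POLICY


# Constructed sample requests (not captured from any real SP).
_HEAD = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
         'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" '
         'IssueInstant="2019-08-15T00:00:00Z">'
         '<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>')
REQUEST_WITHOUT_POLICY = _HEAD + "</samlp:AuthnRequest>"
REQUEST_PERSISTENT = (_HEAD + '<samlp:NameIDPolicy AllowCreate="true" '
                      'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>'
                      "</samlp:AuthnRequest>")
REQUEST_UNSUPPORTED = (_HEAD + '<samlp:NameIDPolicy '
                       'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"/>'
                       "</samlp:AuthnRequest>")
REQUEST_POLICY_NO_FORMAT = _HEAD + '<samlp:NameIDPolicy AllowCreate="true"/></samlp:AuthnRequest>'

if __name__ == "__main__":
    for name, xml in [("no policy", REQUEST_WITHOUT_POLICY), ("persistent", REQUEST_PERSISTENT),
                      ("unsupported", REQUEST_UNSUPPORTED), ("policy, no Format", REQUEST_POLICY_NO_FORMAT)]:
        print(f"{name:18} -> {select_nameid_format(xml)}")
```

Returning a status instead of silently substituting a format matters for interoperability: an SP that asked for `persistent` and gets an `emailAddress` NameID will typically reject the assertion, and the explicit status makes that failure diagnosable in the IdP's own logs.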
Enhancement
- Front-channel logout was made more flexible
  - Resolves GitHub Issue #324
  - A new attribute `Logout behavior` was added to the Application -> OAuth configuration
    - `Redirect only` - legacy behavior of only logging out of SSO and redirecting to either the registered logout URL in the application or the `post_logout_redirect_uri`.
    - `All applications` - performs a front channel logout of all registered applications in the tenant. Optionally, the themeable `OAuth logout` page can be modified to only log out of those applications the user is registered for.
- In some cases the Facebook IdP configuration requires a permission of `email` to be configured in order for the `email` claim to be returned from the Facebook Me API even when `email` is also specified in the `fields` parameter. FusionAuth will default both the `fields` and the `permissions` parameters to `email` on create if not provided, to make the Facebook IdP work out of the box for more users. Defaults will not be applied if these fields are left blank or omitted on an update.
- The Passwordless Send API now takes an optional `code` parameter which will be used as the Passwordless code sent in the email. This `code` can be generated by the new Passwordless Start API.
Version 1.10.1
October 1st, 2019
Fixed
- When logging into Google or another external Identity Provider for an Application outside of the default tenant, the login may not complete successfully. This issue was introduced in version 1.9.0. A workaround is to use an application in the default tenant.
- A status code of `500` may occur during the processing of the SAML v2 response from a SAML v2 IdP.
  - Resolves GitHub Issue #314, thanks to @Raghavsalotra for all his help verifying a fix for this issue.
Version 1.10.0
September 30th, 2019
Changed
- In support of the OpenID Connect Front Channel logout feature, the following theme changes have been made.
  - New themed template `OAuth logout`. This template has been added to each of your existing themes. As part of your migration please review this template to ensure it matches your intended style.
  - The following theme messages were added. Until these values have been translated they will be rendered in English. At your earliest convenience you will want to add these new keys to your existing themes. You may wish to review the community provided translations which may already contain these new messages. https://github.com/FusionAuth/fusionauth-localization

```properties
logging-out=Logging out&hellip;
logout-title=Logging out
or=Or
[ExternalAuthenticationException]=%1$s The login request failed.
```
New
- Support for the OpenID Connect Front Channel logout
  - This updates the existing OAuth2 Logout endpoint to be compliant with the OpenID Connect Front-Channel Logout 1.0 - draft 02 specification
  - TL;DR The `/oauth2/logout` endpoint will call logout URLs of all tenant applications. A redirect URL can be requested on the URL via `post_logout_redirect_uri`.
  - Resolves GitHub Issue #256, thanks to all who up voted and provided valuable feedback.
- The OpenID Connect discovery endpoint now returns the following attributes:
  - `end_session_endpoint`
  - `frontchannel_logout_supported`
  - `backchannel_logout_supported`
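The front-channel logout behaviour introduced here, and refined in the 1.11.0 change earlier on this page (`iss` and `sid` only on the iframe URLs, never on the final redirect), as an added Python example that is not FusionAuth's code: it builds the per-application iframe URLs and decides where to send the browser afterwards. The tenant data, URLs and function names are constructed for the example. The one check a practitioner should not skip is the exact match of `post_logout_redirect_uri` against registered values; without it the logout endpoint is an open redirect.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def append_query(url: str, params: dict) -> str:
    """Append params to url without dropping a query string it already has."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def frontchannel_logout_urls(issuer: str, sid: str, applications) -> list:
    """One URL per application that registered a logout URL, for the hidden iframes
    on the OAuth logout page. The iss and sid parameters of Front-Channel Logout 1.0
    are appended here and only here."""
    urls = []
    for app in applications:
        target = app.get("logout_url")
        if target:
            urls.append(append_query(target, {"iss": issuer, "sid": sid}))
    return urls


def resolve_post_logout_redirect(requested, application) -> str:
    """Final browser destination. A requested post_logout_redirect_uri must exactly
    match a value registered for the application; with no parameter the registered
    logout URL is used. Nothing is appended to this URL."""
    if requested is None:
        return application["logout_url"]
    if requested in application.get("post_logout_redirect_uris", ()):
        return requested
    raise ValueError("post_logout_redirect_uri is not registered for this application")


# Constructed tenant data for the example (not from any real deployment).
TENANT_APPS = [
    {"name": "web", "logout_url": "https://web.example.com/logout",
     "post_logout_redirect_uris": ["https://web.example.com/bye"]},
    {"name": "docs", "logout_url": "https://docs.example.com/logout?src=idp"},
    {"name": "cli", "logout_url": None},  # no browser session to clear
]


def logout_plan(issuer: str, sid: str, client_app: dict, requested_redirect=None) -> dict:
    """What the logout page needs: iframe URLs plus the redirect to perform afterwards."""
    return {
        "iframes": frontchannel_logout_urls(issuer, sid, TENANT_APPS),
        "redirect": resolve_post_logout_redirect(requested_redirect, client_app),
    }


if __name__ == "__main__":
    plan = logout_plan("https://auth.example.com", "sess-1", TENANT_APPS[0],
                       "https://web.example.com/bye")
    for url in plan["iframes"]:
        print("iframe  ", url)
    print("redirect", plan["redirect"])
```

Exact string matching is deliberate: prefix or host-only matching of redirect URIs is the classic way such checks get bypassed, and the OpenID Connect RP-Initiated Logout text requires the value to be one the RP pre-registered.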
Fixed
- Send email API may fail with a `500`. This issue was introduced in version `1.9.0`.
- SAML v2 Invalid Redirect. This resolves GitHub Issue #287, thanks to @prasanna10021991 for reporting and helping!
Enhancement
- Allow request parameters to be provided on the Authorization endpoint in the OpenID Connect relying party configuration. This allows FusionAuth to integrate with the Twitch OpenID Authorization Grant implementation.
  - This resolves GitHub Issue #309, thanks to @tauinger-de for reporting and helping out!
  - This is a partial fix to work around not supporting the `claims` parameter on the Authorize request. See GitHub Issue #308 for additional information.
Version 1.9.2
September 24th, 2019
Fixed
- If you have one or more themes defined prior to upgrade you may be unable to login.
- Resolves GitHub Issue #306, thanks to @flangfeldt and @jerryhopper for the assist!
- See workaround in the linked GitHub issue.
- Resolves Internal Server Error after Fusion Auth Upgrade to v 1.9.1, thanks to Tom Bean for reporting!
Version 1.9.1
September 23rd, 2019
Fixed
- Unable to modify the name of the default FusionAuth theme. If you attempt to edit the theme and save the form, an unexpected validation error occurs that will cause an exception. If you encounter this problem you can simply not edit the FusionAuth theme, since you are not able to modify its templates anyway. Instead, just duplicate the theme if you would like to view any of the default messages.
Version 1.9.0
September 23rd, 2019
New
- Full theme localization support for errors and all other text
- If you’re interested in helping us crowd source additional languages check out this Git repo and open an issue or submit a PR.
- https://github.com/FusionAuth/fusionauth-localization
Fixed
- When editing a new email template that contained `${user.tenantId}` the template validation may fail.
  - Resolves GitHub Issue #294, thanks to @tauinger-de for reporting the issue.
- A locked account may still be able to login via Google or another external identity provider.
  - Resolves GitHub Issue #301, thanks to @jerryhopper (a FusionAuth MVP) for the bug report!
  - Prior to this change, when using the OAuth2 login or the Login API a locked account was treated as a "soft" lock and a `404` would be returned from the Login API, which in turn displayed an Invalid credentials error. The account locked (soft delete) state will now return a `423` status code instead of a `404`, which will result in a different message on the OAuth2 login.
Version 1.8.1 RC1
September 10th, 2019
This is a release candidate. This means the version is stable and should work for most cases. However, due to the complexity of the database migration ensure you have adequately tested the upgrade prior to moving it into production. You may also wish to wait for the forthcoming full release of 1.8.1 or 1.9.0 before moving into production.
Fixed
- The SQL issue described below in the warning message has been resolved.
- Performing a clean install of `1.8.0-RC.1` may fail in some cases
- When `user.passwordChangeRequired` is `true` and you login via an external identity provider you will be redirected to `/password/change` with an invalid code, so you will not be able to complete the change password workflow. You may work around this by navigating back to the login page and clicking the forgot password link.
Version 1.8.0 RC1
September 8th, 2019
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Known Issues:
Any rows in the `user_external_ids` table with a `null` value in the `applications_id` column may cause the migration to fail. Prior to upgrading run the following SQL command:

```sql
DELETE from user_external_ids WHERE applications_id IS NULL;
```

This issue will be resolved in the final release of `1.8.0`.
Community MVPs
Thanks to all of our community members who take the time to open features, report bugs, assist others and help us improve FusionAuth! For this release we would like to thank the following GitHub users who helped us out!
- @AlvMF1
- @colundrum
- @damienherve
- @davidmw
- @fabiojvalente
- @flangfeldt
- @johnmaia
- @petechungtuyco
- @prabhakarreddy1234
- @snmed
- @tombeany
- @unkis
- @whiskerch
- @zbruhnke
Changed
- Most of the configuration previously available in the System Settings has been moved to the Tenant configuration to allow for additional flexibility. This is important if you will be utilizing more than one tenant: you may now configure password policies, email configuration, etc. per tenant. If you are using the System Configuration or Tenant APIs, please be aware of this change and plan accordingly. If you were manually synchronizing these configurations between systems, you will need to update these processes.
  - SMTP configuration
  - Event configuration
  - Password configuration
  - Failed Authentication configuration
  - JWT configuration
- Theme
  - When using a theme, whenever possible provide the `tenantId` on the request using an HTTP request parameter. This will help ensure FusionAuth renders the page using your chosen theme. In most cases FusionAuth can identify the correct tenant and theme based upon other parameters in the request, but in some circumstances there is not enough information and FusionAuth will default to the stock theme if the `tenantId` is not explicitly provided.
    - For example, in each of the shipped email templates the following has been added to the generated URL: `?tenantId=${tenantId}`. You may wish to add this to your email templates if you're using themes.
  - If you were previously accessing a themed stylesheet in your template as `${loginTheme.stylesheet}` it is now accessed like this: `${theme.stylesheet()}`.
New
- Top level theme menu in FusionAuth UI. Settings -> Themes.
- Create, delete, edit and update themes
- Assign a named theme to a tenant
- Theme preview
- User modifiable CORS configuration
- A public key may also be retrieved by `kid` in addition to the `applicationId` when using the Public Key API. This resolves GitHub Issue #227.
- PKCE support for use during the Implicit Grant
- New User Email Verified and User Registration Verified events. Resolves GitHub Issue #163, thanks to @unkis, @prabhakarreddy1234 and @davidmw for the great feedback!
- Email Verification, Registration Verification, Change Password, Setup Password and Passwordless Login can be optionally configured to use codes made up of digits instead of long strings. This may be helpful if you wish the user to type in a code during an interactive workflow.
- Resolves GitHub Issue #269, thanks to @zbruhnke for helping us get this one delivered.
Fixed
- Tenant scoped SMTP configuration, password rules, event transactions, JWT signing configuration, etc.
- When viewing Refresh token expiration in the Manage User panel under the Sessions tab, the expiration may be displayed incorrectly if the Refresh Token Time to Live has been set at the Application level. The actual time to live was still correctly enforced, but this display may have been incorrect.
- In some cases an Id Token signed by FusionAuth may not be able to be verified if it is sent back to FusionAuth. This issue was introduced in version `1.6.0`.
- If the host operating system is not configured for `UTF-8` and you specify multi-byte characters in an email template subject, the subject text may not be rendered correctly when viewed by the recipient.
  - Resolves GitHub Issue #231, thanks to @Lechu67 for reporting via Stack Overflow and helping to diagnose the issue.
- Toggle rendering issue in Firefox. Resolves GitHub issue #260, thanks to @snmed for the assist!
- When creating users and applications programmatically, due to a timing issue, you may receive an unexpected error indicating the Application does not exist. Resolves GitHub Issue #252, thanks to @johnmaia for reporting the issue.
- An exception may occur when using the Login with Google feature if the `picture` claim returned is not a valid URI. Resolves GitHub Issue #249, thanks to @damienherve for reporting the issue.
- A tenant may fail to be deleted. Resolves GitHub Issue #221, thanks to @johnmaia for the assist! If you encounter this issue, ensure the search index is updated; generally this will only happen if you programmatically create users and then immediately attempt to delete a tenant.
- The relative link on the Change Password themed template to restart the Forgot Password workflow when the code has expired is broken. Resolves GitHub Issue #280, thanks to @flangfeldt for letting us know!
- The Import API may fail due to a false positive during password salt validation. Resolves GitHub Issue #272, thanks to @tombeany for reporting the issue.
- Modifying an Identity Provider configuration when an Application has been disabled may cause an error in the UI. Resolves GitHub Issue #245, thanks to @fabiojvalente for reporting the issue.
- When the FusionAuth schema exists in the database and you reconnect FusionAuth using the database maintenance mode, depending upon the version of PostgreSQL we may not properly detect that the schema exists and return an error instead of continuing. Resolves GitHub Issue #237, thanks to @whiskerch for reporting the issue.
- A typo in the Java FusionAuth client causes the `generateEmailVerificationId` request to fail. Resolves GitHub Issue #282, thanks to @petechungtuyco for reporting the issue and pointing out the solution!
Enhancement
- JWT Refresh Token Revoke event will contain a User object when available
  - Resolves GitHub Issue #255, thanks to @AlvMF1 for the great suggestion!
- A themed template that may have the `passwordValidationRules` available after a password validation field error will now always have the `passwordValidationRules` available if you choose to display them. Resolves GitHub Issue #263, thanks to @AlvMF1 for the suggestion!
- Updated PostgreSQL connector to support `SCRAM-SHA-256`. Thanks to @colundrum for letting us know and assisting in testing. Resolves GitHub Issue #209
- The OpenID Connect discovery endpoint now accepts an optional `tenantId` request parameter.
- A User object is returned in the `jwt.refresh-token.revoke` event JSON.
- The field `tenantId` is returned in event JSON.
Version 1.7.4
August 22nd, 2019
Fixed
- When configuring a SAML v2 IdP relying party using the FusionAuth SP metadata, the configured ACS may not work properly. If you encounter this issue you may manually modify the relying party configuration to change the ACS endpoint to `/oauth2/callback`.
  - Resolves Stack Overflow: FusionAuth ADFS integration issue, thanks to @johan for reporting the issue.
Version 1.7.3
August 15th, 2019
New
- SAML v2, OpenID Connect, Google, Facebook, Twitter and External JWT Identity Provider configurations now have a debug flag. When enabled a debug Event Log will be created during each request to the Identity Provider to assist in debugging integration issues that may occur. In addition, error cases will be logged in the Event log instead of to the product log.
- SAML v2 Service Provider (Relying Party) Metadata URL
Fixed
- In some cases when running FusionAuth behind a proxy without setting the `X-Forwarded-Port` header, the URLs returned in the OpenID Configuration discovery document may contain an `https` URL that is suffixed with port `80`. If this is encountered prior to this version you may simply add the `X-Forwarded-Port` header in your proxy configuration.
- SAML v2 fix when using `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` or `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` Name Id formats.
  - Resolves GitHub Issue #205, thanks to @mikerees for reporting the issue and helping us test a fix.
- SAML v2 fix in the IdP Metadata. The `IDPSSODescriptor` was missing the `protocolSupportEnumeration` attribute, which may cause some SAML metadata parsers to fail processing.
  - Resolves GitHub Issue #235, thanks to @user1970869 for reporting the issue and helping us test a fix.
- SAML v2 fix in the IdP Metadata. The value returned in the `issuer` attribute was not the same as the `entityId` provided in the metadata, which may cause some SAML metadata parsers to fail processing.
  - Resolves GitHub Issue #240, thanks to @user1970869 for reporting the issue and helping us test a fix.
- An audit log entry may not be created for a FusionAuth admin that does not have an email address when modifying configuration with the FusionAuth UI.
  - Resolves GitHub Issue #268
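The first Fixed item above is a common reverse-proxy failure mode: the scheme is taken from `X-Forwarded-Proto` but the port from the local listener, so the discovery document advertises `https://host:80`, which no client can use and which may not match the `iss` value tokens carry. The following Python is an added example, not FusionAuth's implementation, showing the flawed derivation next to a corrected one whose precedence is `X-Forwarded-Port`, then a port embedded in `X-Forwarded-Host`/`Host`, then the forwarded scheme's default, then the listener. The header sets are constructed; the code assumes a trusted proxy that strips client-supplied `X-Forwarded-*` headers before adding its own.

```python
from urllib.parse import urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _header(headers: dict, name: str):
    """Case-insensitive lookup; keeps the first value when a proxy chain appended several."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.split(",")[0].strip()
    return None


def _split_host(host: str):
    """'auth.example.com:8443' -> ('auth.example.com', 8443); IPv6 literals keep brackets."""
    if host.startswith("["):
        name, _, rest = host.partition("]")
        name += "]"
        port = rest[1:] if rest.startswith(":") else ""
    else:
        name, _, port = host.partition(":")
    return name, (int(port) if port.isdigit() else None)


def base_url_before_fix(headers: dict, listen_port: int = 80) -> str:
    """The behaviour the note describes: scheme from X-Forwarded-Proto but the port
    from the local listener, so an https front end without X-Forwarded-Port gives ':80'."""
    scheme = (_header(headers, "X-Forwarded-Proto") or "http").lower()
    host, _ = _split_host(_header(headers, "Host") or "localhost")
    return urlunsplit((scheme, f"{host}:{listen_port}", "", "", ""))


def base_url(headers: dict, listen_port: int = 80) -> str:
    """Public base URL for documents such as the discovery endpoint (corrected)."""
    forwarded_proto = _header(headers, "X-Forwarded-Proto")
    scheme = (forwarded_proto or "http").lower()
    raw_host = _header(headers, "X-Forwarded-Host") or _header(headers, "Host") or "localhost"
    host, host_port = _split_host(raw_host)
    forwarded_port = _header(headers, "X-Forwarded-Port")
    if forwarded_port and forwarded_port.isdigit():
        port = int(forwarded_port)
    elif host_port is not None:
        port = host_port
    elif forwarded_proto:
        # The proxy told us the scheme but not the port: use that scheme's default,
        # never the listener's port.
        port = DEFAULT_PORTS.get(scheme, listen_port)
    else:
        port = listen_port
    netloc = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, "", "", ""))


# Constructed header sets (not captured from a real deployment).
BEHIND_TLS_PROXY_NO_PORT = {"Host": "auth.example.com", "X-Forwarded-Proto": "https"}
BEHIND_TLS_PROXY_WITH_PORT = {"Host": "auth.example.com", "X-Forwarded-Proto": "https",
                              "X-Forwarded-Port": "8443"}
DIRECT_DEV = {"Host": "localhost:9011"}

if __name__ == "__main__":
    print(base_url_before_fix(BEHIND_TLS_PROXY_NO_PORT))  # https://auth.example.com:80
    print(base_url(BEHIND_TLS_PROXY_NO_PORT))             # https://auth.example.com
    print(base_url(BEHIND_TLS_PROXY_WITH_PORT))           # https://auth.example.com:8443
    print(base_url(DIRECT_DEV, listen_port=9011))         # http://localhost:9011
```

A quick check after any proxy change is to fetch the discovery document through the proxy and compare its `issuer` and endpoint URLs with the `iss` claim in a freshly issued token; a mismatch there is exactly what this bug produced.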
Enhancement
- Integration details have been moved to a view dialog for each Identity Provider configuration. Previously these values were provided as read only fields on the edit panel in the UI.
- See the View action for your Identity Provider configurations by navigating to Settings -> Identity Providers.
Version 1.7.2
June 19th, 2019
Fixed
- Deleting a user that has recently had a failed login may fail when FusionAuth is tracking failed login attempts to lock user accounts.
- Resolves GitHub Issue #184 : Cannot delete user with too many login attempts, thanks to @gmpreussner for reporting the issue.
- Login to a 3rd party SAML IdP may fail
- Resolves GitHub Issue #181 : Trouble with SAML and OpenID logins, thanks to @davidmw for reporting the issue.
- Fix the uptime calculation for nodes when viewed in the About panel. System -> About
Version 1.7.1
June 13th, 2019
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Fixed
- Possible migration error for PostgreSQL users
Version 1.7.0
June 13th, 2019
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Changed
- The `timezone` field in the User and UserRegistration must be an IANA time zone. This was previously assumed, but not always enforced. If a timezone is set for a User or UserRegistration that is not a valid IANA timezone, `null` will be returned when retrieving the User or UserRegistration timezone.
New
- Family and relationship modeling. Yeah, everyone has users, but does your IdP manage family relationships?
- Family concepts
- Family APIs
- Consent management. Need to record parental consent, or track opt-in for your users? Look no further.
- Consent concepts
- Consent APIs
- We will ship FusionAuth with COPPA VPC, and COPPA Email+ consents, additional consents may be added through the Consent management interface and through the Consent APIs.
- Export of Audit Logs to a zipped CSV in the UI and via the Export API
- Export of Login Records to a zipped CSV in the UI and via the Export API
- Login Record view that contains limited search and pagination capability. In the UI see System -> Login Records
- Retention policy for Audit Logs. This feature is disabled by default and may be enabled to retain a configured number of days worth of Audit Logs.
- Retention policy for Login Records. This feature is disabled by default and may be enabled to retain a configured number of days worth of Login Records.
Fixed
- Some timezones may not be correctly discovered during login. When this occurs an `undefined` value is set which may cause an error during login to the FusionAuth UI.
- Support importing Bcrypt hashes that contain a `.` (dot). The Bcrypt Base64 encoding uses a non-standard character set which includes a `.` (dot) instead of a `+` (plus) as in the standard character set. Thank you to Diego Souza Rodrigues for discovering this issue and letting us know!
- Better support for third party 2FA devices such as an RSA key fob. When providing FusionAuth with a secret to enable Two Factor authentication we will accept a string in a Base32 or Base64 encoded format. The documentation has been updated to further clarify this behavior. Previously, if you brought your own secret to FusionAuth to enable 2FA, depending upon the format of the key you may not have been successful in enabling 2FA for a user.
- Managed domains were not being returned properly for a SAML v2 IdP configuration. This means that you could not limit the SAML v2 IdP configuration to users with a specific email domain.
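Two of the Fixed items above are about accepting credential material that arrives in a non-standard or ambiguous encoding: bcrypt strings whose salt and hash use the `./` alphabet rather than standard Base64's `+/`, and TOTP seeds supplied as either Base32 or Base64. The Python below is an added example, not FusionAuth's import or 2FA code: it validates a bcrypt string structurally (pointing out a `+` as the likely cause of a rejected import), decodes a TOTP seed in either encoding while handling the case where a string is valid in both, and computes the resulting RFC 6238 code so the decoded key can be checked against a real device. The sample inputs are the RFC 6238 test seed in both encodings plus constructed bcrypt strings; the function names are this example's own.

```python
import base64
import binascii
import hashlib
import hmac
import re
import struct

# bcrypt's own Base64 alphabet starts with "./" where standard Base64 uses "+/".
# Layout: $2<variant>$<cost>$<22-character salt><31-character hash>
BCRYPT_RE = re.compile(
    r"^\$2[abxy]?\$(?P<cost>\d{2})\$(?P<salt>[./A-Za-z0-9]{22})(?P<hash>[./A-Za-z0-9]{31})$"
)


def parse_bcrypt(encoded: str) -> dict:
    """Validate an imported bcrypt string and split it into cost, salt and hash.

    Raises ValueError with the reason when the value is malformed, so an import
    job can report the bad record instead of storing an unusable hash.
    """
    match = BCRYPT_RE.match(encoded)
    if match is None:
        if "+" in encoded:
            raise ValueError("contains '+': standard Base64, not bcrypt's './' alphabet")
        raise ValueError("not a bcrypt hash string")
    cost = int(match.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError(f"cost factor {cost} is outside bcrypt's 4..31 range")
    return {"cost": cost, "salt": match.group("salt"), "hash": match.group("hash")}


def is_bcrypt_hash(encoded: str) -> bool:
    try:
        parse_bcrypt(encoded)
        return True
    except ValueError:
        return False


def decode_totp_secret(secret: str, encoding: str = "auto"):
    """Decode a user-supplied TOTP seed given as Base32 (the RFC 6238 convention) or Base64.

    Returns (key_bytes, encoding_used). In "auto" mode Base32 is tried first: many
    strings (e.g. "ABCDEFGH") are valid in both encodings and would silently decode
    to a different key as Base64, so callers that know the format should pass it.
    """
    compact = "".join(secret.split())  # tolerate spaces and line breaks users paste in
    attempts = ["base32", "base64"] if encoding == "auto" else [encoding]
    for enc in attempts:
        try:
            if enc == "base32":
                padded = compact + "=" * (-len(compact) % 8)
                return base64.b32decode(padded, casefold=True), "base32"
            if enc == "base64":
                padded = compact + "=" * (-len(compact) % 4)
                return base64.b64decode(padded, validate=True), "base64"
        except binascii.Error:
            continue
        raise ValueError(f"unknown encoding {enc!r}")
    raise ValueError("secret is neither valid Base32 nor valid Base64")


def totp(key: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the variant hardware tokens and authenticator apps share."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


# Constructed inputs: the RFC 6238 test seed "12345678901234567890" in both encodings.
SEED_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SEED_BASE64 = "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA="

if __name__ == "__main__":
    for seed in (SEED_BASE32, SEED_BASE64):
        key, used = decode_totp_secret(seed)
        print(used, totp(key, 59))  # both print 287082, the RFC 6238 vector for T=59
    print(parse_bcrypt("$2a$10$" + "a" * 21 + "." + "B" * 30 + "."))
```

The Base32-first order is the safe default because authenticator provisioning uses Base32, but an enrolment form that lets the administrator state the encoding explicitly removes the ambiguity entirely; comparing a code from the physical device against `totp(key, now)` is the cheapest way to confirm the right key was stored.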
Enhancement
- The User Registration object is now available as a top level object in the Verify Registration email template. The registration was previously available in the `user` object, but it will now also be a top level object `registration`.
- Support arbitrary URIs for OAuth redirects.
- Add `user.mobilePhone` to the search index. For an existing installation, to take advantage of this field for existing users, you may need to rebuild the search index. See System -> Reindex
  - Resolves GitHub Issue #165 : Add mobilePhone in User Search
  - Thanks to @petechungtuyco for letting us know and suggesting the addition.
Version 1.6.1
May 2nd, 2019
Fixed
- Using OpenID Connect with Microsoft Azure AD may fail
- Thanks to @stevenrombauts and @plunkettscott for reporting the issue. OpenID connect fails with Azure AD #153.
Version 1.6.0
April 28th, 2019
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Please Read
The SAML specification is complex and not all SAML v2 Service Providers are specification compliant. This means your mileage may vary as you utilize the FusionAuth SAML v2 IdP to allow services such as Zendesk, Pivotal and Google G-Suite to log into FusionAuth using SAML v2. If you run into problems open a GitHub issue and we will try to help.
Changed
- Deprecated the following properties on the `SystemConfiguration` and `Application` domain. This is all now managed through Key Master, and existing keys have been migrated into Key Master.
  - `jwtConfiguration.issuer`
  - `jwtConfiguration.algorithm`
  - `jwtConfiguration.secret`
  - `jwtConfiguration.publicKey`
  - `jwtConfiguration.privateKey`
- Deprecated the following property `SystemConfiguration.jwtConfiguration.issuer`; it has moved to `SystemConfiguration.issuer`.
- A new macro was added to the `_helpers.ftl` that may be managed by your theme. If you have modified the `_helpers.ftl` template as part of your theme, you will either need to reset that template and merge your changes back in, or add the following code to your `_helpers.ftl` managed by your theme. If you encounter an issue with this, you will still likely be able to login to correct the issue; if you do get stuck you may disable your theme to login. See Troubleshooting themes.

```ftl
[#macro link url text extraParameters=""]
  <a href="${url}?tenantId=${(tenantId)!''}&client_id=${(client_id?url)!''}&nonce=${(nonce?url)!''}&redirect_uri=${(redirect_uri?url)!''}&response_type=${(response_type?url)!''}&scope=${(scope?url)!''}&state=${(state?url)!''}&timezone=${(timezone?url)!''}&metaData.device.name=${(metaData.device.name?url)!''}&metaData.device.type=${(metaData.device.type?url)!''}${extraParameters!''}">
    ${text?html}
  </a>
[/#macro]
```
New
- Support for SAMLv2 IdP. This satisfies GitHub Issue #3
- Support for SAMLv2 Service Provider to support federated authentication to a SAMLv2 Identity Provider. This satisfies GitHub Issue #104
- Lambda support. Lambdas are user defined JavaScript functions that may be executed at runtime to perform various functions. In the initial release of Lambda support they can be used to customize the claims returned in a JWT, reconcile a SAML v2 response or an OpenID Connect response when using these Identity Providers.
- See the Lambda API and the new Lambda settings in the UI Settings -> Lambdas.
- Event Log. The event log will assist developers during integration to debug integrations. The event log will be found in the UI under System -> Event Log.
- SMTP Transport errors
- Lambda execution exceptions
- Lambda debug output
- SAML IdP integration errors and debug
- Runtime exceptions due to email template rendering issues
- And more!
- Key Master, manage HMAC, Elliptic and RSA keys, import, download, generate, we do it all here at Key Master.
- New events
  - `user.login.failed`
  - `user.login.success`
  - `user.registration.create`
  - `user.registration.update`
  - `user.registration.delete`
- Easily duplicate email templates using the Duplicate action.
- Manage Access Token and Id Token signing separately
Enhancement
- Insert instant provided on the Import API for Users and Registrations will be reflected in the historical registration reports
- Additional node information will be available on the About panel when running multiple FusionAuth nodes in a cluster. See System -> About.
Fixed
- If Passwordless login is disabled because no email template has been configured, the button will not be displayed on the login panel. If a user attempts to use the passwordless login and the feature has been disabled or the user does not have an email address, an error will be displayed to alert the user.
- If you are using the Implicit Grant and you have Self Service Registration enabled for the same application, the redirect after the registration check will assume you are using the Authorization Code grant. To work around this issue prior to this release, disable Self Service Registration. Thanks to @whiskerch for reporting this issue in GitHub Issue #102.
- Fixed OpenID Connect federated login. Our JavaScript code was throwing an exception due to the removal of the `device` field from OAuth. This code wasn't updated and therefore would not perform the redirect to the third-party OpenID Connect IdP. To fix this issue in 1.5.0 or below, you can remove this line from OpenIDConnect.js on or near line 48: `+ '&device=' + Prime.Document.queryFirst('input[name=device]').getValue()`.
- When you use the Refresh Grant with a Refresh Token that was obtained using the Authorization Code grant with the `openid` scope, the response will not contain an `id_token` as you would expect. This fixes GitHub Issue #110 - OIDC and Refresh Tokens. Thanks to @fabiosimeoni for reporting this issue
- Using an OpenID Connect Identity Provider that requires client authentication may fail even when you provide a client secret in your OpenID Connect configuration.
  - https://github.com/FusionAuth/fusionauth-issues/issues/118
  - https://github.com/FusionAuth/fusionauth-issues/issues/119
  - https://github.com/FusionAuth/fusionauth-issues/issues/122
Version 1.5.0
March 25th, 2019
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Changed
- Removed `/oauth2/token` from the CORS configuration. This change will cause the CORS filter to reject a `POST` request to the `/oauth2/token` endpoint when the request originates in JavaScript from a different domain. This will effectively prohibit the use of the OAuth2 Password grant from JavaScript.
- The `device` parameter is no longer required on the Login API or the Authorize endpoint in order to receive a Refresh Token. If the `device` parameter is provided it will be ignored.
- Correct the Refresh API response body to match the documentation. If you are currently consuming the JSON body of this API using the `POST` method, you will need to update your integration to match the documented response body.
New
- Support for Passwordless login via email. See the Passwordless API if you’ll be integrating with this API to build your own login form. To use this feature with the provided FusionAuth login form, enable Passwordless by navigating to your FusionAuth Application (Settings -> Applications) and selecting the `Security` tab.
- Support for the OAuth2 Implicit Grant. See the OAuth 2.0 & OpenID Connect Overview and OAuth 2.0 Endpoints for additional information.
- The `Authorization Code`, `Password`, `Implicit` and `Refresh Token` grants may be enabled or disabled per application. See the `oauthConfiguration.enabledGrants` property in the Application API, or the `OAuth` tab in the Application configuration in the FusionAuth UI.
- The Change Password API can be called using a JWT. This provides additional support for the Change Password workflow in a single page web application. See the Change Password API for additional details.
- The Change Password API in some cases will return a One Time Password (OTP). This password may then be exchanged for a new JWT and a Refresh Token on the Login API. This allows for a more seamless user experience when performing a change password workflow. See the Change Password and Login API for additional details.
- The Login API can now be restricted to require an API key. The default for new applications will require authentication, which can be disabled. Existing applications will not require authentication via the API, to preserve the existing behavior. The Login API may also be restricted from returning Refresh Tokens or from allowing an existing Refresh Token to be used to refresh an Access Token. These settings are configurable per Application; see the Application API for additional details, or the `Security` tab in the Application configuration in the UI. If using the Application API, see the `application.loginConfiguration` parameters.
- The `c_hash`, `at_hash` and `nonce` claims will be added to the `id_token` payload for the appropriate grants.
- Add support for `client_secret_post` to the already provided `client_secret_basic` Client Authentication method. This means that in addition to using HTTP Basic Authentication, you may also provide the `client_id` and `client_secret` in the request body.
Enhancement
- Better ECDSA private and public key validation to ensure the algorithm selected by the user matches the provided key.
- When using the Change Password workflow in the OAuth2 Implicit or Authorization Code grants, the user will be automatically logged in upon completing a change password that is required during login.
- The Two Factor Login API will return the `twoFactorTrustId` as an HTTP Only secure cookie in addition to being returned in the JSON response body. This provides additional support and ease of use when making use of this API in a single page web application. See the Two Factor Login API for additional details.
Fixed
- When using the Login Report in the UI and searching by user, if you have more than one tenant you will encounter an error.
- Validation errors are not displayed in the Add Claim dialog when configuring claim mapping for an External JWT Identity Provider.
- Calling the Tenant API with the `POST` or `PUT` methods without a request body will result in a `500` instead of a `400` with an error message.
- When a locale preference has not been set for a FusionAuth admin and the English locale is used, the user may see dates displayed in `d/M/yyyy` instead of `M/d/yyyy`.
- Fix some form validation errors during self-registration.
- The Action user action on the Manage User panel was opening the Comment dialog instead of the Action user dialog
- When a user has 2FA enabled and a password change is required during login, the 2FA will now occur before the change password workflow
- When more than one tenant exists, the Forgot Password link on the FusionAuth login page will not function properly.
- The Logout API may not always delete the `access_token` and `refresh_token` cookies if they exist on the browser.
- The `id_token` will be signed with the `client_secret` when `HS256`, `HS384` or `HS512` is selected as the signing algorithm. This is necessary for compliance with OpenID Connect Core 3.1.3.7 ID Token Validation. This fixes GitHub Issue #57; thanks to @anbraten for reporting this issue. If you encounter this issue prior to this version, copy the Client Secret found in the UI on the `OAuth` tab of your Application configuration into the HMAC secret on the `JWT` configuration tab.
- The Login API will now return a `400` with an error JSON response body if the `applicationId` parameter does not belong to any configured applications. Previous to this release, this was treated the same as if the User was not registered to the requested application.
- A change to the Docker build for permissions reduced the overall `fusionauth-app` image by ~200 MB.
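The `id_token` signing fix above, together with the new `c_hash`, `at_hash` and `nonce` claims, matters because an OpenID Connect client validates an HMAC-signed ID token with its own `client_secret` as the key; a token signed with any other secret fails the check. The following is an added example, not FusionAuth code, that performs that validation with the standard library; the issuer, client id, secret and token values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example, not FusionAuth code: verify an HMAC-signed id_token with
# the client_secret as key (OIDC Core 3.1.3.7) and check at_hash / c_hash / nonce.
ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def token_hash(value: str, alg: str) -> str:
    # at_hash / c_hash (OIDC Core 3.3.2.11): left half of the alg digest, base64url
    digest = ALGS[alg](value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def sign_id_token(claims: dict, client_secret: str, alg: str) -> str:
    # What the IdP does after the fix: the HMAC key is the application's client_secret
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), ALGS[alg]).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_id_token(token: str, client_secret: str, client_id: str, issuer: str,
                    nonce=None, access_token=None, code=None, now=None) -> dict:
    # Client side: returns the claims, or raises ValueError on any failed check
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg not in ALGS:  # reject "none" and any algorithm the shared secret does not key
        raise ValueError("unsupported alg")
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode(), ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud")
    if claims.get("iss") != issuer or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("iss/aud mismatch")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    if access_token is not None and claims.get("at_hash") != token_hash(access_token, alg):
        raise ValueError("at_hash mismatch")
    if code is not None and claims.get("c_hash") != token_hash(code, alg):
        raise ValueError("c_hash mismatch")
    return claims
```

Before the fix, a token signed with the HMAC secret from the `JWT` tab rather than the `client_secret` would fail the signature check here, which is the workaround the note above describes.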
Version 1.4.0
February 4th, 2019
Please Read
The FusionAuth System Requirements have been updated. Please review the updated requirements to ensure you have met the minimum supported versions of operating system and database.
Changed
- Renamed `Type` enum in `DeviceInfo` class to `DeviceType`. This will only affect you if you are using the Java or C# client and reference this enum directly. If you are using this class directly, you may need to update an import in your client code.
- More than one authorization code may exist for a single user at a given time. This will allow multiple asynchronous requests to begin an OAuth2 Authorization Grant workflow and succeed regardless of order.
New
- Self service registration. You may optionally enable this feature per application and allow users to create a new account or register for new applications without building your own registration forms.
- JSON Web Key set support. This endpoint will be exposed at `/.well-known/jwks.json` and will be published in the OpenID Configuration metadata endpoint as well. Prior to this release the public keys used to sign JSON Web Tokens were only available in PEM format using the Public Key API; this endpoint will still be available and supported.
  - See JSON Web Key Set (JWKS) for more information.
- Added Elliptic Curve signature support for JSON Web Tokens, ES256, ES384 and ES512.
- Added Typescript client library https://github.com/FusionAuth/fusionauth-typescript-client
- The Login Report may now be optionally filtered to a particular User in the UI, and the Login Report API will now take `loginId` or `userId`.
Fixed
- When using Docker compose, if you start up with `--pull` to update to the latest version of FusionAuth and there happens to be a database schema update, the silent configuration mode may fail. This occurs because the silent configuration was not performing the database schema update automatically. If you encounter this issue, you will need to manually update the schema.
  - This will only occur if you are running a version of FusionAuth prior to `1.1.0` and upgrade using `--pull` during `docker compose up`.
- When you have multiple tenants created, a tenant may be deleted with an API key that is not assigned to the tenant. This has been corrected and a tenant may only be deleted using an API key that is not assigned to any tenant. This issue will only affect you if you have more than one tenant.
- Updated Maintenance Mode (setup wizard) to work with MySQL version 8.0.13 and above. MySQL has changed their SSL/TLS handling and our connections were not correctly handling public keys. This has been fixed by allowing FusionAuth to perform a secondary request to MySQL to fetch the public key.
- Logging in with a Social Login provider such as Google for an existing FusionAuth user may cause them to be unable to login to FusionAuth directly using their original credentials.
- When using the OpenID Connect Identity Provider, the incoming claim `given_name` was being saved in the `fullName` field instead of the `firstName`.
- When a user is soft deleted, actioned to prevent login, expired, or they have changed their password since their last login, their SSO session will be invalidated instead of waiting for the session to expire.
Internal
- Upgrade to fusionauth-jwt 3.0.1 in support of Elliptic Curve crypto support.
Version 1.3.1
December 19th, 2018
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
Changed
- API key will take precedence for API authentication if both a JWT and an API key are provided on the request. For example, when making a GET request to the User API, if a JWT is provided in a cookie, and a valid API key is also provided in the `Authorization` HTTP header, the previous design was to prefer the JWT. This meant that even when a valid API key was provided, you would be unable to retrieve any user but the one represented by the JWT.
- The `client_id` is no longer required on the OAuth Token endpoint when client authentication is configured as required; in this scenario the client Id is provided in the HTTP Basic Authorization header.
Fixed
- When editing the JWT settings in the FusionAuth application UI, a JavaScript error may cause some of the settings to not render properly. This error was introduced in version `1.3.0`.
- Added missing properties to the Application view dialog in the FusionAuth UI.
- The `openid` scope may not be honored during login when a user has Two Factor authentication enabled. The symptom of this issue is that the response from the Token endpoint will not contain an `id_token` even when the `openid` scope was requested.
- Validation for the OAuth2 Token endpoint may fail when the `client_id` request body parameter is omitted and return a `500` instead of a `400` status code.
- When an OAuth2 redirect URI is registered with a query parameter, the resulting redirect URI will not be built correctly.
- When trying to configure the Elasticsearch engine during maintenance mode, the index may get created but FusionAuth may fail to leave maintenance mode. FusionAuth makes a `HEAD` request to Elasticsearch to check if the required indexes exist during startup and prior to leaving maintenance mode. When connected to an AWS Elasticsearch cluster this request does not behave as expected, which causes FusionAuth to stay in maintenance mode. This issue has been resolved and should allow FusionAuth to properly connect to and utilize Elasticsearch running in an AWS cluster.
Version 1.3.0
December 5th, 2018
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
New
- An Application may disable the issue of refresh tokens through configuration. See `oauthConfiguration.generateRefreshTokens` in the Application API or the `Generate refresh tokens` toggle in the FusionAuth UI when editing an application.
- The OAuth2 client secret may be optionally regenerated using the FusionAuth UI during Application edit.
- Support for OAuth2 confidential clients; this is supported by optionally requiring client authentication via configuration. See `oauthConfiguration.requireClientAuthentication` in the Application API or the `Require authentication` toggle in the FusionAuth UI when editing an application.
Fixed
- Calling the Introspect endpoint with a JWT returned from the Issue API may fail due to the missing `aud` claim.
- The MySQL schema previously was using `random_bytes`, which is not available in MariaDB. These usages have been replaced with an equivalent that will function the same in MySQL and MariaDB.
  - Thanks to @anbraten for bringing this to our attention and suggesting and verifying a solution via GitHub Issue #48: Support for MariaDB
- When editing or adding a new user in the FusionAuth UI, the `Birthdate` field may get set automatically before the date selector is utilized. A JavaScript error was causing this condition and it has been fixed.
Version 1.2.2
November 27th, 2018
Fixed
- Add `X-FusionAuth-TenantId` to allowed CORS headers.
- When FusionAuth is running behind a proxy such as an AWS ALB / ELB, the redirect URI required to complete login may not be resolved correctly. This may cause the redirect back to the FusionAuth UI login to fail with a CSRF exception. If you encounter this issue you may see an error message that says `Something doesn't seem right. You have been logged out of FusionAuth`. The work-around for this issue, if you encounter it, is to perform the redirect from HTTP to HTTPS in your load balancer.
- Some minor usability issues in the Identity Provider configuration UI.
Version 1.2.1
November 16th, 2018
Enhancement
- Better error handling when an API caller sends invalid JSON messages. Prior to this enhancement, if FusionAuth did not provide a specific error message for a particular field, a `500` HTTP status code was returned if the JSON could not be parsed properly. This enhancement will ensure that sending a FusionAuth API invalid JSON will consistently result in a `400` status code with a JSON body describing the error.
- Allow an Identity Provider to be enabled and disabled from the UI. You may still choose to enable or disable a specific Application for use with an Identity Provider, but with this enhancement you may now turn off an Identity Provider for all Applications with one switch.
Fixed
- Preserve Application Identity Provider configuration for disabled Applications when editing an Identity Provider from the UI.
Version 1.2.0
November 15th, 2018
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
New
- Add TTL configuration for Refresh Tokens to the Application configuration. When you enable JWT configuration per Application this value will override the global setting.
Fixed
- An error in the Twitter OAuth v1 workflow has been resolved.
Version 1.1.1
November 13th, 2018
Fixed
- If you had an Identity Provider for federated third party JSON Web Tokens configured prior to upgrading to `1.1.0`, FusionAuth may fail during the database migration to version `1.1.0`.
Version 1.1.0
November 13th, 2018
The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will be prompted to upgrade the database by maintenance mode before you may login. In a production runtime mode, or with silent configuration enabled, the upgrade will occur automatically during startup.
See Database Upgrades for more information about database migrations.
New
- Social login support
- Facebook Identity Provider
- Google Identity Provider
- Twitter Identity Provider
- OpenID Connect Identity Provider
- Full theme support for login. See the Login Theme tutorial for additional information and examples.
- Better localization support in the FusionAuth UI. You now have the option to set or modify your preferred language for use in the FusionAuth UI.
Providing a preferred language will cause dates to be formatted based upon your preference. For example, the default date format is `M/D/YYYY`, but if you are not in the United States this may not be the way you expect a date to be formatted. If you set your locale to `French` you will now see a more appropriate format of `D/M/YYYY`. This value is stored on the User Registration for FusionAuth in the `preferredLanguages` field.
Enhancement
- When viewing sessions (refresh tokens) on the Manage User panel, the start and expiration times will be displayed.
Version 1.0.18
October 29th, 2018
Fixed
- If FusionAuth starts up in maintenance mode and stays there for an extended period of time without the User completing the configuration from the web browser, FusionAuth may get stuck in maintenance mode. If you encounter this issue, where you seemingly are entering the correct credentials on the Database configuration page and are unable to continue, restart FusionAuth and the issue will be resolved.
Version 1.0.17
October 5th, 2018
Fixed
- When running in Docker Compose, FusionAuth cannot connect to the search service when trying to exit the setup wizard.
Version 1.0.16
October 5th, 2018
Enhancement
- Better support for running in Docker. Enhanced silent configuration capability for database and search engine boot strap configuration in Docker Compose to be more resilient.
Fixed
- If custom data is added to an Application, Group or Tenant before editing the corresponding object in the UI, the custom data may be lost.
Version 1.0.15
October 1st, 2018
New
- Better support for running in Docker. Configuration can be overridden using environment variables. See Docker Install for additional information.
Fixed
- The first time a user reached the failed login threshold and a `409` response code was returned, the response body was empty. Subsequent login requests correctly returned the JSON response body with the `409`; now the JSON response body is correctly returned the first time the user reaches the failed login threshold.
Version 1.0.14
September 17th, 2018
Fixed
- When using PostgreSQL an exception may occur during an internal cache reload request. If you encounter this issue you will see a stack trace in the `fusionauth-app.log`. If you see this error and need assistance, please open an issue in the FusionAuth Issues GitHub project.
  `Unexpected error. We're missing an internal API key to notify distributed caches.`
Version 1.0.13
September 12th, 2018
New
- General availability release