FusionAuth Release Notes

Removed all explicit mentions of “FusionAuth” from error message text.

Fixed a bug where one application’s SSO session could prevent login to another application when a user had not yet completed registration.

Fixed a bug where a reconcile lambda could fail to set a value for an IdP linking strategy when the IdP’s value is null.

Fixed an issue where the SAML metadata API returned a 500 response when the configuration specified a custom Name ID.

Added validation to fix a bug where nonfunctional signing keys could be successfully created by mismatching the type label with the PEM.

Enabled the deletion of Apple IdP-assigned keys, which previously failed to delete.

Fixed a bug introduced in 1.62.1 where the Simple Theme login page displayed a Face ID login graphic over content.

Fixed a bug where hosted login pages for universal applications sometimes showed IdPs scoped to another tenant.

Fixed a longstanding bug where the monthly active user table did not display data from the month of December.

Thanks to @Robert-Janeczek !

Fixed a bug in self-service registration where a user could alter a hidden field (using browser developer tools) and cause Failed decrypt registration state errors to appear in the event log.

Fixed a bug where autocomplete did not function correctly when accessing the Admin UI over HTTP (instead of HTTPS).

In the setup wizard, the checkbox for accepting the licensing agrement was not marked as required. It is indeed required, so now it is marked with an asterisk (*).

In System Settings > UI , a form field labeled “Menu font” controlled the menu font color. Added the suffix “color” to this label to clarify the field’s purpose.

Thanks to @brob !

API Key endpoint permissions didn’t allow for row selection, despite text that indicated otherwise.

Thanks to @brob !

In the setup wizard, marked “tell us more” field as required with an asterisk (*) when the “Other” acquisition channel is selected.

Thanks to @brob !

Fixed backwards toggle logic when requiring encrypted SAML assertions. When creating or editing a SAMLv2 and IdP-initiated SAML IdP, under the Options tab, the Require encrypted assertions toggle should expose the decryption key selector when it’s on and hide it when it’s off. The logic was backwards, hiding the selector when it’s on and exposing it when it’s off.

Fixed a bug where the SCIM create operation returned error code 400 (instead of 409) when both user.email and user.username are duplicated.

The logout button was not visible on account self-service pages.

When using database search mode, user searches could fail due to FreeMarker template errors introduced in the 1.62.0 UI update.

When a custom theme was missing a template, FusionAuth could fail to render the fallback template from the default theme. In some cases this could prevent a user from completing various workflows.

The setup wizard could generate an error if the browser could not provide a timezone.

Reports on the Admin UI could load slowly or time out during high user traffic or when a large number of applications exist.

IdP (federated) logins do not work for Universal Apps. Instead, shows the error message: Invalid_Request. Missing_tenant_id.

When family settings are enabled, including requiring a parent email, the parent email does not persisted after self-service registration by a child. This prevents an email from being sent to the parent email.

When creating a new lambda, changing the lambda type does not update the lambda body to the default body for that type.

When testing Email Templates in the FusionAuth admin UI, rendering some template types resulted in an error. All template types can now be tested in the admin UI.

When a Minimum Password Age is configured for the tenant, creating a user without a password resulted in an exception. You can now create users without a password in tenants with a minimum password age requirement; password age rules apply once the user sets a password.

Providing an expired Id Token to the /oauth2/logout endpoint using the id_token_hint parameter resulted in an OAuth error. The /oauth2/logout endpoint once again accepts expired Id Tokens in accordance with the specification.

In version 1.59.0 we started indexing the new user.phoneNumber field for searches. IndexUser had a new field added, but the doc annotation was missing the version.

The GET /api/user/change-password endpoint does not allow a loginId type of phoneNumber. Additionally, client libraries are incorrectly passing a username parameter instead of a loginId parameter in checkChangePasswordUsingLoginId calls. This API endpoint is also lacking documentation.

When federating with a Google IdP, there are situations where a user can be re-prompted for authentication when already having valid FusionAuth and Google IdP sessions. SSO should now be honored correctly in these cases.

After establishing MFA trust on a device, a user is being re-challenged during a voluntary password reset, even during the trust period. The user should be able to change their password without completing another MFA challenge.

During startup, FusionAuth can output duplicate log entries. This was especially present with silent mode enabled. Logging should now be more efficient.

When a user first logs into a tenant configured with a connector, they will see an error when MFA is required and/or an updated and stronger password policy is in place. Subsequent logins behave normally.

Searches for users using nested searches involving registration fields may return incomplete results in some cases.

When using SCIM PATCH to add a user field, exiting fields are being removed. PATCH should now be handled as expected.

Performing a user reindex intermittently results in an email, username, or phoneNumber being omitted from Elastic/OpenSearch and not being searchable.

Some unwanted JavaScript errors are reported in the browser console on some pages, including the maintenance mode page and the application scope management page. These errors should now be handled more gracefully.

SCIM group searches are not properly honoring the eq operator. This operator should be doing an exact (but case-insensitive) search, but instead is doing a wildcard search.

Webhook user.delete events were not populating email, username, or phoneNumber fields when users were deleted under certain circumstances.

When using FusionAuth as a SAML Service Provider (SP), receiving a SAML Response containing an Assertion with an attribute value of null or of an unsupported type will result in a failure to parse the Response.

This issue was introduced in version 1.60.0 and has been corrected.

When using FusionAuth as a SAML IdP with a SAML Populate lambda that reads or modifies the SAML assertion will fail causing the login request to fail.

This issue was introduced in version 1.60.0 and has been corrected.

When decommissioning a license in a FusionAuth cluster, the change may not be reflected in all cluster nodes immediately. This can provide intermittent and inconsistent access to licensed features, depending on which node is handling a request.

A user can be shown a rendering error while attempting to complete an email based MFA login.

The error occurs when send rate limiting has been enabled as part of Advanced Threat Detection. When the user reached the rate limit threshold for requesting emails to be sent to complete login, the intended error was not shown an instead a page rendering error was displayed.

When a user completes a forgot password workflow, the failed login count will be reset.

This should reduce frustration for a user that changed their password after exceeding the configured failed login count. In this scenario, if the user had entered the the incorrect password again they would be required to wait for the configured time period before attempting login again. This could be quite frustrating.

Now that the failed count has been reset, the user will at least be allowed to enter the wrong password a few more times before we thwart their efforts.

When running in dark mode, or using a dark theme with a FusionAuth simple theme, some QR code scanners are unable to read the QR code for setting up MFA. We have added a light border to ensure that the QR code is still readable on a dark background. The QR code should have a high-contrast border to allow these readers to work.

When previewing the Phone verification required, Complete registration, and Passwordless theme templates in an advanced theme preview window, a FreeMarker exception is displayed to the user.

This was introduced in version 1.59.0.

A race condition exists, when attempting to activate FusionAuth using an air-gapped license without any outbound network access that may cause the the request to fail and not correctly persist the license.

When this issue is encountered the system becomes un-licensed.

When regenerating Reactor’s encryption key, the Breached Password Detection status may take longer than expected to return to Active.

If you were to encounter this issue, deactivating and reactivating your license will also correct the state. You can also reach out to support if you see something like this as well.

Improved MFA configuration workflow during self-service registration when configured as required.

In version 1.59.0, changes were introduced that made it impossible to set webhooks for a handful of event types as transactional.

See release notes for 1.59.1 below for additional information.

An upgrade to FusionAuth version 1.58.2 or 1.59.0 fails if the Default Admin Registration provided by FusionAuth form (shipped in 1.20.0) is renamed or deleted prior to the upgrade.

An upgrade to FusionAuth version 1.58.2 or 1.59.0 fails if the Default Admin Registration provided by FusionAuth form (shipped in 1.20.0) is renamed or deleted prior to the upgrade.

When using a generic messenger in interactive workflows, no error is shown to the user if the message delivery attempt returns a non-200 response code. The user should be alerted to the fact that something went wrong.

During the slow migration of a user using a generic or LDAP connector, the known device cookie is not created. If the new device email or a new device webhook is configured, FusionAuth sends a second new device email and/or new device webhook the next time the user logs in.

There are cases where we are not returning appropriate errors for invalid inputs to APIs. Errors with appropriate and descriptive messages should be returned.

A race condition was identified in the 1.58.0 release that could affect a cluster of FusionAuth instances during the upgrade, preventing the upgrade from completing. This race condition has been addressed.

The SCIM create operation returns error code 400 (instead of 409) when both user.email and user.username are duplicated.

Resolved in version 1.63.0 via #3149 .

The Add Webhook page and the Login Records report can show errors in some circumstances. These error conditions should be handled more gracefully.

Searching for entities using the Entity Search API can produce results that have duplicate or missing items on response pages when a sort field isn’t specified. Results should have an implicit ordering when no sort field is specified.

In certain circumstances, the FusionAuth admin UI and self-service account applications can fail to refresh an expired access token, causing a user to be logged out.

Calling the Search Reindex API while a reindex is in progress yields a 500 error. This API now returns a 400 status if a reindex operation is already running.

Using PATCH calls from HTTPConnect in a lambda fails in some cases. PATCH should be generally supported.

Interacting with a date picker can generate errors in the broswer’s console. FusionAuth should handle these errors more gracefully.

A few forms in the FusionAuth admin UI are setting the input focus in nonstandard ways. These include the setup wizard, the add API key view, and the edit API key view.

When handling an HTTP request with a content type of multipart/*, FusionAuth now more accurately returns an HTTP status code of 422 if the request contains a file and a file upload was not expected for the intended HTTP request path.

Fixed a bug introduced in version 1.56.0 that caused FusionAuth to fail to start after being installed using RPM and Debian packages.

The process for deleting webhook event logs according to retention rules was formerly turned off by default, causing all webhook event log entries to be retained forever. This will now be enabled by default in new FusionAuth installations. Existing installations that are being upgraded will retain their former setting.

The client libraries were missing PATCH support for Entities. Support for this operation has been added.

Client libraries are missing full support for PUT and PATCH operations for entity types, forms, form fields, IP ACLs, webhooks, and families. This fix adds support for these.

FusionAuth returns a 500 when supplying a malformed application Id in an IdP-initiated SAML login, making it hard to troubleshoot. The error should be handled more gracefully, and a more meaningful error message should be returned.

The Application > Multi-Factor > SMS Template tooltip incorrectly referenced an email template instead of an SMS template. Updated this to reference the correct template type.

Thanks to @JCelentano !

The passwordless API returns a 500 error when a non-existent application Id is provided. This should return a correct response code and meaningful error.

When posting an invalid grant type to the /oauth2/token endpoint, the list of supported grant types in the error message is missing the device grant type

Users are being prompted to re-submit a form when first logging into a new deployment using Firefox. The request should proceed on the first attempt.

When creating an entity grant for a user using the API, some invalid payloads will yield a 500 error. A more meaningful error should be returned.

FusionAuth shows a notification for getting a free license even after a license has been installed. This notification should disappear after a FusionAuth instance has been licensed.

Executing a manual system reset in development mode with a valid kickstart file fails. This should work as expected.

Supplying a malformed license key to Reactor is producing a generic error. A specific error would be more helpful.

The Daily Active Users report is missing data from the most recent day. The report should include this data.

After setting an application-level email verification template, the tenant-level template is still being used. The application-level setting should be honored.

The standard first name field intended for use in user edit forms has an incorrect name in MySQL installations, which is preventing it from showing up in the user edit form

The webhook event log can return fewer records per page than requested with the Results per page dropdown, even when more results are available. Ensure that the number of results equals the requested number.

A nondescript error is returned when trying to save system settings via the FusionAuth admin application. It is still possible to update system settings using the API.

The simple theme editor’s right-hand panel did not constrain content properly, allowing content to spill over the bottom border.

The confirmation page shown when users are completing verification and other workflows shows a FreeMarker error when some cookies are unavailable. This could happen when cookies are deleted by a user, removed by a proxy, or when running in an iframe.

When an OAuth workflow ends in redirecting with an error to a redirect_uri that contains query parameters, the resulting URL is being built incorrectly.

The SCIM ResourceTypes endpoint is returning resource type URLs with incorrect paths. The endpoint is returning a path prefix of /api/scim/v2/ when it should be /api/scim/resource/v2/.

Thanks to @runely !

The OAuth scopes consent form has text that cannot be localized. Hosted pages should be fully localizable for users.

When viewing user data in the Manage user view, a boolean value is always shown as -, regardless of its actual value.

Thanks to @rod-martens-alida !

The JWT populate lambda is not executed when a user is logged in using the login API, but only when that user does not have a registration for the application named in the API call. This could lead to inconsistent behavior between a login using the hosted OAuth pages and a login using the login API.

The PHP client library is not handling libcurl errors gracefully, making it difficult to troubleshoot integration problems when using this library. See the client library issue for more details.

When downloading login records from System -> Login Records , the exported file format contains a place for zip code, however the zip code values are not being populated in the export.

The POST /api/user/registration call is documented as returning a refreshTokenId, but this value is not being returned on the response.

Thanks to @cezarneaga !

When editing a user’s password in the FusionAuth admin UI after a new hashing scheme is set on the tenant, the password is not re-hashed using the new scheme. The re-hashing occurs as expected on a login or when the user changes their own password.

The SCIM Groups API does not properly perform atomic updates to groups and members. This can lead to consistency issues when multiple SCIM update requests are simultaneously processed requiring membership changes.

In order to better protect 3rd party logins via SAML v2, OpenID Connect, and other 3rd party identity providers, a CSRF (cross site request forgery) token was added in version 1.47.0. This token was not being used when all identity providers configured for the requested client_id were also configured to use managed domains, and the authorize request also contained the idp_hint request parameter.

In this specific configuration, because the token was not being utilized, the login workflow would fail with the error The request origin could not be verified. Unable to complete this login request.

When using the hosted login pages, the end user is generally shown a checkbox named Keep me signed in, which indicates whether the user wishes to create an SSO session after logging in.

When using an external identity provider along with an idp_hint or login_hint parameter, a user may be taken directly to the identity provider, bypassing the page with this checkbox. In this case, the user will not have the option of making a choice to establish or not establish an SSO session.

This behavior has been improved in order to provide additional control on how the SSO session should be created.

FusionAuth will now use the following order of operations in this non-interactive workflow to decide if the SSO session should be created:

1. The user’s previous selection, if available. This past choice will have been stored in an HTTP only cookie.
2. The optionally supplied rememberDevice query parameter.

In the event that the user has never seen the login page, the value of the rememberDevice query parameter will be the deciding factor. A value of true indicates that an SSO session should be created and a value of false indicates that an SSO session should not be created. If this parameter is omitted, the default behavior will be to create the SSO session.

For more information on using the idp_hint and login_hint parameters, see the Identity Providers Overview documentation.

When using the login validation lambda with a 3rd party identity provider such as OpenID Connect, when the validation lambda causes the login to fail, the end user will not see the specific error returned by the lambda. Instead the user will see the following generic error (unless this message has been modified in a theme):

A validation error occurred during the login attempt. An event log was created for the administrator to review.

The reason for this generic message is that in most cases if FusionAuth cannot complete a login request to a 3rd party we do not want to show the end user the technical reason. When a login validation lambda is the cause of the login failure, we do intend to the show the end user a more specific message. This issue has been corrected and if the login validation lambda was the cause of the failure, the event log is created when the identity provider has enabled debug.

The kickstart.success event may not fire correctly after Kickstart completes due to a timing issue when creating the webhook in your Kickstart definition.

Navigating to the System -> About page in the FusionAuth admin UI may fail to render if you start up without an internet connection.

Navigating to the System -> Webhook Log in the FusionAuth admin UI may display a general error and fail to return search results if there are any events of type user.login.failed displayed.

You may work around this issue by selecting a specific event type, or narrowing the scope of the results by using any of the additional search criteria found in the Advanced search controls.

A user may fail to enroll a new Passkey (WebAuthn credential) used for reauthentication during a login workflow. Previously configured Passkeys should continue to work as expected. This bug was introduced in version 1.53.0.

When using the start and end times in the Advanced search criteria in the Admin UI for the Audit Log, Event Log, and Login Records the selected values were incorrectly adjusted. This bug was introduced in version 1.52.0.

Thanks to @runely !

An SSO TTL of 0 seconds or a very small number may make it impossible to complete login using hosted login pages. To work around this issue in prior versions, increase the TTL to something larger than 0, ideally at least 30 seconds.

The potential for this issue has existed for some time, but some changes made in version 1.50.0 made it more likely for this to occur.

The SCIM Patch operation now properly handles removing multiple array elements, such as group memberships, in a single request.

Clicking the toggle checkbox element in the admin UI quickly caused the checkbox state to be inverted. This can be easily fixed by refreshing the page. You should now be able to click as fast as you want!

Attempting to sort API keys by key value in the admin UI by clicking the key value header resulted in an error.

Attempting to create a tenant-scoped API key with an invalid tenantId failed with a 500 status code. This error has been corrected, and an appropriate validation error is now returned.

The date picker used for birthdates and custom date fields was not styled correctly based upon the selected theme. The date picker has been changed to the browser-default date picker, which should work much better on mobile devices. This picker style will now be used in themed hosted login pages, as well as the admin UI for searching a date range or selecting a birthdate. This change should not affect any existing advanced theme that may still use the older style date picker. See theme upgrade notes for details on updating an existing advanced theme to use this new option.

Adding custom message keys to theme messages using the Admin UI failed to persist these changed messages. The UI for editing messages in the simple theme editor has also been improved to make it easier to understand which messages have been modified.

When the Browser preview button was used to open a new tab for simple themes in the Admin UI, the page would render without any applied CSS when using the Firefox browser. Sorry Firefox users, we ask for your forgiveness.

The default orderBy parameter value for the Group Member Search API did not provide a consistent ordering of results because the default sort was on insertInstant ASC which may not always be unique. This API is used by the SCIM Groups Resource API which then can cause inconsistent results for the SCIM client. The default orderBy is now set to insertInstant ASC, userId ASC, groupId ASC to ensure a consistent result between API calls.

When using the simple theme editor in the admin UI, the color picker did not always render next to the input field. The color picker will now always correctly render adjacent to the input field you select.

Newlines and tabs were not rendered when viewing audit entries in the view dialog from the admin UI. If you use new lines or tabs in your audit log messages, you may now enjoy viewing them in all their intended glory!

It sometimes required two Submit button clicks to exit interactive maintenance mode to upgrade your database schema. We are sorry if you had to click the Submit button twice.

For users in FusionAuth Cloud, attempting to save a Simple theme may result in an error.

Query parameter values containing an equals sign (=) were not parsed correctly. Typically, query parameter values URL encode equals signs as %3D, but since there are legal uses of the un-encoded character, we have added support for (=).

An HTTP request sent to FusionAuth with non-ASCII characters in request header values caused the request to be rejected and caused the connection to be closed without a response. Generally speaking values outside of the ASCII character set are not allowed, but in practice they may be used, and so these values are now treated as opaque and ignored by the HTTP request parser.

Fixed a typo on the Tenant edit page in the description of the user.password.reset.send event.

The SCIM API did not properly handle reading, creating, and updating groups with more than one hundred memberships. Responses containing groups with more than one hundred memberships only returned the first one hundred. Create and update operations only created or updated one hundred, deleting the remainder. This defect also caused the FusionAuth event for group.member.update and group.member.update.complete to contain the same truncated list of members.

In version 1.45.0 we added a hosted OAuth backend capability, allowing a developer to write a front end-only application, but still take advantage of an authorization code grant workflow by leveraging the backend provided by FusionAuth. Multi-segment domain suffixes (e.g. .co.uk) are not handled correctly by this hosted backend when setting the domain on cookies. Cookie domains are now set properly.

A SAML login request that is missing a Content-Type header yields a cryptic error message. A more meaningful error message is now provided. Additionally, sending a binding parameter would lead to an error message, when this parameter is not one we process. We now ignore this parameter if it is provided.

A SMS two factor messages template can be set at the Tenant level and should be overridable at the Application level. When a template is set at the Application level it is not being honored and the Tenant-level template is always used. Application overrides of SMS two-factor templates are now used correctly.

Fixes usability items related to the First Time Setup wizard (introduced in 1.50.0):

• Items related to the first time setup wizard were shown after upgrades, when the intent was to only show them for new installations. These are now only being shown for unconfigured FusionAuth instances.
• The First Time Setup summary page displayed sample configuration for various quickstarts. The configuration for the React quickstart corresponded to a previous version of the quickstart and was incompatible with the current version. The React quickstart configuration is now formatted for the current quickstart version.

The bcrypt algorithm now limits passwords to 50 characters. This restriction is due to limitations in the bcrypt algorithm. This limit will be enforced even when the tenant policy allows for a maximum password length greater than 50.

There are several scenarios where implicit email verification can occur. They are, during registration verification, password change, passwordless authentication, and MFA code validation. In these cases, a configured email verification email was not being sent, and the email verification event was not being generated. The email and event will both be triggered during implicit verification now.

Thanks to @ashutoshningot and @mou !

When configuring MFA for an application, the Trust policy selector was not shown when MFA is required for the application, but only shown when MFA enabled for optional use. The selector is now shown when the On login policy is set to either Enabled or Required.

When using FusionAuth behind a proxy, a missing X-Forwarded-Proto header could incorrectly cause a warning of a missing X-Forwarded-Port header. These warnings are now reported accurately. Additionally, FusionAuth will now be smarter about determining the forwarded port, taking it from one of multiple sources including X-Forwarded-Host, X-Forwarded-Port, or inferring it from X-Forwarded-Proto. This should make FusionAuth work with more proxies out of the box without additional configuration.

When authentication with an identity provider fails due to misconfiguration, and a user falls back to logging in with a username and password, the authenticationType reported by FusionAuth is for the original identity provider despite the user having logged in with a username and password. FusionAuth now correctly reports the authentication type as PASSWORD.

Thanks to @charlesericjs !

When configured to use an email verification strategy of Form Field without setting the unverified behavior to Gated the verification strategy was always functionally using Clickable Link which means the user would receive an email with a clickable URL instead of a short code.

With this fix, you may now use an unverified behavior of Allow with a verification strategy of Form Field. When you configure FusionAuth this way, it is assumed that you will be handling the verification process in your own application.

When using the Bulk User Import API /api/user/import the search index refresh interval is modified to improve performance. Specifically the index refresh_interval is set equal to -1. When this API is called in parallel, it is possible that this index setting is not reset and will stay configured as -1. The symptom of this error is that changes to the index are not reflected by the Search API and the search results may no longer be accurate.

When Advanced Threat Detection is enabled, an IP location database will be downloaded and used for IP address resolution. For these licensed customers, it is possible that a corrupted IP location database was downloaded and not correctly discarded and as a result the IP address location data may not be available.

You may have been impacted if you were using version 1.47.0 or later, between February 1st, 2024 and February 23rd, 2024. The observable symptom would be that your license status for the Advanced Threat Detection will show Pending instead of Active.

This condition has already been corrected for FusionAuth Cloud. If you are self-hosting FusionAuth, upgrading will correct this condition. If you have a support contract and believe you are currently in this state and are not able to upgrade, please reach out to support for assistance.

Previously, an incorrectly formatted SAML request could cause excessive CPU load.

The default permissions in AWS RDS PostgreSQL version 15.2 caused the initial configuration of FusionAuth to fail to create the tables required to complete the initial configuration. The required permissions are now being explicitly granted, and the errors reported back to the user have been improved.

If a user starts a Forgot Password flow, and clicks on a change password link in an email after the link has expired, the redirect back to the original Forgot Password form will not include the locale parameter. This fix ensures that a locale parameter, when present in the change password link, is preserved through this workflow and allows for localization to remain consistent.

When setting up a Facebook IdP, an option was provided in the admin UI to select Use vendor JavaScript as a Login method. This option is not applicable and has been removed.

Fixed the SCIM filter when filtering on userName eq {username} to always return a single result.

The LinkedIn APIs have changed, and the LinkedIn IdP no longer worked for new LinkedIn applications. This update allows FusionAuth to work with new and legacy LinkedIn applications.

The FusionAuth TypeScript client library was incorrectly encoding arrays values into query parameters. This bug was preventing a few specific search queries from working correctly.

When using MySQL, the default Admin user form was missing the First name field. The field could be added to the form, but was missing in the default version.

When an invalid Tenant Id was provided on the .well-known/openid-configuration the default configuration was returned. This has been updated to return a 404 status code.

When creating a User with a group membership with a specified member Id that was already in use, the requested completed w/out a validation error and the membership was ignored. The API now correctly validates this condition and will return a 400 and a JSON response.

When retrieving all refresh tokens for a user, the response may contain the user’s SSO token. The SSO token can be identified because it does not contain an applicationId and it may not be refreshed. Validation has been improved when using the Refresh Grant, or the Refresh API to ensure FusionAuth correctly fails indicating the token is invalid and may not be refreshed.

A regression was introduced in version 1.47.0 to the Change Password themed page. The issue is that the passwordValidationRules variable may be null on the first render. If you had been referencing this field in your template, the render may fail.

The Identity Provider Link API states that a token parameter can be accepted during a create. When provided, the token was not being persisted on the link.

Fixed the “Getting Started” link found in the index page in the default theme.

When viewing a User’s Consents in the FusionAuth admin UI, if one or more of the consents have been granted by another user that is not a member of their family, an error is shown in the Given by column.

When you have configured the JWT signing key with the ES512 algorithm, the generated signature may be intermittently invalid. This means that JWTs may seemingly fail to validate randomly and you may think you are crazy. You are not crazy. If you are using this signing algorithm, it is recommended you use a different algorithm until you are able to upgrade.

SCIM PATCH requests may fail to parse if an op path value contains a named schema containing a . (dot). This parsing error has been corrected.

For example: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department

When an SCIM create or update request contains schemas for which no properties exist, subsequent PATCH requests to those schema namespaces may fail.

For example, if the initial request contains a schema urn:ietf:params:scim:schemas:extension:enterprise:2.0:User without any properties, the default lambda function used to map this request to FusionAuth was not persisting this schema namespace. Then a subsequent PATCH request to add a member to that namespace such as urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department would fail.

The default SCIM request converter (Lambda function) has been updated to correct this behavior.

Updated the refresh token TTL when using the sliding window with a maximum lifetime JWT Expiration Policy. The symptom of this bug is that a refresh token will expire before the maximum configured lifetime.

When paging beyond 10,000 in the FusionAuth admin UI for Users or Entities, the bottom set of pagination controls may not work. If you encounter an error when clicking on the pagination controls, use the top set of controls instead. This bug is specific to the new pagination introduced in version 1.48.0.

In some cases when using with FusionAuth-hosted pages in an non-secure context, such as accessing FusionAuth on localhost, the PublicKeyCredential JavaScript API will not be available. This may cause an error on your JavaScript console PublicKeyCredential is not defined. This error kept the form on the page from correctly submitting.

In version 1.48.0, a change was made to reject a link request from an OpenID Connect IdP when the email_verified claim is supplied with a value of false. An assumption was made that the email and email_verified claims would both be present in the Userinfo response or the id_token. Some providers may split these claims, so this assumption has been removed.

Enhanced the widget used in multi-value select controls to accept a value when pasting. For example, you may now paste a value from the clipboard directly into the Authorized redirect URLs field. While previously the paste operation worked, the user would have to click the value to confirm. If you clicked off of the field, the value would not be saved.

Corrected the error message when a user has enabled MFA and a webhook returns a non-200 status code for the user.login.success event. The message will now correctly indicate the webhook has failed instead of the previously incorrect error indicating an invalid token was used.

When viewing an Email Template in the FusionAuth admin UI, two dialogs open instead of one. This was the result of two event handlers being bound instead of one.

When using the asynchronous tenant delete, it is possible for the delete job to fail if the system is under heavy load. When this occurs the delete job status may not be correctly updated and you are stuck in a Deleting state. The asynchronous job processor has been enhanced to account for this potential failure condition so the job can be correctly restarted if necessary.

Corrected a potential race condition that could cause a request to the /.well-known/jwks.json endpoint to exception and return a 500 status code when under heavy load.

The Lambda metrics introduced in version 1.47.0 may not always correctly increment the failed count when a lambda invocation failed. This affects the lambda.[*].failures and lambda.[{webhookId}].failures metric names.

When using the PATCH method on the Tenant API, if you previously had any explicit webhooks configured for this tenant, the association between the tenant and the webhook was lost. If you are not using webhooks, or all of your webhooks are configured for All tenants (webhook.global), this bug would not affect you.

Improved the validation for the Entity API to correctly validate the type.id value. Because this value was not being correctly validated, it means the API caller may receive a 500 status code instead of a 400 with a developer friendly JSON response body to indicate how the input can be corrected.

A critical bug was identified that caused FusionAuth to incorrectly identify users eligible for deletion based upon the tenant policy to delete users with an unverified email address. Until you have upgraded to version 1.48.0 please disable Delete unverified users if you currently have enabled Email verification, Verify email when changed and Delete unverified users.

A bug was identified that affected several APIs when using the PATCH method with fields that require custom deserializers in FusionAuth. Affected APIs included Application, Connector, Message Template and Identity Provider. The symptom you will observe is a failed request with a 500 status code.

When using PostgreSQL, under heavy load, a potential deadlock conditions exists when attempting to write login metrics to the database. MySQL database was not affected by this bug. If you were to encounter this bug you may observe some exceptions in the log related to the LoginQueue.

Fixed a JavaScript error that was preventing Audit Log searches by user from returning results.

Resolved an issue where users could not enable two-factor authentication during authentication when they were not registered for the application.

Thanks to @wproffitt-elder !

When using the Refresh Token API, un-expired SSO sessions may be incorrectly omitted from the API response. The result of this bug is that an active SSO session may not be displayed in the FusionAuth admin UI. This has now been corrected, and the FusionAuth admin UI and the Refresh Token API will correctly return all valid SSO sessions.

If the search.servers configuration value was not added to the fusionauth.properties configuration file, and you omit the SEARCH_SERVERS environment value, FusionAuth would fail to start. The correct behavior is for FusionAuth to default to http://localhost:9021.

Resolved a bug in the multipart/form-data parser that may cause elevated CPU usage in some specific cases.

A bug was identified in a change made in version 1.48.0 that may affect performance for those with > 1M users.

Revert the GC (garbage collection) logging change introduced in version 1.47.0 for compatibility with the FusionAuth Docker image.

Thanks to @pigletto and @patricknwn !

Fixed handling of truncated or malformed oauth_context request parameters when using the hosted login pages.

Ensure a signed AuthN request always has the Signature element as the next sibling after the Issuer element. This bug may cause some SAML v2 services provides to reject the signature of an AuthN request sent from FusionAuth.

Upgraded phone number validation to include the Kosovo country code of +383 as well as various other country codes.

Defend against corporate link “checkers” such as Outlook Safe Links and Google Workspace during the Change Password email workflow. This fix resolves a specific symptom that may occur when a link sent to a user during a change password workflow and the user has multi-factor authentication enabled. The symptom the end user may encounter is that multiple codes may be sent to the user during this workflow. When the two-factor method is email, multiple emails may be received, and when two-factor method is SMS, multiple SMS messages may be received. The cause of this symptom is that the link is being inspected by an intermediate party prior to the user’s browser loading the link which functionally means the request is made more than once.

Improved locale validation, and restrict the number of preferred languages per user to 20. This should not have any practical impact on users of FusionAuth, but it will better protect FusionAuth from storing erroneous values for the user’s preferred languages.

Improved username validation. This length limitation was already enforced by the schema, but the error message was not developer friendly. This change will add a proper validation error in the API response.

Updated the Tenant view dialog in the admin UI to reflect the changes made to the /.well-known/openid-configuration endpoint in version 1.46.0. This is a cosmetic change only, and does not include any functional fixes.

Fixed Tenant select control on Group index page in the admin UI when only a single tenant is configured. This is just a cosmetic fix to how the form was being rendered.

Reduced Kafka logging. So noisy.

Protected the Kafka event sender from sending events related to it’s own failure. This protects us from overloading the Kafka topic.

Fixed the user.registration.update.complete event to include the updates roles if applicable.

Thanks to @sjswami !

Improved defense against truncated oauth_context request parameters. This parameter is passed around during various OAuth2 workflows to maintain context. This changes allows FusionAuth to fail more gracefully if this is value is intentionally or un-intentionally modified by a 3rd party.

Enabled queries of the username and fullName fields using the .exact suffix on these fields which does an exact match.

Thanks to @patrickvalle !

Always send email verification on user email change when configured for user self-service

Resolved a JavaScript bug when enabling MFA during login. The bug caused an error to be written to the JavaScript console, but no functional errors occurred.

When the user.login.success is configured to be transactional and the webhook returns a non 200 status code when the event is fired during the final step of the change password workflow, the failed webhook may not fail the login attempt.

When enabling IdP initiated login on a SAMLv2 IdP, the base ACS URL is hidden in the view dialog

When an applicationId is provided on a Two Factor Start or Send APIs, the application variable may not available in the email template.

APIs that optionally take a sourceId to indicate you wish to copy will now fail validation if you provide additional parameters in the body that will otherwise be ignored.

Thanks to @Pycnomerus !

When adding a user to multiple Groups using the /api/group/member API, the request may fail. Fixed.

When using a wildcard for authorized origin URL, you may receive an invalid origin error. Fixed.

Thanks to @beezerk23 !

Ensured that the memory value for fusionauth-app.memory set in the fusionauth.properties file is always set correctly.

When using custom data with nested values such as user.data.company.name and user.data.company.id in an Advanced Registration form the nested values may not be properly persisted. Fixed.

Using the admin UI to update an IdP with over 6k applications the request may cause a database error. Fixed.

Added index entity_user_grants to increase SELECT performance

When using the validateJWT method in the FusionAuth Java REST Client, the exp or iat claims may have the incorrect precision.

Added missing endpoints to the OpenAPI spec.

A change in behavior was introduced in version 1.41.0 that may cause an error when accessing FusionAuth in Docker. The change was how the Host header was being parsed to pick up the local port.

Thanks to @MarekUniq and @java-http !

The user.create.complete and user.registration.create.complete events may be sent before the transaction has closed during IdP Login.

Corrected the internal authentication to receive an internal webhook between FusionAuth service nodes. If you encounter this error, you may see errors in the event log that mention returned response code [401] when sending [JWTRefreshTokenRevoke] event. This error was introduced in version 1.37.0 and the error only occurs when you have more than one FusionAuth service node.

When you have enabled Implicit Email Verification, when completing a Multi-Factor login, a user.email.verified event may be sent even if the user has already verified their email address.

When the user.reactivate event is configured to be transactional and the webhook returns a non 200 status code, the transaction may not be correctly rolled back.

When making a request to the self-service pages, such as /account/ ensure any additional query parameters are preserved through a login workflow.

When the user.create event is configured to be transactional, ensure the Setup Password email is not sent if a user.create webhook returns a non 200 status code.

When using the Device Grant with the /oauth2/device themed page, you may be shown a Logout button if an SSO session exists during this workflow. Clicking this button will log the user out of the SSO session and return to this page. This fixes the logout link so that you do not receive an error when returning to the /oauth2/device page. A workaround is documented in the linked GitHub issue.

Update fusionauth/java-http to the most recent version to pick up a bug fix.

This fixed a very low level HTTP server bug. In some rare cases, the HTTP response handler may not identify the end of the stream and effectively truncate the response body. It is difficult to say how may affect your integration if you were to encounter it. If you were to make an API call with a large response body, it may be possible the response would not include a valid JSON object if the response is truncated. When this error occurs, the HTTP status code will be valid, but the response will be truncated or non-existent.

Access token signing keys specific to an entity type may revert to the tenant configuration after upgrading to this version.

It is recommended to upgrade to this version at a minimum if you are coming from a version prior to version 1.45.0. For more information on this issue, see the Known Issues in the 1.45.0 release notes.

Added support for wildcard configuration when using post_logout_redirect_uri parameter on the OAuth2 Logout request.

Fixed salt validation for the phpass-md5 or phpass-sha512. This will allow the import of users with this password hash when the salt includes a . (period) character.

Added validation for the length of an entity name in order to provide a more friendly validation error message.

Updated to the OpenAPI spec to correct an error related to BaseSAMLv2IdentityProvider.

Reviewed and corrected tooltips in the admin UI for Application specific email templates.

A Lambda invocation may incorrectly fail indicating a recursive call was attempted. This is unlikely to occur, but under heavy load, it is possible.

The Application API was failing to make a copy when using sourceApplicationId when the source Application has enabled and configured the SAML v2 IdP. This is a bug in a new feature that was added in version 1.43.0.