FusionAuth Documentation

Release Notes

Version 1.14.0

Pending Release

New

  • Initial release of Kickstart.

Fixed

  • PATCH should merge all data fields

  • Should be able to login via SAMLv2 without any OAuth grants enabled

  • Added missing theme_manager role to the FusionAuth application

Version 1.13.2

December 30th, 2019

Fixed

  • During a reindex operation the status will properly be displayed on every node when viewing the User Search or the Reindex pages in the UI.

  • Improve Kafka configuration validation when using the Test button in the UI.

  • An exception may occur when using ReactNative with FusionAuth when an HTTP Origin header is sent to FusionAuth with a value of file://. The exception is caused because file:// without a value after the double slash is not a valid URI and cannot be parsed by java.net.URI. However the HTTP specification indicates that an origin header with a scheme of file:// is allowed and when used anything following the prefix is allowed. This fix follows a similar decision made by Apache Tomcat in their CORS filter, see Bugzilla #60008.

  • When an invalid code or expired code is used on a Passwordless login request an exception may occur.

  • When a user email is verified implicitly due to a change password action that originated via an email request the user.verified event is now sent.

Version 1.13.1

December 19th, 2019

Search Index Rebuild

As part of the upgrade the Elasticsearch index will be rebuilt due to a modification in the index to support searching on nested collections. This additional step may cause additional load on your system until it has completed. If you have less than 100,000 users in FusionAuth you will not likely observe any meaningful impact to your system. If your user count is > 1 million, the reindex may take minutes to complete, during this time you may still use FusionAuth normally. Until your search index is completely rebuilt the Search API or User Search feature in the UI may not provide complete results.

Fixed

  • The Elasticsearch migration required to complete the upgrade to 1.13.0 may not always run as intended. Upgrading to this release will kick off an Elasticsearch reindex operation to correct the search index state.

Version 1.13.0

December 18th, 2019

Database migration

The database schema has changed and an upgrade is required for this version of FusionAuth. You will be prompted to upgrade the database by maintenance mode before you may login.

See Database Upgrades for more information about database migrations.

Known Issues

  • A search index rebuild is required to complete this upgrade, this operation may not automatically be started during upgrade. If you have already upgraded to this release you can either upgrade to the 1.13.1, or manually initiate a reindex request by navigating in the UI to System Reindex.

New

Fixed

  • The newly supported PATCH HTTP method cannot be selected from the API key endpoint security settings. This means that you need to allow all methods in order to utilize the PATCH method. This has been resolved.

  • The newly supported PATCH HTTP method is not configurable in the CORS filter.

  • An empty salt value is recommended in an error message but this was failing validation during Import using the User Import API.

  • An exception may occur when using the PATCH method on the User API when more than one tenant exists.

Enhancement

  • DELETE /api/user/bulk takes queryString and query parameters to search for users to delete by ElasticSearch query string and raw JSON query, and a dryRun parameter to preview the affected users. See the User Bulk Delete API documentation.

  • POST /api/user/search and GET /api/user/search take a query parameter to search for users by an ElasticSearch raw JSON query. See the User Search API documentation.

  • /api/user/search takes new sortFields for sorting search results. See the User Search API documentation.

  • The Webhook URL is no longer constrained to 191 characters. Prior to this version, this URL was considered unique and the length was constrained due to indexing limitations. The URL is no longer required to be unique and it is up to the user to limit duplicate webhooks.

Version 1.12.0

December 8th, 2019

Database migration

The database schema has changed and an upgrade is required for this version of FusionAuth. You will be prompted to upgrade the database by maintenance mode before you may login.

See Database Upgrades for more information about database migrations.

Changes

  • In support of the OAuth Device Grant feature released in 1.11.0, a second template was added to separate the completion state.

    • New themed template OAuth device complete. Starting with version 1.12.0, templates will no longer be automatically migrated into an existing theme. We believe this is a safer choice overall. Instead your theme will be marked as requiring upgrade when viewed in the UI. You will be prompted to complete the missing templates when you edit and you will be provided with the option to copy in the default template as a starting point.

    • If FusionAuth attempts to render the missing template you will be prompted with a message indicating your theme needs to be upgraded. In generally this should happen when you are using a new feature and thus should occur at development time. Whenever a new template is added, it is recommended to edit and verify your theme right away after upgrade to ensure a smooth migration.

  • In support of the HYPR integration, a new template was added that will be used when waiting for the external HYPR authentication to complete.

    • New themed template OAuth2 wait. Starting with version 1.12.0, templates will no longer be automatically migrated into an existing theme. We believe this is a safer choice overall. Instead your theme will be marked as requiring upgrade when viewed in the UI. You will be prompted to complete the missing templates when you edit and you will be provided with the option to copy in the default template as a starting point.

  • The following theme messages were added. Until these values have been translated they will be rendered in English. At your earliest convenience you will want to add these new keys to your existing themes. You may wish to review the community provided translations which may already contain these new messages. https://github.com/FusionAuth/fusionauth-localization


wait-title=Complete login on your external device
waiting=Waiting

[ExternalAuthenticationExpired]=Your external authentication request has expired, please re-attempt authentication.

  • A change has been made to how an event is sent to Webhooks when the Transaction configuration does not require any webhooks to succeed. Prior to this version each webhook would be called in order and once the status was collected from each webhook a decision was made to return to the caller or fail the request. In order to increase the performance of webhooks, when the Transaction configuration does not require any webhooks to succeed each webhook will be called in a separate thread (asynchronously) and the request will return immediately. In this scenario any failed requests will not be retried. See Webhooks for more information.

New

  • Support HYPR IdP native integration. HYPR brings passwordless and biometric options to FusionAuth.

  • Administrative actions added to Users Manage panel.

    • Send password reset always available from the drop down menu.

    • Resend email verification available when the user’s email is not yet verified from the drop down menu.

    • Resend verification available as a new row button in the Registrations tab when a registration is not verified.

Fixed

  • Modifying user actions with multi tenants returns a missing tenant error.

  • The JWT Validate endpoint returns the wrong precision for iat and exp claims.

  • When using the one time password returned from the Change Password API when a Refresh Token was provided during the change request a Refresh Token is not returned from the Login API.

  • A "null" Origin header is allowed in the w3 spec, and when this occurs it may cause an exception when validating authorized origins.

  • Better handling on the Start Passwordless API when a user does not exist

Enhancement

  • The User Delete API will no longer delete User Actions taken by the user. Instead the API will now disassociate any UserActions created by the deleted user by removing them from the Actioning User. In this scenario, a user will remain in an Action taken by a user that has now been deleted.

  • A User Action may be applied to a user in a different tenant than the User taking the action. Prior to this release, using the admin UI to take an actioon on a user in a different tenant may fail.

  • The following apis now support the PATCH HTTP method. This enhancement completes GitHub Issue #121.

    • /api/application

    • /api/application/role

    • /api/consent

    • /api/email/template

    • /api/group

    • /api/identity-provider

    • /api/integration

    • /api/lambda

    • /api/system-configuration

    • /api/tenant

    • /api/theme

    • /api/user

    • /api/user-action

    • /api/user-action-reason

    • /api/user/consent

    • /api/user/registration

    • /api/webhook

  • The FusionAuth client libraries now also support the PATCH method.

  • When an encoded JWT is accepted in the Authorization header, FusionAuth will now accept the token in the Bearer or the JWT schema.

  • When you begin an external login such as Facebook, Google or Twitter an in progress indicator will be added to the login panel to indicate to the user that a request is in progress.

    • Resolves GitHub Issue #331, thanks to @davidmw for the suggestion!

    • If you are using a theme and want to take advantage of this indicator, you can compare the stock OAuth2 Authorize template, look for the note in the top JavaScript section.

Version 1.11.0

October 29th, 2019

Database migration

The database schema has changed and an upgrade is required for this version of FusionAuth. You will be prompted to upgrade the database by maintenance mode before you may login.

See Database Upgrades for more information about database migrations.

Changes

  • Remove the sid and the iss request parameters on the URL provided by post_logout_redirect_uri. This feature was added in version 1.10.0 and because the redirect URL may be a previously configured Logout URL or a URL provided by the post_logout_redirect_uri we were always adding these additional request parameters to the URL. This change will rwemove them from the redirect URL and they will only be added to the URLs used to build the iframes in the logout template.

  • In support of the OAuth Device Grant feature, the following theme changes have been made.

    • New themed template OAuth device. This template has been added to each of your existing themes. As part of your migration please review this template to ensure it matches your intended style.

  • The following theme messages were added. Until these values have been translated they will be rendered in English. At your earliest convenience you will want to add these new keys to your existing themes. You may wish to review the community provided translations which may already contain these new messages. https://github.com/FusionAuth/fusionauth-localization


device-form-title=Device login
device-login-complete=Successfully connected device
device-title=Connect Your Device

userCode=Enter your user code

[blank]user_code=Required
[invalid]user_code=Invalid user code

  • The following hidden fields were added and you will need to update your [#macro oauthHiddenFields] in the theme "Helpers" of existing Themes if you intend to to utilize the Device Grant or response_mode in the Authorization grant:


[@hidden name="response_mode"/]
[@hidden name="user_code"/]

  • An update has been made to the [@link] macro in the Helpers template. If you intend to utilize the Device Grant you will need to add the missing parameters to your macro or copy the updated macro and usage from the default FusionAuth theme. The user_code request parameter has been added to this macro.

New

  • Device Authorization Grant

    • This satisfies GitHub Issue #320 - OAuth2 Device Authorization Grant

    • This grant type is commonly used to connect a set top box application to a user account. For example when you connect your HBO NOW Roku application to your account you are prompted with a 6 digit code on the TV screen and instructed to open a web browser to hbonow.com/tvcode to complete the sign-in process. This process is using the OAuth Device Grant or a variation of this workflow.

  • Support for the response_mode request parameter during the Authorization Code grant and the Implicit grant workflows.

  • An additional API is available in support of Passwordless Login to allow additional flexibility with third party integrations.

    • See GitHub Issue #175

    • This feature will be available in 3 steps, Start, Send and Complete. Currently the Send API generates a code and sends it to the user, and then a Login API completes the request. The change is backwards compatible, but a Start action will be provided so you may skip the Send and collect the code and send it to the user using a third party system.

    • See the Passwordless API documentation for additional information.

Preview

  • The PATCH HTTP method is available on some APIs in a developer preview. This is not yet documented and should only be used in development. The following APIs support the PATCH method, more to come.

Fixed

  • Return a 400 status code with a JSON response body on the Import API when a FK constraint causes the import to fail

  • Return a 401 status code on the Userinfo endpoint for invalid tokens

  • The Passwordless login external identifier complexity settings are not working

  • An error is incorrectly displayed on the Forgot Password form even when the code is valid

  • When a large number of tenants exist such as 3-5k, an exception may be thrown during a key cache reload request

  • When using the id_token_hint on the Logout endpoint, if the token was issued to a user that is not registered for the application it will not contain the applicationId claim. This claim was being used to resolve the client_id required to complete logout. An alternative strategy is now used so that an id_token issued to a user that is registered, or not registered will work as expected when provided on the Logout endpoint.

  • Support a SAML SP that does not send the <samlp:NameIDPolicy /> constraint in the AuthN request, in this case we will default to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

Enhancement

  • Front-channel logout was made more flexible

    • Resolves GitHub Issue #324

    • A new attribute Logout behavior was added to the Application Oauth configuration

      • Redirect only - legacy behavior of only logging out of SSO and redirecting to either the registered logout URL in the application or the post_logout_redirect_uri.

      • All applications - performs a front channel logout of all registered applications in the tenant. Optionally, the themable Oauth logout page can be modified to only logout of those applications the user is registered for.

  • In some cases the Facebook IdP configuration requires a permission of email to be configured in order for the email claim to be returned from the Facebook Me API even when email is also specified in the field parameter. FusionAuth will default both the fields and the permissions parameters to email on create if not provided to make the Facebook IdP work out of the box for more users. Defaults will not be applied if these fields are left blank or omitted on an update.

  • The Passwordless Send API now takes an optional code parameter which will be used as the Passwordless code sent in the email. This code can be generated by the new Passwordless Start API.

Version 1.10.1

October 1st, 2019

Fixed

  • When logging into Google or other external Identity Provider for an Application outside of the default tenant the login may not complete successfully. This issue was introduced in version 1.9.0. A work around is to use an application in the default tenant.

  • A status code of 500 may occur during the processing of the SAML v2 response from an SAML v2 IdP.

Version 1.10.0

September 30th, 2019

Changes

  • In support of the OpenID Connect Front Channel logout feature, the following theme changes have been made.

    • New themed template OAuth logout. This template has been added to each of your existing themes. As part of your migration please review this template to ensure it matches your intended style.

  • The following theme messages were added. Until these values have been translated they will be rendered in English. At your earliest convenience you will want to add these new keys to your existing themes. You may wish to review the community provided translations which may already contain these new messages. https://github.com/FusionAuth/fusionauth-localization


logging-out=Logging out&hellip;
logout-title=Logging out
or=Or

[ExternalAuthenticationException]=%1$s The login request failed.

New

  • Support for the OpenID Connect Front Channel logout

    • This updates the existing OAuth2 Logout endpoint to be compliant with the OpenID Connect Front-Channel Logout 1.0 - draft 02 specification

    • TL;DR The /oauth2/logout endpoint will call logout URLs of all tenant applications. A redirect URL can be requested on the URL via post_logout_redirect_uri.

    • Resolves GitHub Issue #256, thanks to all who up voted and provided valuable feedback.

    • The OpenId Connect discovery endpoint now returns the following attributes:

      • end_session_endpoint

      • frontchannel_logout_supported

      • backchannel_logout_supported

Fixed

  • Send email API may fail with a 500. This issue was introduced in version 1.9.0.

  • SAML v2 Invalid Redirect. This resolves GitHub Issue #287, thanks to @prasanna10021991 for reporting and helping!

Enhancement

Version 1.9.2

September 24rd, 2019

Fixed

Version 1.9.1

September 23rd, 2019

Fixed

  • Unable to modify the name of the default FusionAuth theme. If you attempt to edit the theme and save the form a validation error occurs that is not expected and will cause an exception. If you encounter this problem you can simply not edit the FusionAuth theme since you are not able to modify the templates anyway. Instead just duplicate the theme if you would like to view any of the default messages.

Version 1.9.0

September 23rd, 2019

New

Fixed

  • When editing a new email template that contained ${user.tenantId} the template validation may fail.

  • A locked account may still be able to login via Google or other external identity provider.

    • Resolves GitHub Issue #301, thanks to @jerryhopper (a FusionAuth MVP) for the bug report!

    • Previous to this change when using the OAuth2 login or the Login API, a locked account was treated as a "soft" lock and a 404 would be returned from the Login API which in turn displayed an Invalid credentials error. The account locked (soft delete) state will not return a 423 status code instead of a 404 which will result in a different message to the OAuth2 login.

Version 1.8.1 RC1

September 10th, 2019

Please Read

This is a release candidate. This means the version is stable and should work for most cases. However, due to the complexity of the database migration ensure you have adequately tested the upgrade prior to moving it into production. You may also wish to wait for the forthcoming full release of 1.8.1 or 1.9.0 before moving into production.

Fixed

  • The SQL issue described below in the warning message has been resolved.

  • Performing a clean install of 1.8.0-RC.1 may fail in some cases

  • When user.passwordChangeRequired is true and you login via an external identity provider you will be redirected to /password/change with an invalid code so you will not be able to complete the change password workflow. You may work around this change by navigating back to the login page and clicking the forgot password link.

Version 1.8.0 RC1

September 8th, 2019

Database migration

The database schema has changed and an upgrade is required for this version of FusionAuth. You will be prompted to upgrade the database by maintenance mode before you may login.

See Database Upgrades for more information about database migrations.

Please Read

This is a release candidate. This means the version is stable and should work for most cases. However, due to the complexity of the database migration ensure you have adequately tested the upgrade prior to moving it into production. You may also wish to wait for the forthcoming full release of 1.8.0 before moving into production.  
 
 
Known Issues:  
 
Any rows in the user_external_ids table with a null value in the applications_id column may cause the migration to fail. Prior to upgrading run the following SQL command:  
DELETE from user_external_ids WHERE applications_id IS NULL; This issue will be resolved in the final release of 1.8.0.  

Community MVPs

Thanks to all of our community members who take the time to open features, report bugs, assist others and help us improve FusionAuth! For this release we would like to thank the following GitHub users who helped us out!

 
 

Changes

  • Most of the configuration previously available in the System Settings has been moved to the Tenant configuration to allow for additional flexibility. This is important if you will be utilizing more than one tenant, you may now configure password policies, email configuration, etc per tenant. If you are using the System Configuration or Tenant APIs, please be aware of this change and plan accordingly. If you were manually synchronizing these configurations between systems, you will need to update these processes.

    • SMTP configuration

    • Event configuration

    • Password configuration

    • Failed Authentication configuration

    • Password configuration

    • JWT configuration

    • Theme

  • When using a theme, whenever possible provide the tenantId on the request using an HTTP request parameter. This will help ensure FusionAuth will render the page using your chosen theme. In most cases FusionAuth can identify the correct tenant and theme based upon other parameters in the request, but in some circumstances there is not enough information and FusionAuth will default to the stock theme if the tenantId is not explicitly provided.

    • For example in each of the shipped email templates the following has been added to the generated URL ?tenantId=${tenantId}. You may wish to add this to your email templates if you’re using themes.

  • If you were previously accessing a themed stylesheet in your template as ${loginTheme.stylesheet} it is now accessed like this ${theme.stylesheet()}.

New

Fixed

  • Tenant scoped SMTP configuration, password rules, event transactions, JWT signing configuration, etc.

  • When viewing Refresh token expiration in the Manage User panel under the Sessions tab, the expiration may be displayed incorrectly if the Refresh Token Time to Live has been set at the Application level. The actual time to live was still correctly enforced, but this display may have been incorrect.

  • In some cases an Id Token signed by FusionAuth may not be able to be verified if it is sent back to FusionAuth. This issue was introduced in version 1.6.0.

  • If the host operating system is not configured for UTF-8 and you specify multi-byte characters in an email template subject, the subject text may not be rendered correctly when viewed by the recipient.

  • Toggle rendering issue in Firefox. Resolves GitHub issue #260, thanks to @snmed for the assist!

  • When creating users and applications programatically, due to a timing issue, you may receive an unexpected error indicating the Application does not exist. Resolves GitHub Issue $252, thanks to @johnmaia for reporting the issue.

  • An exception may occur when using the Login with Google feature if the picture claim returned is not a valid URI. Resolves GitHub Issue #249, thanks to @damienherve for reporting the issue.

  • A tenant may fail to be deleted. Resolves GitHub Issue #221, thanks to @johnmaia for the assist! If you encounter this issue, ensure the search index is updated, generally this will only happen if you programatically create users and then immediately attempt to delete a tenant.

  • The relative link on the Change Password themed template to restart the Forgot Password workflow when the code has expired is broken. Resolves GitHub Issue #280, thanks to @flangfeldt for letting us know!

  • The Import API may fail due to a false positive during password salt validation. Resolves GitHub Issue #272, thanks to @tombeany for reporting the issue.

  • Modifying an Identity Provider configuration when an Application has been disabled may cause an error in the UI. Resolves GitHub Issue #245, thanks to @fabiojvalente for reporting the issue.

  • When the FusionAuth schema exists in the database and you reconnect FusionAuth using the database maintenance mode, depending upon the version of PostgreSQL we may not properly detect that the schema exists and return an error instead of continuing. Resolves GitHub Issue #237, thanks to @whiskerch for reporting the issue.

  • A typo in the Java FusionAuth client causes the to fail the generateEmailVerificationId request. Resolves GitHub Issue #282, thanks to @petechungtuyco for reporting the issue and pointing out the solution!

Enhancement

  • JWT Refresh Token Revoke event will contain a User object when available

  • In a themed template that may have the passwordValidationRules available after a password validation field error will now always have the passwordValidationRules available if you choose to display them. Resolves GitHub Issue #263, thanks to @AlvMF1 for the suggestion!

  • Updated PostgresSQL connector to support SCRAM-SHA-256. Thanks to @colundrum for letting us know and assisting in testing. Resolves GitHub Issue #209

  • The OpenId Connect discovery endpoint now accepts optional tenantId request parameter.

  • A User object is returned in the jwt.refresh-token.revoke event JSON.

  • The field tenantId is returned in event JSON.

Version 1.7.4

August 22th, 2019

Fixed

  • When configuring a SAML v2 IdP relying party using the FusionAuth SP metadata, the configured ACS may not work properly. If you encounter this issue you may manually modify the relying party configuration to change the ACS endpoint to /oauth2/callback.

Version 1.7.3

August 15th, 2019

New

  • SAML v2, OpenID Connect, Google, Facebook, Twitter and External JWT Identity Provider configurations now have a debug flag. When enabled a debug Event Log will be created during each request to the Identity Provider to assist in debugging integration issues that may occur. In addition, error cases will be logged in the Event log instead of to the product log.

  • SAML v2 Service Provider (Relaying Party) Metadata URL

Fixed

  • In some cases when running FusionAuth behind a proxy without setting the X-Forwarded-Port header the URLs returned in the OpenID Configuration discovery document may contain an https URL that is suffixed with port 80. If this is encountered prior to this version you may simply add the X-Forwarded-Port header in your proxy configuration.

  • SAML v2 fix when using urn:oasis:names:tc:SAML:2.0:nameid-format:transient or urn:oasis:names:tc:SAML:2.0:nameid-format:persistent Name Id formats.

  • SAML v2 fix in the IdP Metadata. The IDPSSODescriptor was missing the protocolSupportEnumeration which may cause some SAML metadata parsers to fail processing.

  • SAML v2 fix in the IdP Metadata. The value returned in the issuer attribute was not the same as the entityId provided in the metadata which may cause some SAML metadata parsers to fail processing.

  • And audit log entry may not be created for a FusionAuth admin that does not have an email address when modifying configuration with the FusionAuth UI.

Enhancement

  • Integration details have been moved to a view dialog for each Identity Provider configuration. Previously these values were provided as read only fields on the edit panel in the UI.

    • See the View action for your Identity Provider configurations by navigating to Settings Identity Providers.

Version 1.7.2

June 19th, 2019

Fixed

Version 1.7.1

June 13th, 2019

Database migration

The database schema has changed and an upgrade is required for this version of FusionAuth. You will be prompted to upgrade the database by maintenance mode before you may login.

See Database Upgrades for more information about database migrations.

Fixed

  • Possible migration error for PostgreSQL users

Version 1.7.0

June 13th, 2019

Database migration

The database schema has changed and an upgrade is required for this version of FusionAuth. You will be prompted to upgrade the database by maintenance mode before you may login.

See Database Upgrades for more information about database migrations.

Changes

  • The timezone field in the User and UserRegistration must be a IANA time zone. This was previously assumed, but not always enforced. If a timezone is set for a User or UserRegistration that is not a valid IANA timezone, null will be returned when retrieving the User or UserRegistration timezone.

New

  • Family and relationship modeling. Yeah, everyone has users, but does your IdP manage family relationships?

  • Consent management. Need to record parental consent, or track opt-in for your users? Look no further.

    • Consent concepts

    • Consent APIs

    • We will ship FusionAuth with COPPA VPC, and COPPA Email+ consents, additional consents may be added through the Consent management interface and through the Consent APIs.

  • Export of Audit Logs to a zipped CSV in the UI and via the Export API

  • Export of Login Records to a zipped CSV in the UI and via the Export API

  • Login Record view that contains limited search and pagination capability. In the UI see System Login Records

  • Retention policy for Audit Logs. This feature is disabled by default and may be enabled to retain a configured number of days worth of Audit Logs.

  • Retention policy for Login Records. This feature is disabled by default and may be enabled to retain a configured number of days worth of Login Records.

Fixed

  • Some timezones may not be correctly discovered during login. When this occurs an undefined value is set which may cause an error during login to the FusionAuth UI.

  • Support importing Bcrypt hashes that contain a . (dot). The Bcrypt Base64 encoding uses a non standard character set which includes a . (dot) instead of a + (plus) as in the standard character set. Thank you to Diego Souza Rodrigues for discovering this issue and letting us know!.

  • Better support for third party 2FA devices such as an RSA key fob. When providing FusionAuth with a secret to enable Two Factor authentication we will accept a string in a Bas32 or Base64 encoded format. The documentation has been updated to further clarify this behavior. Previously if you brought your own secret to FusionAuth to enable 2FA, depending upon the format of the key, you may not have been successful in enabling 2FA for a user.

  • Managed domains were not being returned properly for a SAML v2 IdP configuration. This means that that you could not limit the SAML v2 IdP configuration to users with a specific email domain.

Enhancement

Version 1.6.1

May 2nd, 2019

Fixed

Version 1.6.0

April 28th, 2019

Database migration

The database schema has changed and an upgrade is required for this version of FusionAuth. You will be prompted to upgrade the database by maintenance mode before you may login.

See Database Upgrades for more information about database migrations.

Please Read

The SAML specification is complex and not all SAML v2 Service Providers are specification compliant. This means your mileage may vary as you utilize the FusionAuth SAML v2 IdP to allow services such as Zendesk, Pivotal and Google G-Suite to log into FusionAuth using SAML v2. If you run into problems open a GitHub issue and we will try to help.

Changes

  • Deprecated the following properties SystemConfiguration and Application domain. This is all now managed through Key Master, and existing keys have been migrated into Key Master.

    • jwtConfiguration.issuer

    • jwtConfiguration.algorithm

    • jwtConfiguration.secret

    • jwtConfiguration.publicKey

    • jwtConfiguration.privateKey

  • Deprecated the following property SystemConfiguration.jwtConfiguration.issuer, it has moved to SystemConfiguration.issuer.

  • A new macro was added to the _helpers.ftl that may be managed by your theme. If you have modified the _helpers.ftl template as part of your theme, you will either need to reset that template and merge your changes back in, or add the following code to your _helpers.ftl managed by your theme. If you encounter an issue with this, you will still likely be able to login to correct the issue, if you do get stuck you may disable your theme to login. See https://fusionauth.io/docs/v1/tech/themes/#handling-failures.

[#macro link url text extraParameters=""]
<a href="${url}?tenantId=${(tenantId)!''}&client_id=${(client_id?url)!''}&nonce=${(nonce?url)!''}&redirect_uri=${(redirect_uri?url)!''}&response_type=${(response_type?url)!''}&scope=${(scope?url)!''}&state=${(state?url)!''}&timezone=${(timezone?url)!''}&metaData.device.name=${(metaData.device.name?url)!''}&metaData.device.type=${(metaData.device.type?url)!''}${extraParameters!''}">
${text?html}
</a>
[/#macro]

New

  • Support for SAMLv2 IdP. This satisfies GitHub Issue #3

  • Support for SAMLv2 Service Provider to support federated authentication to a SAMLv2 Identity Provider. This satisfies GitHub Issue #104

  • Lambda support. Lambdas are user defined JavaScript functions that may be executed at runtime to perform various functions. In the initial release of Lambda support they can be used to customize the claims returned in a JWT, reconcile a SAML v2 response or an OpenID Connect response when using these Identity Providers.

    • See the Lambda API and the new Lambda settings in the UI Settings Lambdas.

  • Event Log. The event log will assist developers during integration to debug integrations. The event log will be found in the UI under System Event Log.

    • SMTP Transport errors

    • Lambda execution exceptions

    • Lambda debug output

    • SAML IdP integration errors and debug

    • Runtime exceptions due to email template rendering issues

    • And more!

  • Key Master, manage HMAC, Elliptic and RSA keys, import, download, generate, we do it all here at Key Master.

  • New events

    • user.login.failed

    • user.login.success

    • user.registration.create

    • user.registration.update

    • user.registration.delete

  • Easily duplicate email templates using the Duplicate action.

  • Manage Access Token and Id Token signing separately

Enhancement

  • Insert instant provided on the Import API for Users and Registrations will be reflected in the historical registration reports

  • Additional node information will be available on the About panel when running multiple FusionAuth nodes in a cluster. See System About.

Fixed

  • If Passwordless login is disabled because no email template has been configured the button will not be displayed on the login panel. If a user attempts to use the passwordless login and the feature has been disabled or the user does not have an email address a error will be displayed to alert the user.

  • If you are using the Implicit Grant and you have Self Service Registration enabled for the same application, the redirect after the registration check will assume you are using the Authorization Code grant. To work around this issue prior to this release, disable Self Service Registration. Thanks to @whiskerch for reporting this issue in GitHub Issue #102.

  • Fixed OpenID Connect federated login. Our JavaScript code was throwing an exception due to the removal of the device field from OAuth. This code wasn’t updated and therefore would not perform the redirect to the third-party Open ID Connect IdP. To fix this issue in 1.5.0 or below, you can remove this line from OpenIDConnect.js on or near line 48: + '&device=' + Prime.Document.queryFirst('input[name=device]').getValue().

  • When you use the Refresh Grant with a Refresh Token that was obtained using the Authorization Code grant using the openid scope, the response will not contain an id_token as you would expect. This fixes GitHub Issue #110 - OIDC and Refresh Tokens. Thanks to @fabiosimeoni for reporting this issue

  • When using the OpenID Connect Identity Provider that requires client authentication may fail even when you provide a client secret in your OpenID Connect configuration.

  • https://github.com/FusionAuth/fusionauth-issues/issues/118

  • https://github.com/FusionAuth/fusionauth-issues/issues/119

  • https://github.com/FusionAuth/fusionauth-issues/issues/122

Version 1.5.0

March 25th, 2019

Database migration

The database schema has changed and an upgrade is required for this version of FusionAuth. You will be prompted to upgrade the database by maintenance mode before you may login.

See Database Upgrades for more information about database migrations.

Changed

  • Removed /oauth2/token from the CORS configuration. This change will cause the CORS filter to reject a POST request to the /oauth2/token endpoint when the request originates in JavaScript from a different domain. This will effectively prohibit the use of the OAuth2 Password grant from JavaScript.

  • The device parameter is no longer required on the Login API or the Authorized endpoint in order to receive a Refresh Token. If the device parameter is provided it will be ignored.

  • Correct the Refresh API response body to match the documentation. If you are currently consuming the JSON body of this API using the POST method, you will need to update your integration to match the documented response body.

New

  • Support for Passwordless login via email. See Passwordless API if you’ll be integrating with this API to build your own login form. To use this feature using the provided FusionAuth login form, enable Passwordless by navigating to your FusionAuth Application Settings Applications and selecting the Security tab.

  • Support for the OAuth2 Implicit Grant. See the OAuth 2.0 & OpenID Connect Overview and OAuth 2.0 Endpoints for additional information.

  • The Authorization Code, Password, Implicit and Refresh Token grants maybe enabled or disabled per application. See oauthConfiguration.enabledGrants property in the Application API, or the OAuth tab in the Application configuration in the FusionAuth UI.

  • The Change Password API can be called using a JWT. This provides additional support for the Change Password workflow in a single page web application. See the Change Password API for additional details.

  • The Change Password API in some cases will return a One Time password (OTP). This password may then be exchanged for a new JWT and a Refresh Token on the Login API. This allows for a more seamless user experience when performing a change password workflow. See the Change Password and Login API for additional details.

  • The Login API can now be restricted to require an API key. The default for new applications will require authentication which can be disabled. Existing applications will not require authentication via API to preserve the existing behavior. The Login API may also be restricted from return Refresh Tokens are allowing an existing Refresh Token be used to refresh an Access Token. These settings will be configurable per Application, see the Application API for additional details, or the Security tab in the Application configuration in the UI. If using the Application API, see the application.loginConfiguration parameters.

  • The c_hash, at_hash and nonce claims will be added to the id_token payload for the appropriate grants.

  • Add support for client_secret_post to the already provided client_secret_basic Client Authentication method. This means that in addition to using HTTP Basic Authentication, you may also provide the client_id and client_secret in the request body.

Enhancement

  • Better ECDSA private and public key validation to ensure the algorithm selected by the user matches the provided key.

  • When using the Change Password workflow in the OAuth2 Implicit or Authorization Code grants, the user will be automatically logged in upon completing a change password that is required during login.

  • The Two Factor Login API will return the twoFactorTrustId as an HTTP Only secure cookie in addition to being returned in the JSON response body. This provides additional support and ease of use when making use of this API in a single page web application. See the Two Factor Login API for additional details.

Fixed

  • When using the Login Report in the UI and searching by user, if you have more than one tenant you will encounter an error.

  • Validation errors are not displayed in the Add Claim dialog when configuring claim mapping for an External JWT Identity Provider

  • Calling the Tenant API with the POST or PUT methods w/out a request body will result in a 500 instead of a 400 with an error message.

  • When a locale preference has not been set for a FusionAuth admin and the English locale is used the user may see dates displayed in d/M/yyyy instead of M/d/yyyy.

  • Fix some form validation errors during self-registration.

  • The Action user action on the Manage User panel was opening the Comment dialog instead of the Action user dialog

  • When a user has 2FA enabled and a password change is required during login, the 2FA will now occur before the change password workflow

  • When more than one tenant exists, the Forgot Password link on the FusionAuth login page will not function properly.

  • The Logout API may not always delete the access_token and refresh_token cookies if they exist on the browser.

  • The id_token will be signed with the client_secret when HS256, HS384 or HS512 is selected as the signing algorithm. This is necessary for compliance with OpenID Connect Core 3.1.3.7 ID Token Validation. This fixes GitHub issue GitHub Issue #57, thanks to @Garogat for reporting this issue. If you encounter this issue prior to this version, copy the Client Secret found in the UI on the OAuth tab of your Application configuration into the HMAC secret on the JWT configuration tab.

  • The Login API will now return a 400 with an error JSON response body if the applicationId parameter does not belong to any configured applications. Previous to this release, this was treated the same as if the User was not registered to the requested application.

  • A change to the Docker build for permissions reduced the overall fusionauth-app image by ~ 200 MB.

Version 1.4.0

February 4th, 2019

Please Read

The FusionAuth System Requirements have been updated. Please review the updated requirements to ensure you have met the minimum supported versions of operating system and database.

Changed

  • Renamed Type enum in DeviceInfo class to DeviceType. This will only affect you if you are using the Java or C# client and reference this enum directly. If you are using this class directly, you may need to update an import in your client code.

  • More than one authorization code may exist for a single user at a given time. This will allow multiple asynchronous requests to begin an OAuth2 Authorization Grant workflow and succeed regardless of order.

New

  • Self service registration. You may optionally enable this feature per application and allow users to create a new account or register for new applications without building your own registration forms.

  • JSON Web Key set support. This endpoint will be exposed at /.well-known/jwks.json and will be published in the OpenID Configuration metadata endpoint as well. Prior to this release the public keys used to sign JSON Web Tokens were only available in PEM format using the Public Key API, this endpoint will still be available and supported.

  • Added Elliptic Curve signature support for JSON Web Tokens, ES256, ES384 and ES512.

  • Added Typescript client library https://github.com/FusionAuth/fusionauth-typescript-client

  • The Login Report may now be optionally filtered to a particular User in the UI, and the Login Report API will now take loginId or userId.

Fixed

  • When using Docker compose, if you start up with --pull to update to the latest version of FusionAuth and there happens to be a database schema update, the silent configuration mode may fail. This occurs because the silent configuration was not performing the database schema update automatically. If you encounter this issue, you will need to manually update the schema.

    • This will only occur if you are running a version of FusionAuth prior to 1.1.0 and upgrade using --pull during docker-compose up.

  • When you have multiple tenants created, a tenant may be deleted with an API key that is not assigned to the tenant. This has been corrected and a tenant may only be deleted using an API key that is not assigned to any tenant. This issue will only affect you if you have more than one tenant.

  • Updated Maintenance Mode (setup wizard) to work with MySQL version 8.0.13 and above. MySQL has changed their SSL/TLS handling and our connections were not correctly handling public keys. This has been fixed by allowing FusionAuth to perform a secondary request to MySQL to fetch the public key.

  • Logging in with a Social Login provider such as Google for an existing FusionAuth user may cause them to be unable to login to FusionAuth directly using their original credentials.

  • When using the OpenID Connect Identity Provider, the incoming claim given_name was being saved in the fullName field instead of the firstName.

  • When a user is soft deleted, actioned to prevent login, expired, or they have changed their password since their last login, their SSO session will be invalidated instead of waiting for the session to expire.

Internal

  • Upgrade to fusionauth-jwt 3.0.1 in support of Elliptic Curve crypto support.

Version 1.3.1

December 19th, 2018

Database migration

The database schema has changed and an upgrade is required for this version of FusionAuth. You will be prompted to upgrade the database by maintenance mode before you may login.

See Database Upgrades for more information about database migrations.

Changed

  • API key will take precedence for API authentication if both a JWT and an API key are provided on the request. For example, when making a GET request to the User API, if a JWT is provided in a cookie, and a valid API key is also provided in the Authorization HTTP header, the previous design was to prefer the JWT. This design point meant that even when an API key was provided, even when providing a valid API key, you would be unable to retrieve any user but the one represented by the JWT.

  • The client_id is no longer required on the OAuth Token endpoint when client authentication is configured as required, in this scenario the client Id is provided in the HTTP Basic Authorization header.

Fixed

  • When editing the JWT settings in the FusionAuth application the UI a JavaScript error may cause some of the settings to not render properly. This error was introduced in version 1.3.0.

  • Added missing properties to the Application view dialog in the FusionAuth UI.

  • The openid scope may not be honored during login when a user has Two Factor authentication enabled. The symptom of this issue is that the response from the Token endpoint will not contain an id_token even when the openid scope was requested.

  • Validation for the OAuth2 Token endpoint may fail when the client_id request body parameter is omitted and return a 500 instead of a 400 status code.

  • When a OAuth2 redirect URI is registered with a query parameter, the resulting redirect URI will not be built correctly.

  • When trying to configure Elasticsearch engine during maintenance mode the index may get created but fail to leave maintenance mode. FusionAuth makes a HEAD request to Elasticsearch to check if the required indexes exist during startup and prior to leaving maintenance mode. When connected to an AWS Elasticsearch cluster this request does not behave as expected which causes FusionAuth to stay in maintenance mode. This issue has been resolved and should allow FusionAuth to properly connect to and utilize Elasticsearch running in an AWS cluster.

Version 1.3.0

December 5th, 2018

Database migration

The database schema has changed and an upgrade is required for this version of FusionAuth. You will be prompted to upgrade the database by maintenance mode before you may login.

See Database Upgrades for more information about database migrations.

New

  • An Application may disable the issue of refresh tokens through configuration. See oauthConfiguration.generateRefreshTokens in the Application API or the Generate refresh tokens toggle in the FusionAuth UI when editing an application.

  • The OAuth2 client secret may be optionally regenerated using the FusionAuth UI during Application edit.

  • Support for OAuth2 confidential clients, this is supported by optionally requiring client authentication via configuration. See oauthConfiguration.requireClientAuthentication in the Application API or the Require authentication toggle in the FusionAuth UI when editing an application.

Fixed

  • Calling the Introspect endpoint with a JWT returned from the Issue API may fail due to the missing aud claim.

  • The MySQL schema previously was using random_bytes which is not available in MariaDB. These usages have been replaced with an equivalent that will function the same in MySQL and MariaDB.

  • When editing or adding a new user in the FusionAuth UI, the Birthdate field may get set automatically before the date selector is utilized. A JavaScript error was causing this condition and it has been fixed.

Version 1.2.2

November 27th, 2018

Fixed

  • Add X-FusionAuth-TenantId to allowed CORS headers.

  • When FusionAuth is running behind a proxy such as an AWS ALB / ELB the redirect URI required to complete login may not be resolved correctly. This may cause the redirect back to the FusionAuth UI login to fail with a CSRF exception. If you encounter this issue you may see an error message that says Something doesn’t seem right. You have been logged out of FusionAuth. The work-around for this issue if you encounter it will be to perform the redirect from HTTP to HTTPS in your load balancer.

  • Some minor usability issues in the Identity Provider configuration UI.

Version 1.2.1

November 16th, 2018

Enhancement

  • Better error handling when an API caller sends invalid JSON messages. Prior to this enhancement if FusionAuth did not provide a specific error message for a particular field a 500 HTTP status code was returned if the JSON could not be parsed properly. This enhancement will ensure that sending a FusionAuth API invalid JSON will consistently result in a 400 status code with a JSON body describing the error.

  • Allow an Identity Provider to be enabled and disabled from the UI. You may still choose to enable or disable a specific Application for use with an Identity Provider, but with this enhancement you may not turn off an Identity Provider for all Applications with one switch.

Fixed

  • Preserve Application Identity Provider configuration for disabled Applications when editing a Identity Provider from the UI.

Version 1.2.0

November 15th, 2018

Database migration

The database schema has changed and an upgrade is required for this version of FusionAuth. You will be prompted to upgrade the database by maintenance mode before you may login.

See Database Upgrades for more information about database migrations.

New

  • Add TTL configuration for Refresh Tokens to the Application configuration. When you enable JWT configuration per Application this value will override the global setting.

Fixed

  • An error in the Twitter OAuth v1 workflow has been resolved.

Version 1.1.1

November 13th, 2018

Fixed

  • If you were to have an Identity Provider for federated third party JSON Web Tokens configured prior to upgrading to 1.1.0 FusionAuth may fail during the database migration to version 1.1.0.

Version 1.1.0

November 13th, 2018

Database migration

The database schema has changed and an upgrade is required for this version of FusionAuth. You will be prompted to upgrade the database by maintenance mode before you may login.

See Database Upgrades for more information about database migrations.

New

  • Social login support

  • Full theme support for login. See the Login Theme tutorial for additional information and examples.

  • Better localization support in the FusionAuth UI. You now have the option to set or modify your preferred language for use in the FusionAuth UI. Providing a preferred language will cause dates to be formatted based upon your preference. For example, the default data format is M/D/YYYY, but if you are not in the United States this may not be the way you expect a date to be formatted. If you set your locale to French you will now see a more appropriate format of D/M/YYYY. This value is stored on the User Registration for FusionAuth in the preferredLanguages field.

Enhancement

  • When viewing sessions (refresh tokens) on the Manage User panel, the start and expiration times will be displayed.

Version 1.0.18

October 29th, 2018

Fixed

  • If FusionAuth starts up in maintenance mode and stays there for an extended period of time without the User completing the configuration from the web browser, FusionAuth may get stuck in maintenance mode. If you encounter this issue, where you seemingly are entering the correct credentials on the Database configuration page and are unable to continue, restart FusionAuth and the issue will be resolved.

Version 1.0.17

October 5th, 2018

Fixed

Version 1.0.16

October 5th, 2018

Enhancement

  • Better support for running in Docker. Enhanced silent configuration capability for database and search engine boot strap configuration in Docker Compose to be more resilient.

Fixed

  • If custom data is added to an Application, Group or Tenant before editing the corresponding object in the UI, the custom data may be lost.

Version 1.0.15

October 1st, 2018

New

  • Better support for running in Docker. Configuration can be override using environment variables. See Docker Install for additional information.

Fixed

  • The first time a user reached the failed login threshold and a 409 response code was returned the response body was empty. Subsequent login requests correctly returned the JSON response body with the 409, now the JSON response body is correctly returned the first time the user reaches the failed login threshold.

Version 1.0.14

September 17th, 2018

Fixed

  • When using PostgreSQL an exception may occur during an internal cache reload request. If you encounter this issue you will see a stack trace in the fusionauth-app.log. If you see this error and need assistance, please open an issue in the FusionAuth Issues GitHub project.

Unexpected error. We’re missing an internal API key to notify distributed caches.

Version 1.0.13

September 12th, 2018

New

  • General availability release