Release Notes

Fixed a cosmetic issue in our Lambda editor: code comments were previously rendered orange-red. Comments are now rendered as gray to de-emphasize them.

Improved advanced theme validation in the Admin UI:

• Added checks for missing messages. Previously, if a theme lacked messages, but included all required templates, it would not be flagged for requiring an update.
• The theme editor now associates error messages with template sections.

Improved the performance of PATCH and PUT calls to /api/identity-provider for deployments with thousands of tenants or applications. Additionally, this release of the Go and Java client libraries adds opt-in retry support with exponential backoff for these APIs.

Fixed a race condition where concurrent PATCH calls to /api/identity-provider/{id} could all return status code 200, but only one modification would persist. Now, only one call will succeed, and all others will return status code 409.

Since: 1.63.0

Fixed a broken link in Reactor that should have linked users to find their license key in their FusionAuth account.

Since: 1.63.0

Fixed an issue where image URLs were obscured while viewing IdP configuration.

Since: 1.62.1

Fixed an issue where GET requests to /api/jwt/issue could produce a JWT for a user without firing the JWT Populate lambda, for users registered for one application, when requesting a token for an application for which the user is not registered.

Since: 1.62.1

Fixed an issue where the Admin UI failed to display embedded maps.

Since: 1.56.0

Fixed an issue where Reactor and license data could be lost when migrating to a new version of FusionAuth.

Since: 1.60.0

Improved the performance and reliability of background jobs in multi-node clusters, reducing load by a factor of 3-9x.

Since: 1.64.1

In the FusionAuth .NET Core Client, fixed an issue where enumeration-based values like sendSetPasswordIdentityType() incorrectly defaulted to email when omitted. The client now omits the value entirely from requests instead of using a default value.

Fixed an issue where, during a password change, FusionAuth may have failed to detect that a new password was included in a data breach.

Fixed an issue where the phone verification page displayed a label without a message.

Since: 1.62.0

Fixed an issue where long-running Admin UI requests could sometimes duplicate actions.

Since: 1.61.0

Fixed an issue where the SCIM GET /api/scim/resource/v2/Groups endpoint failed with a 500 error when one of the groups in the response contains a large number of users.

Since: 1.62.0

Standardized inconsistent title casing of headings in the Admin UI.

In the Admin UI, linked users always show an error when you view the linked account at Users -> Manage -> Linked accounts -> View .

Since: 1.62.0

Fixed an issue where, in the Admin UI, the Twilio or Generic Messenger send test message button always produced an unexpected error.

Since: 1.62.0

Fixed an issue where connectors did not allow login via username or email when the connector returned a different username or email from what the request provided.

Since: 1.59.0

The id_token_hint field of the oauth2/logout endpoint was incompatible with Id tokens generated in 1.59.x and earlier. The oauth2/logout endpoint is once again backwards-compatible with those tokens.

Since: 1.60.0

Fixed a rare issue where maintenance mode errors could appear in the FusionAuth logs while maintenance mode was not active.

Since: 1.63.0

Fixed a rare issue where a version upgrade could deactivate a configured license.

Since: 1.64.0

Fixed an issue where FusionAuth could get stuck in a Maintenance Mode Failed state when a leftover test_create_table database table already existed.

Removed all explicit mentions of "FusionAuth" from error message text.

Fixed a bug where one application's SSO session could prevent login to another application when a user had not yet completed registration.

Fixed a bug where a reconcile lambda could fail to set a value for an IdP linking strategy when the IdP's value is null.

Fixed an issue where the SAML metadata API returned a 500 response when the configuration specified a custom Name ID.

Added validation to fix a bug where nonfunctional signing keys could be successfully created by mismatching the type label with the PEM.

Enabled the deletion of Apple IdP-assigned keys, which previously failed to delete.

Fixed a bug introduced in 1.62.1 where the Simple Theme login page displayed a Face ID login graphic over content.

Fixed a bug where hosted login pages for universal applications sometimes showed IdPs scoped to another tenant.

Fixed a longstanding bug where the monthly active user table did not display data from the month of December.

Thanks to @Robert-Janeczek !

Fixed a bug in self-service registration where a user could alter a hidden field (using browser developer tools) and cause Failed decrypt registration state errors to appear in the event log.

Fixed a bug where autocomplete did not function correctly when accessing the Admin UI over HTTP (instead of HTTPS).

In the setup wizard, the checkbox for accepting the licensing agrement was not marked as required. It is indeed required, so now it is marked with an asterisk (*).

In System Settings > UI , a form field labeled "Menu font" controlled the menu font color. Added the suffix "color" to this label to clarify the field's purpose.

Thanks to @brob !

API Key endpoint permissions didn't allow for row selection, despite text that indicated otherwise.

Thanks to @brob !

In the setup wizard, marked "tell us more" field as required with an asterisk (*) when the "Other" acquisition channel is selected.

Thanks to @brob !

Fixed backwards toggle logic when requiring encrypted SAML assertions. When creating or editing a SAMLv2 and IdP-initiated SAML IdP, under the Options tab, the Require encrypted assertions toggle should expose the decryption key selector when it's on and hide it when it's off. The logic was backwards, hiding the selector when it's on and exposing it when it's off.

Fixed a bug where the SCIM create operation returned error code 400 (instead of 409) when both user.email and user.username are duplicated.

The logout button was not visible on account self-service pages.

When using database search mode, user searches could fail due to FreeMarker template errors introduced in the 1.62.0 UI update.

When a custom theme was missing a template, FusionAuth could fail to render the fallback template from the default theme. In some cases this could prevent a user from completing various workflows.

The setup wizard could generate an error if the browser could not provide a timezone.

Reports on the Admin UI could load slowly or time out during high user traffic or when a large number of applications exist.

IdP (federated) logins do not work for Universal Apps. Instead, shows the error message: Invalid_Request. Missing_tenant_id.

When family settings are enabled, including requiring a parent email, the parent email does not persisted after self-service registration by a child. This prevents an email from being sent to the parent email.

When creating a new lambda, changing the lambda type does not update the lambda body to the default body for that type.

Fixed a JavaScript error on the user edit page caused by a stale reference to birthDatePicker in User.js that remained after the variable was removed.

Fixed an issue where the date picker did not work properly on iOS, preventing users from selecting a date on iOS devices.

When testing Email Templates in the FusionAuth admin UI, rendering some template types resulted in an error. All template types can now be tested in the admin UI.

When a Minimum Password Age is configured for the tenant, creating a user without a password resulted in an exception. You can now create users without a password in tenants with a minimum password age requirement; password age rules apply once the user sets a password.

Providing an expired Id Token to the /oauth2/logout endpoint using the id_token_hint parameter resulted in an OAuth error. The /oauth2/logout endpoint once again accepts expired Id Tokens in accordance with the specification.

In version 1.59.0 we started indexing the new user.phoneNumber field for searches. IndexUser had a new field added, but the doc annotation was missing the version.

The GET /api/user/change-password endpoint does not allow a loginId type of phoneNumber. Additionally, client libraries are incorrectly passing a username parameter instead of a loginId parameter in checkChangePasswordUsingLoginId calls. This API endpoint is also lacking documentation.

When federating with a Google IdP, there are situations where a user can be re-prompted for authentication when already having valid FusionAuth and Google IdP sessions. SSO should now be honored correctly in these cases.

After establishing MFA trust on a device, a user is being re-challenged during a voluntary password reset, even during the trust period. The user should be able to change their password without completing another MFA challenge.

During startup, FusionAuth can output duplicate log entries. This was especially present with silent mode enabled. Logging should now be more efficient.

When a user first logs into a tenant configured with a connector, they will see an error when MFA is required and/or an updated and stronger password policy is in place. Subsequent logins behave normally.

Searches for users using nested searches involving registration fields may return incomplete results in some cases.

When using SCIM PATCH to add a user field, exiting fields are being removed. PATCH should now be handled as expected.

Performing a user reindex intermittently results in an email, username, or phoneNumber being omitted from Elastic/OpenSearch and not being searchable.

Some unwanted JavaScript errors are reported in the browser console on some pages, including the maintenance mode page and the application scope management page. These errors should now be handled more gracefully.

SCIM group searches are not properly honoring the eq operator. This operator should be doing an exact (but case-insensitive) search, but instead is doing a wildcard search.

Webhook user.delete events were not populating email, username, or phoneNumber fields when users were deleted under certain circumstances.

Fixed an issue where the user.update webhook event triggered by an Identity Provider login did not include the user's registrations in the original field of the event payload.

When using FusionAuth as a SAML Service Provider (SP), receiving a SAML Response containing an Assertion with an attribute value of null or of an unsupported type will result in a failure to parse the Response.

This issue was introduced in version 1.60.0 and has been corrected.

When using FusionAuth as a SAML IdP with a SAML Populate lambda that reads or modifies the SAML assertion will fail causing the login request to fail.

This issue was introduced in version 1.60.0 and has been corrected.

When decommissioning a license in a FusionAuth cluster, the change may not be reflected in all cluster nodes immediately. This can provide intermittent and inconsistent access to licensed features, depending on which node is handling a request.

A user can be shown a rendering error while attempting to complete an email based MFA login.

The error occurs when send rate limiting has been enabled as part of Advanced Threat Detection. When the user reached the rate limit threshold for requesting emails to be sent to complete login, the intended error was not shown an instead a page rendering error was displayed.

When a user completes a forgot password workflow, the failed login count will be reset.

This should reduce frustration for a user that changed their password after exceeding the configured failed login count. In this scenario, if the user had entered the the incorrect password again they would be required to wait for the configured time period before attempting login again. This could be quite frustrating.

Now that the failed count has been reset, the user will at least be allowed to enter the wrong password a few more times before we thwart their efforts.

When running in dark mode, or using a dark theme with a FusionAuth simple theme, some QR code scanners are unable to read the QR code for setting up MFA. We have added a light border to ensure that the QR code is still readable on a dark background. The QR code should have a high-contrast border to allow these readers to work.

When previewing the Phone verification required, Complete registration, and Passwordless theme templates in an advanced theme preview window, a FreeMarker exception is displayed to the user.

This was introduced in version 1.59.0.

A race condition exists, when attempting to activate FusionAuth using an air-gapped license without any outbound network access that may cause the the request to fail and not correctly persist the license.

When this issue is encountered the system becomes un-licensed.

When regenerating Reactor's encryption key, the Breached Password Detection status may take longer than expected to return to Active.

If you were to encounter this issue, deactivating and reactivating your license will also correct the state. You can also reach out to support if you see something like this as well.

Improved MFA configuration workflow during self-service registration when configured as required.

In version 1.59.0, changes were introduced that made it impossible to set webhooks for a handful of event types as transactional.

See release notes for 1.59.1 below for additional information.

An upgrade to FusionAuth version 1.58.2 or 1.59.0 fails if the Default Admin Registration provided by FusionAuth form (shipped in 1.20.0) is renamed or deleted prior to the upgrade.

An upgrade to FusionAuth version 1.58.2 or 1.59.0 fails if the Default Admin Registration provided by FusionAuth form (shipped in 1.20.0) is renamed or deleted prior to the upgrade.

When using a generic messenger in interactive workflows, no error is shown to the user if the message delivery attempt returns a non-200 response code. The user should be alerted to the fact that something went wrong.

During the slow migration of a user using a generic or LDAP connector, the known device cookie is not created. If the new device email or a new device webhook is configured, FusionAuth sends a second new device email and/or new device webhook the next time the user logs in.

There are cases where we are not returning appropriate errors for invalid inputs to APIs. Errors with appropriate and descriptive messages should be returned.

A race condition was identified in the 1.58.0 release that could affect a cluster of FusionAuth instances during the upgrade, preventing the upgrade from completing. This race condition has been addressed.

The SCIM create operation returns error code 400 (instead of 409) when both user.email and user.username are duplicated.

Resolved in version 1.63.0 via #3149 .

The Add Webhook page and the Login Records report can show errors in some circumstances. These error conditions should be handled more gracefully.

Searching for entities using the Entity Search API can produce results that have duplicate or missing items on response pages when a sort field isn't specified. Results should have an implicit ordering when no sort field is specified.

In certain circumstances, the FusionAuth admin UI and self-service account applications can fail to refresh an expired access token, causing a user to be logged out.

Calling the Search Reindex API while a reindex is in progress yields a 500 error. This API now returns a 400 status if a reindex operation is already running.

Using PATCH calls from HTTPConnect in a lambda fails in some cases. PATCH should be generally supported.

Interacting with a date picker can generate errors in the broswer's console. FusionAuth should handle these errors more gracefully.

A few forms in the FusionAuth admin UI are setting the input focus in nonstandard ways. These include the setup wizard, the add API key view, and the edit API key view.

When handling an HTTP request with a content type of multipart/*, FusionAuth now more accurately returns an HTTP status code of 422 if the request contains a file and a file upload was not expected for the intended HTTP request path.

Fixed a bug introduced in version 1.56.0 that caused FusionAuth to fail to start after being installed using RPM and Debian packages.

The process for deleting webhook event logs according to retention rules was formerly turned off by default, causing all webhook event log entries to be retained forever. This will now be enabled by default in new FusionAuth installations. Existing installations that are being upgraded will retain their former setting.

The client libraries were missing PATCH support for Entities. Support for this operation has been added.

Client libraries are missing full support for PUT and PATCH operations for entity types, forms, form fields, IP ACLs, webhooks, and families. This fix adds support for these.

FusionAuth returns a 500 when supplying a malformed application Id in an IdP-initiated SAML login, making it hard to troubleshoot. The error should be handled more gracefully, and a more meaningful error message should be returned.

The Application > Multi-Factor > SMS Template tooltip incorrectly referenced an email template instead of an SMS template. Updated this to reference the correct template type.

Thanks to @JCelentano !

The passwordless API returns a 500 error when a non-existent application Id is provided. This should return a correct response code and meaningful error.

When posting an invalid grant type to the /oauth2/token endpoint, the list of supported grant types in the error message is missing the device grant type

Users are being prompted to re-submit a form when first logging into a new deployment using Firefox. The request should proceed on the first attempt.

When creating an entity grant for a user using the API, some invalid payloads will yield a 500 error. A more meaningful error should be returned.

FusionAuth shows a notification for getting a free license even after a license has been installed. This notification should disappear after a FusionAuth instance has been licensed.

Executing a manual system reset in development mode with a valid kickstart file fails. This should work as expected.

Supplying a malformed license key to Reactor is producing a generic error. A specific error would be more helpful.

The Daily Active Users report is missing data from the most recent day. The report should include this data.

After setting an application-level email verification template, the tenant-level template is still being used. The application-level setting should be honored.

The standard first name field intended for use in user edit forms has an incorrect name in MySQL installations, which is preventing it from showing up in the user edit form

The webhook event log can return fewer records per page than requested with the Results per page dropdown, even when more results are available. Ensure that the number of results equals the requested number.

A nondescript error is returned when trying to save system settings via the FusionAuth admin application. It is still possible to update system settings using the API.

The simple theme editor's right-hand panel did not constrain content properly, allowing content to spill over the bottom border.

The confirmation page shown when users are completing verification and other workflows shows a FreeMarker error when some cookies are unavailable. This could happen when cookies are deleted by a user, removed by a proxy, or when running in an iframe.

When an OAuth workflow ends in redirecting with an error to a redirect_uri that contains query parameters, the resulting URL is being built incorrectly.

The SCIM ResourceTypes endpoint is returning resource type URLs with incorrect paths. The endpoint is returning a path prefix of /api/scim/v2/ when it should be /api/scim/resource/v2/.

Thanks to @runely !

The OAuth scopes consent form has text that cannot be localized. Hosted pages should be fully localizable for users.

When viewing user data in the Manage user view, a boolean value is always shown as -, regardless of its actual value.

Thanks to @rod-martens-alida !

The JWT populate lambda is not executed when a user is logged in using the login API, but only when that user does not have a registration for the application named in the API call. This could lead to inconsistent behavior between a login using the hosted OAuth pages and a login using the login API.

The PHP client library is not handling libcurl errors gracefully, making it difficult to troubleshoot integration problems when using this library. See the client library issue for more details.

When downloading login records from System -> Login Records , the exported file format contains a place for zip code, however the zip code values are not being populated in the export.

The POST /api/user/registration call is documented as returning a refreshTokenId, but this value is not being returned on the response.

Thanks to @cezarneaga !

When editing a user's password in the FusionAuth admin UI after a new hashing scheme is set on the tenant, the password is not re-hashed using the new scheme. The re-hashing occurs as expected on a login or when the user changes their own password.

The SCIM Groups API does not properly perform atomic updates to groups and members. This can lead to consistency issues when multiple SCIM update requests are simultaneously processed requiring membership changes.

In order to better protect 3rd party logins via SAML v2, OpenID Connect, and other 3rd party identity providers, a CSRF (cross site request forgery) token was added in version 1.47.0. This token was not being used when all identity providers configured for the requested client_id were also configured to use managed domains, and the authorize request also contained the idp_hint request parameter.

In this specific configuration, because the token was not being utilized, the login workflow would fail with the error The request origin could not be verified. Unable to complete this login request.

When using the hosted login pages, the end user is generally shown a checkbox named Keep me signed in, which indicates whether the user wishes to create an SSO session after logging in.

When using an external identity provider along with an idp_hint or login_hint parameter, a user may be taken directly to the identity provider, bypassing the page with this checkbox. In this case, the user will not have the option of making a choice to establish or not establish an SSO session.

This behavior has been improved in order to provide additional control on how the SSO session should be created.

FusionAuth will now use the following order of operations in this non-interactive workflow to decide if the SSO session should be created:

1. The user's previous selection, if available. This past choice will have been stored in an HTTP only cookie.
2. The optionally supplied rememberDevice query parameter.

In the event that the user has never seen the login page, the value of the rememberDevice query parameter will be the deciding factor. A value of true indicates that an SSO session should be created and a value of false indicates that an SSO session should not be created. If this parameter is omitted, the default behavior will be to create the SSO session.

For more information on using the idp_hint and login_hint parameters, see the Identity Providers Overview documentation.

When using the login validation lambda with a 3rd party identity provider such as OpenID Connect, when the validation lambda causes the login to fail, the end user will not see the specific error returned by the lambda. Instead the user will see the following generic error (unless this message has been modified in a theme):

A validation error occurred during the login attempt. An event log was created for the administrator to review.

The reason for this generic message is that in most cases if FusionAuth cannot complete a login request to a 3rd party we do not want to show the end user the technical reason. When a login validation lambda is the cause of the login failure, we do intend to the show the end user a more specific message. This issue has been corrected and if the login validation lambda was the cause of the failure, the event log is created when the identity provider has enabled debug.

The kickstart.success event may not fire correctly after Kickstart completes due to a timing issue when creating the webhook in your Kickstart definition.

Navigating to the System -> About page in the FusionAuth admin UI may fail to render if you start up without an internet connection.

Navigating to the System -> Webhook Log in the FusionAuth admin UI may display a general error and fail to return search results if there are any events of type user.login.failed displayed.

You may work around this issue by selecting a specific event type, or narrowing the scope of the results by using any of the additional search criteria found in the Advanced search controls.

A user may fail to enroll a new Passkey (WebAuthn credential) used for reauthentication during a login workflow. Previously configured Passkeys should continue to work as expected. This bug was introduced in version 1.53.0.

When using the start and end times in the Advanced search criteria in the Admin UI for the Audit Log, Event Log, and Login Records the selected values were incorrectly adjusted. This bug was introduced in version 1.52.0.

Thanks to @runely !

An SSO TTL of 0 seconds or a very small number may make it impossible to complete login using hosted login pages. To work around this issue in prior versions, increase the TTL to something larger than 0, ideally at least 30 seconds.

The potential for this issue has existed for some time, but some changes made in version 1.50.0 made it more likely for this to occur.

The SCIM Patch operation now properly handles removing multiple array elements, such as group memberships, in a single request.

Clicking the toggle checkbox element in the admin UI quickly caused the checkbox state to be inverted. This can be easily fixed by refreshing the page. You should now be able to click as fast as you want!

Attempting to sort API keys by key value in the admin UI by clicking the key value header resulted in an error.

Attempting to create a tenant-scoped API key with an invalid tenantId failed with a 500 status code. This error has been corrected, and an appropriate validation error is now returned.

The date picker used for birthdates and custom date fields was not styled correctly based upon the selected theme. The date picker has been changed to the browser-default date picker, which should work much better on mobile devices. This picker style will now be used in themed hosted login pages, as well as the admin UI for searching a date range or selecting a birthdate. This change should not affect any existing advanced theme that may still use the older style date picker. See theme upgrade notes for details on updating an existing advanced theme to use this new option.

Adding custom message keys to theme messages using the Admin UI failed to persist these changed messages. The UI for editing messages in the simple theme editor has also been improved to make it easier to understand which messages have been modified.

When the Browser preview button was used to open a new tab for simple themes in the Admin UI, the page would render without any applied CSS when using the Firefox browser. Sorry Firefox users, we ask for your forgiveness.

The default orderBy parameter value for the Group Member Search API did not provide a consistent ordering of results because the default sort was on insertInstant ASC which may not always be unique. This API is used by the SCIM Groups Resource API which then can cause inconsistent results for the SCIM client. The default orderBy is now set to insertInstant ASC, userId ASC, groupId ASC to ensure a consistent result between API calls.

When using the simple theme editor in the admin UI, the color picker did not always render next to the input field. The color picker will now always correctly render adjacent to the input field you select.

Newlines and tabs were not rendered when viewing audit entries in the view dialog from the admin UI. If you use new lines or tabs in your audit log messages, you may now enjoy viewing them in all their intended glory!

It sometimes required two Submit button clicks to exit interactive maintenance mode to upgrade your database schema. We are sorry if you had to click the Submit button twice.

For users in FusionAuth Cloud, attempting to save a Simple theme may result in an error.

Query parameter values containing an equals sign (=) were not parsed correctly. Typically, query parameter values URL encode equals signs as %3D, but since there are legal uses of the un-encoded character, we have added support for (=).

An HTTP request sent to FusionAuth with non-ASCII characters in request header values caused the request to be rejected and caused the connection to be closed without a response. Generally speaking values outside of the ASCII character set are not allowed, but in practice they may be used, and so these values are now treated as opaque and ignored by the HTTP request parser.

Fixed a typo on the Tenant edit page in the description of the user.password.reset.send event.

The SCIM API did not properly handle reading, creating, and updating groups with more than one hundred memberships. Responses containing groups with more than one hundred memberships only returned the first one hundred. Create and update operations only created or updated one hundred, deleting the remainder. This defect also caused the FusionAuth event for group.member.update and group.member.update.complete to contain the same truncated list of members.

In version 1.45.0 we added a hosted OAuth backend capability, allowing a developer to write a front end-only application, but still take advantage of an authorization code grant workflow by leveraging the backend provided by FusionAuth. Multi-segment domain suffixes (e.g. .co.uk) are not handled correctly by this hosted backend when setting the domain on cookies. Cookie domains are now set properly.

A SAML login request that is missing a Content-Type header yields a cryptic error message. A more meaningful error message is now provided. Additionally, sending a binding parameter would lead to an error message, when this parameter is not one we process. We now ignore this parameter if it is provided.

A SMS two factor messages template can be set at the Tenant level and should be overridable at the Application level. When a template is set at the Application level it is not being honored and the Tenant-level template is always used. Application overrides of SMS two-factor templates are now used correctly.

Fixes usability items related to the First Time Setup wizard (introduced in 1.50.0):

• Items related to the first time setup wizard were shown after upgrades, when the intent was to only show them for new installations. These are now only being shown for unconfigured FusionAuth instances.
• The First Time Setup summary page displayed sample configuration for various quickstarts. The configuration for the React quickstart corresponded to a previous version of the quickstart and was incompatible with the current version. The React quickstart configuration is now formatted for the current quickstart version.

The bcrypt algorithm now limits passwords to 50 characters. This restriction is due to limitations in the bcrypt algorithm. This limit will be enforced even when the tenant policy allows for a maximum password length greater than 50.

There are several scenarios where implicit email verification can occur. They are, during registration verification, password change, passwordless authentication, and MFA code validation. In these cases, a configured email verification email was not being sent, and the email verification event was not being generated. The email and event will both be triggered during implicit verification now.

Thanks to @ashutoshningot and @mou !

When configuring MFA for an application, the Trust policy selector was not shown when MFA is required for the application, but only shown when MFA enabled for optional use. The selector is now shown when the On login policy is set to either Enabled or Required.

When using FusionAuth behind a proxy, a missing X-Forwarded-Proto header could incorrectly cause a warning of a missing X-Forwarded-Port header. These warnings are now reported accurately. Additionally, FusionAuth will now be smarter about determining the forwarded port, taking it from one of multiple sources including X-Forwarded-Host, X-Forwarded-Port, or inferring it from X-Forwarded-Proto. This should make FusionAuth work with more proxies out of the box without additional configuration.

When authentication with an identity provider fails due to misconfiguration, and a user falls back to logging in with a username and password, the authenticationType reported by FusionAuth is for the original identity provider despite the user having logged in with a username and password. FusionAuth now correctly reports the authentication type as PASSWORD.

Thanks to @charlesericjs !

When configured to use an email verification strategy of Form Field without setting the unverified behavior to Gated the verification strategy was always functionally using Clickable Link which means the user would receive an email with a clickable URL instead of a short code.

With this fix, you may now use an unverified behavior of Allow with a verification strategy of Form Field. When you configure FusionAuth this way, it is assumed that you will be handling the verification process in your own application.

When using the Bulk User Import API /api/user/import the search index refresh interval is modified to improve performance. Specifically the index refresh_interval is set equal to -1. When this API is called in parallel, it is possible that this index setting is not reset and will stay configured as -1. The symptom of this error is that changes to the index are not reflected by the Search API and the search results may no longer be accurate.

When Advanced Threat Detection is enabled, an IP location database will be downloaded and used for IP address resolution. For these licensed customers, it is possible that a corrupted IP location database was downloaded and not correctly discarded and as a result the IP address location data may not be available.

You may have been impacted if you were using version 1.47.0 or later, between February 1st, 2024 and February 23rd, 2024. The observable symptom would be that your license status for the Advanced Threat Detection will show Pending instead of Active.

This condition has already been corrected for FusionAuth Cloud. If you are self-hosting FusionAuth, upgrading will correct this condition. If you have a support contract and believe you are currently in this state and are not able to upgrade, please reach out to support for assistance.

Previously, an incorrectly formatted SAML request could cause excessive CPU load.

The default permissions in AWS RDS PostgreSQL version 15.2 caused the initial configuration of FusionAuth to fail to create the tables required to complete the initial configuration. The required permissions are now being explicitly granted, and the errors reported back to the user have been improved.

If a user starts a Forgot Password flow, and clicks on a change password link in an email after the link has expired, the redirect back to the original Forgot Password form will not include the locale parameter. This fix ensures that a locale parameter, when present in the change password link, is preserved through this workflow and allows for localization to remain consistent.

When setting up a Facebook IdP, an option was provided in the admin UI to select Use vendor JavaScript as a Login method. This option is not applicable and has been removed.

Fixed the SCIM filter when filtering on userName eq {username} to always return a single result.

The LinkedIn APIs have changed, and the LinkedIn IdP no longer worked for new LinkedIn applications. This update allows FusionAuth to work with new and legacy LinkedIn applications.

The FusionAuth TypeScript client library was incorrectly encoding arrays values into query parameters. This bug was preventing a few specific search queries from working correctly.

When using MySQL, the default Admin user form was missing the First name field. The field could be added to the form, but was missing in the default version.

When an invalid Tenant Id was provided on the .well-known/openid-configuration the default configuration was returned. This has been updated to return a 404 status code.

When creating a User with a group membership with a specified member Id that was already in use, the requested completed w/out a validation error and the membership was ignored. The API now correctly validates this condition and will return a 400 and a JSON response.

When retrieving all refresh tokens for a user, the response may contain the user's SSO token. The SSO token can be identified because it does not contain an applicationId and it may not be refreshed. Validation has been improved when using the Refresh Grant, or the Refresh API to ensure FusionAuth correctly fails indicating the token is invalid and may not be refreshed.

A regression was introduced in version 1.47.0 to the Change Password themed page. The issue is that the passwordValidationRules variable may be null on the first render. If you had been referencing this field in your template, the render may fail.

The Identity Provider Link API states that a token parameter can be accepted during a create. When provided, the token was not being persisted on the link.

Fixed the "Getting Started" link found in the index page in the default theme.

When viewing a User's Consents in the FusionAuth admin UI, if one or more of the consents have been granted by another user that is not a member of their family, an error is shown in the Given by column.

When you have configured the JWT signing key with the ES512 algorithm, the generated signature may be intermittently invalid. This means that JWTs may seemingly fail to validate randomly and you may think you are crazy. You are not crazy. If you are using this signing algorithm, it is recommended you use a different algorithm until you are able to upgrade.

SCIM PATCH requests may fail to parse if an op path value contains a named schema containing a . (dot). This parsing error has been corrected.

For example: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department

When an SCIM create or update request contains schemas for which no properties exist, subsequent PATCH requests to those schema namespaces may fail.

For example, if the initial request contains a schema urn:ietf:params:scim:schemas:extension:enterprise:2.0:User without any properties, the default lambda function used to map this request to FusionAuth was not persisting this schema namespace. Then a subsequent PATCH request to add a member to that namespace such as urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department would fail.

The default SCIM request converter (Lambda function) has been updated to correct this behavior.

Updated the refresh token TTL when using the sliding window with a maximum lifetime JWT Expiration Policy. The symptom of this bug is that a refresh token will expire before the maximum configured lifetime.

When paging beyond 10,000 in the FusionAuth admin UI for Users or Entities, the bottom set of pagination controls may not work. If you encounter an error when clicking on the pagination controls, use the top set of controls instead. This bug is specific to the new pagination introduced in version 1.48.0.

In some cases when using with FusionAuth-hosted pages in an non-secure context, such as accessing FusionAuth on localhost, the PublicKeyCredential JavaScript API will not be available. This may cause an error on your JavaScript console PublicKeyCredential is not defined. This error kept the form on the page from correctly submitting.

In version 1.48.0, a change was made to reject a link request from an OpenID Connect IdP when the email_verified claim is supplied with a value of false. An assumption was made that the email and email_verified claims would both be present in the Userinfo response or the id_token. Some providers may split these claims, so this assumption has been removed.

Enhanced the widget used in multi-value select controls to accept a value when pasting. For example, you may now paste a value from the clipboard directly into the Authorized redirect URLs field. While previously the paste operation worked, the user would have to click the value to confirm. If you clicked off of the field, the value would not be saved.

Corrected the error message when a user has enabled MFA and a webhook returns a non-200 status code for the user.login.success event. The message will now correctly indicate the webhook has failed instead of the previously incorrect error indicating an invalid token was used.

When viewing an Email Template in the FusionAuth admin UI, two dialogs open instead of one. This was the result of two event handlers being bound instead of one.

When using the asynchronous tenant delete, it is possible for the delete job to fail if the system is under heavy load. When this occurs the delete job status may not be correctly updated and you are stuck in a Deleting state. The asynchronous job processor has been enhanced to account for this potential failure condition so the job can be correctly restarted if necessary.

Corrected a potential race condition that could cause a request to the /.well-known/jwks.json endpoint to exception and return a 500 status code when under heavy load.

The Lambda metrics introduced in version 1.47.0 may not always correctly increment the failed count when a lambda invocation failed. This affects the lambda.[*].failures and lambda.[{webhookId}].failures metric names.

When using the PATCH method on the Tenant API, if you previously had any explicit webhooks configured for this tenant, the association between the tenant and the webhook was lost. If you are not using webhooks, or all of your webhooks are configured for All tenants (webhook.global), this bug would not affect you.

Improved the validation for the Entity API to correctly validate the type.id value. Because this value was not being correctly validated, it means the API caller may receive a 500 status code instead of a 400 with a developer friendly JSON response body to indicate how the input can be corrected.

A critical bug was identified that caused FusionAuth to incorrectly identify users eligible for deletion based upon the tenant policy to delete users with an unverified email address. Until you have upgraded to version 1.48.0 please disable Delete unverified users if you currently have enabled Email verification, Verify email when changed and Delete unverified users.

A bug was identified that affected several APIs when using the PATCH method with fields that require custom deserializers in FusionAuth. Affected APIs included Application, Connector, Message Template and Identity Provider. The symptom you will observe is a failed request with a 500 status code.

When using PostgreSQL, under heavy load, a potential deadlock conditions exists when attempting to write login metrics to the database. MySQL database was not affected by this bug. If you were to encounter this bug you may observe some exceptions in the log related to the LoginQueue.

Fixed a JavaScript error that was preventing Audit Log searches by user from returning results.

Resolved an issue where users could not enable two-factor authentication during authentication when they were not registered for the application.

Thanks to @wproffitt-elder !

When using the Refresh Token API, un-expired SSO sessions may be incorrectly omitted from the API response. The result of this bug is that an active SSO session may not be displayed in the FusionAuth admin UI. This has now been corrected, and the FusionAuth admin UI and the Refresh Token API will correctly return all valid SSO sessions.

If the search.servers configuration value was not added to the fusionauth.properties configuration file, and you omit the SEARCH_SERVERS environment value, FusionAuth would fail to start. The correct behavior is for FusionAuth to default to http://localhost:9021.

Resolved a bug in the multipart/form-data parser that may cause elevated CPU usage in some specific cases.

A bug was identified in a change made in version 1.48.0 that may affect performance for those with > 1M users.

Revert the GC (garbage collection) logging change introduced in version 1.47.0 for compatibility with the FusionAuth Docker image.

Thanks to @pigletto and @patricknwn !

Fixed handling of truncated or malformed oauth_context request parameters when using the hosted login pages.

Ensure a signed AuthN request always has the Signature element as the next sibling after the Issuer element. This bug may cause some SAML v2 services provides to reject the signature of an AuthN request sent from FusionAuth.

Upgraded phone number validation to include the Kosovo country code of +383 as well as various other country codes.

Defend against corporate link "checkers" such as Outlook Safe Links and Google Workspace during the Change Password email workflow. This fix resolves a specific symptom that may occur when a link sent to a user during a change password workflow and the user has multi-factor authentication enabled. The symptom the end user may encounter is that multiple codes may be sent to the user during this workflow. When the two-factor method is email, multiple emails may be received, and when two-factor method is SMS, multiple SMS messages may be received. The cause of this symptom is that the link is being inspected by an intermediate party prior to the user's browser loading the link which functionally means the request is made more than once.

Improved locale validation, and restrict the number of preferred languages per user to 20. This should not have any practical impact on users of FusionAuth, but it will better protect FusionAuth from storing erroneous values for the user's preferred languages.

Improved username validation. This length limitation was already enforced by the schema, but the error message was not developer friendly. This change will add a proper validation error in the API response.

Updated the Tenant view dialog in the admin UI to reflect the changes made to the /.well-known/openid-configuration endpoint in version 1.46.0. This is a cosmetic change only, and does not include any functional fixes.

Fixed Tenant select control on Group index page in the admin UI when only a single tenant is configured. This is just a cosmetic fix to how the form was being rendered.

Reduced Kafka logging. So noisy.

Protected the Kafka event sender from sending events related to it's own failure. This protects us from overloading the Kafka topic.

Fixed the user.registration.update.complete event to include the updates roles if applicable.

Thanks to @sjswami !

Improved defense against truncated oauth_context request parameters. This parameter is passed around during various OAuth2 workflows to maintain context. This changes allows FusionAuth to fail more gracefully if this is value is intentionally or un-intentionally modified by a 3rd party.

Enabled queries of the username and fullName fields using the .exact suffix on these fields which does an exact match.

Thanks to @patrickvalle !

Corrected an edge case that exists where an event-log.create event fails to be sent to a Kafka topic, and this error causes another event-log.create event to be triggered.

Limited the length of a valid value for user.preferredLanguages and registration.preferredLanguages to a maximum of 24 characters, and restrict the total number of values to 20 or less.

Always send email verification on user email change when configured for user self-service

Resolved a JavaScript bug when enabling MFA during login. The bug caused an error to be written to the JavaScript console, but no functional errors occurred.

When the user.login.success is configured to be transactional and the webhook returns a non 200 status code when the event is fired during the final step of the change password workflow, the failed webhook may not fail the login attempt.

When enabling IdP initiated login on a SAMLv2 IdP, the base ACS URL is hidden in the view dialog

When an applicationId is provided on a Two Factor Start or Send APIs, the application variable may not available in the email template.

APIs that optionally take a sourceId to indicate you wish to copy will now fail validation if you provide additional parameters in the body that will otherwise be ignored.

Thanks to @Pycnomerus !

When adding a user to multiple Groups using the /api/group/member API, the request may fail. Fixed.

When using a wildcard for authorized origin URL, you may receive an invalid origin error. Fixed.

Thanks to @beezerk23 !

Ensured that the memory value for fusionauth-app.memory set in the fusionauth.properties file is always set correctly.

When using custom data with nested values such as user.data.company.name and user.data.company.id in an Advanced Registration form the nested values may not be properly persisted. Fixed.

Using the admin UI to update an IdP with over 6k applications the request may cause a database error. Fixed.

Added index entity_user_grants to increase SELECT performance

When using the validateJWT method in the FusionAuth Java REST Client, the exp or iat claims may have the incorrect precision.

Added missing endpoints to the OpenAPI spec.

A change in behavior was introduced in version 1.41.0 that may cause an error when accessing FusionAuth in Docker. The change was how the Host header was being parsed to pick up the local port.

Thanks to @MarekUniq and @java-http !

The user.create.complete and user.registration.create.complete events may be sent before the transaction has closed during IdP Login.

Corrected the internal authentication to receive an internal webhook between FusionAuth service nodes. If you encounter this error, you may see errors in the event log that mention returned response code [401] when sending [JWTRefreshTokenRevoke] event. This error was introduced in version 1.37.0 and the error only occurs when you have more than one FusionAuth service node.

When you have enabled Implicit Email Verification, when completing a Multi-Factor login, a user.email.verified event may be sent even if the user has already verified their email address.

When the user.reactivate event is configured to be transactional and the webhook returns a non 200 status code, the transaction may not be correctly rolled back.

When making a request to the self-service pages, such as /account/ ensure any additional query parameters are preserved through a login workflow.

When the user.create event is configured to be transactional, ensure the Setup Password email is not sent if a user.create webhook returns a non 200 status code.

When using the Device Grant with the /oauth2/device themed page, you may be shown a Logout button if an SSO session exists during this workflow. Clicking this button will log the user out of the SSO session and return to this page. This fixes the logout link so that you do not receive an error when returning to the /oauth2/device page. A workaround is documented in the linked GitHub issue.

Update fusionauth/java-http to the most recent version to pick up a bug fix.

This fixed a very low level HTTP server bug. In some rare cases, the HTTP response handler may not identify the end of the stream and effectively truncate the response body. It is difficult to say how may affect your integration if you were to encounter it. If you were to make an API call with a large response body, it may be possible the response would not include a valid JSON object if the response is truncated. When this error occurs, the HTTP status code will be valid, but the response will be truncated or non-existent.

Access token signing keys specific to an entity type may revert to the tenant configuration after upgrading to this version.

It is recommended to upgrade to this version at a minimum if you are coming from a version prior to version 1.45.0. For more information on this issue, see the Known Issues in the 1.45.0 release notes.

Added support for wildcard configuration when using post_logout_redirect_uri parameter on the OAuth2 Logout request.

Fixed salt validation for the phpass-md5 or phpass-sha512. This will allow the import of users with this password hash when the salt includes a . (period) character.

Added validation for the length of an entity name in order to provide a more friendly validation error message.

Updated to the OpenAPI spec to correct an error related to BaseSAMLv2IdentityProvider.

Reviewed and corrected tooltips in the admin UI for Application specific email templates.

A Lambda invocation may incorrectly fail indicating a recursive call was attempted. This is unlikely to occur, but under heavy load, it is possible.

The Application API was failing to make a copy when using sourceApplicationId when the source Application has enabled and configured the SAML v2 IdP. This is a bug in a new feature that was added in version 1.43.0.

Corrected a potential FreeMarker render error caused by a missing CSRF token when performing an SAML v2 IdP initiated login to the FusionAuth admin UI. This error is a side effect of the caller not requesting the scope=offline_access parameter. With this fix, you should no longer encounter the error, and the offline_access scope is now optional on the request. To work around this issue, request the offline_access scope.

When using the Forgot Password workflow on the FusionAuth login page with a user without an email address, the page would refresh instead of redirecting to the success screen indicating an email had been sent.

Thanks to @epbensimpson !

The Change Password API was incorrectly failing, indicating a Trust Token was required, even when provided if the user has MFA enabled.

Thanks to @timyourivh !

Ensured that we correctly terminate an SSO session when beginning a new passwordless login flow with a different user in the same browser.

Fixed various limitations with adding a consent to a self-service account form.

Thanks to @epbensimpson !

Fixed an error that may occur when logging into the FusionAuth admin UI with an IdP initiated request from a SAML v2 IdP.

Thanks to @jon-at-advarra !

Fixed an error that may occur when logging into the FusionAuth admin UI with an IdP initiated request from a SAML v2 IdP and then navigating to your own profile page.

Thanks to @jon-at-advarra !

Fixed an error where, when taking a User Action, the duration is localized for the event. The localization is only available for a fixed number of locales. When an unsupported locale, such as Serbian is requested, an exception will occur. This has been fixed to avoid the exception, and if an unsupported Locale is requested, English will be used as the default.

Fixed an error where, when sending a test event to verify the Kafka configuration, the topic was not being validated as required.

Thanks to @sixhobbits !

Fixed an error where, when completing the forgot password workflow using the FusionAuth themed pages outside of an OAuth context, you may receive an error that says Oops. It looks like you've gotten here by accident..

Updated the Email Template preview in the view dialog to be consistent with the preview in the edit page.

Thanks to @lancegliser !

Restricted the Two Factor Trust during a Change Password request to be used for the workflow that started the request.

Fixed the edit Form Field in the FusionAuth admin UI for a consent field.

Using password reset to unlock account may not work when MFA is enabled for the user.

Since: 1.42.0

A regression error in version 1.42.0 may cause a user to no longer be able to login after a successful login. In order to encounter this bug, you must have your tenant configured to re-hash passwords on login, and have a user login when their password encryption scheme or factor that does not match the configured tenant defaults. If you may have this type of configuration, please do not upgrade to version 1.42.0 and instead upgrade directly to this version.

Since: 1.42.0

Minor WebAuthn related fixes.

When providing both the entityId and userId on the Entity Search API, an exception will occur.

Removed SCIM endpoints from the API key configuration in the admin UI, these endpoints do not use API keys.

Fixed various rendering issues with the Theme preview in the admin UI

Thanks to @Steve-MP !

Enabled licensed features such as SCIM or WebAuthn to be configured during kickstart.

Improved synchronization of a user during a connector login. Specifically, allow previously obtained refresh tokens to be preserved during the user update procedures during a connector synchronization event.

Thanks to @yuezhou1998 !

Allowed for invalid language values to be provided in the Accept-Language HTTP request header. When an invalid language is provided, the Accept-Language header will be discarded.

Improved support for starting a forgot password workflow using the API and completing the workflow in a themed page when a user also has 2FA enabled.

Corrected signature verification of a SAML v2 AuthN response after the certificate has been removed from Key Master.

Fixed an issue where, when requesting keys by an applicationId, an exception may be thrown when there are no keys to be returned from the /api/jwt/public-key.

Fixed an issue where, SSO logout in Firefox may result in downloading a zero byte file.

Fixed an issue where, when multiple webhooks are configured, and more than one webhook is configured to receive the event-log.create event, a failed webhook may cause an event loop.

Corrected de-serialization of the userType and title fields in a SCIM resource.

Fixed an issue where a two-factor trust may expire early causing a user to be prompted to complete two-factor during login.

Since: 1.37.0

Fixed an issue where a SAML v2 IdP Initiated login request will fail if PKCE is configured as required.

Fixed an issue where the path attribute in some cookies may be set to the request path instead of / which may affect a SAML v2 IdP initiated login request.

Fixed an issue where an exception could occur when you attempt to perform a PATCH request on a Group using a roleId that does not exist.

Added URL escapes to the identityProviderUser in the admin UI to correctly build the View and Delete actions links.

Thanks to @epbensimpson !

Fixed an issue where, when appending the locale request parameter on the Authorize request to pre-select the user's locale, the locale could be incorrect for validation errors. For example, appending locale=fr will allow the initial render of the page to be localized in French when available. However, because the user did not manually modify the locale selector on the page, if the login fails due to a validation error, the error messages will be returned in the default locale which is generally English.

Group application roles removed during a PATCH request to the Group API.

Thanks to @paul-fink-silvacom !

Corrected the following issues with SAML v2 SP and IdP metadata:

• The HTTP scheme was missing from the entityID. This issue was introduced in version 1.37.0.
• The NameIdFormat found in the SP meta data was always showing urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress regardless of the value configured in the SAML v2 IdP.

Fixed an issue that could lead to an exception in the FusionAuth system logs when the internal login record service runs. Only seen in instances with very large login volumes.

Fixed an issue that could cause the Elasticsearch index to drift out of sync with group memberships when deleting groups or group members.

Added missing support for en_GB time and data format support in the FusionAuth admin UI when setting your preferred locale to en_GB. It wasn't our intention to force our friends in the United Kingdom 🇬🇧 to painfully read dates and times in the American 🇺🇸 format. Please accept our apologies. 😎

Thanks to @adambowen !

Fixed an issue where static resources such as CSS and JS could lack a Content-Type header, which may cause a proxy using X-Content-Type-Options: nosniff to fail to load the resource.

Since: 1.37.0

Thanks to @singinc and @Aaron-Ritter !

Fixed a potential error issue caused by a webhook handler calling back to FusionAuth which may trigger another webhook event. This fix should also improve the performance when sending many events for webhooks.

Corrected behavior during login when both self-service registration and require registration features are enabled. This configuration may cause a user to be directed to the registration required page during login instead of being registered automatically. If you encounter this error, you may either upgrade or disable the require registration configuration.

Since: 1.36.5

Removed dead Tomcat files from Docker image. No cats were harmed in the making of this fix.

Thanks to @kevcube !

Fixed an issue that caused HTTP request headers to be malformed when being sent to a Webhook, Generic Messenger or a Generic Connector.

Since: 1.37.0

Resolved an exception that could occur while trying to capture the debug log event during an authentication request using a Connector.

Fixed an issue where a User Action configured to email a user on Failed Login would not send the email as intended.

Fixed an issue where Kickstart failed because it does not wait for FusionAuth to complete startup.

Fixed an issue where creating an application in the Admin UI could fail due to a licensing error if you do not have an Enterprise license.

Add the appropriate feedback to the users when attempting to change an email during a gated email verification that is already in-use.

Correct the validation when deleting a key from Key Master when in use by a de-activated application.

Perform implicit email verification when enabled and a setup password email request is completed.

Handle URL encoded characters in the user-information part of the URL when connecting to Elasticsearch.

When using the Change Password workflow in the hosted login pages for a user that has enabled 2FA, adding the OAuth2 parameters found in the state resolves an error when the user completes the workflow.

The Refresh Token retrieve API and the Session tab in admin UI will no longer show expired refresh tokens.

Fix Lambda JS validation when using ES6 features with the GraalJS engine.

Thanks to @theogravity !

Fixed the placeholder text in the entity grants search field.

Corrected the SCIM HTTP response code when a new resource was created to be 201.

Corrected the SCIM HTTP response code when a duplicate resource was attempted to be created to be 409.

Fixed an issue where the initial "start" phase of a user action triggered by a failed login configuration was not sent.

Fixed an issue where FusionAuth failed to complete the logout request when a SAML v2 SP used an HTTP redirect binding.

Fixed a timing issue where under the load of creating logins and deleting applications programmatically, a login record got stuck in the queue.

Corrected the Content-Type HTTP response header returned from the SCIM endpoints.

Fixed an issue where a user was able to login successfully after being rate limited, but prior to the end of the configured time period.

Fixed an issue when using a JWT Populate lambda and modifying the default value of the aud claim to be an array instead of a string value.

Fixed a UI bug that caused the application column to show "Single sign-on" instead of the Application name in the Session tab.

Fixed an issue where a user was not routed to the Complete Registration step correctly after completing the Two-Factor challenge.

Thanks to @chimericdream !

Fixed an issue where the displayName property on the Link a User API was ignored.

Since: 1.36.0

Fixed an issue where a 3rd party Web Application Firewall such as CloudFlare injected JavaScript into the head element.

Thanks to @atakane !

Identified and resolved an additional edge case regarding the auth_time claim precision fix.

Since: 1.36.2

Fixed an issue where selecting an entity in a tenant other than the user's tenant caused an exception when building an entity grant in the UI.

Fixed an issue where creating an empty directory in the FusionAuth plugin directory caused the legitimate plugin jar to fail to load.

Fixed an issue where expected permissions were not returned as part of the access token claims when using the Client Credentials Grant.

Fixed an issue where 3rd party libraries validating the id_token incorrectly identified it as expired due to auth_time claim precision loss.

Fixed an issue where the requested AssertionConsumerServiceURL in a SAML v2 AuthNRequest was ignored.

Thanks to @pakomp !

Removed the limitation where Entities did not support the use of : in the permission name.

Thanks to @matthewhartstonge !

Fixed an issue where an application role was not immediately available to assign to a user after initial creation.

Fixed an issue where the Password Grant response was missing the Two Factor Method Ids when a Two-Factor challenge was required.

Fixed an issue where the Tenant edit and add panel displayed Webhook events that were not configured at the Tenant level.

Fixed an issue where FusionAuth failed to start on Windows when using the startup.bat script.

Thanks to @James-M-Oswald !

Enhanced email validation to prevent obviously incorrect emails from being used during self-service user registration.

Thanks to @pablomadrigal !

Fixed an issue where ECMA 6 features such as const or let could not be used with the GraalJS Lambda engine.

Fixed a timing issue with Connectors that caused a login to fail.

Fixed an issue where the Tenant View dialog showed the incorrect Event transaction setting for a Tenant created via the API.

Fixed an issue where the resulting id_token was signed with the key configured for the access_token when the openid scope was used.

Ignored read-only directories inside of the configured plugin directory instead of throwing an exception.

Fixed an issue where the FastPath install failed to download Java on Windows when using the startup.bat script.

Thanks to @gkrothammer !

Fixed an issue where using the Identity Provider Link API with multiple tenants failed unless the tenant Id was specified.

Fixed an issue where self-service registration failed to validate an email address beginning with @.

Thanks to @pablomadrigal !

Fixed an issue where using the Passwordless API failed if OAuth2 state parameters were omitted and the user was not registered.

Fixed an exception that caused SAML v2 Logins to FusionAuth to fail.

Thanks to @kristianvld !

Fixed an issue where the FastPath install failed to download Java due to missing redirect support in curl.

Ensured proper handling of Login records containing more than one IP address from the X-Forwarded-For header.

Fixed an issue where the Login with Apple button failed on Safari iOS 12.

Fixed pagination resets in the Event Log, Audit Log, and Login Records search feature.

Ensured Group Membership was preserved after the first login request when using a Connector without migration.

Fixed an issue where the jwt.refresh-token.revoke event was not sent during a request to the Logout API.

Thanks to @TimVanHerwijnen !

Fixed display issues for consents during the complete registration step.

Provided better support for user.birthDate when using Advanced self-service registration with Family child registration.

Fixed an issue where the order of multiple preferred languages was not preserved.

Fixed a potential memory leak in the Email services.

Fixed an issue where the parentEmail field was not properly updated in the search index during a Family workflow.

Fixed unexpected validation errors when transitioning from Basic to Advanced Self-Service registration.

Fixed edge cases where a tenant got stuck in the Pending Delete state.

Fixed an issue where Identity Provider Reconcile Lambdas were invoked more than once, potentially modifying or losing User registration data.

Thanks to @Oceanswave !

Fixed a missing Java module in the 1.32.0 Docker image that caused startup failures.

Fixed an issue where global and application registration count rollups failed when using PostgreSQL.

Fixed an issue where the Development Reset feature failed when a specific theme was configured.

Fixed an exception that occurred when requiring a birthdate and a parent email on a self-service registration form.

Improved locale handling to support locales beyond ISO 639 (e.g., es_419, aghem).

Fixed an issue where disabling webhooks from the tenant configuration table header did not work.

Fixed general message template issues when previewing templates or localized versions.

Corrected length validation for API keys created via Kickstart.

Thanks to @miaucl !

Allowed theme customization for the error message returned when a webhook failed during Self-Service Registration.

Fixed an issue where the Theme preview failed to render the Account Edit page for Self-Service forms.

Fixed the inability to delete an email template when it was not assigned to a Consent.

Fixed a timing issue when registering a user immediately after creating a new Application role.

Since: 1.30.2

Thanks to @johnmaia !

Fixed an infinite redirect loop caused by using an expired Passwordless link.

Since: 1.27.0

Thanks to @rscheuermann !

Added missing validation to ensure the User existed by Id on the Registration API.

Ensured Blocked domain configurations were preserved when copying a Tenant in the admin UI.

Ensured the resulting JWT contained the aud claim when using the OAuth2 Password grant with client_id in the HTTP Basic Authorization header.

Fixed a database foreign key violation in the Registration Count aggregation service if a Tenant was deleted before the aggregator ran.

Since: 1.30.2

Fixed QR code rendering failures for Two-Factor authentication when the encoded string length was between 192 and 220 characters.

Ensured roles assigned by Group membership were returned when users were also explicitly assigned roles.

Since: 1.30.2

Fixed an issue where the Setup Password email template included an erroneous client_id when used via the User Registration API.

Fixed a signature validation failure when a SAML v2 SP used lower case percent encoding in the query string.

Thanks to the engineering team at HAProxy for the assist!

Fixed an exception occurring when logging in with an anonymous user from an IdP that had its linking strategy changed.

Fixed a FreeMarker exception that prevented the view dialog for a SAML v2 IdP Initiated configuration from completely rendering.

Fixed an issue where activating FusionAuth Reactor via Kickstart with CAPTCHA enabled prevented login until Threat Detection came online.

Fixed the .NET client library's handling of exp and other JWT timestamp values.

Thanks to @RyanDennis2018 !

Fixed an exception when duplicating an Application that had SAML v2 configured but not enabled.

Since: 1.28.0

Fixed a regression where updating a connector added an additional * domain configuration.

Fixed the inability to specify a certain Id when generating an RSA Key.

Fixed an issue where users got stuck in the Setup Wizard if advanced threat detection was enabled via kickstart.

Fixed the inability to delete entries from an access control list using the admin UI.

Since: 1.30.0

Restored default lambdas in Kickstart environment variables (regression introduced in 1.30.0).

Ensured complete event payloads for user deactivations initiated via the admin UI.

Fixed a NullPointerException occurring during an upgrade if Kickstart, maintenance mode, and default tenant Id modification coincided.

Fixed an issue where the IP address was missing from login records in certain circumstances.

Fixed NumberFormatExceptions caused by IPv6 addresses.

Fixed CAPTCHA functionality on the email verification required page.

Fixed rendering of the passwordValidationRules object on the register page in theme preview.

Fixed an empty value in the User search widget if the user lacked a name.