Release Notes

Fixed

• API validation fails on the Audit Log API when a JSON body is omitted from the HTTP request.

  • Resolves GitHub Issue #605

• Fixing a bug that prevents the Kafka integration from working correctly.

  • Resolves GitHub Issue #649, thanks to @joydeb28 for reporting and for the persistence!

• When selecting an Application in the user search controls in the UI an invalid Elasticsearch query causes an error on Elasticsearch version 7.7.0. The query seems to be working on versions 6.3.1, 6.8.1, and 7.6.1, as far as we can tell it only fails on the most recent versions of Elasticsearch.

  • Resolves GitHub Issue #710

Enhancement

• Add a return to login link to the default templates for Passwordless, Register, Forgot, and Password Sent.

  • Resolves GitHub Issue #666, thanks to @soullivaneuh for the request!

Fixed

• A JavaScript bug caused the device verification URL field to toggle to hidden when any grant was enabled or disabled in the UI. This is primarily a cosmetic issue, if you encounter it you may simply refresh the page.

  • Resolves GitHub Issue #692

• The Search API performs a validation step when using Elasticsearch, and if Elasticsearch returns valid: false we fail the request. We are now always including the explanation from the Elasticsearch response in our error message on the API to assist the developer to understand why the requested query is considered invalid.

  • Resolves GitHub Issue #697

• The Apple Service Id override that can be provided per application was not being used, instead the global value was utilized.

  • Resolves GitHub Issue #703, thanks to @ulybu for letting us know!

Enhancement

• When configuring an OpenID Connect Identity Provider, the claim that contains the user’s email address may now be modified. This allows the OpenID Connect Identity Provider to be more flexible when configured with non-standard OpenID Connect providers or other OAuth2 providers such as LinkedIn.

Fixed

• When using parent, child and few other references in an email template, the validation step may fail unless you provide a null safe usage.

  • Resolves GitHub Issue #685

Fixed

• In version 1.17.0 Key Master supports importing a standalone private key. If you attempt this request in the UI with an RSA private key an error will occur.

  • Resolves GitHub Issue #665, thanks to @mgetka who is quickly becoming one of our FusionAuth MVPs!

• When using an expired Forgot Password link if you have not added the client_id to the URL in the email template you will see an unexpected error when you attempt to begin the process again by entering your email address. You may also experience this error if you are sending users directly to /oauth2/forgot instead of the user clicking the link during an OAuth2 workflow.

  • Resolves GitHub Issue #671, thanks to @maurobennici for reporting!

Changed

• All Identity Provider configurations that did not have a lambda configured for User reconcile have been migrated to utilize a lambda to extract all optional user details from the IdP response. This allows you to have complete control over how these configurations work and what information is set or written to the user object during login. The business logic has not changed, but it has been moved from an internal FusionAuth service to a Lambda that can be modified. The following Identity Providers are affected:

  • All Facebook, Google and Twitter Identity Provider configurations

  • OpenID Connect and SAML v2 Identity Provider configurations without a configured lambda.

• OpenID Connect and SAML v2 Identity Providers that were already configured with a lambda may require some manual migration. The claims that were mapped into the User by FusionAuth prior to this version have been moved into a lambda so they may be modified. For each of your OpenID Connect or SAML v2 Identity Provider configurations that already had a Lambda configured for User reconcile, please review to ensure all of the claims you desire are handled by your lambda.

• For OpenID Connect Identity Provider configurations, review the new Lambda named Default OpenID Connect Reconcile provided by FusionAuth. Optionally copy any of the code you’d like to have executed into your configured Lambda and then test your integration. Specifically, the registered claims given_name, middle_name, family_name, name, picture, phone_number, birthdate, locale and preferred_username are now managed by the Lambda. If you would like these claims reconciled to the FusionAuth user, review the referenced Lambda function.

• For SAML v2 Identity Provider configurations, review the new Lambda named Default SAML v2 Reconcile provided by FusionAuth. Optionally copy any of the code you’d like to have executed into your configured Lambda and then test your integration. Specifically, the SAML claims for dateofbirth, givenname, surname, name, and mobilephone are now managed by the Lambda. If you would like these SAML claims reconciled to the FusionAuth user, review the referenced Lambda function.

New

• Sign in with Apple. A new Identity Provider of type Apple is now available to enable Sign in with Apple support.

  • Resolves GitHub Issue #336

  • See the Apple Identity Provider for additional details

• One time Use Refresh Tokens. A one time use refresh token means that each the time the refresh token is used to get a new access token (JWT) a new refresh token is returned. This feature must be enabled at the tenant level, and can optionally be overridden by the Application JWT configuration.

  • Resolves GitHub Issue #394

• Sliding Window Refresh Token Expiration. By default the expiration of a refresh token is calculated from the time it was originally issued. Beginning in this release you may optionally configure the refresh token expiration to be based upon a sliding window. A sliding window expiration means that the expiration is calculated from the last time the refresh token was used. This expiration policy means that if you are using refresh tokens to maintain a user session, the session can be maintained as long as the user remains active. This expiration policy must be enabled at the tenant level, and may optionally be overridden by the Application JWT configuration.

• Facebook, Google, HYPR and Twitter Identity Providers may be assigned a User Reconcile Lambda.

  • Previously the user reconcile logic was built into FusionAuth. Now the User reconcile logic has been moved to a lambda to provide additional control over attributes are extracted from the Identity Provider response and set into the FusionAuth user.

Enhanced

• Some development and possibly runtime errors that are used during external logins such as Facebook were not localized. These values may not be localized in your theme configuration.

  • Resolves GitHub Issue #535, thanks to @mgetka for raising the issue.

• Large cookies may cause the default maximum header size of 8k to be exceeded. When this occurs the request will fail and you may see an exception with a 400 status code indicating java.lang.IllegalArgumentException: Request header is too large.

  • This value may now be modified via configuration. See the Configuration reference or additional information.

  • Resolves GitHub Issue #608, thanks to @shortstack for letting us know, providing great debug and confirming the fix.

• When a user is registered, a refresh token will not be returned. This makes this API response consistent with the User Create API.

  • Resolves GitHub Issue #626, thanks to @LohithBlaze for reporting and suggesting the change.

• When configuring a SAML v2 Identity Provider, a warning will be added to the Identity Provider index page if the CORS configuration is not adequate to allow the login request to complete. The configuration will generally require a POST request from a particular origin be allowed through the CORS filter.

  • This should help reduce CORS configuration issues causing a 403 during integration testing.

  • Resolves GitHub Issue #641

Fixed

• When importing a key using Key Master in the admin UI, when a key with an invalid length is imported the error was not being displayed.

  • Resolves GitHub Issue #587

• The hosted FusionAuth log page may fail to function properly after the user changes the locale using the locale selector on the themed page. Specifically, once you add more than one language to your theme, and the user continues past the first login panel to a subsequent themed page, if the user switches the locale the context will be lost and the user will see an OAuth error.

  • Resolves GitHub Issue #623, thanks to @flangfeldt and @yrammos for reporting.

• A non POSIX compliant function definition in setenv.sh caused FusionAuth to fail to start on Ubuntu 18.04.4 and 20.04 (possibly others). This could be on any Linux distribution that sym-links /bin/sh to dash which is a POSIX compliant shell. This was introduced in version 1.16.0.

  • Resolves GitHub Issue #645, thanks to @s-vlade and @yrammos for letting us know.

• When using the Facebook IdP and specifying picture as one of the requested fields an error occurs during the User reconcile process which causes the login to fail. If you encounter this issue, the work around is to remove picture from the field configuration, even with this change you will still get the picture back from Facebook as FusionAuth makes a second call to the Me Picture API.

  • Resolves GitHub Issue #648, thanks to @thekoding for reporting and helping us track down the issue.

Fixed

• When attempting to utilize a silent configuration to configure the database schema without using Elasticsearch, FusionAuth would enter maintenance mode.

  • Resolves GitHub Issue #618, thanks to @mgetka for reporting the issue!

Changes

• The favicon configuration in the default theme has been updated. If you have created your own theme and kept the default favicons using the FusionAuth logo you will want to either remove them or update them with the correct href paths. See the default theme for reference if you would like to use the FusionAuth favicons.

New

• The Identity Provider Lookup API will return a list of applicationIds to represent the enabled FusionAuth applications for the identity provider.

• The Identity Provider Lookup API will return the SAML v2 idpEndpoint value configured in the SAML v2 IdP.

Fixed

• Specifying an Elasticsearch URL containing basic auth credentials works properly. For example the URL https://user:password@myelasticsearchservice.com now functions as expected.

  • Tested against https://bonsai.io and https://aiven.io.

  • Resolves GitHub Issue #531, thanks to @joshuaavalon for reporting and @nscarlson for the additional details and assistance.

• Fixed a validation error when using the Import User API w/ an empty list of users. A 400 status code with a JSON response should have been returned.

  • Resolves GitHub Issue #520, thanks to @smcoll for reporting.

• Some JavaScript may fail on Internet Explorer version 11. Specifically the Helper.js which is used to handle the external login providers on the login page.

  • Resolves GitHub Issue #423, thanks to @downagain for reporting this issue and for the excellent debug.

• A validation error in the OAuth2 Token endpoint returns a general error instead of the appropriate validation error.

  • Resolves GitHub Issue #546, thanks to @mgetka for reporting the issue.

• When using the Facebook login, it is possible that Facebook will send back an Image URL from the /me/picture API that will exceed 255 characters. If this occurs the login failed and an an exception was logged.

  • Resolves GitHub Issue #583, thanks to our friends at famous.co and frontdoorhome.com for letting us know.

• Attempting to validate or save an Email template that contains a reference to a value stored in user data may cause an exception. For example ${user.data.company_name} is a valid usage, but this would fail validation or cause an exception during validation.

  • Resolves GitHub Issue #598

• In some cases, when a webhook fails to respond and subsequently fails the request do to the configured transaction setting the Elasticsearch index will be out of sync.

  • Resolves GitHub Issue #600, thanks to our Icelandic friend @arni-inaba for letting us know and providing excellent recreate steps.

• An extra curly bracket caused the SQL migration to fail if you are running PostgreSQL and performed an upgrade without modifying the default tenant.

  • Resolves GitHub Issue #606, thanks to @nscarlson for reporting the issue.

Fixed from RC.1

The following issues were fixed that only affect those running version 1.16.0-RC.1.

• An unexpected request parameter may cause an exception due to the incorrect runtime mode.

  • Resolves GitHub Issue #595, thanks to @ceefour

Changes

• Email Send API no longer requires a from email or a default from name, defaults may be taken from the tenant. See the Emails API documentation for reference.

• The OpenID Connect JSON Web Key Set API endpoint returns only public keys generated by FusionAuth. This endpoint previously also returned imported public keys, for which we do not hold the private key.

Security

• Updated default CORS configuration for clean installs, see the CORS Reference for details. It is highly recommended you modify your CORS configuration to match our new default values unless you have a technical requirement for your existing CORS configuration.

• Upgrade Handlebars to version 4.7.6 due to a known vulnerability. There is no known exploit of this vulnerability in FusionAuth, this is a pro-active upgrade. FusionAuth uses this JavaScript library in the administrative UI to build dynamic table roles.

  • https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534988

  • Resolves GitHub Issue #564, thanks to @michael-burt for alerting us to this vulnerability.

Enhancement

• The OpenID Connect and SAML v2 Reconcile Lambda may now modify the assigned user roles. Prior to this version any changes to the roles were intentionally not preserved. This restriction has been lifted.

  • Resolves GitHub Issue #536, thanks to @sedough for opening the request.

• In some cases the state parameter returning from external SAML v2 & OpenID Connect identity providers is decoded incorrectly. We are now Base64 encoding this value to preserve it’s integrity.

New

• Support for Elasticsearch version 7

  • FusionAuth maintains backward-compatibility with Elasticsearch 6.3.x clusters and indexes.

  • fusionauth-app.search-engine-type configuration property and FUSIONAUTH_SEARCH_ENGINE_TYPE environment variable exposed for configuring the search engine, see the Configuration documentation for reference.

  • A reindex may be necessary depending on how you have upgraded your Elasticsearch cluster. You may issue a reindex in the FusionAuth Admin UI under System → Reindex.

  • Resolves GitHub Issue #199

• Support for using the database as the user search engine. This is now the default configuration. See the Core Concepts - Users documentation for details.

  • Use of the database search engine provides limited search capabilities, and has limitations for the Users API, see the Bulk Delete Users API and Search for Users API documentation for details.

  • Resolves GitHub Issue #427

• The Registration API returns an access token within the token field of responses to POST requests. See the Registrations API documentation for reference.

  • Application registration records a login and will be reflected in the Login, Daily Active User, and Monthly Active User reports within the FusionAuth admin UI.

• The applicationId is now optional for PUT requests (update login instants) to the Login API. See the Login API documentation for reference.

  • PUT requests to the Login API records a login and will be reflected in the Login, Daily Active User, and Monthly Active User reports within the FusionAuth admin UI.

• The User API returns an access token within the token field of responses to POST requests creating a user. See the User API documentation for reference.

  • User creation records a login and will be reflected in the Login, Daily Active User, and Monthly Active User reports within the FusionAuth admin UI.

• System logs can be viewed from the Admin interface. Navigate to System → Log to view and download the system logs.

  • This feature is available in the UI and via a new API.

  • Resolves GitHub Issue #540

• System log export API has been added for retrieving a node’s system logs as a compressed zip file. See the System Logs API documentation for reference.

• There is a Test SMTP button that you can utilize during an Edit or Add Tenant operation to ensure the correct SMTP configuration.

  • Resolves GitHub Issue #539

• Production runtime mode disables maintenance mode, database migrations must be applied manually in this runtime mode. See the FusionAuth App Installation Guide documentation for reference.

• Advanced configuration exposed for search engine type, runtime mode, and Same-Site cookie policy. See the Configuration documentation for reference.

• JWT Refresh webhook event, issued when an access token is refreshed by refresh token, see the Events documentation for reference.

• Tenant email configuration provides a default from email and a default from name. See the Tenants API documentation for reference.

  • Resolves GitHub Issue #262, thanks to @engineertdog for the request!

Docker

• Next time a release candidate is built, the latest tag will be preserved to always be the latest stable release. This way if you are always using the latest tag you will not automatically upgrade to a release candidate.

  • Resolves GitHub Issue #596, thanks to @ceefour for the request.

• The reference docker-compose.yml provided by the fusionauth-containers project has been modified to install leveraging database as the User search engine. You will need to include the reference docker-compose.override.yml in order to install and configure Elasticsearch as the User search engine. See the Docker installation guide for reference.

Internal

• The FusionAuth Java runtime has been upgraded to version 14. All external Java packages such as the Java REST client and the Plugin interface are all still compiled against Java 8 so this upgrade should not impact any users.

  • Resolves GitHub Issue #481

• Upgrade Apache Tomcat to the latest patch version 8.5.53.

• Much smaller Docker images based upon Alpine Linux! Compressed size changed from ~ 150 MB to 76 MB. More features, less size? Yeah, that’s right.

  • Check it out for yourself. See the fusionauth/fusionauth-app repo.

Fixed

• When more than one tenant is defined, the redirect to /oauth2/callback which is used for 3rd Party SAML v2 or OpenId Connect identity providers will fail unless the corresponding application is in the default tenant. This issue was introduced in 1.15.6 which means it only affects version 1.15.6. If you encounter this issue you may be shown an error on the login page indicating A validation error occurred during the login attempt. An event log was created for the administrator to review..

  • Resolves GitHub Issue #548, thanks so much to @lamuertepeluda for reporting and providing excellent technical details to assist in tracking down the bug.

• A callback from a Social IdP configuration may fail to complete the login workflow. This issue was introduced in 1.15.6 which means it only affects version 1.15.6 and 1.15.7.

  • Resolves GitHub Issue #553, thanks to @ulybu for reporting the issue!

Enhancements

• When a user attempts to utilize an expired Passwordless or Forgot Password link, FusionAuth will now still be able to allow the user to restart the login workflow.

  • Resolves GitHub Issue #468, thanks to @davidmw for suggesting this enhancement.

  • In order to take advantage of this enhancement, you will need to upgrade your email template for one or both of these workflows. See the Email Templates documentation for a reference usage.

Fixed

• Due to a change in how FusionAuth encodes the RelayState value when redirecting to a 3rd party SAML v2 identity providers, the authentication request will fail with an OAuth2 error. This issue was introduced in 1.15.6 which means it only affects version 1.15.6.

Fixed

• Handle tabs and other control characters in an included text file when parsing the Kickstart configuration files.

  • Resolves GitHub Issue #524, thanks to @mgetka for reporting.

• When the FusionAuth Reactor is enabled, a breach detection is incorrectly requested during a user update when the password is not being modified. You may see errors in the Event Log indicating Reactor returned a status code of 400, this error is just noise and it did not affect the requested action.

  • Resolves GitHub Issue #533.

• When running FusionAuth on an un-secured connection during development, newer versions of the Chrome browser will reject the Set-Cookie request in the HTTP response because the SameSite attribute is not set.

  • Resolves GitHub Issue #537.

Enhancement

• When integrating with 3rd Party Identity Providers FusionAuth will build a state parameter in order to complete the FusionAuth OAuth2 or SAML v2 request on the callback from the 3rd Party IdP. There are times when a 3rd Party IdP may un-intentionally modify the state parameter by decoding the value. When the state parameter is not returned to FusionAuth the way it was sent the integration breaks. FusionAuth will now Bas64 encode the state value to better defend against 3rd Party IdP integrations.

  • Resolves GitHub Issue #538.

Fixed

• Adding a Consent to a User that does not have a First or Last Name. This was causing an error in the UI where the Add Consent dialog was not rendering and instead displaying a stack trace.

  • Resolves GitHub Issue #512, thanks to @mgetka for reporting.

• When Reactor is enabled and more than one user requires action due to a breached password the Reactor index page will fail to render.

  • Resolves GitHub Issue #514, thanks to our friends at Frontdoor for reporting the issue.

• When adding a new Tenant in the UI you may encounter a 500 status code with a FusionAuth encountered an unexpected error. message. If you encounter this error, edit the default tenant, click save and then retry the add operation.

  • Resolves GitHub Issue #517, thanks to @vburghelea for reporting.

• A JavaScript exception was causing the ExternalJWT identity mapping dialog to fail. A work around is to use the API to add these claim mappings. This bug was introduced in version 1.15.3.

  • Resolves GitHub Issue #518, thanks to @irzhywau for reporting.

Fixed

• When using PostgreSQL and using the Import User API with a large amount of roles assigned to user FusionAuth may exceed the maximum allowed parameterized values in a prepared statement causing a SQL exception. If you encounter this issue you may work around the issue by reducing the size of your import request to 200-500 users per request.

  • Resolves GitHub Issue #505, thanks to @leafknode for reporting and helping debug!

• When creating a user through Kickstart with passwordChangeRequired set to true and exception will occur during the next login request. This issue was introduced in version 1.15.0.

  • Resolves GitHub Issue #509, thanks to @mgetka for reporting!

• When a Kickstart file contains multi-byte characters the string value may not be encoded properly if the default file encoding is not UTF-8. This has now been resolved by explicitly requesting UTF-8 encoding during file I/O.

  • Resolves GitHub Issue #510, thanks to @mgetka for reporting!

• When using the SAML IdP configuration where FusionAuth is the SAML service provider if the base64 encoded SAML response from the IdP contains line returns FusionAuth will fail to parse the request and the login request will fail.

  • Resolves GitHub Issue #511

Changes

• The External JWT Identity Provider now manages keys used for token verification in the Key Master. All keys have been migrated to Key Master, and going forward all keys can be managed through the Key Master.

• Prior to this version the OpenID Connect IdP would send the client secret using the client_secret_basic and the client_secret_post method. This was done for compatibility with providers that did not utilize the client_secret_basic method. Now this configuration is now provided and only the configured client authentication method will be used.

Fixed

• Using the JWT Refresh API with a JWT issued from one tenant for a user in another tenant. This error was causing an exception instead of the proper validation error being returned to the caller. A 404 will now properly be returned when this scenario occurs.

  • Resolves GitHub Issue #399, thanks to @johnmaia for helping us track it down.

• Missing API validation on the /oauth2/passwordless endpoint. A 500 was returned instead of the correct validation errors.

  • Resolves GitHub Issue #450, thanks to @GraafG for reporting.

• On systems running MySQL, the SQL migration for 1.15.0 on the DELIMITER command and causes the instance table to have a null license_id. If you have previously connected your support contract Id with your instance and upgraded to a previous 1.15.x version, you will need to reconnect your license Id in the Reactor tab. This issue was introduced in version 1.15.0.

  • Resolves GitHub Issue #482, thanks to @nulian for reporting!

• The CancelAction method in the .NETCore client returning field error due to incorrect method definition.

  • Resolves GitHub Issue #11, thanks to @minjup for reporting.

• The OpenID Connect IdP client authentication method is now configurable as client_secret_basic, client_secret_post, or none and will authenticate solely with the configured method. See the OIDC spec concerning Client Authentication for more information.

  • The 1.15.3 database migration configures the client authentication method to client_secret_basic for identity provider configurations with a client secret defined, and none for those without a client secret defined. If your OpenID Connect provider requires client_secret_post you will need to update your configuration to ensure the integration continues to function properly. Discord is one of the known IdPs that requires the client_secret_post client authentication method.

  • See the OpenID Connect Identity Providers APIs, the OpenID Connect Identity Provider Overview and the Discord OIDC integration tutorial for more detail.

  • Resolves GitHub Issue #445, thanks to @ovrdoz for reporting.

• When you have enabled Self Service Registration and Registration Verification FusionAuth will fail to send the email to the end user during this workflow.

  • Resolves GitHub Issue #496, thanks to our great Slack community for letting us know and assisting with debug.

• If a Two Factor Trust has been established with a particular browser through the user of a cookie, it was not being honored during the Passwordless Email workflow and the user would be prompted for the Two Factor challenge during each login attempt.

  • Resolves GitHub Issue #495, thanks to our great Slack community for reporting!

• When using managed domains with the OpenID Connect or SAML v2 Identity Provider configurations the callback to FusionAuth may fail with an error.

  • Resolves GitHub Issue #488, thanks to @sedough for reporting.

• When a stylesheet in your theme contains > the new HTML escaping strategy introduced in version X causes this value in the CSS to be incorrectly escaped. If you encounter this problem in your current them, update the usage of the stylesheet to ${theme.stylesheet()?no_esc} instead of the previous usage of ${theme.stylesheet()}.

  • Resolves GitHub Issue #489, thanks to @snmed for reporting.

• Fix a Kickstart bug, when a variable is used in the very first API key the replacement was not honored.

  • Resolves GitHub Issue #493, thanks to @tst-dhudlow for reporting!

Enhancements

• When the External JWT Identity Provider does not have any managed domains defined, allow a JWT from any domain to be reconciled. This change makes this IdP configuration more consistent with our IdP configurations that allow for managed domains.

  • Resolves GitHub Issue #491

Known Issues

• Fixed in 1.15.3, on systems running MySQL, the 1.15.0 migration fails on a DELIMITER command and causes the instance table to have a null license_id. If you upgraded to 1.15.2, have connected our instance to a support contract, and ran the 1.15.0 migration using maintenance mode, you will need to reconnect your license Id in the Reactor tab.

  • A workaround for this issue is to download the fusionauth-database-schema-1.15.0.zip from our direct dowload page, unzip and manually apply the migrations/mysql/1.15.0.sql migration. You may also wait to upgrade until 1.15.3 is available and allow maintenance mode to run the fixed migration.

Fixed

• Password breached fixes. On some systems running PostgreSQL a portion of the breach detections features may not function properly. If you are running MySQL this will not affect you, and only certain PostgreSQL versions are affected. If you are not using FusionAuth Reactor this issue will not affect you.

Known Issues

• Fixed in 1.15.3, on systems running MySQL, the 1.15.0 migration fails on a DELIMITER command and causes the instance table to have a null license_id. If you upgraded to 1.15.1, have connected our instance to a support contract, and ran the 1.15.0 migration using maintenance mode, you will need to reconnect your license Id in the Reactor tab.

  • A workaround for this issue is to download the fusionauth-database-schema-1.15.0.zip from our direct dowload page, unzip and manually apply the migrations/mysql/1.15.0.sql migration. You may also wait to upgrade until 1.15.3 is available and allow maintenance mode to run the fixed migration.

Fixed

• A SQL statement in PostgreSQL may cause some 9.x versions to fail to store breach metrics once FusionAuth Reactor has been enabled. If you are running MySQL this will not affect you, and only certain PostgreSQL versions are affected. If you are not using FusionAuth Reactor this issue will not affect you.

Known Issues

• Fixed in 1.15.1, some versions of PostgreSQL may cause an exception when storing breach metrics after enabling FusionAuth Reactor. If you are not using FusionAuth Reactor or you are using MySQL instead of PostgreSQL this issue will not affect you.

• Fixed in 1.15.3, on systems running MySQL, the 1.15.0 migration fails on a DELIMITER command and causes the instance table to have a null license_id. If you upgraded to 1.15.0, have connected our instance to a support contract, and ran the 1.15.0 migration using maintenance mode, you will need to reconnect your license Id in the Reactor tab.

  • A workaround for this issue is to download the fusionauth-database-schema-1.15.0.zip from our direct dowload page, unzip and manually apply the migrations/mysql/1.15.0.sql migration. You may also wait to upgrade until 1.15.3 is available and allow maintenance mode to run the fixed migration.

Changed

• In the FusionAuth admin UI you will notice that User, Groups, Applications and Tenants are all now at the top level of the left navigation sidebar. This change has been done to provide quicker access to these frequently accessed menus.

New

• FusionAuth Reactor ™. FusionAuth Reactor is available with all paid editions of FusionAuth. The first feature in the Reactor suite will be breached password detection. All passwords will be checked against a breached list during all password change events, and optionally during login based upon your configuration.

• New webhook event for use with FusionAuth Reactor breached password detection. This event when enabled will be fired during login if the user is using a vulnerable password.

  • User Password Breach (user.password.breach), see Webhook Events for additional information.

• New Tenant configuration in support of FusionAuth Reactor and additional password validation rules. This configuration can be found in the Password tab of the Tenant configuration on on the Tenant API.

  • tenant.passwordValidationRules.validateOnLogin - When enabled the user’s password will be validated during login. If the password does not meet the currently configured validation rules the user will be required to change their password. Prior to this release password validation was only ever performed during a change event, you may now optionally enforce your password policy during login.

  • tenant.passwordValidationRules.breachDetection - A new object to provide configuration per tenant for password breach detection.

• During login, if the user is required to change their password, the Login API, Authorization Code Grant, Implicit Grant and Password Grant will now also return a change reason. This additional value in the response will indicate why the user is being required to change their password.

  • See the Login API, and corresponding OAuth endpoints for more detail.

Security

• A small window exists after a Refresh Token has expired when this token can still be used under specific circumstances. This symptom only occurs when using the /api/jwt/refresh API, and not when using the Refresh Grant using the /oauth/token endpoint. In a worst case scenario the Refresh Token may be honored up to 5 hours after the expiration date, in most circumstances it will be much less. This only applies to expired Refresh Tokens, revoking a Refresh Token is not affected.

  • Resolves GitHub Issue #454, thanks to @johnmaia one of our FusionAuth MVPs!

Fixed

• Editing a Group in a Tenant that does not yet have any Applications created causes and exception when you attempt to save the edit form in the FusionAuth admin UI.

  • Resolves GitHub Issue #471, thanks to @dhait for letting us know, we appreciate you!

• When Self Service Registration, if Registration Verification is enabled and Email Verification is disabled the user will not receive a Registration Verification email.

  • Resolves GitHub Issue #472

• An exception may occur when using the Import User API if you are missing the applicationId property in a User Registration. This error should have been found as a validation error and instead an exception occurred.

  • Resolves GitHub Issue #479, thanks to our friends at Integra Financial Services for reporting the error.

Enhancements

• Allow Kickstart to better handle varying startup times and delays. A few users reported scenarios where Kickstart would begin before FusionAuth was ready causing Kickstart to fail.

  • Resolves GitHub Issue #477

Changes

• A JWT Populate Lambda now has fewer reserved claims. All claims can now be removed or modified except for exp, iat and the sub claims by the JWT Populate Lambda. You remove or modify claims added by FusionAuth at your own peril.

  • See JWT Populate for additional details.

  • Resolves GitHub #387

• Add additional fields that can be merged by the PATCH HTTP method. The following fields were not being merge, but replaced. The limitation of this change is that it is difficult to remove fields from values from arrays. A future enhancement may be to support the JSON Patch specification which provides semantics for add, replace and remove.

  • User.preferredLanguages

  • User.memberships

  • User.registrations

  • User.data

  • UserRegistration.data

  • UserRegistration.preferredLanguages

  • UserRegistration.roles

  • Application.data

  • Resolves Github Issue #424

New

• Kickstart™ allows you bypass the Setup Wizard in order to FusionAuth up and running quickly. Deploy development or production instances of FusionAuth using a pre-defined configuration of Users, Groups, Applications, Tenants, Templates, API keys, etc.

  • Resolves GitHub #170 🤘

  • This feature is in Tech Preview which means if we find shortcomings with the design as we gather feedback from end users it is possible we will make breaking changes to the feature to correct or enhance the functionality. Any such changes will be documented in future release notes as appropriate.

• The Tenant API can optionally take a new sourceTenantId parameter to allow you to create a new Tenant using the values from an existing Tenant. Using the sourceTenantId limits the required parameters to the Tenant name.

  • Resolves GitHub #311

• Add a View action to a Group Membership in the Membership tab of the Manage User panel in the UI.

  • Resolves GitHub #413

Fixed

• A memory leak in the Nashorn JavaScript engine used to execute FusionAuth Lambdas has been resolved.

• The OAuth2 Authorization Code grant was required to complete a SAMLv2 login, this grant is no longer required to be enabled.

  • Resolves Github Issue #432

• Added missing theme_manager role to the FusionAuth application

Fixed

• During a reindex operation the status will properly be displayed on every node when viewing the User Search or the Reindex pages in the UI.

• Improve Kafka configuration validation when using the Test button in the UI.

  • Resolves GitHub Issue #318, thanks to @nikos for reporting the issue!

• An exception may occur when using ReactNative with FusionAuth when an HTTP Origin header is sent to FusionAuth with a value of file://. The exception is caused because file:// without a value after the double slash is not a valid URI and cannot be parsed by java.net.URI. However the HTTP specification indicates that an origin header with a scheme of file:// is allowed and when used anything following the prefix is allowed. This fix follows a similar decision made by Apache Tomcat in their CORS filter, see Bugzilla #60008.

  • Resolves GitHub Issue #414, thanks to @karice for reporting the issue and helping us debug!

• When an invalid code or expired code is used on a Passwordless login request an exception may occur.

  • Resolves GitHub Issue #416, thanks to @downagain for reporting the issue!

• When a user email is verified implicitly due to a change password action that originated via an email request the user.verified event is now sent.

  • Resolves GitHub Issue #418, thanks to @JonasDoe for asking via StackOverflow and then opening an issue to help us resolve the issue.

Fixed

• The Elasticsearch migration required to complete the upgrade to 1.13.0 may not always run as intended. Upgrading to this release will kick off an Elasticsearch reindex operation to correct the search index state.

Changes

• In support of the OAuth Device Grant feature released in 1.11.0, a second template was added to separate the completion state.

  • New themed template OAuth device complete. Starting with version 1.12.0, templates will no longer be automatically migrated into an existing theme. We believe this is a safer choice overall. Instead your theme will be marked as requiring upgrade when viewed in the UI. You will be prompted to complete the missing templates when you edit and you will be provided with the option to copy in the default template as a starting point.

  • If FusionAuth attempts to render the missing template you will be prompted with a message indicating your theme needs to be upgraded. In generally this should happen when you are using a new feature and thus should occur at development time. Whenever a new template is added, it is recommended to edit and verify your theme right away after upgrade to ensure a smooth migration.

• In support of the HYPR integration, a new template was added that will be used when waiting for the external HYPR authentication to complete.

  • New themed template OAuth2 wait. Starting with version 1.12.0, templates will no longer be automatically migrated into an existing theme. We believe this is a safer choice overall. Instead your theme will be marked as requiring upgrade when viewed in the UI. You will be prompted to complete the missing templates when you edit and you will be provided with the option to copy in the default template as a starting point.

• The following theme messages were added. Until these values have been translated they will be rendered in English. At your earliest convenience you will want to add these new keys to your existing themes. You may wish to review the community provided translations which may already contain these new messages. https://github.com/FusionAuth/fusionauth-localization

wait-title=Complete login on your external device
waiting=Waiting

[ExternalAuthenticationExpired]=Your external authentication request has expired, please re-attempt authentication.

• A change has been made to how an event is sent to Webhooks when the Transaction configuration does not require any webhooks to succeed. Prior to this version each webhook would be called in order and once the status was collected from each webhook a decision was made to return to the caller or fail the request. In order to increase the performance of webhooks, when the Transaction configuration does not require any webhooks to succeed each webhook will be called in a separate thread (asynchronously) and the request will return immediately. In this scenario any failed requests will not be retried. See Webhooks for more information.

New

• Support HYPR IdP native integration. HYPR brings passwordless and biometric options to FusionAuth.

  • See the HYPR Identity Provider for additional details

• Administrative actions added to Users → Manage panel.

  • Send password reset always available from the drop down menu.

    • Addresses GitHub Issue #351, thanks to @nicholasbutlin for the suggestion!

  • Resend email verification available when the user’s email is not yet verified from the drop down menu.

  • Resend verification available as a new row button in the Registrations tab when a registration is not verified.

Fixed

• Modifying user actions with multi tenants returns a missing tenant error.

  • Resolves GitHub Issue #328, thanks to @AlvMF1 for reporting the issue!

• The JWT Validate endpoint returns the wrong precision for iat and exp claims.

  • Resolves GitHub Issue #347, thanks to @uncledent for reporting and providing detailed information.

• When using the one time password returned from the Change Password API when a Refresh Token was provided during the change request a Refresh Token is not returned from the Login API.

  • Resolves GitHub Issue #382, thanks to to @colingm for reporting the issue.

• A "null" Origin header is allowed in the w3 spec, and when this occurs it may cause an exception when validating authorized origins.

  • Resolves GitHub Issue #379, thanks to @karice for reporting and excellent assist!

• Better handling on the Start Passwordless API when a user does not exist

  • Resolves GitHub Issue #377, thanks to @smoorsausje for reporting!

Enhancement

• The User Delete API will no longer delete User Actions taken by the user. Instead the API will now disassociate any UserActions created by the deleted user by removing them from the Actioning User. In this scenario, a user will remain in an Action taken by a user that has now been deleted.

• A User Action may be applied to a user in a different tenant than the User taking the action. Prior to this release, using the admin UI to take an actioon on a user in a different tenant may fail.

• The following apis now support the PATCH HTTP method. This enhancement completes GitHub Issue #121.

  • /api/application

  • /api/application/role

  • /api/consent

  • /api/email/template

  • /api/group

  • /api/identity-provider

  • /api/integration

  • /api/lambda

  • /api/system-configuration

  • /api/tenant

  • /api/theme

  • /api/user

  • /api/user-action

  • /api/user-action-reason

  • /api/user/consent

  • /api/user/registration

  • /api/webhook

• The FusionAuth client libraries now also support the PATCH method.

• When an encoded JWT is accepted in the Authorization header, FusionAuth will now accept the token in the Bearer or the JWT schema.

• When you begin an external login such as Facebook, Google or Twitter an in progress indicator will be added to the login panel to indicate to the user that a request is in progress.

  • Resolves GitHub Issue #331, thanks to @davidmw for the suggestion!

  • If you are using a theme and want to take advantage of this indicator, you can compare the stock OAuth2 Authorize template, look for the note in the top JavaScript section.

Security

• A change was made to the FreeMarker template engine to remove the possibility of malicious code execution through a FreeMarker template. To exploit this vulnerability, one of two scenarios must occur. The first scenario is a user with an API key capable of adding or editing Email or Theme templates, the second scenario is a user with access to the Fusionauth Admin UI that has the necessary authority to add or edit Email or Theme templates. In these two scenarios the user would need to add code to the template with the intention of executing a malicious system command. There is a low probably of this exploitation to occur if you have trusted applications and administrative users.

  • CVE-2020-7799

Changes

• Remove the sid and the iss request parameters on the URL provided by post_logout_redirect_uri. This feature was added in version 1.10.0 and because the redirect URL may be a previously configured Logout URL or a URL provided by the post_logout_redirect_uri we were always adding these additional request parameters to the URL. This change will remove them from the redirect URL and they will only be added to the URLs used to build the iframes in the logout template.

  • Resolves GitHub Issue #332, thanks to @davidmw for the feedback!

• In support of the OAuth Device Grant feature, the following theme changes have been made.

  • New themed template OAuth device. This template has been added to each of your existing themes. As part of your migration please review this template to ensure it matches your intended style.

• The following theme messages were added. Until these values have been translated they will be rendered in English. At your earliest convenience you will want to add these new keys to your existing themes. You may wish to review the community provided translations which may already contain these new messages. https://github.com/FusionAuth/fusionauth-localization

device-form-title=Device login
device-login-complete=Successfully connected device
device-title=Connect Your Device

userCode=Enter your user code

[blank]user_code=Required
[invalid]user_code=Invalid user code

• The following hidden fields were added and you will need to update your [#macro oauthHiddenFields] in the theme "Helpers" of existing Themes if you intend to to utilize the Device Grant or response_mode in the Authorization grant:

[@hidden name="response_mode"/]
[@hidden name="user_code"/]

• An update has been made to the [@link] macro in the Helpers template. If you intend to utilize the Device Grant you will need to add the missing parameters to your macro or copy the updated macro and usage from the default FusionAuth theme. The user_code request parameter has been added to this macro.

New

• Device Authorization Grant

  • This satisfies GitHub Issue #320 - OAuth2 Device Authorization Grant

  • This grant type is commonly used to connect a set top box application to a user account. For example when you connect your HBO NOW Roku application to your account you are prompted with a 6 digit code on the TV screen and instructed to open a web browser to hbonow.com/tvcode to complete the sign-in process. This process is using the OAuth Device Grant or a variation of this workflow.

• Support for the response_mode request parameter during the Authorization Code grant and the Implicit grant workflows.

  • This will provide support for response_mode=form_post

  • Resolves GitHub Issue #159, thanks to @bertiehub for requesting.

• An additional API is available in support of Passwordless Login to allow additional flexibility with third party integrations.

  • See GitHub Issue #175

  • This feature will be available in 3 steps, Start, Send and Complete. Currently the Send API generates a code and sends it to the user, and then a Login API completes the request. The change is backwards compatible, but a Start action will be provided so you may skip the Send and collect the code and send it to the user using a third party system.

  • See the Passwordless API documentation for additional information.

Preview

• The PATCH HTTP method is available on some APIs in a developer preview. This is not yet documented and should only be used in development. The following APIs support the PATCH method, more to come.

  • /api/application

  • /api/user

  • /api/user/registration

  • This is in support of GitHub Issue #121 - Support HTTP method PATCH.

Fixed

• Return a 400 status code with a JSON response body on the Import API when a FK constraint causes the import to fail

  • Resolves GitHub Issue #317, thanks to @AlvMF1 for reporting the issue!

• Return a 401 status code on the Userinfo endpoint for invalid tokens

  • Resolves GitHub Issue #321

• The Passwordless login external identifier complexity settings are not working

  • Resolves GitHub Issue #322, thanks to @pawpro for letting us know!

• An error is incorrectly displayed on the Forgot Password form even when the code is valid

  • Resolves GitHub Issue #330, thanks to @JesperWe for reporting the issue!

• When a large number of tenants exist such as 3-5k, an exception may be thrown during a key cache reload request

  • Resolves GitHub Issue #326, thanks to @johnmaia for reporting!

• When using the id_token_hint on the Logout endpoint, if the token was issued to a user that is not registered for the application it will not contain the applicationId claim. This claim was being used to resolve the client_id required to complete logout. An alternative strategy is now used so that an id_token issued to a user that is registered, or not registered will work as expected when provided on the Logout endpoint.

  • Resolves GitHub Issue #350, thanks to @paulspencerwilliams for taking the time to let us know!

• Support a SAML SP that does not send the <samlp:NameIDPolicy /> constraint in the AuthN request, in this case we will default to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

Enhancement

• Front-channel logout was made more flexible

  • Resolves GitHub Issue #324

  • A new attribute Logout behavior was added to the Application → Oauth configuration

    • Redirect only - legacy behavior of only logging out of SSO and redirecting to either the registered logout URL in the application or the post_logout_redirect_uri.

    • All applications - performs a front channel logout of all registered applications in the tenant. Optionally, the themable Oauth logout page can be modified to only logout of those applications the user is registered for.

• In some cases the Facebook IdP configuration requires a permission of email to be configured in order for the email claim to be returned from the Facebook Me API even when email is also specified in the field parameter. FusionAuth will default both the fields and the permissions parameters to email on create if not provided to make the Facebook IdP work out of the box for more users. Defaults will not be applied if these fields are left blank or omitted on an update.

• The Passwordless Send API now takes an optional code parameter which will be used as the Passwordless code sent in the email. This code can be generated by the new Passwordless Start API.

Fixed

• When logging into Google or other external Identity Provider for an Application outside of the default tenant the login may not complete successfully. This issue was introduced in version 1.9.0. A work around is to use an application in the default tenant.

• A status code of 500 may occur during the processing of the SAML v2 response from an SAML v2 IdP.

  • Resolves GitHub Issue #314, thanks to @Raghavsalotra for all his help verifying a fix for this issue.

Changes

• In support of the OpenID Connect Front Channel logout feature, the following theme changes have been made.

  • New themed template OAuth logout. This template has been added to each of your existing themes. As part of your migration please review this template to ensure it matches your intended style.

• The following theme messages were added. Until these values have been translated they will be rendered in English. At your earliest convenience you will want to add these new keys to your existing themes. You may wish to review the community provided translations which may already contain these new messages. https://github.com/FusionAuth/fusionauth-localization

logging-out=Logging out…
logout-title=Logging out
or=Or

[ExternalAuthenticationException]=%1$s The login request failed.

New

• Support for the OpenID Connect Front Channel logout

  • This updates the existing OAuth2 Logout endpoint to be compliant with the OpenID Connect Front-Channel Logout 1.0 - draft 02 specification

  • TL;DR The /oauth2/logout endpoint will call logout URLs of all tenant applications. A redirect URL can be requested on the URL via post_logout_redirect_uri.

  • Resolves GitHub Issue #256, thanks to all who up voted and provided valuable feedback.

  • The OpenId Connect discovery endpoint now returns the following attributes:

    • end_session_endpoint

    • frontchannel_logout_supported

    • backchannel_logout_supported

Fixed

• Send email API may fail with a 500. This issue was introduced in version 1.9.0.

• SAML v2 Invalid Redirect. This resolves GitHub Issue #287, thanks to @prasanna10021991 for reporting and helping!

Enhancement

• Allow request parameters to be provided on the Authorization endpoint in the OpenID Connect relaying party configuration. This allows FusionAuth to integrate with the Twitch OpenID Authorization Grant implementation.

  • This resolves GitHub Issue #309, thanks to @tauinger-de for reporting and helping out!

  • This is a partial fix to work around not supporting the claims parameter on the Authorize request. See GitHub Issue #308 for additional information.

Fixed

• If you have one or more themes defined prior to upgrade you may be unable to login.

  • Resolves GitHub Issue #306, thanks to @flangfeldt and @jerryhopper for the assist!

  • See workaround in the linked GitHub issue.

  • Resolves Internal Server Error after Fusion Auth Upgrade to v 1.9.1, thanks to Tom Bean for reporting!

Fixed

• Unable to modify the name of the default FusionAuth theme. If you attempt to edit the theme and save the form a validation error occurs that is not expected and will cause an exception. If you encounter this problem you can simply not edit the FusionAuth theme since you are not able to modify the templates anyway. Instead just duplicate the theme if you would like to view any of the default messages.

New

• Full theme localization support for errors and all other text

  • If you’re interested in helping us crowd source additional languages check out this Git repo and open an issue or submit a PR.

  • https://github.com/FusionAuth/fusionauth-localization

Fixed

• When editing a new email template that contained ${user.tenantId} the template validation may fail.

  • Resolves GitHub Issue #294, thanks to @tauinger-de for reporting the issue.

• A locked account may still be able to login via Google or other external identity provider.

  • Resolves GitHub Issue #301, thanks to @jerryhopper (a FusionAuth MVP) for the bug report!

  • Previous to this change when using the OAuth2 login or the Login API, a locked account was treated as a "soft" lock and a 404 would be returned from the Login API which in turn displayed an Invalid credentials error. The account locked (soft delete) state will not return a 423 status code instead of a 404 which will result in a different message to the OAuth2 login.

Fixed

• The SQL issue described below in the warning message has been resolved.

• Performing a clean install of 1.8.0-RC.1 may fail in some cases

• When user.passwordChangeRequired is true and you login via an external identity provider you will be redirected to /password/change with an invalid code so you will not be able to complete the change password workflow. You may work around this change by navigating back to the login page and clicking the forgot password link.

Community MVPs

Thanks to all of our community members who take the time to open features, report bugs, assist others and help us improve FusionAuth! For this release we would like to thank the following GitHub users who helped us out!

• @AlvMF1

• @colundrum

• @damienherve

• @davidmw

• @fabiojvalente

• @flangfeldt

• @johnmaia

• @petechungtuyco

• @prabhakarreddy1234

• @snmed

• @tombeany

• @unkis

• @whiskerch

• @zbruhnke

Changes

• Most of the configuration previously available in the System Settings has been moved to the Tenant configuration to allow for additional flexibility. This is important if you will be utilizing more than one tenant, you may now configure password policies, email configuration, etc per tenant. If you are using the System Configuration or Tenant APIs, please be aware of this change and plan accordingly. If you were manually synchronizing these configurations between systems, you will need to update these processes.

  • SMTP configuration

  • Event configuration

  • Password configuration

  • Failed Authentication configuration

  • Password configuration

  • JWT configuration

  • Theme

• When using a theme, whenever possible provide the tenantId on the request using an HTTP request parameter. This will help ensure FusionAuth will render the page using your chosen theme. In most cases FusionAuth can identify the correct tenant and theme based upon other parameters in the request, but in some circumstances there is not enough information and FusionAuth will default to the stock theme if the tenantId is not explicitly provided.

  • For example in each of the shipped email templates the following has been added to the generated URL ?tenantId=${tenantId}. You may wish to add this to your email templates if you’re using themes.

• If you were previously accessing a themed stylesheet in your template as ${loginTheme.stylesheet} it is now accessed like this ${theme.stylesheet()}.

New

• Top level theme menu in FusionAuth UI. Settings → Themes.

  • Create, delete, edit and update themes

  • Assign a named theme to a tenant

  • Theme preview

• User modifiable CORS configuration

  • GitHub Feature #180 : Expose a CORS configuration to the end user

• A public key may also be retrieved by kid in addition to the applicationId when using the Public Key API. This resolves GitHub Issue #227.

• PKCE support for use during the Implicit Grant

• New User Email Verified and User Registration Verified events. Resolves GitHub Issue #163, thanks to @unkis, @prabhakarreddy1234 and @davidmw for the great feedback!

• Email Verification, Registration Verification, Change Password, Setup Password and Passwordless Login can be be optionally configured to use codes made up of digits instead of long strings. This may be helpful if you wish the user to type in a code during an interactive workflow.

  • Resolves GitHub Issue #269, thanks to @zbruhnke for helping us get this one delivered.

Fixed

• Tenant scoped SMTP configuration, password rules, event transactions, JWT signing configuration, etc.

• When viewing Refresh token expiration in the Manage User panel under the Sessions tab, the expiration may be displayed incorrectly if the Refresh Token Time to Live has been set at the Application level. The actual time to live was still correctly enforced, but this display may have been incorrect.

• In some cases an Id Token signed by FusionAuth may not be able to be verified if it is sent back to FusionAuth. This issue was introduced in version 1.6.0.

• If the host operating system is not configured for UTF-8 and you specify multi-byte characters in an email template subject, the subject text may not be rendered correctly when viewed by the recipient.

  • Resolves GitHub Issue #231, thanks to @Lechu67 for reporting via Stack Overflow and helping to diagnose the issue.

• Toggle rendering issue in Firefox. Resolves GitHub issue #260, thanks to @snmed for the assist!

• When creating users and applications programatically, due to a timing issue, you may receive an unexpected error indicating the Application does not exist. Resolves GitHub Issue $252, thanks to @johnmaia for reporting the issue.

• An exception may occur when using the Login with Google feature if the picture claim returned is not a valid URI. Resolves GitHub Issue #249, thanks to @damienherve for reporting the issue.

• A tenant may fail to be deleted. Resolves GitHub Issue #221, thanks to @johnmaia for the assist! If you encounter this issue, ensure the search index is updated, generally this will only happen if you programatically create users and then immediately attempt to delete a tenant.

• The relative link on the Change Password themed template to restart the Forgot Password workflow when the code has expired is broken. Resolves GitHub Issue #280, thanks to @flangfeldt for letting us know!

• The Import API may fail due to a false positive during password salt validation. Resolves GitHub Issue #272, thanks to @tombeany for reporting the issue.

• Modifying an Identity Provider configuration when an Application has been disabled may cause an error in the UI. Resolves GitHub Issue #245, thanks to @fabiojvalente for reporting the issue.

• When the FusionAuth schema exists in the database and you reconnect FusionAuth using the database maintenance mode, depending upon the version of PostgreSQL we may not properly detect that the schema exists and return an error instead of continuing. Resolves GitHub Issue #237, thanks to @whiskerch for reporting the issue.

• A typo in the Java FusionAuth client causes the to fail the generateEmailVerificationId request. Resolves GitHub Issue #282, thanks to @petechungtuyco for reporting the issue and pointing out the solution!

Enhancement

• JWT Refresh Token Revoke event will contain a User object when available

  • Resolves GitHub Issue #255, thanks to @AlvMF1 for the great suggestion!

• In a themed template that may have the passwordValidationRules available after a password validation field error will now always have the passwordValidationRules available if you choose to display them. Resolves GitHub Issue #263, thanks to @AlvMF1 for the suggestion!

• Updated PostgresSQL connector to support SCRAM-SHA-256. Thanks to @colundrum for letting us know and assisting in testing. Resolves GitHub Issue #209

• The OpenId Connect discovery endpoint now accepts optional tenantId request parameter.

• A User object is returned in the jwt.refresh-token.revoke event JSON.

• The field tenantId is returned in event JSON.

Fixed

• When configuring a SAML v2 IdP relying party using the FusionAuth SP metadata, the configured ACS may not work properly. If you encounter this issue you may manually modify the relying party configuration to change the ACS endpoint to /oauth2/callback.

  • Resolves Stack Overflow : Fusionauth ADFS integration issue, thanks to @johan for reporting the issue.

New

• SAML v2, OpenID Connect, Google, Facebook, Twitter and External JWT Identity Provider configurations now have a debug flag. When enabled a debug Event Log will be created during each request to the Identity Provider to assist in debugging integration issues that may occur. In addition, error cases will be logged in the Event log instead of to the product log.

• SAML v2 Service Provider (Relaying Party) Metadata URL

Fixed

• In some cases when running FusionAuth behind a proxy without setting the X-Forwarded-Port header the URLs returned in the OpenID Configuration discovery document may contain an https URL that is suffixed with port 80. If this is encountered prior to this version you may simply add the X-Forwarded-Port header in your proxy configuration.

• SAML v2 fix when using urn:oasis:names:tc:SAML:2.0:nameid-format:transient or urn:oasis:names:tc:SAML:2.0:nameid-format:persistent Name Id formats.

  • Resolves GitHub Issue #205, thanks to @mikerees for reporting the issue and helping us test a fix.

• SAML v2 fix in the IdP Metadata. The IDPSSODescriptor was missing the protocolSupportEnumeration which may cause some SAML metadata parsers to fail processing.

  • Resolves GitHub Issue #235, thanks to https://github.com/user1970869 [@user1970869 ] for reporting the issue and helping us test a fix.

• SAML v2 fix in the IdP Metadata. The value returned in the issuer attribute was not the same as the entityId provided in the metadata which may cause some SAML metadata parsers to fail processing.

  • Resolves GitHub Issue #240, thanks to https://github.com/user1970869 [@user1970869 ] for reporting the issue and helping us test a fix.

• And audit log entry may not be created for a FusionAuth admin that does not have an email address when modifying configuration with the FusionAuth UI.

  • Resolves GitHub Issue #268

Enhancement

• Integration details have been moved to a view dialog for each Identity Provider configuration. Previously these values were provided as read only fields on the edit panel in the UI.

  • See the View action for your Identity Provider configurations by navigating to Settings → Identity Providers.

Fixed

• Deleting a user that has recently had a failed login may fail when FusionAuth is tracking failed login attempts to lock user accounts.

  • Resolves GitHub Issue #184 : Cannot delete user with too many login attempts, thanks to @gmpreussner for reporting the issue.

• Login to a 3rd party SAML IdP may fail

  • Resolves GitHub Issue #181 : Trouble with SAML and OpenID logins, thanks to @davidmw for reporting the issue.

• Fix the uptime calculation for nodes when viewed in the About panel. System → About

Fixed

• Possible migration error for PostgreSQL users

Changes

• The timezone field in the User and UserRegistration must be a IANA time zone. This was previously assumed, but not always enforced. If a timezone is set for a User or UserRegistration that is not a valid IANA timezone, null will be returned when retrieving the User or UserRegistration timezone.

New

• Family and relationship modeling. Yeah, everyone has users, but does your IdP manage family relationships?

  • Family concepts

  • Family APIs

• Consent management. Need to record parental consent, or track opt-in for your users? Look no further.

  • Consent concepts

  • Consent APIs

  • We will ship FusionAuth with COPPA VPC, and COPPA Email+ consents, additional consents may be added through the Consent management interface and through the Consent APIs.

• Export of Audit Logs to a zipped CSV in the UI and via the Export API

• Export of Login Records to a zipped CSV in the UI and via the Export API

• Login Record view that contains limited search and pagination capability. In the UI see System → Login Records

• Retention policy for Audit Logs. This feature is disabled by default and may be enabled to retain a configured number of days worth of Audit Logs.

• Retention policy for Login Records. This feature is disabled by default and may be enabled to retain a configured number of days worth of Login Records.

Fixed

• Some timezones may not be correctly discovered during login. When this occurs an undefined value is set which may cause an error during login to the FusionAuth UI.

• Support importing Bcrypt hashes that contain a . (dot). The Bcrypt Base64 encoding uses a non standard character set which includes a . (dot) instead of a + (plus) as in the standard character set. Thank you to Diego Souza Rodrigues for discovering this issue and letting us know!.

• Better support for third party 2FA devices such as an RSA key fob. When providing FusionAuth with a secret to enable Two Factor authentication we will accept a string in a Bas32 or Base64 encoded format. The documentation has been updated to further clarify this behavior. Previously if you brought your own secret to FusionAuth to enable 2FA, depending upon the format of the key, you may not have been successful in enabling 2FA for a user.

• Managed domains were not being returned properly for a SAML v2 IdP configuration. This means that that you could not limit the SAML v2 IdP configuration to users with a specific email domain.

Enhancement

• The User Registration object is now available as a top level object in the Verify Registration email template. The registration was previously available in the user object, but it will now also be a top level object registration.

• Support arbitrary URIs for OAuth redirects.

  • Resolves Github Issue #58 : Support OAuth2 redirect to an arbitrary scheme in support of native applications

• Add user.mobilePhone to the search index. For an existing installation, to take advantage of this field for existing users, you may need to rebuild the search index. See System → Reindex

  • Resolves GitHub Issue #165 : Add mobilePhone in User Search

  • Thanks to @petechungtuyco for letting us know and suggesting the addition.

Fixed

• Using OpenID Connect with Microsoft Azure AD may fail

  • Thanks to @stevenrombauts and @plunkettscott for reporting the issue. OpenID connect fails with Azure AD #153.

Changes

• Deprecated the following properties SystemConfiguration and Application domain. This is all now managed through Key Master, and existing keys have been migrated into Key Master.

  • jwtConfiguration.issuer

  • jwtConfiguration.algorithm

  • jwtConfiguration.secret

  • jwtConfiguration.publicKey

  • jwtConfiguration.privateKey

• Deprecated the following property SystemConfiguration.jwtConfiguration.issuer, it has moved to SystemConfiguration.issuer.

• A new macro was added to the _helpers.ftl that may be managed by your theme. If you have modified the _helpers.ftl template as part of your theme, you will either need to reset that template and merge your changes back in, or add the following code to your _helpers.ftl managed by your theme. If you encounter an issue with this, you will still likely be able to login to correct the issue, if you do get stuck you may disable your theme to login. See https://fusionauth.io/docs/v1/tech/themes/#handling-failures.

New

• Support for SAMLv2 IdP. This satisfies GitHub Issue #3

• Support for SAMLv2 Service Provider to support federated authentication to a SAMLv2 Identity Provider. This satisfies GitHub Issue #104

• Lambda support. Lambdas are user defined JavaScript functions that may be executed at runtime to perform various functions. In the initial release of Lambda support they can be used to customize the claims returned in a JWT, reconcile a SAML v2 response or an OpenID Connect response when using these Identity Providers.

  • See the Lambda API and the new Lambda settings in the UI Settings → Lambdas.

• Event Log. The event log will assist developers during integration to debug integrations. The event log will be found in the UI under System → Event Log.

  • SMTP Transport errors

  • Lambda execution exceptions

  • Lambda debug output

  • SAML IdP integration errors and debug

  • Runtime exceptions due to email template rendering issues

  • And more!

• Key Master, manage HMAC, Elliptic and RSA keys, import, download, generate, we do it all here at Key Master.

  • Key APIs

• New events

  • user.login.failed

  • user.login.success

  • user.registration.create

  • user.registration.update

  • user.registration.delete

• Easily duplicate email templates using the Duplicate action.

  • https://github.com/FusionAuth/fusionauth-issues/issues/142

• Manage Access Token and Id Token signing separately

Enhancement

• Insert instant provided on the Import API for Users and Registrations will be reflected in the historical registration reports

  • https://github.com/FusionAuth/fusionauth-issues/issues/144

• Additional node information will be available on the About panel when running multiple FusionAuth nodes in a cluster. See System → About.

Fixed

• If Passwordless login is disabled because no email template has been configured the button will not be displayed on the login panel. If a user attempts to use the passwordless login and the feature has been disabled or the user does not have an email address a error will be displayed to alert the user.

• If you are using the Implicit Grant and you have Self Service Registration enabled for the same application, the redirect after the registration check will assume you are using the Authorization Code grant. To work around this issue prior to this release, disable Self Service Registration. Thanks to @whiskerch for reporting this issue in GitHub Issue #102.

• Fixed OpenID Connect federated login. Our JavaScript code was throwing an exception due to the removal of the device field from OAuth. This code wasn’t updated and therefore would not perform the redirect to the third-party Open ID Connect IdP. To fix this issue in 1.5.0 or below, you can remove this line from OpenIDConnect.js on or near line 48: + '&device=' + Prime.Document.queryFirst('input[name=device]').getValue().

• When you use the Refresh Grant with a Refresh Token that was obtained using the Authorization Code grant using the openid scope, the response will not contain an id_token as you would expect. This fixes GitHub Issue #110 - OIDC and Refresh Tokens. Thanks to @fabiosimeoni for reporting this issue

• When using the OpenID Connect Identity Provider that requires client authentication may fail even when you provide a client secret in your OpenID Connect configuration.

• https://github.com/FusionAuth/fusionauth-issues/issues/118

• https://github.com/FusionAuth/fusionauth-issues/issues/119

• https://github.com/FusionAuth/fusionauth-issues/issues/122

Changed

• Removed /oauth2/token from the CORS configuration. This change will cause the CORS filter to reject a POST request to the /oauth2/token endpoint when the request originates in JavaScript from a different domain. This will effectively prohibit the use of the OAuth2 Password grant from JavaScript.

• The device parameter is no longer required on the Login API or the Authorized endpoint in order to receive a Refresh Token. If the device parameter is provided it will be ignored.

• Correct the Refresh API response body to match the documentation. If you are currently consuming the JSON body of this API using the POST method, you will need to update your integration to match the documented response body.

New

• Support for Passwordless login via email. See Passwordless API if you’ll be integrating with this API to build your own login form. To use this feature using the provided FusionAuth login form, enable Passwordless by navigating to your FusionAuth Application Settings → Applications and selecting the Security tab.

• Support for the OAuth2 Implicit Grant. See the OAuth 2.0 & OpenID Connect Overview and OAuth 2.0 Endpoints for additional information.

• The Authorization Code, Password, Implicit and Refresh Token grants maybe enabled or disabled per application. See oauthConfiguration.enabledGrants property in the Application API, or the OAuth tab in the Application configuration in the FusionAuth UI.

• The Change Password API can be called using a JWT. This provides additional support for the Change Password workflow in a single page web application. See the Change Password API for additional details.

• The Change Password API in some cases will return a One Time password (OTP). This password may then be exchanged for a new JWT and a Refresh Token on the Login API. This allows for a more seamless user experience when performing a change password workflow. See the Change Password and Login API for additional details.

• The Login API can now be restricted to require an API key. The default for new applications will require authentication which can be disabled. Existing applications will not require authentication via API to preserve the existing behavior. The Login API may also be restricted from return Refresh Tokens are allowing an existing Refresh Token be used to refresh an Access Token. These settings will be configurable per Application, see the Application API for additional details, or the Security tab in the Application configuration in the UI. If using the Application API, see the application.loginConfiguration parameters.

• The c_hash, at_hash and nonce claims will be added to the id_token payload for the appropriate grants.

• Add support for client_secret_post to the already provided client_secret_basic Client Authentication method. This means that in addition to using HTTP Basic Authentication, you may also provide the client_id and client_secret in the request body.

Enhancement

• Better ECDSA private and public key validation to ensure the algorithm selected by the user matches the provided key.

• When using the Change Password workflow in the OAuth2 Implicit or Authorization Code grants, the user will be automatically logged in upon completing a change password that is required during login.

• The Two Factor Login API will return the twoFactorTrustId as an HTTP Only secure cookie in addition to being returned in the JSON response body. This provides additional support and ease of use when making use of this API in a single page web application. See the Two Factor Login API for additional details.

Fixed

• When using the Login Report in the UI and searching by user, if you have more than one tenant you will encounter an error.

• Validation errors are not displayed in the Add Claim dialog when configuring claim mapping for an External JWT Identity Provider

• Calling the Tenant API with the POST or PUT methods w/out a request body will result in a 500 instead of a 400 with an error message.

• When a locale preference has not been set for a FusionAuth admin and the English locale is used the user may see dates displayed in d/M/yyyy instead of M/d/yyyy.

• Fix some form validation errors during self-registration.

• The Action user action on the Manage User panel was opening the Comment dialog instead of the Action user dialog

• When a user has 2FA enabled and a password change is required during login, the 2FA will now occur before the change password workflow

• When more than one tenant exists, the Forgot Password link on the FusionAuth login page will not function properly.

• The Logout API may not always delete the access_token and refresh_token cookies if they exist on the browser.

• The id_token will be signed with the client_secret when HS256, HS384 or HS512 is selected as the signing algorithm. This is necessary for compliance with OpenID Connect Core 3.1.3.7 ID Token Validation. This fixes GitHub issue GitHub Issue #57, thanks to @anbraten for reporting this issue. If you encounter this issue prior to this version, copy the Client Secret found in the UI on the OAuth tab of your Application configuration into the HMAC secret on the JWT configuration tab.

• The Login API will now return a 400 with an error JSON response body if the applicationId parameter does not belong to any configured applications. Previous to this release, this was treated the same as if the User was not registered to the requested application.

• A change to the Docker build for permissions reduced the overall fusionauth-app image by ~ 200 MB.

Changed

• Renamed Type enum in DeviceInfo class to DeviceType. This will only affect you if you are using the Java or C# client and reference this enum directly. If you are using this class directly, you may need to update an import in your client code.

• More than one authorization code may exist for a single user at a given time. This will allow multiple asynchronous requests to begin an OAuth2 Authorization Grant workflow and succeed regardless of order.

New

• Self service registration. You may optionally enable this feature per application and allow users to create a new account or register for new applications without building your own registration forms.

• JSON Web Key set support. This endpoint will be exposed at /.well-known/jwks.json and will be published in the OpenID Configuration metadata endpoint as well. Prior to this release the public keys used to sign JSON Web Tokens were only available in PEM format using the Public Key API, this endpoint will still be available and supported.

  • See JSON Web Key Set (JWKS) for more information.

• Added Elliptic Curve signature support for JSON Web Tokens, ES256, ES384 and ES512.

• Added Typescript client library https://github.com/FusionAuth/fusionauth-typescript-client

• The Login Report may now be optionally filtered to a particular User in the UI, and the Login Report API will now take loginId or userId.

Fixed

• When using Docker compose, if you start up with --pull to update to the latest version of FusionAuth and there happens to be a database schema update, the silent configuration mode may fail. This occurs because the silent configuration was not performing the database schema update automatically. If you encounter this issue, you will need to manually update the schema.

  • This will only occur if you are running a version of FusionAuth prior to 1.1.0 and upgrade using --pull during docker-compose up.

• When you have multiple tenants created, a tenant may be deleted with an API key that is not assigned to the tenant. This has been corrected and a tenant may only be deleted using an API key that is not assigned to any tenant. This issue will only affect you if you have more than one tenant.

• Updated Maintenance Mode (setup wizard) to work with MySQL version 8.0.13 and above. MySQL has changed their SSL/TLS handling and our connections were not correctly handling public keys. This has been fixed by allowing FusionAuth to perform a secondary request to MySQL to fetch the public key.

• Logging in with a Social Login provider such as Google for an existing FusionAuth user may cause them to be unable to login to FusionAuth directly using their original credentials.

• When using the OpenID Connect Identity Provider, the incoming claim given_name was being saved in the fullName field instead of the firstName.

• When a user is soft deleted, actioned to prevent login, expired, or they have changed their password since their last login, their SSO session will be invalidated instead of waiting for the session to expire.

  • Resolves Github Issue #59 :Using a access token for a lock account

Internal

• Upgrade to fusionauth-jwt 3.0.1 in support of Elliptic Curve crypto support.

Changed

• API key will take precedence for API authentication if both a JWT and an API key are provided on the request. For example, when making a GET request to the User API, if a JWT is provided in a cookie, and a valid API key is also provided in the Authorization HTTP header, the previous design was to prefer the JWT. This design point meant that even when an API key was provided, even when providing a valid API key, you would be unable to retrieve any user but the one represented by the JWT.

  • Resolves GitHub Issue #43 : Id is ignored on Retrieve User when JWT is present

• The client_id is no longer required on the OAuth Token endpoint when client authentication is configured as required, in this scenario the client Id is provided in the HTTP Basic Authorization header.

  • Resolves Github Issue #54 :Token request returning 500 when client_id is omitted

Fixed

• When editing the JWT settings in the FusionAuth application the UI a JavaScript error may cause some of the settings to not render properly. This error was introduced in version 1.3.0.

• Added missing properties to the Application view dialog in the FusionAuth UI.

• The openid scope may not be honored during login when a user has Two Factor authentication enabled. The symptom of this issue is that the response from the Token endpoint will not contain an id_token even when the openid scope was requested.

  • Resolves Github Issue #53 : Authorization with scope openid fails when 2FA is enabled

• Validation for the OAuth2 Token endpoint may fail when the client_id request body parameter is omitted and return a 500 instead of a 400 status code.

  • Resolves Github Issue #54 : Token request returning 500 when client_id is omitted

• When a OAuth2 redirect URI is registered with a query parameter, the resulting redirect URI will not be built correctly.

  • Resolves Github Issue #55 : Adding a query parameter to the redirect_uri causes an invalid URI to be returned

• When trying to configure Elasticsearch engine during maintenance mode the index may get created but fail to leave maintenance mode. FusionAuth makes a HEAD request to Elasticsearch to check if the required indexes exist during startup and prior to leaving maintenance mode. When connected to an AWS Elasticsearch cluster this request does not behave as expected which causes FusionAuth to stay in maintenance mode. This issue has been resolved and should allow FusionAuth to properly connect to and utilize Elasticsearch running in an AWS cluster.

New

• An Application may disable the issue of refresh tokens through configuration. See oauthConfiguration.generateRefreshTokens in the Application API or the Generate refresh tokens toggle in the FusionAuth UI when editing an application.

• The OAuth2 client secret may be optionally regenerated using the FusionAuth UI during Application edit.

• Support for OAuth2 confidential clients, this is supported by optionally requiring client authentication via configuration. See oauthConfiguration.requireClientAuthentication in the Application API or the Require authentication toggle in the FusionAuth UI when editing an application.

Fixed

• Calling the Introspect endpoint with a JWT returned from the Issue API may fail due to the missing aud claim.

• The MySQL schema previously was using random_bytes which is not available in MariaDB. These usages have been replaced with an equivalent that will function the same in MySQL and MariaDB.

  • Thanks to @anbraten for bringing this to our attention and suggesting and verifying a solution via GitHub Issue #48 : Support for MariaDB

• When editing or adding a new user in the FusionAuth UI, the Birthdate field may get set automatically before the date selector is utilized. A JavaScript error was causing this condition and it has been fixed.

  • Resolves GitHub Issue #41 : Birthday is autofilled when adding or editing a user

Fixed

• Add X-FusionAuth-TenantId to allowed CORS headers.

  • Resolves GitHub Issue #44 : CORS blocks API request containing X-FusionAuth-TenantId

• When FusionAuth is running behind a proxy such as an AWS ALB / ELB the redirect URI required to complete login may not be resolved correctly. This may cause the redirect back to the FusionAuth UI login to fail with a CSRF exception. If you encounter this issue you may see an error message that says Something doesn’t seem right. You have been logged out of FusionAuth. The work-around for this issue if you encounter it will be to perform the redirect from HTTP to HTTPS in your load balancer.

• Some minor usability issues in the Identity Provider configuration UI.

Enhancement

• Better error handling when an API caller sends invalid JSON messages. Prior to this enhancement if FusionAuth did not provide a specific error message for a particular field a 500 HTTP status code was returned if the JSON could not be parsed properly. This enhancement will ensure that sending a FusionAuth API invalid JSON will consistently result in a 400 status code with a JSON body describing the error.

  • Resolves GitHub Issue #17 : Malformed or invalid JSON causes 500 error

• Allow an Identity Provider to be enabled and disabled from the UI. You may still choose to enable or disable a specific Application for use with an Identity Provider, but with this enhancement you may not turn off an Identity Provider for all Applications with one switch.

Fixed

• Preserve Application Identity Provider configuration for disabled Applications when editing a Identity Provider from the UI.

Fixed

• If you were to have an Identity Provider for federated third party JSON Web Tokens configured prior to upgrading to 1.1.0 FusionAuth may fail during the database migration to version 1.1.0.

Fixed

• If FusionAuth starts up in maintenance mode and stays there for an extended period of time without the User completing the configuration from the web browser, FusionAuth may get stuck in maintenance mode. If you encounter this issue, where you seemingly are entering the correct credentials on the Database configuration page and are unable to continue, restart FusionAuth and the issue will be resolved.

Fixed

• When running in Docker Compose, FusionAuth cannot connect to the search service when trying to exit the setup wizard.

  • https://github.com/FusionAuth/fusionauth-containers/issues/2

Enhancement

• Better support for running in Docker. Enhanced silent configuration capability for database and search engine boot strap configuration in Docker Compose to be more resilient.

Fixed

• If custom data is added to an Application, Group or Tenant before editing the corresponding object in the UI, the custom data may be lost.

New

• Better support for running in Docker. Configuration can be override using environment variables. See Docker Install for additional information.

Fixed

• The first time a user reached the failed login threshold and a 409 response code was returned the response body was empty. Subsequent login requests correctly returned the JSON response body with the 409, now the JSON response body is correctly returned the first time the user reaches the failed login threshold.

Fixed

• When using PostgreSQL an exception may occur during an internal cache reload request. If you encounter this issue you will see a stack trace in the fusionauth-app.log. If you see this error and need assistance, please open an issue in the FusionAuth Issues GitHub project.

New

• General availability release