Release Notes

Version 1.5.0

Pending Release


  • Support for the OAuth2 Implicit Grant


  • Better ECDSA private and public key validation to ensure the algorithm selected by the user matches the provided key.


  • When using the Login Report in the UI and searching by user, if you have more than one tenant you will encounter an error.

  • Validation errors are not displayed in the Add Claim dialog when configuring claim mapping for an External JWT Identity Provider

  • Calling the Tenant API with the POST or PUT methods w/out a request body will result in a 500 instead of a 400 with an error message.

  • When a locale preference has not been set for a FusionAuth admin and the English locale is used the user may see dates displayed in d/M/yyyy instead of M/d/yyyy.

  • Fix some form validation errors during self-registration.

Version 1.4.0

February 4th, 2019

Please Read

The FusionAuth System Requirements have been updated. Please review the updated requirements to ensure you have met the minimum supported versions of operating system and database.


  • Renamed Type enum in DeviceInfo class to DeviceType. This will only affect you if you are using the Java or C# client and reference this enum directly. If you are using this class directly, you may need to update an import in your client code.

  • More than one authorization code may exist for a single user at a given time. This will allow multiple asynchronous requests to begin an OAuth2 Authorization Grant workflow and succeed regardless of order.


  • Self service registration. You may optionally enable this feature per application and allow users to create a new account or register for new applications without building your own registration forms.

  • JSON Web Key set support. This endpoint will be exposed at /.well-known/jwks.json and will be published in the OpenID Configuration metadata endpoint as well. Prior to this release the public keys used to sign JSON Web Tokens were only available in PEM format using the Public Key API, this endpoint will still be available and supported.

  • Added Elliptic Curve signature support for JSON Web Tokens, ES256, ES384 and ES512.

  • Added Typescript client library

  • The Login Report may now be optionally filtered to a particular User in the UI, and the Login Report API will now take loginId or userId.


  • When using Docker compose, if you start up with --pull to update to the latest version of FusionAuth and there happens to be a database schema update, the silent configuration mode may fail. This occurs because the silent configuration was not performing the database schema update automatically. If you encounter this issue, you will need to manually update the schema.

    • This will only occur if you are running a version of FusionAuth prior to 1.1.0 and upgrade using --pull during docker-compose up.

  • When you have multiple tenants created, a tenant may be deleted with an API key that is not assigned to the tenant. This has been corrected and a tenant may only be deleted using an API key that is not assigned to any tenant. This issue will only affect you if you have more than one tenant.

  • Updated Maintenance Mode (setup wizard) to work with MySQL version 8.0.13 and above. MySQL has changed their SSL/TLS handling and our connections were not correctly handling public keys. This has been fixed by allowing FusionAuth to perform a secondary request to MySQL to fetch the public key.

  • Logging in with a Social Login provider such as Google for an existing FusionAuth user may cause them to be unable to login to FusionAuth directly using their original credentials.

  • When using the OpenID Connect Identity Provider, the incoming claim given_name was being saved in the fullName field instead of the firstName.

  • When a user is soft deleted, actioned to prevent login, expired, or they have changed their password since their last login, their SSO session will be invalidated instead of waiting for the session to expire.


  • Upgrade to fusionauth-jwt 3.0.1 in support of Elliptic Curve crypto support.

Version 1.3.1

December 19th, 2018


  • API key will take precedence for API authentication if both a JWT and an API key are provided on the request. For example, when making a GET request to the User API, if a JWT is provided in a cookie, and a valid API key is also provided in the Authorization HTTP header, the previous design was to prefer the JWT. This design point meant that even when an API key was provided, even when providing a valid API key, you would be unable to retrieve any user but the one represented by the JWT.

  • The client_id is no longer required on the OAuth Token endpoint when client authentication is configured as required, in this scenario the client Id is provided in the HTTP Basic Authorization header.


  • When editing the JWT settings in the FusionAuth application the UI a JavaScript error may cause some of the settings to not render properly. This error was introduced in version 1.3.0.

  • Added missing properties to the Application view dialog in the FusionAuth UI.

  • The openid scope may not be honored during login when a user has Two Factor authentication enabled. The symptom of this issue is that the response from the Token endpoint will not contain an id_token even when the openid scope was requested.

  • Validation for the OAuth2 Token endpoint may fail when the client_id request body parameter is omitted and return a 500 instead of a 400 status code.

  • When a OAuth2 redirect URI is registered with a query parameter, the resulting redirect URI will not be built correctly.

  • When trying to configure Elasticsearch engine during maintenance mode the index may get created but fail to leave maintenance mode. FusionAuth makes a HEAD request to Elasticsearch to check if the required indexes exist during startup and prior to leaving maintenance mode. When connected to an AWS Elasticsearch cluster this request does not behave as expected which causes FusionAuth to stay in maintenance mode. This issue has been resolved and should allow FusionAuth to properly connect to and utilize Elasticsearch running in an AWS cluster.

Version 1.3.0

December 5th, 2018


  • An Application may disable the issue of refresh tokens through configuration. See oauthConfiguration.generateRefreshTokens in the Application API or the Generate refresh tokens toggle in the FusionAuth UI when editing an application.

  • The OAuth2 client secret may be optionally regenerated using the FusionAuth UI during Application edit.

  • Support for OAuth2 confidential clients, this is supported by optionally requiring client authentication via configuration. See oauthConfiguration.requireClientAuthentication in the Application API or the Require authentication toggle in the FusionAuth UI when editing an application.


  • Calling the Introspect endpoint with a JWT returned from the Issue API may fail due to the missing aud claim.

  • The MySQL schema previously was using random_bytes which is not available in MariaDB. These usages have been replaced with an equivalent that will function the same in MySQL and MariaDB.

  • When editing or adding a new user in the FusionAuth UI, the Birthdate field may get set automatically before the date selector is utilized. A JavaScript error was causing this condition and it has been fixed.

Version 1.2.2

November 27th, 2018


  • Add X-FusionAuth-TenantId to allowed CORS headers.

  • When FusionAuth is running behind a proxy such as an AWS ALB / ELB the redirect URI required to complete login may not be resolved correctly. This may cause the redirect back to the FusionAuth UI login to fail with a CSRF exception. If you encounter this issue you may see an error message that says Something doesn’t seem right. You have been logged out of FusionAuth. The work-around for this issue if you encounter it will be to perform the redirect from HTTP to HTTPS in your load balancer.

  • Some minor usability issues in the Identity Provider configuration UI.

Version 1.2.1

November 16th, 2018


  • Better error handling when an API caller sends invalid JSON messages. Prior to this enhancement if FusionAuth did not provide a specific error message for a particular field a 500 HTTP status code was returned if the JSON could not be parsed properly. This enhancement will ensure that sending a FusionAuth API invalid JSON will consistently result in a 400 status code with a JSON body describing the error.

  • Allow an Identity Provider to be enabled and disabled from the UI. You may still choose to enable or disable a specific Application for use with an Identity Provider, but with this enhancement you may not turn off an Identity Provider for all Applications with one switch.


  • Preserve Application Identity Provider configuration for disabled Applications when editing a Identity Provider from the UI.

Version 1.2.0

November 15th, 2018


  • Add TTL configuration for Refresh Tokens to the Application configuration. When you enable JWT configuration per Application this value will override the global setting.


  • An error in the Twitter OAuth v1 workflow has been resolved.

Version 1.1.1

November 13th, 2018


  • If you were to have an Identity Provider for federated third party JSON Web Tokens configured prior to upgrading to 1.1.0 FusionAuth may fail during the database migration to version 1.1.0.

Version 1.1.0

November 13th, 2018

Database migration

The database schema has changed and an upgrade is required for this version of FusionAuth. You will be prompted to upgrade the database by maintenance mode before you may login.

See Upgrades/Patches for more information about database migrations.


  • Social login support

  • Full theme support for login. See the Login Theme tutorial for additional information and examples.

  • Better localization support in the FusionAuth UI. You now have the option to set or modify your preferred language for use in the FusionAuth UI. Providing a preferred language will cause dates to be formatted based upon your preference. For example, the default data format is M/D/YYYY, but if you are not in the United States this may not be the way you expect a date to be formatted. If you set your locale to French you will now see a more appropriate format of D/M/YYYY. This value is stored on the User Registration for FusionAuth in the preferredLanguages field.


  • When viewing sessions (refresh tokens) on the Manage User panel, the start and expiration times will be displayed.

Version 1.0.18

October 29th, 2018


  • If FusionAuth starts up in maintenance mode and stays there for an extended period of time without the User completing the configuration from the web browser, FusionAuth may get stuck in maintenance mode. If you encounter this issue, where you seemingly are entering the correct credentials on the Database configuration page and are unable to continue, restart FusionAuth and the issue will be resolved.

Version 1.0.17

October 5th, 2018


Version 1.0.16

October 5th, 2018


  • Better support for running in Docker. Enhanced silent configuration capability for database and search engine boot strap configuration in Docker Compose to be more resilient.


  • If custom data is added to an Application, Group or Tenant before editing the corresponding object in the UI, the custom data may be lost.

Version 1.0.15

October 1st, 2018


  • Better support for running in Docker. Configuration can be override using environment variables. See Docker Install for additional information.


  • The first time a user reached the failed login threshold and a 409 response code was returned the response body was empty. Subsequent login requests correctly returned the JSON response body with the 409, now the JSON response body is correctly returned the first time the user reaches the failed login threshold.

Version 1.0.14

September 17th, 2018


  • When using PostgreSQL an exception may occur during an internal cache reload request. If you encounter this issue you will see a stack trace in the fusionauth-app.log. If you see this error and need assistance, please open an issue in the FusionAuth Issues GitHub project.

Unexpected error. We’re missing an internal API key to notify distributed caches.

Version 1.0.13

September 12th, 2018


  • General availability release