Release Notes

Version 1.8.0

Pending Release

Database migration

The database schema has changed and an upgrade is required for this version of FusionAuth. You will be prompted to upgrade the database by maintenance mode before you may login.

See Database Upgrades for more information about database migrations.



  • When viewing Refresh token expiration in the Manage User panel under the Sessions tab, the expiration may be displayed incorrectly if the Refresh Token Time to Live has been set at the Application level. The actual time to live was still correctly enforced, but this display may have been incorrect.

  • In some cases an Id Token signed by FusionAuth may not be able to be verified if it is sent back to FusionAuth. This issue was introduced in version 1.6.0.

  • [Pending review] Using a redirect such as which contains a # character which is not found at the end of the URL may cause an error when building the redirect URL during the Authorization Code grant.

  • If the host operating system is not configured for UTF-8 and you specify multi-byte characters in an email template subject, the subject text may not be rendered correctly when viewed by the recipient.

Version 1.7.4

August 22th, 2019


  • When configuring a SAML v2 IdP relying party using the FusionAuth SP metadata, the configured ACS may not work properly. If you encounter this issue you may manually modify the relying party configuration to change the ACS endpoint to /oauth2/callback.

Version 1.7.3

August 15th, 2019


  • SAML v2, OpenID Connect, Google, Facebook, Twitter and External JWT Identity Provider configurations now have a debug flag. When enabled a debug Event Log will be created during each request to the Identity Provider to assist in debugging integration issues that may occur. In addition, error cases will be logged in the Event log instead of to the product log.

  • SAML v2 Service Provider (Relaying Party) Metadata URL


  • In some cases when running FusionAuth behind a proxy without setting the X-Forwarded-Port header the URLs returned in the OpenID Configuration discovery document may contain an https URL that is suffixed with port 80. If this is encountered prior to this version you may simply add the X-Forwarded-Port header in your proxy configuration.

  • SAML v2 fix when using urn:oasis:names:tc:SAML:2.0:nameid-format:transient or urn:oasis:names:tc:SAML:2.0:nameid-format:persistent Name Id formats.

  • SAML v2 fix in the IdP Metadata. The IDPSSODescriptor was missing the protocolSupportEnumeration which may cause some SAML metadata parsers to fail processing.

  • SAML v2 fix in the IdP Metadata. The value returned in the issuer attribute was not the same as the entityId provided in the metadata which may cause some SAML metadata parsers to fail processing.

  • And audit log entry may not be created for a FusionAuth admin that does not have an email address when modifying configuration with the FusionAuth UI.


  • Integration details have been moved to a view dialog for each Identity Provider configuration. Previously these values were provided as read only fields on the edit panel in the UI.

    • See the View action for your Identity Provider configurations by navigating to Settings Identity Providers.

Version 1.7.2

June 19th, 2019


Version 1.7.1

June 13th, 2019

Database migration

The database schema has changed and an upgrade is required for this version of FusionAuth. You will be prompted to upgrade the database by maintenance mode before you may login.

See Database Upgrades for more information about database migrations.


  • Possible migration error for PostgreSQL users

Version 1.7.0

June 13th, 2019

Database migration

The database schema has changed and an upgrade is required for this version of FusionAuth. You will be prompted to upgrade the database by maintenance mode before you may login.

See Database Upgrades for more information about database migrations.


  • The timezone field in the User and UserRegistration must be a IANA time zone. This was previously assumed, but not always enforced. If a timezone is set for a User or UserRegistration that is not a valid IANA timezone, null will be returned when retrieving the User or UserRegistration timezone.


  • Family and relationship modeling. Yeah, everyone has users, but does your IdP manage family relationships?

  • Consent management. Need to record parental consent, or track opt-in for your users? Look no further.

    • Consent concepts

    • Consent APIs

    • We will ship FusionAuth with COPPA VPC, and COPPA Email+ consents, additional consents may be added through the Consent management interface and through the Consent APIs.

  • Export of Audit Logs to a zipped CSV in the UI and via the Export API

  • Export of Login Records to a zipped CSV in the UI and via the Export API

  • Login Record view that contains limited search and pagination capability. In the UI see System Login Records

  • Retention policy for Audit Logs. This feature is disabled by default and may be enabled to retain a configured number of days worth of Audit Logs.

  • Retention policy for Login Records. This feature is disabled by default and may be enabled to retain a configured number of days worth of Login Records.


  • Some timezones may not be correctly discovered during login. When this occurs an undefined value is set which may cause an error during login to the FusionAuth UI.

  • Support importing Bcrypt hashes that contain a . (dot). The Bcrypt Base64 encoding uses a non standard character set which includes a . (dot) instead of a + (plus) as in the standard character set. Thank you to Diego Souza Rodrigues for discovering this issue and letting us know!.

  • Better support for third party 2FA devices such as an RSA key fob. When providing FusionAuth with a secret to enable Two Factor authentication we will accept a string in a Bas32 or Base64 encoded format. The documentation has been updated to further clarify this behavior. Previously if you brought your own secret to FusionAuth to enable 2FA, depending upon the format of the key, you may not have been successful in enabling 2FA for a user.

  • Managed domains were not being returned properly for a SAML v2 IdP configuration. This means that that you could not limit the SAML v2 IdP configuration to users with a specific email domain.


Version 1.6.1

May 2nd, 2019


Version 1.6.0

April 28th, 2019

Database migration

The database schema has changed and an upgrade is required for this version of FusionAuth. You will be prompted to upgrade the database by maintenance mode before you may login.

See Database Upgrades for more information about database migrations.

Please Read

The SAML specification is complex and not all SAML v2 Service Providers are specification compliant. This means your mileage may vary as you utilize the FusionAuth SAML v2 IdP to allow services such as Zendesk, Pivotal and Google G-Suite to log into FusionAuth using SAML v2. If you run into problems open a GitHub issue and we will try to help.


  • Deprecated the following properties SystemConfiguration and Application domain. This is all now managed through Key Master, and existing keys have been migrated into Key Master.

    • jwtConfiguration.issuer

    • jwtConfiguration.algorithm

    • jwtConfiguration.secret

    • jwtConfiguration.publicKey

    • jwtConfiguration.privateKey

  • Deprecated the following property SystemConfiguration.jwtConfiguration.issuer, it has moved to SystemConfiguration.issuer.

  • A new macro was added to the _helpers.ftl that may be managed by your theme. If you have modified the _helpers.ftl template as part of your theme, you will either need to reset that template and merge your changes back in, or add the following code to your _helpers.ftl managed by your theme. If you encounter an issue with this, you will still likely be able to login to correct the issue, if you do get stuck you may disable your theme to login. See

[#macro link url text extraParameters=""]
<a href="${url}?tenantId=${(tenantId)!''}&client_id=${(client_id?url)!''}&nonce=${(nonce?url)!''}&redirect_uri=${(redirect_uri?url)!''}&response_type=${(response_type?url)!''}&scope=${(scope?url)!''}&state=${(state?url)!''}&timezone=${(timezone?url)!''}&${(!''}&metaData.device.type=${(metaData.device.type?url)!''}${extraParameters!''}">


  • Support for SAMLv2 IdP. This satisfies GitHub Issue #3

  • Support for SAMLv2 Service Provider to support federated authentication to a SAMLv2 Identity Provider. This satisfies GitHub Issue #104

  • Lambda support. Lambdas are user defined JavaScript functions that may be executed at runtime to perform various functions. In the initial release of Lambda support they can be used to customize the claims returned in a JWT, reconcile a SAML v2 response or an OpenID Connect response when using these Identity Providers.

    • See the Lambda API and the new Lambda settings in the UI Settings Lambdas.

  • Event Log. The event log will assist developers during integration to debug integrations. The event log will be found in the UI under System Event Log.

    • SMTP Transport errors

    • Lambda execution exceptions

    • Lambda debug output

    • SAML IdP integration errors and debug

    • Runtime exceptions due to email template rendering issues

    • And more!

  • Key Master, manage HMAC, Elliptic and RSA keys, import, download, generate, we do it all here at Key Master.

  • New events

    • user.login.failed

    • user.login.success

    • user.registration.create

    • user.registration.update

    • user.registration.delete

  • Easily duplicate email templates using the Duplicate action.

  • Manage Access Token and Id Token signing separately


  • Insert instant provided on the Import API for Users and Registrations will be reflected in the historical registration reports

  • Additional node information will be available on the About panel when running multiple FusionAuth nodes in a cluster. See System About.


  • If Passwordless login is disabled because no email template has been configured the button will not be displayed on the login panel. If a user attempts to use the passwordless login and the feature has been disabled or the user does not have an email address a error will be displayed to alert the user.

  • If you are using the Implicit Grant and you have Self Service Registration enabled for the same application, the redirect after the registration check will assume you are using the Authorization Code grant. To work around this issue prior to this release, disable Self Service Registration. Thanks to @whiskerch for reporting this issue in GitHub Issue #102.

  • Fixed OpenID Connect federated login. Our JavaScript code was throwing an exception due to the removal of the device field from OAuth. This code wasn’t updated and therefore would not perform the redirect to the third-party Open ID Connect IdP. To fix this issue in 1.5.0 or below, you can remove this line from OpenIDConnect.js on or near line 48: + '&device=' + Prime.Document.queryFirst('input[name=device]').getValue().

  • When you use the Refresh Grant with a Refresh Token that was obtained using the Authorization Code grant using the openid scope, the response will not contain an id_token as you would expect. This fixes GitHub Issue #110 - OIDC and Refresh Tokens. Thanks to @fabiosimeoni for reporting this issue

  • When using the OpenID Connect Identity Provider that requires client authentication may fail even when you provide a client secret in your OpenID Connect configuration.




Version 1.5.0

March 25th, 2019

Database migration

The database schema has changed and an upgrade is required for this version of FusionAuth. You will be prompted to upgrade the database by maintenance mode before you may login.

See Database Upgrades for more information about database migrations.


  • Removed /oauth2/token from the CORS configuration. This change will cause the CORS filter to reject a POST request to the /oauth2/token endpoint when the request originates in JavaScript from a different domain. This will effectively prohibit the use of the OAuth2 Password grant from JavaScript.

  • The device parameter is no longer required on the Login API or the Authorized endpoint in order to receive a Refresh Token. If the device parameter is provided it will be ignored.

  • Correct the Refresh API response body to match the documentation. If you are currently consuming the JSON body of this API using the POST method, you will need to update your integration to match the documented response body.


  • Support for Passwordless login via email. See Passwordless API if you’ll be integrating with this API to build your own login form. To use this feature using the provided FusionAuth login form, enable Passwordless by navigating to your FusionAuth Application Settings Applications and selecting the Security tab.

  • Support for the OAuth2 Implicit Grant. See the OAuth 2.0 & OpenID Connect Overview and OAuth 2.0 Endpoints for additional information.

  • The Authorization Code, Password, Implicit and Refresh Token grants maybe enabled or disabled per application. See oauthConfiguration.enabledGrants property in the Application API, or the OAuth tab in the Application configuration in the FusionAuth UI.

  • The Change Password API can be called using a JWT. This provides additional support for the Change Password workflow in a single page web application. See the Change Password API for additional details.

  • The Change Password API in some cases will return a One Time password (OTP). This password may then be exchanged for a new JWT and a Refresh Token on the Login API. This allows for a more seamless user experience when performing a change password workflow. See the Change Password and Login API for additional details.

  • The Login API can now be restricted to require an API key. The default for new applications will require authentication which can be disabled. Existing applications will not require authentication via API to preserve the existing behavior. The Login API may also be restricted from return Refresh Tokens are allowing an existing Refresh Token be used to refresh an Access Token. These settings will be configurable per Application, see the Application API for additional details, or the Security tab in the Application configuration in the UI. If using the Application API, see the application.loginConfiguration parameters.

  • The c_hash, at_hash and nonce claims will be added to the id_token payload for the appropriate grants.

  • Add support for client_secret_post to the already provided client_secret_basic Client Authentication method. This means that in addition to using HTTP Basic Authentication, you may also provide the client_id and client_secret in the request body.


  • Better ECDSA private and public key validation to ensure the algorithm selected by the user matches the provided key.

  • When using the Change Password workflow in the OAuth2 Implicit or Authorization Code grants, the user will be automatically logged in upon completing a change password that is required during login.

  • The Two Factor Login API will return the twoFactorTrustId as an HTTP Only secure cookie in addition to being returned in the JSON response body. This provides additional support and ease of use when making use of this API in a single page web application. See the Two Factor Login API for additional details.


  • When using the Login Report in the UI and searching by user, if you have more than one tenant you will encounter an error.

  • Validation errors are not displayed in the Add Claim dialog when configuring claim mapping for an External JWT Identity Provider

  • Calling the Tenant API with the POST or PUT methods w/out a request body will result in a 500 instead of a 400 with an error message.

  • When a locale preference has not been set for a FusionAuth admin and the English locale is used the user may see dates displayed in d/M/yyyy instead of M/d/yyyy.

  • Fix some form validation errors during self-registration.

  • The Action user action on the Manage User panel was opening the Comment dialog instead of the Action user dialog

  • When a user has 2FA enabled and a password change is required during login, the 2FA will now occur before the change password workflow

  • When more than one tenant exists, the Forgot Password link on the FusionAuth login page will not function properly.

  • The Logout API may not always delete the access_token and refresh_token cookies if they exist on the browser.

  • The id_token will be signed with the client_secret when HS256, HS384 or HS512 is selected as the signing algorithm. This is necessary for compliance with OpenID Connect Core ID Token Validation. This fixes GitHub issue GitHub Issue #57, thanks to @Garogat for reporting this issue. If you encounter this issue prior to this version, copy the Client Secret found in the UI on the OAuth tab of your Application configuration into the HMAC secret on the JWT configuration tab.

  • The Login API will now return a 400 with an error JSON response body if the applicationId parameter does not belong to any configured applications. Previous to this release, this was treated the same as if the User was not registered to the requested application.

  • A change to the Docker build for permissions reduced the overall fusionauth-app image by ~ 200 MB.

Version 1.4.0

February 4th, 2019

Please Read

The FusionAuth System Requirements have been updated. Please review the updated requirements to ensure you have met the minimum supported versions of operating system and database.


  • Renamed Type enum in DeviceInfo class to DeviceType. This will only affect you if you are using the Java or C# client and reference this enum directly. If you are using this class directly, you may need to update an import in your client code.

  • More than one authorization code may exist for a single user at a given time. This will allow multiple asynchronous requests to begin an OAuth2 Authorization Grant workflow and succeed regardless of order.


  • Self service registration. You may optionally enable this feature per application and allow users to create a new account or register for new applications without building your own registration forms.

  • JSON Web Key set support. This endpoint will be exposed at /.well-known/jwks.json and will be published in the OpenID Configuration metadata endpoint as well. Prior to this release the public keys used to sign JSON Web Tokens were only available in PEM format using the Public Key API, this endpoint will still be available and supported.

  • Added Elliptic Curve signature support for JSON Web Tokens, ES256, ES384 and ES512.

  • Added Typescript client library

  • The Login Report may now be optionally filtered to a particular User in the UI, and the Login Report API will now take loginId or userId.


  • When using Docker compose, if you start up with --pull to update to the latest version of FusionAuth and there happens to be a database schema update, the silent configuration mode may fail. This occurs because the silent configuration was not performing the database schema update automatically. If you encounter this issue, you will need to manually update the schema.

    • This will only occur if you are running a version of FusionAuth prior to 1.1.0 and upgrade using --pull during docker-compose up.

  • When you have multiple tenants created, a tenant may be deleted with an API key that is not assigned to the tenant. This has been corrected and a tenant may only be deleted using an API key that is not assigned to any tenant. This issue will only affect you if you have more than one tenant.

  • Updated Maintenance Mode (setup wizard) to work with MySQL version 8.0.13 and above. MySQL has changed their SSL/TLS handling and our connections were not correctly handling public keys. This has been fixed by allowing FusionAuth to perform a secondary request to MySQL to fetch the public key.

  • Logging in with a Social Login provider such as Google for an existing FusionAuth user may cause them to be unable to login to FusionAuth directly using their original credentials.

  • When using the OpenID Connect Identity Provider, the incoming claim given_name was being saved in the fullName field instead of the firstName.

  • When a user is soft deleted, actioned to prevent login, expired, or they have changed their password since their last login, their SSO session will be invalidated instead of waiting for the session to expire.


  • Upgrade to fusionauth-jwt 3.0.1 in support of Elliptic Curve crypto support.

Version 1.3.1

December 19th, 2018


  • API key will take precedence for API authentication if both a JWT and an API key are provided on the request. For example, when making a GET request to the User API, if a JWT is provided in a cookie, and a valid API key is also provided in the Authorization HTTP header, the previous design was to prefer the JWT. This design point meant that even when an API key was provided, even when providing a valid API key, you would be unable to retrieve any user but the one represented by the JWT.

  • The client_id is no longer required on the OAuth Token endpoint when client authentication is configured as required, in this scenario the client Id is provided in the HTTP Basic Authorization header.


  • When editing the JWT settings in the FusionAuth application the UI a JavaScript error may cause some of the settings to not render properly. This error was introduced in version 1.3.0.

  • Added missing properties to the Application view dialog in the FusionAuth UI.

  • The openid scope may not be honored during login when a user has Two Factor authentication enabled. The symptom of this issue is that the response from the Token endpoint will not contain an id_token even when the openid scope was requested.

  • Validation for the OAuth2 Token endpoint may fail when the client_id request body parameter is omitted and return a 500 instead of a 400 status code.

  • When a OAuth2 redirect URI is registered with a query parameter, the resulting redirect URI will not be built correctly.

  • When trying to configure Elasticsearch engine during maintenance mode the index may get created but fail to leave maintenance mode. FusionAuth makes a HEAD request to Elasticsearch to check if the required indexes exist during startup and prior to leaving maintenance mode. When connected to an AWS Elasticsearch cluster this request does not behave as expected which causes FusionAuth to stay in maintenance mode. This issue has been resolved and should allow FusionAuth to properly connect to and utilize Elasticsearch running in an AWS cluster.

Version 1.3.0

December 5th, 2018


  • An Application may disable the issue of refresh tokens through configuration. See oauthConfiguration.generateRefreshTokens in the Application API or the Generate refresh tokens toggle in the FusionAuth UI when editing an application.

  • The OAuth2 client secret may be optionally regenerated using the FusionAuth UI during Application edit.

  • Support for OAuth2 confidential clients, this is supported by optionally requiring client authentication via configuration. See oauthConfiguration.requireClientAuthentication in the Application API or the Require authentication toggle in the FusionAuth UI when editing an application.


  • Calling the Introspect endpoint with a JWT returned from the Issue API may fail due to the missing aud claim.

  • The MySQL schema previously was using random_bytes which is not available in MariaDB. These usages have been replaced with an equivalent that will function the same in MySQL and MariaDB.

  • When editing or adding a new user in the FusionAuth UI, the Birthdate field may get set automatically before the date selector is utilized. A JavaScript error was causing this condition and it has been fixed.

Version 1.2.2

November 27th, 2018


  • Add X-FusionAuth-TenantId to allowed CORS headers.

  • When FusionAuth is running behind a proxy such as an AWS ALB / ELB the redirect URI required to complete login may not be resolved correctly. This may cause the redirect back to the FusionAuth UI login to fail with a CSRF exception. If you encounter this issue you may see an error message that says Something doesn’t seem right. You have been logged out of FusionAuth. The work-around for this issue if you encounter it will be to perform the redirect from HTTP to HTTPS in your load balancer.

  • Some minor usability issues in the Identity Provider configuration UI.

Version 1.2.1

November 16th, 2018


  • Better error handling when an API caller sends invalid JSON messages. Prior to this enhancement if FusionAuth did not provide a specific error message for a particular field a 500 HTTP status code was returned if the JSON could not be parsed properly. This enhancement will ensure that sending a FusionAuth API invalid JSON will consistently result in a 400 status code with a JSON body describing the error.

  • Allow an Identity Provider to be enabled and disabled from the UI. You may still choose to enable or disable a specific Application for use with an Identity Provider, but with this enhancement you may not turn off an Identity Provider for all Applications with one switch.


  • Preserve Application Identity Provider configuration for disabled Applications when editing a Identity Provider from the UI.

Version 1.2.0

November 15th, 2018


  • Add TTL configuration for Refresh Tokens to the Application configuration. When you enable JWT configuration per Application this value will override the global setting.


  • An error in the Twitter OAuth v1 workflow has been resolved.

Version 1.1.1

November 13th, 2018


  • If you were to have an Identity Provider for federated third party JSON Web Tokens configured prior to upgrading to 1.1.0 FusionAuth may fail during the database migration to version 1.1.0.

Version 1.1.0

November 13th, 2018

Database migration

The database schema has changed and an upgrade is required for this version of FusionAuth. You will be prompted to upgrade the database by maintenance mode before you may login.

See Database Upgrades for more information about database migrations.


  • Social login support

  • Full theme support for login. See the Login Theme tutorial for additional information and examples.

  • Better localization support in the FusionAuth UI. You now have the option to set or modify your preferred language for use in the FusionAuth UI. Providing a preferred language will cause dates to be formatted based upon your preference. For example, the default data format is M/D/YYYY, but if you are not in the United States this may not be the way you expect a date to be formatted. If you set your locale to French you will now see a more appropriate format of D/M/YYYY. This value is stored on the User Registration for FusionAuth in the preferredLanguages field.


  • When viewing sessions (refresh tokens) on the Manage User panel, the start and expiration times will be displayed.

Version 1.0.18

October 29th, 2018


  • If FusionAuth starts up in maintenance mode and stays there for an extended period of time without the User completing the configuration from the web browser, FusionAuth may get stuck in maintenance mode. If you encounter this issue, where you seemingly are entering the correct credentials on the Database configuration page and are unable to continue, restart FusionAuth and the issue will be resolved.

Version 1.0.17

October 5th, 2018


Version 1.0.16

October 5th, 2018


  • Better support for running in Docker. Enhanced silent configuration capability for database and search engine boot strap configuration in Docker Compose to be more resilient.


  • If custom data is added to an Application, Group or Tenant before editing the corresponding object in the UI, the custom data may be lost.

Version 1.0.15

October 1st, 2018


  • Better support for running in Docker. Configuration can be override using environment variables. See Docker Install for additional information.


  • The first time a user reached the failed login threshold and a 409 response code was returned the response body was empty. Subsequent login requests correctly returned the JSON response body with the 409, now the JSON response body is correctly returned the first time the user reaches the failed login threshold.

Version 1.0.14

September 17th, 2018


  • When using PostgreSQL an exception may occur during an internal cache reload request. If you encounter this issue you will see a stack trace in the fusionauth-app.log. If you see this error and need assistance, please open an issue in the FusionAuth Issues GitHub project.

Unexpected error. We’re missing an internal API key to notify distributed caches.

Version 1.0.13

September 12th, 2018


  • General availability release