Release Notes

Looking for release notes older than 1.23.0? Look in the release notes archive. Looking to be notified of new releases?

Version 1.49.1 - Bugfix Beluga

March 6th, 2024

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Changed

  • The Nashorn JavaScript engine has been removed from FusionAuth. All Lambda functions will now use the GraalJS engine which has been available since version 1.35.0. No action is required, but please note that if you had any Lambda functions still configured to use the Nashorn engine they will be migrated to use GraalJS.
  • In prior versions of FusionAuth, if a new themed page was added, until you upgraded your theme by adding this new page, the end user may be shown a page indicate the page was missing. This was shown because it was assumed that a new page would only be shown for a new feature that had not been enabled, and this page would only ever been seen during development. In this release we are adding a new page that may be shown w/out any additional features being enabled. For this reason, we have removed this place holder page, and we will always fall back to the default theme when a page is missing. You will still want to upgrade your theme as part of your upgrade process, but this change will ensure that we will not break any new or existing workflows when a new page is added.

Security

  • An incorrectly formatted SAML request may cause excessive CPU load.
  • Disable additional JNDI settings in the LDAP connector. This update is proactive, there are no known exploits.
  • Add additional protection against cross-site attacks when FusionAuth is acting as a SAML IdP.
  • Audit log entries added by the FusionAuth admin application may contain sensitive information. Sensitive fields will now be masked when written to the audit log. Please note that this does not affect the Audit Log API, only the use of this API by the FusionAuth admin app.
  • Added additional protection against cross-site attacks when using the self-service account pages.

Fixed

  • The default permissions in AWS RDS PostgreSQL version 15.2 caused the initial configuration of FusionAuth to fail to create the tables required to complete the initial configuration. The required permissions are now being explicitly granted, and the errors reported back to the user have been improved.

  • If a user starts a Forgot Password flow, and clicks on a change password link in an email after the link has expired, the redirect back to the original Forgot Password form will not include the locale parameter. This fix ensures that a locale parameter, when present in the change password link, is preserved through this workflow and allows for localization to remain consistent.

  • When setting up a Facebook IdP, an option was provided in the admin UI to select Use vendor JavaScript as a Login method. This option is not applicable and has been removed.

  • Fix the SCIM filter when filtering on userName eq {username} to always return a single result.

  • The LinkedIn APIs have changed, and the LinkedIn IdP no longer worked for new LinkedIn applications. This update allows FusionAuth to work with new and legacy LinkedIn applications.

  • The FusionAuth TypeScript client library was incorrectly encoding arrays values into query parameters. This bug was preventing a few specific search queries from working correctly.

  • When using MySQL, the default Admin user form was missing the First name field. The field could be added to the form, but was missing in the default version.

  • When an invalid Tenant Id was provided on the .well-known/openid-configuration the default configuration was returned. This has been updated to return a 404 status code.

  • When creating a User with a group membership with a specified member Id that was already in use, the requested completed w/out a validation error and the membership was ignored. The API now correctly validates this condition and will return a 400 and a JSON response.

  • When retrieving all refresh tokens for a user, the response may contain the user’s SSO token. The SSO token can be identified because it does not contain an applicationId and it may not be refreshed. Validation has been improved when using the Refresh Grant, or the Refresh API to ensure FusionAuth correctly fails indicating the token is invalid and may not be refreshed.

  • A regression was introduced in version 1.47.0 to the Change Password themed page. The issue is that the passwordValidationRules variable may be null on the first render. If you had been referencing this field in your template, the render may fail.

  • The Identity Provider Link API states that a token parameter can be accepted during a create. When provided, the token was not being persisted on the link.

  • Fix the “Getting Started” link found in the index page in the default theme.

  • When viewing a User’s Consents in the FusionAuth admin UI, if one or more of the consents have been granted by another user that is not a member of their family, an error is shown in the Given by column.

  • When you have configured the JWT signing key with the ES512 algorithm, the generated signature may be intermittently invalid. This means that JWTs may seemingly fail to validate randomly and you may think you are crazy. You are not crazy. If you are using this signing algorithm, it is recommended you use a different algorithm until you are able to upgrade.

  • SCIM PATCH requests may fail to parse if an op path value contains a named schema containing a . (dot). This parsing error has been corrected.

    For example: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department

  • When an SCIM create or update request contains schemas for which no properties exist, subsequent PATCH requests to those schema namespaces may fail.

    For example, if the initial request contains a schema urn:ietf:params:scim:schemas:extension:enterprise:2.0:User without any properties, the default lambda function used to map this request to FusionAuth was not persisting this schema namespace. Then a subsequent PATCH request to add a member to that namespace such as urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department would fail.

    The default SCIM request converter (Lambda function) has been updated to correct this behavior.

Enhancements

  • Link checkers are great. They aim to protect end users from malicious links and phishing attacks. However, they wreak havoc and pain on identity providers using email based workflows to complete passwordless login, or email verification. And FusionAuth is one of those identity providers!

    FusionAuth has employed various tactics over the years to stay ahead of the techniques used by these 3rd party tools. Their techniques continue to evolve making it difficult or impossible to know the difference between a link checker and a real human interacting with the link.

    A new confirmation page has been added that is intended to protect the user, and make our email workflows immune to link checkers.

    For example, when a user initiates a request such as passwordless login, and then completes the request in the same browser, the user will not observe any change. If the user completes the request on a different browser, or completes a request they did not initiate - such as clicking on an email verification link sent when a use is provisioned by an administrator, the user will be prompted to confirm they wish to complete the request.

    If you are using a custom theme, you will want to upgrade your theme to include this new page. Until you complete this upgrade, the default theme will be used for this new page. In the FusionAuth admin UI, the theme page will be named Confirmation required.

  • Ensure the Login API never fails validation due to a timing issue with an Application cache. This rarely affects runtime, but this can be useful for testing where you may create an application and immediately perform a login.

  • Add a trusted proxy configuration to the System Configuration. This new configuration allows you to define one or more trusted upstream proxies using an IP address, or range of addresses using a CIDR notation.

    A client IP address will be captured in a login record, sent to webhooks, and used to provide access when IP ACLs are configured. To correctly resolve the client IP address, we often will need to use the X-Forwarded-For request header.

    This header is modified when it passes through a proxy. In order to trust the contents of this header and resolve the client IP address, FusionAuth must know if it can trust all proxies implicitly, or to only trust those that are explicitly configured as trusted. The change is to optionally configure FusionAuth to no longer trust any upstream proxy that is not explicitly configured as trusted.

    This new configuration can be found in the FusionAuth admin UI by navigating to Settings > System > Networking, or on the System Configuration API.

Internal

  • Update 3rd party dependencies.
    • Upgrade org.postgresql:postgresql 42.6.0 to 42.7.2
    • Upgrade com.fasterxml.jackson 2.15.2 to 2.15.3
    • Upgrade org.mybatis:mybatis 3.5.13 to 3.5.15
    • Resolves GitHub Issue #2534
  • During a reindex operation, log the progress based upon a fixed time interval instead of every 250k records. This ensures the output is predictable regardless of the reindex performance.

Version 1.48.3

December 6th, 2023

Fixed

  • Update the refresh token TTL when using the sliding window with a maximum lifetime JWT Expiration Policy. The symptom of this bug is that a refresh token will expire before the maximum configured lifetime.

Version 1.48.2

November 21st, 2023

Fixed

  • When paging beyond 10,000 in the FusionAuth admin UI for Users or Entities, the bottom set of pagination controls may not work. If you encounter an error when clicking on the pagination controls, use the top set of controls instead. This bug is specific to the new pagination introduced in version 1.48.0.
  • In some cases when using with FusionAuth-hosted pages in an non-secure context, such as accessing FusionAuth on localhost, the PublicKeyCredential JavaScript API will not be available. This may cause an error on your JavaScript console PublicKeyCredential is not defined. This error kept the form on the page from correctly submitting.
  • In version 1.48.0 a change was made to reject a link request from an OpenID Connect IdP when the email_verified claim is supplied with a value of false. An assumption was made that the email and email_verified claims would both be present in the Userinfo response or the id_token. Some providers may split these claims, so this assumption has been removed.

Security

  • Correct the validation of the post_logout_redirect_uri parameter on the OAuth2 Logout request for relative URIs intended for use for FusionAuth applications.

Internal

  • Improve our JWT validation for internal security schemes by failing faster on invalid tokens.

Version 1.48.1

October 29th, 2023

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Fixed

  • A bug was identified in a change made in version 1.48.0 that may affect performance for those with > 1M users.

Version 1.48.0 - Webhook Walrus

October 27th, 2023

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Known Issues

  • A bug was identified in a change made in this version that may affect performance for those with > 1M users.

Changed

  • We are officially announcing the end of life for the Nashorn JavaScript engine used by FusionAuth Lambda functions. All new functions have defaulted to the GraalJS since version 1.35.0. The engine is not being removed in the release, but this is an official notice that we plan to remove this engine in early 2024. Please review your lambda functions and ensure the engineType is set to GraalJS.
  • We are officially announcing the end of life for the fusionauth-search package. This is currently available in a .deb, .rpm and .zip bundle for various platforms. This package is still available, but the plan is to stop building this at the end of 2023. Please make plans to discontinue use of the fusionauth-search package if you are currently using it.
  • When the OpenID Connect or External JWT Identity Provider is configured to Link by Email and the IdP returns a claim named email_verified and the value is false, the link request will be rejected. This change is intended to reduce the risk of linking on an un-verified email address.

Security

  • When an IdP is configured to Link by Email or Link by Username and a user already exists with this email or username respectively, perform additional validation to ensure the user does not already have an existing link to the current Identity Provider. This only affects IdP that allow for one to many tenants to be accessed through a single IdP configuration. In practice this means that the IdP cannot guarantee that an email address is considered globally unique and only assigned to a single user.
  • A bug was identified in the multipart/form-data parser that may cause elevated CPU usage in some specific cases.

Fixed

  • Enhance the widget used in multi-value select controls to accept a value when pasting. For example, you may now paste a value from the clipboard directly into the Authorized redirect URLs field. While previously the paste operation worked, the user would have to click the value to confirm. If you clicked off of the field, the value would not be saved.
  • Correct the error message when a user has enabled MFA and a webhook returns a non-200 status code for the user.login.success event. The message will now correctly indicate the webhook has failed instead of the previously incorrect error indicating an invalid token was used.
  • When viewing an Email Template in the FusionAuth admin UI, two dialogs open instead of one. This was the result of two event handlers being bound instead of one.
  • When using the asynchronous tenant delete, it is possible for the delete job to fail if the system is under heavy load. When this occurs the delete job status may not be correctly updated and you are stuck in a Deleting state. The asynchronous job processor has been enhanced to account for this potential failure condition so the job can be correctly restarted if necessary.
  • Correct a potential race condition that could cause a request to the /.well-known/jwks.json endpoint to exception and return a 500 status code when under heavy load.
  • The Lambda metrics introduced in version 1.47.0 may not always correctly increment the failed count when a lambda invocation failed. This affects the lambda.[*].failures and lambda.[{webhookId}].failures metric names.
  • When using the PATCH method on the Tenant API, if you previously had any explicit webhooks configured for this tenant, the association between the tenant and the webhook was lost. If you are not using webhooks, or all of your webhooks are configured for All tenants (webhook.global), this bug would not affect you.
  • Improve the validation for the Entity API to correctly validate the type.id value. Because this value was not being correctly validated, it means the API caller may receive a 500 status code instead of a 400 with a developer friendly JSON response body to indicate how the input can be corrected.
  • A critical bug was identified that caused FusionAuth to incorrectly identify users eligible for deletion based upon the tenant policy to delete users with an unverified email address. Until you have upgraded to version 1.48.0 please disable Delete unverified users if you currently have enabled Email verification, Verify email when changed and Delete unverified users.
  • A bug was identified that affected several APIs when using the PATCH method with fields that require custom deserializers in FusionAuth. Affected APIs included Application, Connector, Message Template and Identity Provider. The symptom you will observe is a failed request with a 500 status code.
  • When using PostgreSQL, under heavy load, a potential deadlock conditions exists when attempting to write login metrics to the database. MySQL database was not affected by this bug. If you were to encounter this bug you may observe some exceptions in the log related to the LoginQueue.
  • Fix a JavaScript error that was preventing Audit Log searches by user from returning results.
  • Resolve an issue where users could not enable two-factor authentication during authentication when they were not registered for the application. Thanks to @wproffitt-elder for reporting!
  • When using the Refresh Token API, un-expired SSO sessions may be incorrectly omitted from the API response. The result of this bug is that an active SSO session may not be displayed in the FusionAuth admin UI. This has now been corrected, and the FusionAuth admin UI and the Refresh Token API will correctly return all valid SSO sessions.
  • If the search.servers configuration value was not added to the fusionauth.properties configuration file, and you omit the SEARCH_SERVERS environment value, FusionAuth would fail to start. The correct behavior is for FusionAuth to default to http://localhost:9021.

Enhancements

  • Enhance the User and Entity Search APIs to paginate beyond 10,000 results. The Search API response will now include a nextResults value that can be used to ask for the next set of search results which enables the API to paginate through the entire available result set.
  • When using the Webhook test action in the FusionAuth admin UI, additional information will now be returned if the webhook returns a non-200 status code. This should make it simpler to debug your webhook integration. Prior to this change, the response would only indicate if the response was successful or not.
  • When using the Webhook test action in the UI, changes to the example request body were not preserved. Changes will now be preserved across send requests for the browser session. This means a test can be run repeatedly without having to perform the same edits to the default event request body.
  • Support specifying webhook SSL certificates from Key Master. Prior to this enhancement, if you needed to specify an SSL certificate, it had to be added to the webhook in PEM format. You may now store this certificate in Key Master and then use this same certificate between webhooks.
    This change is backwards compatible, but the ability to manually specify X.509 certificates in PEM format on the webhook configuration has been deprecated and may be removed in the future. See the Webhook API sslCertificateKeyId field for additional details.
  • Modal dialogs in the FusionAuth admin UI can now be closed by using the escape key or by clicking outside of the modal.
  • Add support for signing webhook events with a SHA-256 hash function. This feature will allow consumers of FusionAuth events to verify the message body has not been modified. The signature is contained in a JWT and will be sent using an HTTP request header named X-FusionAuth-Signature-JWT. You may use existing JWT verification strategies including consuming the public key from the JWKS endpoint.
  • Expose the id_token returned by the Identity Provider to the Reconcile Lambda function when available. If the id_token is returned by the IdP and the signature can be verified it will be now be passed to the lambda function in the tokens argument. Example: tokens.id_token.
  • Add the curl command to the FusionAuth Docker image. This allows you to use the curl command for use in health checks or anytime you need to use curl!
  • Support for optional expansion of the user.registrations and user.memberships properties on the User Search API.
    This change is backwards compatible, but you may optionally request the Search API omit these properties on the response which may improve performance. See the User Search API for additional details on using the expand request parameter, and the expandable response value.
  • Enhance the error messaging returned to the end user when using the Test SMTP button in the FusionAuth admin UI. This enhancement will make it easier to test your SMTP configuration.
  • Reduce un-necessary logging when fuzzers send parameter names containing class.
  • When updating a theme, a validation error will be returned if you are missing messages. Currently the error response does include the missing message keys. This error response is now enhanced to return the keys and the default values from the default theme. This allows you to optionally parse the response for the missing keys and values.
  • Expose the access_token returned by the Identity Provider to the Reconcile Lambda function. The access_token will now be passed to the lambda function in the tokens argument. Example: tokens.access_token.
  • When the id_token is returned from the IdP and the signature can be verified it will now be used to optionally resolve the uniqueIdClaim in addition to the emailClaim and usernameClaim. This means you can configure the uniqueIdClaim to a claim that is only available in the id_token. Prior to this change, the id_token could only be verified if it was signed using the an HMAC algorithm using the client_secret. With this change, if the IdP publishes public keys using the JWKS endpoint that is resolved from the .well-known/openid-configuration FusionAuth will attempt to validate the signature.

Internal

  • Update 3rd party dependencies to remove CVE scan warnings and to stay current. These upgrades are simply a precautionary measure to stay current.
    • Upgrade google-guice 5.1.0 to 6.0.0
    • Upgrade google-guava 30.1.0 to 32.1.2
    • Upgrade java-http 0.2.0 to 0.2.9
    • Upgrade kafka-clients 2.8.2 to 3.6.0
    • Upgrade prime-mvc 4.11.0 to 4.17.1
    • Upgrade snappy-java 1.1.8.1 to 1.1.10.4
    • Resolves GitHub Issue #2385
  • Upgrade to the latest Java 17 LTS. Upgraded from 17.0.3+7 to 17.0.8+1.
  • Update the logging configuration when using the fusionauth-search distribution (.deb, .rpm, or .zip) to be more consistent with the fusionauth-app logging configuration. If you are using Elasticsearch or OpenSearch in Docker or other off the shelf installation of Elasticsearch or OpenSearch this change will not affect you.
  • Update the FusionAuth static file resolution configuration to further limit class path resolution. While no known security risks exist with the current behavior, it is not necessary.

Version 1.47.1

July 27th, 2023

Fixed

  • Revert the GC (garbage collection) logging change introduced in version 1.47.0 for compatibility with the FusionAuth docker image.
  • Resolves GitHub Issue #2392, thanks to @pigletto and @patricknwn for reporting.

Version 1.47.0 - Performance Panther

July 25th, 2023

Please be sure to read the notes in the Changed section before upgrading.

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Known Issues

  • The garbage collection logging change introduced in version 1.47.0 was not compatible with the way the FusionAuth docker image was built. You will need to use version 1.47.1 if you will be using the FusionAuth docker image.
  • The passwordValidationRules variable may be null on the first render of the Change Password themed page. If you had been referencing this field in your template, the render may fail.

Security

  • A race condition exists when using a refresh token with a one-time-use policy where the same token value could successfully be used twice to obtain a new access token. In practice this would be very difficult to replicate outside of a scripted example.
  • Use a CSRF token with all federated login requests. This change will add additional protection when using a federated login to ensure the login is completed from the same browser that started the login workflow. This mitigates an attack vector that can be used in phishing attacks where a victim could be convinced to click on a link that would cause the user to unknowingly complete a login.

Changed

  • A change was made to the OAuth2 origin validation code. This change is not expected to cause any change in behavior for anyone with configured Authorized Origin URLs. The change is to inspect the port in addition to the schema and host when comparing the request and the Referer or Host header to determine if the request has originated from FusionAuth. One possible edge case that could be affected is if you using localhost in development for both FusionAuth and another application. In this example, it is possible that FusionAuth was not validating the Origin of requests from your application running on localhost correctly. If you encounter this case, you can either remove all Authorized Origin URLs from your configuration, or add the origin of your application so that it can be correctly validated.
  • Due to the necessary change related to adding a CSRF token when performing a federated login, a manual change may be required to your themed login pages. Please read through these details to understand if you will be affected.
    If you are using any 3rd party IdP configurations such as OpenID Connect, SAML v2, Google, Facebook with a custom theme, you will need to make a modification to your template in order for federated login to continue to work correctly.
    If you are not using any 3rd party IdP configurations, or you are not using a custom theme, no change will be necessary.
    If you will be affected by this change, please review the following details and then make the update to your theme as part of your upgrade process.
  1. Find the alternativeLogins macro usage in oauth2Authorize and oauth2Register and add federatedCSRFToken=federatedCSRFToken as the last argument to this macro.
[#-- Updated macro usage. Line breaks added for readability. --]
[@helpers.alternativeLogins clientId=client_id
                            identityProviders=identityProviders
                            passwordlessEnabled=passwordlessEnabled
                            bootstrapWebauthnEnabled=bootstrapWebauthnEnabled
                            idpRedirectState=idpRedirectState
                            federatedCSRFToken=federatedCSRFToken/]
  1. Find the macro named alternativeLogins in helpers and add federatedCSRFToken="" as the last argument to this macro.
[#-- Updated macro in helpers. Line breaks added for readability. --]
[#macro alternativeLogins clientId
                          identityProviders
                          passwordlessEnabled
                          bootstrapWebauthnEnabled=false
                          idpRedirectState=""
                          federatedCSRFToken=""]
  1. Find the element <div class="login-button-container"> in the macro named alternativeLogins in helpers and add id="login-button-container" and data-federated-csrf="${federatedCSRFToken}" attributes.
[#-- Updated div in alternativeLogins macro. Line breaks added for readability. --]
<div id="login-button-container"
     class="login-button-container"
     data-federated-csrf="${federatedCSRFToken}">

Fixed

  • Ensure a signed AuthN request always has the Signature element as the next sibling after the Issuer element. This bug may cause some SAML v2 services provides to reject the signature of an AuthN request sent from FusionAuth.
  • Upgrade our phone number validation to include the Kosovo country code of +383. This upgrade will add support for various other country codes as well. See linked GitHub issue for more detail.
  • Defend against corporate link “checkers” such as Outlook Safe Links and Google Workspace during the Change Password email workflow. This fix resolves a specific symptom that may occur when a link sent to a user during a change password workflow and the user has multi-factor authentication enabled. The symptom the end user may encounter is that multiple codes may be sent to the user during this workflow. When the two-factor method is email, multiple emails may be received, and when two-factor method is SMS, multiple SMS messages may be received. The cause of this symptom is that the link is being inspected by an intermediate party prior to the user’s browser loading the link which functionally means the request is made more than once.
  • Improve locale validation, and restrict the number of preferred languages per user to 20. This should not have any practical impact on users of FusionAuth, but it will better protect FusionAuth from storing erroneous values for the user’s preferred languages. If you have users that speak more than 20 languages, you will need to ask them to pick their top 20 favorites. 😎
  • Improve username validation. This length limitation was already enforced by the schema, but the error message was not developer friendly. This change will add a proper validation error in the API response.
  • Update the Tenant view dialog in the admin UI to reflect the changes made to the /.well-known/openid-configuration endpoint in version 1.46.0. This is a cosmetic change only, and does not include any functional fixes.
  • Fix Tenant select control on Group index page in the admin UI when only a single tenant is configured. This is just a cosmetic fix to how the form was being rendered.
  • Reduce Kafka logging. So noisy.
  • Protect the Kafka event sender from sending events related to it’s own failure. This protects us from overloading the Kafka topic.
  • Fix the user.registration.update.complete event to include the updates roles if applicable.
  • Better defense against a truncated oauth_context request parameter. This parameter is passed around during various OAuth2 workflows to maintain context. This changes allows FusionAuth to fail more gracefully if this is value is intentionally or un-intentionally modified by a 3rd party.

Enhancements

  • Add user.preferredLanguages to the basic self-service registration to allow a user’s preferred language to be collected and then utilized to send localized emails without using advanced self-service registration.
  • Improve handling of cache reload requests under heavy load. This should improve system performance at scale when mass creating or deleting of various items such as applications and keys.
  • Add timers and metrics around lambda invocations and the use of HTTP Connect within a lambda function. This should help customers tune and manage lambdas by providing additional insight into the total execution time.
  • Add configuration to accept any named parameter as a login hint coming from the SAML v2 SP when FusionAuth is acting as the SAML v2 IdP. Prior to this change, FusionAuth would accept login_hint if provided on the request. However, this value can not be configured or optionally disabled.
  • Add identityProviderName to the IdP Link API response.

New

  • Support SAML v2 assertion encryption when FusionAuth is acting as the SAML v2 IdP. This means FusionAuth is now compatible with a SAML v2 SP that requires encrypted assertions.

Internal

  • Add aggregate HTTP request timers and metrics that can be retrieved by the Status API and Prometheus Metrics API.
  • Update 3rd party dependencies.
  • Enable GC (garbage collection) logging. A new log named fusionauth-app.gc.log will be found in the log directory.
  • Improve performance and overhead when downloading and storing the IP location database required for resolving location meta-data for logins by IP address.

Version 1.46.0

June 19th, 2023

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Security

  • An edge case exists where the CAPTCHA may be bypassed when using Advanced Registration forms.
  • Perform additional validation on the user_code when completing a Device Grant by way of the Authorization Code Grant, Implicit Grant, or Password Credentials Grant.
  • Perform additional defensive validation on self-service edit form.
  • Mitigate a potential directory traversal attack. CloudFlare, AWS and similar cloud providers will generally block these requests by default.
    • Please note, FusionAuth Cloud customers are not vulnerable to this type of attack.
    • Resolves GitHub Issue #2299

Fixed

  • Always send email verification on user email change when configured for user self-service
  • Resolve a JavaScript bug when enabling MFA during login. The bug caused an error to be written to the JavaScript console, but no functional errors occurred.
  • When the user.login.success is configured to be transactional and the webhook returns a non 200 status code when the event is fired during the final step of the change password workflow, the failed webhook may not fail the login attempt.
  • Resolves GitHub Issue #2288
  • When enabling IdP initiated login on a SAMLv2 IdP, the base ACS url is hidden in the view dialog
  • When an applicationId is provided on a Two Factor Start or Send APIs, the application variable may not available in the email template.
  • APIs that optionally take a sourceId to indicate you wish to copy will now fail validation if you provide additional parameters in the body that will otherwise be ignored.
  • When adding a user to multiple Groups using the /api/group/member API, the request may fail.
  • When using a wildcard for authorized origin URL, you may receive an invalid origin error.
  • The memory value for fusionauth-app.memory set in the fusionauth.properties file may not be set correctly.
  • When using custom data with nested values such as user.data.company.name and user.data.company.id in an Advanced Registration form the nested values may not be properly persisted.
  • When using the admin UI to update an IdP with >6k applications the request may cause a database error.
  • Add index entity_user_grants to increase SELECT performance
  • When using the validateJWT method in the FusionAuth Java REST Client, the exp or iat claims may have the incorrect precision.
  • OpenAPI spec missing some endpoints
  • A change in behavior was introduced in version 1.41.0 that may cause an error when accessing FusionAuth in Docker. The change was how the Host header was being parsed to pick up the local port.
  • The user.create.complete and user.registration.create.complete events may be sent before the transaction has closed during IdP Login.
  • Correct the internal authentication to receive an internal webhook between FusionAuth service nodes. If you encounter this error, you may see errors in the event log that mention returned response code [401] when sending [JWTRefreshTokenRevoke] event. This error was introduced in version 1.37.0 and the error only occurs when you have more than one FusionAuth service node.
  • When you have enabled Implicit Email Verification, when completing a Multi-Factor login, a user.email.verified event may be sent even if the user has already verified their email address.
  • When the user.reactivate event is configured to be transactional and the webhook returns a non 200 status code, the transaction may not be correctly rolled back.
  • When making a request to the self-service pages, such as /account/ ensure any additional query parameters are preserved through a login workflow.
  • When the user.create event is configured to be transactional, ensure the Setup Password email is not sent if a user.create webhook returns a non 200 status code.
  • When using the Device Grant with the /oauth2/device themed page, you may be shown a Logout button if an SSO session exists during this workflow. Clicking this button will log the user out of the SSO session and return to this page. This fixes the logout link so that you do not receive an error when returning to the /oauth2/device page. A workaround is documented in the linked GitHub issue.

Enhancements

  • The OAuth2 Introspect endpoint now optionally takes a client_secret.
  • A token obtained from the Client Credentials Grant may now be used with the OAuth2 Introspect endpoint.
  • An additional JWT Expiration Policy is now available to configure a sliding window with a maximum lifetime.
  • The OpenID Connect discovery endpoint will now accept the tenantId as a URL segment. This should make it easier to integrate with providers that would not otherwise allow a query parameter on this URL to specify the tenantId.
  • Provide a validation error when using the /api/jwt/reconcile API with any IdP type ExternalJWT.
  • Add configuration to allow unauthenticated access to /api/status and /api/prometheus/metrics APIs from localhost.
  • Add additional support in the default theme to use Google reCAPTCHA v2 in an invisible mode w/ CAPTCHA fallback.
  • Allow any string value in the metaData.device.type property on various APIs.

New

  • Allow Device Grant to be completed out of band.
    • New API /oauth2/device/approve
    • New API /oauth2/device/user-code
    • Resolves GitHub Issue #2218
  • New API to retrieve a pending IdP link.

Internal

  • Upgrade Apache FreeMarker from version 2.3.30 to 2.3.32.
  • Upgrade FusionAuth Java HTTP dependency from version 0.1.13 to 0.1.14.
  • Upgrade Prime MVC dependency from version 4.7.1 to 4.9.10.

Version 1.45.4

July 25th, 2023

Fixed

  • Ensure we correctly handle a truncated or malformed oauth_context request parameter when using the hosted login pages.

Version 1.45.3

May 31st, 2023

Fixed

  • Update fusionauth/java-http to the most recent version to pick up a bug fix.

    This fixes a very low level HTTP server bug. In some rare cases, the HTTP response handler may not identify the end of the stream and effectively truncate the response body. It is difficult to say how may affect your integration if you were to encounter it. If you were to make an API call with a large response body, it may be possible the response would not include a valid JSON object if the response is truncated. When this error occurs, the HTTP status code will be valid, but the response will be truncated or non-existent. For additional detail see the linked commit in the linked GitHub issue.

Version 1.45.2

May 8th, 2023

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Fixed

  • If you have configured an access token signing key specific to an entity type, the signing key configuration may revert to the tenant configuration after upgrading to this version.

    It is recommended to upgrade to this version at a minimum if you are coming from a version prior to version 1.45.0.

    • For more information on this issue, see the Known Issues in the 1.45.0 release notes.
    • Resolves GitHub Issue #2249

Version 1.45.1

April 14th, 2023

Changed

  • Add additional validation when adding authorized origin to the OAuth2 configuration to ensure the values do not include a path or query string. This change will only affect validation when adding or editing the application configuration. This change will not affect existing configured origins or their use at runtime.

Fixed

  • Support for wildcard configuration when using post_logout_redirect_uri parameter on the OAuth2 Logout request.
  • Fix salt validation for the phpass-md5 or phpass-sha512. This will allow the import of users with this password hash when the salt includes a . (period) character.

Version 1.45.0

April 10th, 2023

Known Issues

  • When importing users using the phpass-md5 or phpass-sha512 schemes shipped in this release, if the salt contains a period (.) the import will fail validation.

  • If you have configured an access token signing key specific to an entity type, the signing key configuration may revert to the tenant configuration after upgrading to this version.

    If you wish to upgrade before a fix is available, please document your access token signing key configuration for each entity type that has provided a specific signing configuration. Then, once the upgrade has completed, review each entity type and confirm the correct signing key configuration. If the configuration is not correct, set the signing key to the previously documented signing key.

    To verify if this issue may affect you during upgrade, confirm your signing configuration for each configured entity type.

    • Navigate to Entity Management -> Entity Types -> Edit -> JWT.
    • If you have not enabled Entity Type specific JWT signing, this section will be collapsed and this entity type will not be affected during upgrade. If the signing configuration is enabled and you have configured a key for the Access token signing key field, you may be affected. Please record this setting and ensure it has not changed after the upgrade has completed.

    If you have not yet upgraded to version 1.45.0, it is recommended to move to version 1.45.2 or later at a minimum and skip this version if you have confirmed you may be affected by this issue.

Security

  • Update usage of verificationId on gated email or registration verification pages when configured to use a clickable link instead of a short code.
  • Update 3rd party dependencies to remove CVE scan warnings. No known exploits are vulnerabilities exist in FusionAuth as the result of using these 3rd party clients. These upgrades are simply a precautionary measure to stay current.
    • Upgrade Elasticsearch client from version 7.10.2 to 7.13.4.
    • Upgrade GraalJS from version 22.3.0 to 22.3.1.
    • Resolves GitHub Issue #2183

Fixed

  • Validate the length of an entity name in order to provide a more friendly validation error message.
  • Updates to the OpenAPI spec to correct an error related to BaseSAMLv2IdentityProvider.
  • Review and correct tooltips in the admin UI for Application specific email templates.

Enhancements

  • De-couple the self-service themed account pages from SSO. You may now use the self-service account pages even if you choose not to preserve your SSO session. For example, you can un-check the “Keep me signed in” checkbox and still use the self-service pages.

    Also allow the self-service account session to be bootstrapped from a mobile application using token authentication, also known as the Bearer authentication scheme. This mechanism provides access to the self-service themed pages even if you are unable to share cookies with the web view used to complete login.

    Example request header: Authorization: Bearer <access_token>

New

  • Add a policy to require a user to provide their current password when changing a password on the self-service account pages. See Applications -> Edit -> Registration -> Form settings -> Require current password.

  • Integrate the Authorization Code grant workflow into FusionAuth for use with single page web applications. This feature may be used with the FusionAuth React or Angular SDKs to support the use of the Authorization Code grant without having to write any backend code.

    And there was much rejoicing. 😅

  • New Search APIs. These new APIs provide search and pagination capability across more APIs and may increase performance when using the FusionAuth admin UI with larger numbers of Tenants and Applications.

    Applications, Consents, Groups, Tenants, Themes, Keys, API keys, User Comments, Email Templates, Identity Providers, Webhooks, and Lambdas. (🦁 🐯 🐻 … oh my!)

  • Add support for Drupal MD5, SHA-512 hashes for easier import

Internal

Version 1.44.0

March 13th, 2023

Additional details
This migration will add an index to the identity_provider_links table. It is not expected to negatively impact the migration time during upgrade, but please be aware that deployments with millions of Identity Provider Links may experience additional processing time during the migration.]

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Fixed

  • A Lambda invocation may incorrectly fail indicating a recursive call was attempted. This is unlikely to occur, but under heavy load, it is possible.
  • The Application API was failing to make a copy when using sourceApplicationId when the source Application has enabled and configured the SAML v2 IdP. This is a bug in a new feature that was added in version 1.43.0.

Enhancements

  • Add default configuration for read and connect timeouts to the SMTP server configuration. This helps protect FusionAuth against an SMTP server that never closes a socket. From time to time we observed an SMTP server hold open a socket, and tie up a send thread which may block other senders.
  • Change Link API request body to match the response. Backwards compatibility is maintained, but this provides a more consistent API feel.
  • Update the Google IdP JavaScript in the themed pages. This change removes the deprecated Google JavaScript library, and adds support for One Tap.
  • Return a 404 with status only for anything under /api/* instead of rendering a 404 page with HTML. It just seems like the right thing to do. Nobody wants HTML in their APIs!
  • Add a new index to the identity_provider_links table to increase performance. Better. Faster. Stronger.
  • Add apiMode: [Public|Partner] to allow the user to select between the public or partner Steam API. The Partner API is preferred if you have access to it because it is not rate limited.

Internal

  • Use Cache-Control: no-store more broadly in the FusionAuth admin application.

Version 1.43.2

July 9th, 2023

Changed

  • The User and User Registration APIs will now restrict user.preferredLanguages and registration.preferredLanguages to a maximum of 20 values. Additionally each value can be no longer than 24 characters. This change is not expected to impact any existing integrations. Do let us know if you have a use case that is not compatible with this change.

Fixed

  • When an event fails to be sent to a Kafka topic, do not attempt to send an event-log.create event that results from the failed request. Correct an edge case that exists where an event-log.create event fails to be sent to a Kafka topic, and this error causes another event-log.create event to be triggered.
  • Limit the length of a valid value for user.preferredLanguages and registration.preferredLanguages to a maximum of 24 characters, and restrict the total number of values to 20 or less.

Internal

Version 1.43.1

March 6th, 2023

Fixed

  • Correct a potential FreeMarker render error caused by a missing CSRF token when performing an SAML v2 IdP initiated login to the FusionAuth admin UI. This error is a side effect of the caller not requesting the scope=offline_access parameter. With this fix, you should no longer encounter the error, and the offline_access scope is now optional on the request. A workaround is to request the offline_access scope.

Version 1.43.0

February 15th, 2023

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Known Issues

  • Creating a new application from another application with sourceApplicationId returns a 500 error when the source application has SAML v2 enabled and configured. If you have not configured SAML v2, you will not be affected by this issue. Workaround is to call Create Application API without the sourceApplicationId parameter and supply all the parameters copied from the source application.

Fixed

  • Support importing an x.509 certificate with a private key into KeyMaster in the admin UI.
  • When using the Forgot Password workflow on the FusionAuth login page with a user without an email address, the page would refresh instead of redirecting to the success screen indicating an email had been sent.
  • The Change Password API was incorrectly failing indicating a Trust Token was required even when provided if the user has MFA enabled.
  • Ensure that we correctly terminate an SSO session when beginning a new passwordless login flow with a different user in the same browser.
  • Fix various limitations with adding a consent to a self-service account form.
  • An error may occur when logging into the FusionAuth admin UI with an IdP initiated request from a SAML v2 IdP.
  • An error may occur when logging into the FusionAuth admin UI with an IdP initiated request from a SAML v2 IdP and then navigating to your own profile page.
  • When taking a User Action, the duration is localized for the event. The localization is only available for a fixed number of locales. When an un-supported locale, such as Serbian is requested, an exception will occur. This has been fixed to avoid the exception, and if an un-supported Locale is requested, English will be used as the default.
  • When sending a test event to verify the Kafka configuration, the topic was not being validated as required.
  • When completing the forgot password workflow using the FusionAuth themed pages outside of an OAuth context, you may receive an error that says Oops. It looks like you've gotten here by accident..
  • Update the Email Template preview in the view dialog to be consistent with the preview in the edit page.
  • Restrict the Two Factor Trust during a Change Password request to be used for the workflow that started the request.
  • Fix the edit Form Field in the FusionAuth admin UI for a consent field.
  • Using password reset to unlock account may not work when MFA is enabled for the user. This is a bug in this new feature that was added in version 1.42.0.

Enhancements

  • Additional configuration for the Apple IdP to support login from Mobile and Desktop.
  • Update the System Log viewer in the FusionAuth admin UI to order logs for easier viewing pleasure.
  • Allow Forgot Password API usage when the Forgot Password Email template is not configured if sendForgotPasswordEmail is false.
  • Provide better developer feedback on the Change Password API when using an API key.
  • Allow the SAML v2 IdP to be used for both SP and IdP initiated login. Previously to utilize SP and IdP initiated login for the same SAML v2 IdP, you would have to create two separate configurations. It is still recommended to use the separate SAML v2 IdP initiated configuration if you will not be using an SP initiated login.
  • Support for PostgreSQL 15
  • Add an option to include archived logs in gzip format on the System Log Download API. This will be the default when downloading the logs in the FusionAuth admin UI.
  • Allow the login hint that is passed to a 3rd Party SAML v2 IdP to be configured. Previously this was always login_hint, but Azure will expect username, this can now be configured.
  • Add sourceApplicationId to the Application API to create an app from an existing Application to copy settings. This allows you to more easily use a single Application as a template, or to just make a copy.
  • Ship default email templates for Add and Remove Multi-Factor methods.
  • Add additional SAML IdP config to allow advanced assertion capabilities such as allow any destination, or alternate values. This is sort of a dangerous power user feature, but can be useful when migrating IdP configurations into FusionAuth w/out requiring each IdP to update their ACS.
  • Add additional detail to the edit registration form in the FusionAuth admin UI so you know which user you are editing. Seemed like a good idea.
  • Do not validate Content-Type when a payload has not been provided.

New

Version 1.42.1

January 8th, 2023

Fixed

  • A regression error in version 1.42.0 may cause a user to no longer be able to login after a successful login. In order to encounter this bug, you must have your tenant configured to re-hash passwords on login, and have a user login when their password encryption scheme or factor that does not match the configured tenant defaults. If you may have this type of configuration, please do not upgrade to version 1.42.0 and instead upgrade directly to this version.

Version 1.42.0

December 7th, 2022

Known Issues

  • In this release, you may now create a policy to allow a user to unlock their account after too many failed login attempts by completing a forgot password workflow. A bug was identified in this new feature that may cause this workflow to fail if the user also has 2FA enabled.
  • An error was introduced that may, after one successful login, cause subsequent logins to fail for a user. In order to encounter this bug, you must have your tenant configured to re-hash passwords on login, and have a user login when their password encryption scheme or factor that does not match the configured tenant defaults. If you may have this type of configuration, please do not upgrade to version 1.42.0 and instead upgrade directly to version 1.42.1.

Changed

  • When building a WebAuthn credential, the user’s current email address or username will now be used as the credential name. Previously this value was generated to be unique to help the user identify multiple credentials. However, Safari on macOS and Edge on Windows may display this value to the end user, so this will no longer be generated but set to a value the user should recognize.
  • New themed templates for enabling two-factor authentication during login. Please review your themes to ensure the new templates and localized messages are added.
    • theme.templates.oauth2TwoFactorEnable -> /oauth2/two-factor-enable
    • theme.templates.oauth2TwoFactorEnableComplete -> /oauth2/two-factor-enable-complete
    • Related GitHub Issue #197

Fixed

Enhancements

  • Allow a user to unlock their account after being locked due to too many failed authentication attempts by completing a password reset workflow. See the Cancel action on password reset in the Tenant configuration. Tenants > Edit > Password > Failed authentication settings.
  • Use the existing tenant configuration for modifyEncryptionSchemeOnLogin to also update the hash when changed.
  • Add additional configuration to the Failed authentication settings in the tenant configuration to optionally email the user when the configured action is also configured to allow emailing.
  • Update the System > About panel in the admin UI to report OpenSearch when using OpenSearch instead of Elasticsearch.

New

  • Additional Multi-Factor policy option to require a user to enable multi-factor during login if not yet configured. See Tenants > Edit > MFA > Policies > On login > Required.. Application specific configuration can also be configured, see Applications > Edit > MFA > Policies > On login > Required., using the application configuration requires an Enterprise plan.
  • Allow refresh tokens to be revoked for a user when enabling two-factor authentication. See Tenants > Edit > JWT > Refresh token settings > Refresh token revocation > On multi-factor enable.
  • A new lambda function can be assigned to perform custom validation for any step during a self-service registration. This feature is only available when using a custom form, and is not available when using basic self-service registration. This may be useful to perform advanced field validation, or to call a 3rd party API to perform additional identity verification.

Version 1.41.3

November 21st, 2022

Security

  • Mitigate a potential directory traversal attack. CloudFlare, AWS and similar cloud providers will generally block these requests by default.
    • Please note, FusionAuth Cloud customers are not vulnerable to this type of attack.

Version 1.41.2

November 17th, 2022

Fixed

  • Allow licensed features such as SCIM or WebAuthn to be configured during kickstart.

Version 1.41.1

November 16th, 2022

Security

Fixed

  • Improve synchronization of a user during a connector login. Specifically, allow previously obtained refresh tokens to be preserved during the user update procedures during a connector synchronization event.
  • Allow for invalid language values to be provided in the Accept-Language HTTP request header. When an invalid language is provided, the Accept-Language header will be discarded.
  • Better support for beginning a forgot password workflow using the API and completing the workflow in a themed page when a user also has 2FA enabled.
  • Resolves GitHub Issue #1965

Version 1.41.0

November 10th, 2022

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Known Issues

  • A change to the FusionAuth HTTP server may cause issues with reverse proxies that default upstream connections to HTTP/1.0. The HTTP server we are using no longer supports HTTP/1.0. We have identified that nginx defaults all upstream connections to HTTP/1.0, and the HTTP server we are using no longer supports HTTP/1.0. For nginx specifically, you will need to set the proxy version by adding proxy_http_version 1.1; to your proxy config.

Security

Changed

  • New themed pages added for WebAuthn. Please review your themes to ensure the new templates and localized messages are added.
    • See the Theme API and the Theme documentation for additional details. Review the Upgrading section on the Themes page for information on how to resolve potential breaking changes.
  • WebAuthn re-authentication requires a new hidden form field named userVerifyingPlatformAuthenticatorAvailable to detect compatible devices/browsers and prompt the user to register a passkey. You can view the default templates to determine in which form to insert this field into any customized templates. This field must be present on the following pages:
    • OAuth authorize
    • OAuth complete registration
    • OAuth passwordless
    • OAuth register
    • OAuth two-factor
    • OAuth WebAuthn (new)

Fixed

  • Correct signature verification of a SAML v2 AuthN response after the certificate has been removed from Key Master.
  • An exception may be thrown when there are no keys to be returned from the /api/jwt/public-key when requesting keys by an applicationId.
  • When using Firefox, using the SSO logout a zero byte file may be downloaded.
  • When multiple webhooks are configured, and more than one webhook is configured to receive the event-log.create event, a failed webhook may cause an event loop.
  • Correct deserialization of the userType and title fields in a SCIM resource.

Enhancements

  • Support passing the Assertion Consumer Service (ACS) in the RelayState query parameter.
  • Support using an appId and sessionTicket to complete login with the Steam Identity Provider.
  • Add back support for some legacy HTTP Servlet Request methods for use in themed templates.

New

  • WebAuthn! Passkeys, Touch ID, Face ID, Android fingerprint, Windows Hello!
  • Allow users to be provisioned into the FusionAuth app using an IdP
  • Allow FusionAuth to initiate a SAML v2 login request to a SAML v2 Service Provider.

Internal

Version 1.40.2

September 28th, 2022

Fixed

  • A two-factor trust may expire early causing a user to be prompted to complete two-factor during login. This issue was introduced in version 1.37.0.

Version 1.40.1

September 26th, 2022

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Fixed

  • A SAML v2 IdP Initiated login request will fail if PKCE is configured as required.
  • The path attribute in some cookies may be set to the request path instead of / which may affect a SAML v2 IdP initiated login request.

Enhancements

  • Support Content-Type in Kickstart when using PATCH request to support application/json-patch+json and application/merge-patch+json.
  • Remove un-necessary logging when the Content-Type request header is invalid or unset.

Version 1.40.0

September 16th, 2022

Changed

  • If you are using MySQL or plan to use MySQL you will need to manually download the JDBC connector to allow FusionAuth to connect to a MySQL database. If you are using PostgreSQL, this change will not affect you. See the installation guide for additional information. We apologize in advance for the inconvenience this causes you, but the Oracle GPL licensing model makes it difficult for FusionAuth to easily delivery this capability.

Fixed

  • An exception may occur when you attempt to perform a PATCH request on a Group using a roleId that does not exist.
  • URL escape the identityProviderUser in the admin UI to correctly build the View and Delete actions links.

Enhancements

  • Support changes to user.active for PUT or PATCH on the SCIM User or Enterprise User endpoints.
  • Performance improvement for SAML v2 request parsing.

New

  • Native Windows support has been re-instated. We apologize for the gap in native Windows support, for those who have been waiting to upgrade since version 1.37.0 you may now upgrade with a native installer. Thank you for all of you who have voiced your opinions with how we are support a native Windows installation.

Version 1.39.0

September 11th, 2022

Fixed

  • When appending the locale request parameter on the Authorize request to pre-select the user’s locale, the locale may still be incorrect for validation errors. For example, appending locale=fr will allow the initial render of the page to be localized in French when available. However, because the user did not manually modify the locale selector on the page, if the login fails due to a validation error, the error messages will be returned in the default locale which is generally English.
  • Group application roles removed during a PATCH request to the Group API.
  • Corrections to the SAML v2 SP and IdP meta data.
    • The HTTP scheme was missing from the entityID. This issue was introduced in version 1.37.0.
    • The NameIdFormat found in the SP meta data was always showing urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress regardless of the value configured in the SAML v2 IdP.
    • Resolves GitHub Issue #1842
  • The potential exists to see an exception in the FusionAuth system logs when the internal login record service runs. It is unlikely you will experience this error unless you have very large login volumes.
  • There is the potential for the Elasticsearch index to become out of sync with respect to group memberships when groups are being deleted, or group members are being deleted from a group.
  • Add missing support for en_GB time and data format support in the FusionAuth admin UI when setting your preferred locale to en_GB.
    • Resolves GitHub Issue #1858, thanks to @adambowen for bringing this to our attention. It wasn’t our intention to force our friends in the United Kingdom 🇬🇧 to painfully read dates and times in the American 🇺🇸 format. Please accept our apologies. 😎

Enhancements

  • Better support for JSON Patch. Now supporting RFC 7386 application/merge-patch+json and RFC 6902 application/json-patch+json. Note that you may still make a request using the PATCH HTTP method using application/json and the current behavior should not be changed. All patch* methods found in the FusionAuth client libraries will still be using application/json for backwards compatibility. However, now that support for these new content types exists, we will be working to build support into our client libraries.
  • Better developer feedback when the Content-Type request header is missing or incorrect.
  • Additional SCIM support for the PATCH HTTP request method, and filter and excludedAttributes request attributes. The addition of these features allow the FusionAuth SCIM server to be compatible with Azure AD SCIM client and Okta SCIM client. The Group filter support has some limitations, see the SCIM Group API doc for additional details.
  • Add some missing message keys to default Theme message bundle.
  • Remove an un-necessary db request when validating the user security scheme for a user in the FusionAuth admin UI.

Version 1.38.1

August 22nd, 2022

Fixed

  • Static resources such as CSS and JS may be missing a Content-Type header which may cause a proxy using X-Content-Type-Options: nosniff to fail to load the resource. This issue was introduced in version 1.37.0.
  • Fix a potential error issue caused by a webhook handler calling back to FusionAuth which may trigger another webhook event. This fix should also improve the performance when sending many events for webhooks.
  • Correct behavior during login when both self-service registration and require registration features are enabled. This configuration may cause a user to be directed to the registration required page during login instead of being registered automatically. If you encounter this error, you may either upgrade or disable the require registration configuration. This appears to be a regression introduced in version 1.36.5.

Version 1.38.0

August 17th, 2022

Fixed

New

Version 1.37.2

August 11th, 2022

Fixed

  • A regression error was introduced in version 1.37.0 that causes HTTP request headers to be malformed when being sent to a Webhook, Generic Messenger or a Generic Connector.

Enhancements

  • In version 1.37.0 you may now create a user in the FusionAuth admin UI optionally performing email verification. The UI controls and messaging have been enhanced to remove potential confusion.

Version 1.37.1

August 10th, 2022

Fixed

  • An exception may occur while trying to capture the debug log event during an authentication request using a Connector.
  • When configuring a User Action to prevent login and using that event with the Failed Login configuration, if you configure the User Action to email the user, the email will not be sent.
  • Kickstart fails because it does not wait for FusionAuth to complete startup.
  • Creating an application in the FusionAuth admin UI may fail due to a licensing error if you do not have an Enterprise license.

Version 1.37.0

August 9th, 2022

This release contains some significant internal changes to our HTTP server. While we do not expect any issues, please be aware of this change as you test and prepare for upgrades. Please also be aware of changes to our Windows bundling options.

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Known Issues

  • Kickstart fails because it does not wait for FusionAuth to complete startup.
  • Creating an application in the FusionAuth admin UI may fail due to a licensing error if you do not have an Enterprise license.
  • A regression error was introduced in version 1.37.0 that causes HTTP request headers to be malformed when being sent to a Webhook, Generic Messenger or a Generic Connector.
  • Static resources such as CSS and JS may be missing a Content-Type header which may cause a proxy using X-Content-Type-Options: nosniff to fail to load the resource.
  • A two-factor trust may expire early causing a user to be prompted to complete two-factor during login.
  • A theme issue may exist on a form action and may cause breaking changes when upgrading to this version.
    • If you are upgrading, please verify your theme files accurately create a form action. The following themes should be updated as follows:
    • OAuth authorize -> action="/oauth2/authorize"
    • Child registration not allowed -> action="/oauth2/child-registration-not-allowed"
    • OAuth passwordless -> action="/oauth2/passwordless"
    • OAuth register -> action="/oauth2/register"
    • OAuth two factor -> action="/oauth2/two-factor"
    • Change password form -> action="/password/change"
    • Forgot password -> action="/password/forgot"

Security

  • Allow deprecated XML signature algorithms that were removed in Java 17. It is still not recommended that you use any of these legacy SHA1 algorithms, but if you are unable to utilize a modern algorithm, they will be allowed.

Changed

  • Windows install has been removed. Our strategy is to support Windows using WSL 2 with our provided debian package. Please plan to utilize this strategy, and open a GitHub issue if you encounter issues with the installation.
    • Due to customer feedback, a native Windows installation option has been restored as of version 1.40.0.
  • Webhooks are no longer configured as “All applications” or limited to a single Application. They are now scoped to one or more tenants. If you previously had multiple webhooks configured within the same tenant, but scoped to separate Applications you will want to review your configuration and filter events in your own Webhook handler by the applicationId.
  • Deprecate Apache Tomcat specific configuration. See the Configuration reference for additional detail.
    • fusionauth-app.http.max-header-size The default maximum size is now 64k.
    • fusionauth-app.http.cookie-same-site-policy In most cases, cookies will be written using SameSite=Lax, and cookies used by the FusionAuth admin UI utilize SameSite=Strict. If you think there would be value in further customizing cookies by name, or security settings such as SameSite, please upvote GitHub Issue #1414 and describe your intended use-case.
    • fusionauth-app.management.port This was an Apache Tomcat specific port that is no longer required.
    • fusionauth-app.ajp.port is now deprecated, this was an Apache Tomcat specific binary protocol used by Java applications.
    • fusionauth-app.http.relaxed-path-chars This option was not likely documented or in-use by anyone.
    • fusionauth-app.http.relaxed-query-chars This option was not likely documented or in-use by anyone.
  • FastPath and normal startup commands have changed. For example, starting FusionAuth based upon Apache Tomcat used catalina.sh or catalina.bat, the startup process will now use start.sh. See install documentation for more details.
  • When using the FusionAuth Docker image with MySQL, you will need to bundle the MySQL connector jar in the image, or add a layer to the stock FusionAuth image to ensure that curl is installed so that the MySQL connector jar can be downloaded it during startup. It is recommended that you build the connector into the image. See our example Dockerfile on GitHub for an example.

Fixed

  • Add the appropriate feedback to the users when attempting to change an email during a gated email verification that is already in-use.
  • Correct the validation when deleting a key from Key Master when in use by a de-activated application.
  • Perform implicit email verification when enabled and a setup password email request is completed.
  • Handle URL encoded characters in the user-information part of the URL when connecting to Elasticsearch. This allows a username or password to be provided in the URL that have been URL encoded.
  • When using the Change Password workflow in the hosted login pages for a user that has enabled 2FA, if you are not adding the OAuth2 parameters found in the state on the Change Password link built in the email template an error may occur when the user tries to complete the workflow.
  • The Refresh Token retrieve API and the Session tab in admin UI will no longer show expired refresh tokens. While the previous behavior was working as designed, it was confusing to some clients, and an admin was not able to manually remove expired tokens.
  • Fix Lambda JS validation when using ES6 features with the GraalJS engine.

Enhancements

  • Administrative Email Verification using the API or FusionAuth admin UI. When creating a user in the admin UI, you may now optionally create the user with an un-verified email when Email verification is enabled. See the Verify Email API for additional details.
  • The Oauth2 Logout does not log a user out of FusionAuth app if logging out of another application in the same default tenant.
  • Updates to our initial SCIM Server implementation released in version 1.36.0.
  • Better options to capture debug information when troubleshooting an SMTP connection issue. You no longer need to specify mail.debug=true in the advanced SMTP settings, and instead when enabling debug on the SMTP configuration a debug Event Log will be produced with the SMTP debug information.
  • Support larger email templates on MySQL. Prior to this version the TEXT column data type was utilized which has a maximum size of 16k in MySQL, now we are using MEDIUMTEXT which supports up to 16M.
  • Improvements to the OAuth2 Logout endpoint. This endpoint now correctly supports the POST method in addition to the GET method, and you may now use an expired id_token in the id_token_hint parameter.
  • Webhooks are now scoped to one or more tenants. Webhooks will no longer receive all events, but only events for the configured tenants. There is still an option for “All tenants” if you still wish to preserve the previous behavior.
  • Any API response that returns a Refresh Token will now also return a refresh_token_id when in OAuth2 or a refreshTokenId in all other APIs. This may be useful to identify a refresh token for revocation when using a one-time use Refresh Token. This identifier is the primary key of the Refresh Token and can be used by the Refresh Token API.
  • The Access Token will contain a new claim named sid which is the immutable identifier Refresh Token. This claim is not reserved, so it can be removed and will only be present when a refresh token is requested. This is different from the sid claim that is already returned in the id_token, that sid or Session Identifier is the SSO session identifier and is primarily used by FusionAuth to validate a logout request.
  • When available the Refresh Token is now returned in the JWTRefreshTokenRevokeEvent event in the refreshToken field.
  • The Login Ping API may now optionally take the request as a POST body.

New

  • Application scoped Multi-Factor authentication. This feature allows an application choose to participate in Multi-Factor when enabled, and optionally specify a separate TTL for trust scoped to a single application.
  • You may optionally disable the IdP linking strategy for an Identity Provider. This allows you to restrict any automatic linking and manage all IdP linking through the API.
  • Added fusionauth-app.http.read-timeout to the configuration to optionally set the maximum read timeout when making requests to FusionAuth. See the Configuration reference for additional detail.

Internal

  • Remove Apache Tomcat as the underlying application server, in favor of a more modern HTTP server based upon Netty.

Version 1.36.8

July 4th, 2022

Fixed

  • Fix the placeholder text in the entity grants search field.
  • Correct the SCIM HTTP response code when a new resource is created to be 201.
  • Correct the SCIM HTTP response code when a duplicate resource is attempted to be created to be 409.

Version 1.36.7

June 23rd, 2022

Security

  • Ensure the provided client_id matches the Application represented by the Refresh Token when performing a Refresh grant. This is marked as a security fix because the intended design is to ensure the Refresh Token does indeed match the requested client_id. However, the risk is minimal due to the caller still being required to have a valid set of client credentials, and must still present a valid refresh token.

Fixed

  • The initial “start” phase of a user action triggered by a failed login configuration is not sent.
  • When a SAML v2 SP is using an HTTP redirect binding during the Logout request FusionAuth make fail to complete the logout request.
  • A timing issue exists where under load of creating logins and then deleting applications programatically, a login record for a now deleted application may get stuck in the queue causing exceptions when attempting to write the record to the database.
  • Correct the Content-Type HTTP response header returned from the SCIM endpoints.

Version 1.36.6

June 16th, 2022

Fixed

  • When using Rate Limiting for Failed logins, the user may be able to login successfully after being rate limited - but prior to the end of the configured time period.
  • When using a JWT Populate lambda and modifying the default value of the aud claim to be an array instead of a string value, this token can no longer be used by the Introspect endpoint. This fix allows you to modify the aud claim to be an array, and it may be used with the Introspect endpoint as long as the requested client_id is contained in the aud claim. The OAuth2 Logout endpoint was also updated to allow this same aud modification to be using an id_token as the id_token_hint. When using this style of token as an id_token_hint, the first value in the aud claim that is equal to a FusionAuth application Id will be utilized.

Version 1.36.5

June 13th, 2022

Security

  • Upgrade Java to get the patch for CVE-2022-21449. Note that in version 1.36.4 FusionAuth manually patched this vulnerability. To ensure you are not vulnerable to this vulnerability, upgrade to FusionAuth version 1.36.4 or later, or discontinue use of the Elliptic Curve algorithm.
  • Fix validation of the Oauth2 Logout endpoint when using the post_logout_redirect parameter. As documented here, you must ensure that any value for this parameter is in the Authorized URLs list for the application. This may be a breaking change if you do not.

Fixed

  • Fix a UI bug that caused the application column to show “Single sign-on” instead of the Application name in the Session tab of the user management panel.
  • If you have enabled Two-Factor authentication and self-service registration, a user may not be routed to the Complete Registration step correctly after completing the Two-Factor challenge.
  • Resolves GitHub Issue #1708, thanks to @chimericdream for reporting the issue!
  • The displayName property on the Link a User API is ignored. This is a regression bug that was introduced in version 1.36.0.
  • A 3rd party Web Application Firewall such as CloudFlare may inject JavaScript into the <head> element and this may cause a failure to properly initialize support for an Identity Provider such as Twitter.

Internal

  • Upgrade to the latest Java 17 LTS. Upgraded from 17.0.1+12 to 17.0.3+7.

Version 1.36.4

April 21st, 2022

Security

  • Proactive patch for Java CVE-2022-21449. This release will patch the vulnerability described in the referenced CVE until we are able to release a version of FusionAuth using the upcoming patched release of Java. If you are not able to upgrade to this release, discontinue use of ECDSA keys in FusionAuth for JWT or SAML signing.

Version 1.36.3

April 19th, 2022

Fixed

  • An additional edge case was identified in the issue resolved by GitHub Issue #1687. If you did encounter the issue resolved by GitHub Issue #1687, you should plan to upgrade to this patch version so that you can fully utilize the new auth_time claim introduced in 1.36.0.

Version 1.36.2

April 14th, 2022

Fixed

  • If you are using the openid scope which produces an id_token, and you utilize a 3rd party library that consumes the id_token to validate the signature, expiration or similar claims, the token may be incorrectly identified as expired. This is because after a refresh token is used to generate a new id_token the auth_time claim may have lost precision from the original value in the initial id_token.

Version 1.36.1

April 14th, 2022

Fixed

  • When building an entity grant in the UI for a user or other entity, the search results may contain entities from all tenants. If you attempt to select an entity in a tenant other than the tenant for which the user or entity belongs, an exception will occur.
  • If you create an empty directory in the FusionAuth plugin directory, or create a directory that does not contain any FusionAuth plugin jars, and have other plugin jars in the root of the plugin directory, the legitimate plugin jar may not be loaded. If you encounter this problem, either remove the empty directories, or make the empty directories read only.
  • If you are using the Client Credentials Grant and omit the permissions from the target-entity: scope, the expected permissions will not be returned as part of the access token claims.

Version 1.36.0

April 7th, 2022

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Known Issues

  • If you create an empty directory in the FusionAuth plugin directory, or create a directory that does not contain any FusionAuth plugin jars, and have other plugin jars in the root of the plugin directory, the legitimate plugin jar may not be loaded. If you encounter this problem, either remove the empty directories, or make the empty directories read only.
    • This has been resolved in version 1.36.1.
  • If you are using the Client Credentials Grant and omit the permissions from the target-entity: scope, the expected permissions will not be returned as part of the access token claims.
    • This has been resolved in version 1.36.1.
  • If you are using the openid scope which produces an id_token, and you utilize a 3rd party library that consumes the id_token to validate the signature, expiration or similar claims, the token may be incorrectly identified as expired. This is because after a refresh token is used to generate a new id_token the auth_time claim may have lost precision from the original value in the initial id_token.
    • This has been resolved in version 1.36.3.

Security

  • Ensure that the Change Password identifier is revoked if an API is used to change a user’s password after the user has initiated a change password request.

Changed

  • The JWT authorization method is no longer supported when using the GET method on the Retrieve Refresh Tokens API.
    • The reason for this potentially breaking change is due to concern of potential abuse. If you were previously using a JWT to authorize the request to the GET HTTP method, you will need to modify your integration to utilize an API key. See the Retrieve Refresh Tokens API for additional details.
    • Resolves GitHub Issue #1646
  • Updated reserved JWT claims by grant type. The amr claims is marked as reserved, and will be available in a future release.
    • Reserved for authorization code and implicit grant, amr, exp, iat, sub and tid. Only amr and tid are new for this release.
    • Reserved for Vending API amr, exp and iat. Only the amr claim is new for this release.
    • Reserved for Client Credentials grant, amr, aud, exp, iat, permissions, sub and tid.
    • Resolves GitHub Issue #1669

Fixed

  • The requested AssertionConsumerServiceURL in a SAML v2 AuthNRequest is ignored and the first URL configured is used instead.
  • Entities don’t support the use of : in the permission name, this limitation has been removed.
  • An application role may not be immediately available to assign to a user after initial creation. This issue was due to some additional caching introduced in version 1.32.1.
  • The Password Grant response is missing the Two Factor Method Ids when a Two-Factor challenge is required. This issue was introduced in version 1.26.0 when Two-Factor Method Ids were added to the Login API response.
  • The Tenant edit and add panel displays Webhook events that are not configured at the Tenant level.
  • FusionAuth may fail to start on Windows when using the startup.bat script. See linked issue for a workaround.
  • Enhance email validation to keep obviously incorrect emails from being used during self-service user registration.
  • When using the GraalJS Lambda engine, you cannot use ECMA 6 features such as const or let.
    • This only affects version 1.35.0 when using the new GraalJS engine, and does not represent a regression because prior to version 1.35.0 the only Lambda engine available was Nashorn which only supported ECMA 5.1.
    • Resolves GitHub Issue #1630
  • When using a Connector, a timing issue exists that could cause a login to fail. See the linked issue for an example exception that you may observe if you encounter this issue.
  • The Tenant View dialog may show the incorrect Event transaction setting for a Tenant created via the API.
  • When the openid scope is used along with the offline_access scope and then the resulting refresh token is used in a Refresh grant, the returned id_token may be signed with the key configured for the access_token.
  • Ignore read-only directories inside of the configured plugin directory instead of throwing an exception.

Enhancements

  • Add a separate execute thread pool in the Apache Tomcat configuration to separate incoming requests from localhost callback requests to reduce thread contention.
  • Allow for plugins that require dependent jars in their classpath.
    • To take advantage of this capability, create a sub-directory in the configured plugin directory. Place your plugin jar, and any dependant jars in the same directory or nested sub-directories. Each immediate sub-directory of the configured plugin directory will be considered a discrete classloader. Each of these class loaders will still share the parent classloader, so it is still advised to keep dependencies to a bare minimum such that you don’t conflict with existing dependencies of FusionAuth.
    • Resolves GitHub Issue #1663
  • Minimize the duration of the database Transaction during authentication. This should improve login performance, especially when using an LDAP or Generic Connector.
  • Alphabetize the Applications in Select form controls in the FusionAuth admin UI, this should make it easier for those are not robots to navigate when you have many applications.
  • Allow a login using a 3rd party IdP such as Google to succeed even if an Elasticsearch exception occurs when attempting to re-index the user.

New

  • Initial technology preview for SCIM Server, this feature is available in the Enterprise edition.
  • Nintendo Online Identity Provider, this feature is available with all licensed editions of FusionAuth.
  • New Identity Provider Link & Unlink Events
  • Default the Event Transaction Type in the Tenant configuration to None
  • New JWT claims
    • The tid claim is now being set in all JWTs. This is the FusionAuth Tenant Id, and is marked as reserved.
    • The JWT header will also now contain a gty claim which will represent the grant types in order of use for this token.
    • Resolves GitHub Issue #1669

Internal

Version 1.35.0

March 10th, 2022

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Fixed

  • When using the FastPath installation for Windows, the startup may fail to download Java if you are using the startup.bat option for starting services.
  • Using the Identity Provider Link API when more than one tenant is configured may fail unless you are specifying the tenant Id using the X-FusionAuth-TenantId HTTP request header.
  • Self-service registration may fail to validate an email address beginning with @.
  • Using the Passwordless API without passing the OAuth2 state parameters on the URL such as client_id, and the user is not registered for the Application, the request may fail.

New

  • Initial technology preview for HTTP requests within a lambda function, termed Lambda HTTP Connect. All previously configured lambdas will continue to run on the legacy JS engine. Starting in this release the default engine for newly created lambdas will be GraalJS, but you have the ability to select the preferred engine. When using the GraalJS engine, you will be able to begin making HTTP requests within the lambda function. At some point in the future we will deprecate and fully remove the legacy JS engine (Nashorn). For the time being, use the new engine if you are able, and provide us feedback if you find anything is not working. If you do encounter a problem open an issue, and switch the lambda back to the Nashorn engine.

Version 1.34.1

February 23rd, 2022

Fixed

Version 1.34.0

February 21st, 2022

Known Issues

  • SAML v2 Login to FusionAuth may fail due to an exception. Please upgrade directly to FusionAuth version >= 1.34.1

Security

  • Resolve a potential vulnerability in the IdP Link API. If you are actively using any IdP configured to use the CreatePendingLink linking strategy, please upgrade at your earliest convenience.

Changed

  • When using the OpenID Connect identity provider, you have the option to select one of three client authentication options. You may select none, client_secret_basic or client_secret_post. Some 3rd party identity providers do not allow the client_id to be sent in the request body when using client_secret_basic. A strict reading of the OAuth2 and OpenID Connect specifications imply that the client_id should only be present in the request body when a client secret is not used, or you have selected none or client_secret_post for an authentication method. This change is to make FusionAuth more compliant with 3rd party IdPs that enforce this behavior. It is not expected that this change will have any negative impact on OpenID Connect configurations that have been working up until this release. However, please be aware of this change and verify existing OpenID Connect identity providers continue to behave as expected.
  • Utilize PKCE anytime FusionAuth is initiating an Authorization Code grant to FusionAuth. While most of this will be transparent and should not affect any of your integrations, there is one use case in which it is important for FusionAuth to utilize PKCE when performing an Authorization Code grant to FusionAuth. This use case is when you are using an application with PKCE configured as required, and you then use the Device grant using the themed FusionAuth pages. In this case FusionAuth must utilize PKCE in order to pass PKCE validation during the request.
  • When using the interactive Setup Wizard to perform initial setup of FusionAuth, the checkbox to sign up for the FusionAuth newsletter has been changed to be checked by default. This means that prior to this release you had to opt-in, and starting in this release, you will need to opt-out during this step. You also have the option to un-subscribe from the newsletter at any point in the future.

New

  • Native support for PBKDF2 using a 512-bit derived key length. The default PBKDF2 algorithm uses a 256-bit derived key length. Some IdPs such as KeyCloak use a 512-bit key, so this plugin should support an import from KeyCloak without using a custom plugin. This new algorithm is available using the value salted-pbkdf2-hmac-sha256-512 during the User Import API.

Version 1.33.0

February 7th, 2022

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Security

  • Add -Dlog4j2.formatMsgNoLookups=true to the fusionauth-search bundled version of Elasticsearch.
    • Please note, that if you are running a standalone version of Elasticsearch, this will not affect you, and you should still complete any suggested mitigation steps for your Elasticsearch instance. This VM argument added to the fusionauth-search bundle is only added to make people feel warm and fuzzy. FusionAuth Cloud users are not vulnerable to CVE-2021-44228, and even if you are self-hosting FusionAuth and utilizing the Elasticsearch bundled with fusionauth-search you are not vulnerable if you have followed our suggested securing steps. Also due to the version of Java we are using to run Elasticsearch, you are not vulnerable. But we all like to put on our tinfoil hats sometimes, so we are making this change for good measure.
    • Resolves GitHub Issue #1520
  • Updated PostgreSQL JDBC driver from version 42.2.22 to 42.3.2.
    • This update is only pertinent to you if you are using a PostgreSQL database. If you are using MySQL, you are not vulnerable.
    • FusionAuth Cloud users are not affected. If you are self-hosting FusionAuth you are only vulnerable if you allow un-authorized modifications to your JDBC connection string used by FusionAuth to connect to the database. I hope you are not doing this. 😉 Please read the following CVE to better understand the vulnerability to see how it may or may not affect you.
    • CVE-2022-21724.
    • Resolves GitHub Issue #1535
  • Proactively upgrade Logback. Instead of Log4J, FusionAuth uses Logback. In response to the recent vulnerabilities in Log4J, the Logback team has proactively added some additional hardening to their library to ensure similar vulnerabilities are not found.
  • Better protection against malicious actors that have access to configuring Themed templates.
  • Ensure we enforce a Two-Factor challenge before changing a password using the Change Password API.

Changed

  • If you are using the Change Password API with users that have Two-Factor enabled you may need to adjust your integration. Beginning in this release, to use the Change Password API for a user with Two-Factor enabled, you will need to obtain a Trust Token from the Two Factor Login API in order to complete this request. This is potentially a breaking change, the decision was made to make this potentially breaking change due to the enhanced security provided by this change.

Fixed

  • The FastPath install may fail to download Java on versions >= 1.32.0. The issue was that the curl request needed to be configured to follow a redirect with the new URLs for the Java download. See the linked issue for a workaround if you want to use FastPath for an older version.
  • Ensure we are able to handle Login records that may contain more than one IP address. When passing through a proxy, the X-Forwarded-For HTTP request header may contain more than one IP address. This fix ensures we parse this header correctly and handle existing Login records that may have been recorded with more than one value.
  • Using the Login with Apple button on a themed login or registration page may fail when using Safari on iOS 12. A workaround is documented in the linked GitHub issue if you are unable to upgrade FusionAuth.
  • The Event Log, Audit Log, Login Records search feature in the FusionAuth admin UI may not reset the pagination correctly when beginning a new search request.
  • Group Membership may not be preserved after the first login request when using a Connector without migration.
  • The jwt.refresh-token.revoke event may not be sent during a request to the Logout API (/api/logout).
  • A consent added to a self-service registration form may show up incorrectly during a complete registration step during login.
  • Better support for user.birthDate when using Advanced self-service registration when Family is enabled with child registration.
  • When configuring more than one preferred language in the FusionAuth admin UI on the User or User Registration, the order may not be preserved. For example, if you configured French, English where French is the preferred languages, with a second option of English, when saving the form, the serialized value will become English, French and will not likely be saved in the order you expect.
  • Fix a potential memory leak in the Email services. If you are sending a lot of email through FusionAuth, this error may cause your FusionAuth service to run out of memory. Restarting the service periodically can mitigate this potential if you are unable to upgrade. This issue was most likely introduced in version 1.30.1.
  • When completing a Family workflow where a parent joins a child to a family, the parentEmail field may not be properly updated in the search index.
  • If you have previously configured Basic Self-Service registration, and then begin using Advanced Self-Service it is possible that a validation may occur that you did not expect.
  • Some edge cases exist when using the Async Tenant Delete API or deleting a Tenant in the FusionAuth admin UI where a tenant may get stuck in the Pending Delete state.

Enhancements

  • Add the underlying host architecture and operating system name and version to the About panel in the FusionAuth admin UI. See System -> About.
  • Add a tooltip to the Webhook Application configuration to help reduce some confusion until we deprecate this Application configuration.
  • Support longer Refresh Tokens on the Refresh Tokens Import API. The previous limitation was that the refresh token was less than or equal to 191 characters. The assumption was made that this token was opaque and that 191 was very adequate. Some IdPs utilize JWTs for Refresh Tokens and in this case, the length is likely to exceed the previous limitation. This enhancements allows for longer refresh tokens. In particular this will provide better support for importing Refresh Tokens from KeyCloak. See the Import Refresh Tokens API for additional details.
  • Use a better thread pooling strategy for Webhooks to better support a very large volume of events where the event recipient may not respond quickly enough. This allows more events to be queued up if we cannot send them fast enough while waiting for a response from the webhook.
  • Improve licensing errors on the API and FusionAuth admin UI to better differentiate between not licensed, and a feature that requires a specific licensed feature. In particular, some of the features introduced as part of the Threat Detection feature require an Enterprise License with this feature enabled. So you may have a licensed edition of FusionAuth, and a feature may still not be available. This change should make it clearer why a particular feature cannot be enabled.
  • Add tokenExpirationInstant to the Login Response similar to how the Token endpoint response returns expires_in to indicate when the access token returned in the response will expire.
  • Additional User API validation in support of Family configuration with child registration restrictions.
  • Support for ARM 64, the Apple M1, AWS Graviton, etc. Docker images are now published for Intel, and various ARM architectures, and FastPath and other installation paths have support for downloading Java for the correct architecture.
  • Add the option to use the userId on the Start Two-Factor API ** Resolves GitHub Issue #1571
  • Move the changePasswordId to the request body during a POST request. For backwards compatibility, the changePasswordId will also be accepted on the URL segment.

Version 1.32.1

December 13th, 2021

Fixed

  • If you are modifying the user email or username in an Identity Provider Reconcile Lambda, the lambda may be invoked more than once after the initial link has been established. This may cause User registration data to be modified, or lost. If you have not yet upgraded to this version, it is advised that you wait until you can update to version 1.32.1.
  • The 1.32.0 version of the Docker image was initially released with a missing Java module that may cause the image to fail during startup. An updated version of the image has been released, if you encounter an issue, please delete your local version of the image and pull it again. The issue is also resolved in this version, so you may also pull the latest tag once this version is available.

Version 1.32.0

December 10th, 2021

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Changed

  • This version of FusionAuth will now run on Java 17. If you are using any SAML v2 IdP configurations that still utilize a legacy XML signature algorithm, this upgrade may break that integration.
    • It is recommended to test your SAML v2 IdP logins with this version prior to upgrading, or confirm that all of your IdPs are not using any of the following restricted XML signature algorithms: ** http://www.w3.org/2000/09/xmldsig#sha1 ** http://www.w3.org/2000/09/xmldsig#dsa-sha1 ** http://www.w3.org/2000/09/xmldsig#rsa-sha1
    • See GitHub Issue #1202 for additional details and an optional workaround if you are unable to discontinue use of these algorithms.

Fixed

  • The global and application registration count rollup may fail when using PostgreSQL. This will cause the registration count reports to be incorrect.
  • When using the Development Reset feature (technical preview) and the FusionAuth application is configured to use a specific theme, the reset will fail.

Enhancements

  • Identity provider linking that was introduced in version 1.28.0 can now optionally be configured to limit the number of unique links to an IdP for a particular user.
  • Allow application URIs to be configured as an OAuth2 Authorized request origin URLs. For example, you may now configure android-app://com.example as a valid Authorized request origin.
  • Add configuration to allow implicit email verification to be disabled. For example, prior to this release, email based workflows such as Passwordless login, email based registration verification, email based password change, and verifying a two-factor code during login through an email would implicitly mark a user’s email as verified if email verification was enabled and the user had not yet completed email verification. In most cases this seems to be the best choice for the end user such that they do not perform redundant tasks to verify their email address once they have provided evidence they have access to the email address. This configuration allows this behavior to be disabled if you wish to require your end user to always go through a specific email verification process for legal or other similar reasons.
  • Add a notice on the Device workflow panel when an existing SSO session exists to allow the user to optionally logout prior to continuing.

New

  • You may optionally specify custom SMTP headers in the Tenant email configuration. These configured headers will be added to all outbound messages.

Internal

  • Java 17 LTS. Update to the latest long term support version of Java.

Version 1.31.0

November 18th, 2021

Known Issues

  • If you are modifying the user email or username in an Identity Provider Reconcile Lambda, the lambda may be invoked more than once after the initial link has been established. This may cause User registration data to be modified, or lost. If you have not yet upgraded to this version, it is advised that you wait until you can update to version 1.32.1.

Changed

  • You may now modify, or fabricate an email or username in the Identity Provider Reconcile Lambda regardless of the Identity Provider type.
    • Some of this capability has been provided in the past for the OpenID Connect Identity Provider. This capability was removed in version 1.28.0 when Identity Provider Linking was introduced due to the additional use cases now supported through linking strategies. Due to high demand, and many real world use-cases presented by our users, this decision has been reversed in favor of flexibility for the developer. Please use caution when using this capability, and note that if you create or modify a username or email in the Reconcile lambda, the lambda will be invoked twice during a single login request.
    • Resolves GitHub Issue #1425

Fixed

  • Requiring a birthdate on a self-service registration form when also requiring a parent email may cause an exception.
  • Improvements to locale handling to expand beyond ISO 639 support to support locales such as es_419, aghem and others.
  • Disabling webhooks on the tenant configuration by clicking on the Enabled table header doesn’t work as expected.
  • Fix general message template issues when using the preview action for a message template, or a localized version of the template.
  • An API key created using Kickstart is not validated for length correctly.
  • The error message returned to the end user when a webhook fails during a Self-Service Registration is not able to be customized through a theme.
  • The Theme preview may not render the Account Edit themed page when a Self-Service form is configured
  • Unable to delete an email template when an email template is not assigned to a Consent.
  • A timing issue exists when creating a new Application role, and then immediately attempting to register a user with that role.
  • Using an expired Passwordless link may result in an infinite redirect
  • Missing validation on the Registration API to ensure the User exists by Id when passing the userId on the HTTP request URL segment
  • When copying a Tenant in the FusionAuth admin UI when the source Tenant has Blocked domain configuration present, the Blocked domain configuration is not copied to the new tenant.
  • When using the OAuth2 Password grant (Resource Owner Credentials grant), and the client_id is provided in the HTTP Basic Authorization header, but not in the HTTP post body, the resulting JWT will not contain the aud claim.
  • A database foreign key violation may occur in the Registration Count aggregation service if you delete a Tenant before the aggregator runs.
  • Enabling Two-Factor in the Self-Service themed forms, or in the admin UI may fail to render the QR code if the encoded string used to build the QR code is between 192 and 220 characters in length.
  • When a user is assigned roles explicitly through a User Registration in addition to a Group membership, the roles assigned by the Group membership will not be returned.
  • When using the Setup Password email template provided by FusionAuth with the User Registration API to create a User and a Registration in a single API call the URL generated and sent to the user may not be usable. A client_id will have been added to the URL which will result in an error when the FusionAuth page is rendered. To work around the issue prior to this release, please remove the client_id from the Email template.
  • A SAML v2 SP using an HTTP Redirect Binding that has URL encoded the query string using lower case percent encoding may cause FusionAuth to fail to validate the signature.

Enhancements

  • You may now access the id_token when available during an OpenID Connect Reconcile lambda
  • Add additional support for idp_hint for Apple and Twitter Identity Providers.
  • Add an example use and changed user to the Audit Log Test event when using the Webhook Tester in the FusionAuth admin UI
  • When FusionAuth is unable to discover OpenID endpoints using the configured Issuer during configuration of an OpenID Connect Identity Provider an Event Log will be produced to assist you in debugging the connection.

Internal

Version 1.30.2

October 13th, 2021

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Fixed

  • When logging in with an anonymous user from an IdP that now has a linking strategy other than Anonymous an exception occurs. This can occur if you change your linking strategy from Anonymous to something else, and users that were created while configured as Anonymous log in again.
  • The view dialog may not completely render for an SAML v2 IdP Initiated IdP configuration. The dialog fails to completely render due to a FreeMarker exception.
  • If you are activating FusionAuth Reactor during initial startup via Kickstart, and you have CAPTCHA enabled for the FusionAuth admin application, you may not be able to login until the Threat Detection feature comes online. Depending upon your network connection, this may take a few seconds, or a few minutes.
  • The .NET client library handled exp and other JWT timestamp values incorrectly.
  • When using the duplicate Application button in the admin UI, if the source Application has SAML v2 configured, but not enabled, the copy may fail with an exception.
  • Updating a connector will add an additional * domain configuration. This is a regression issue introduced in version 1.28.0.
  • When generating an RSA Key, a user cannot specify a certain Id.
  • If using kickstart to activate a licensed instance with advanced threat detection enabled, it is possible to get stuck in the Setup Wizard.
  • A user can add new entries to an access control list, but can’t delete them using the administrative user interface.
  • Default lambdas are no longer available in Kickstart environment variables. This is a regression introduced in version 1.30.0.
  • The event payload for a user deactivation was not complete when the deactivation happened via the administrative user interface. It lacked some information such as the IP address of the request.
  • When both Kickstart and maintenance mode occur during an upgrade, a NullPointerException could occur if the default tenant Id was being modified.
  • The IP address can be missing from login records in certain circumstances.
  • Requests with IPv6 addresses cause NumberFormatExceptions.
  • CAPTCHA may not work on the email verification required page.
  • Rendering the passwordValidationRules object on the register page in theme preview does not work.
  • User search widget has an empty value if the user does not have a name.
  • Filling out a CAPTCHA through self service registration or other paths does not save device trust; the user will be prompted a second time.
  • Setup Wizard may be shown in a multi-node environment after it has completed.
  • When using advanced threat detection rate limiting, users are unable to set the rate limit configuration to 1 to allow a limited action be performed only once.
  • Custom data for webhooks not displayed in the admin UI.
  • A truncated deflated SAML AuthN request was not handled as well as it should have been.
  • Some key pairs capable of signing a SAML request are not eligible in the UI.
  • Custom data for connectors not displayed in the admin UI.

Enhancements

  • When using MySQL with a large number of applications, and application roles, it may become slow to retrieve a user. This change should improve performance when using MySQL.
  • Improve the performance of using the Public Key API endpoint when you have a lot of applications and keys.
  • Display the database version and elastic search versions in the administrative user interface.
  • Improve User and Registration API performance at scale.
  • Try to support SAML POST bindings with SSO even when cookie samesite policy is set to SameSite=Lax.
  • Add a default NameID format when one is not provided on SAML AuthN or Logout requests.

Internal

Version 1.30.1

August 25th, 2021

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Known Issues

  • Registration counts may fail to be rolled up into reports when using PostgreSQL. Updating to 1.30.2 should resolve the issue.
  • A potential memory leak was introduced in this version. Updating to 1.33.0 should resolve the issue, if you are unable to upgrade, restarting the service periodically can mitigate this potential issue.

Fixed

  • The Text MIME type of an email may not render unicode correctly when the host system does not have UTF-8 set as the default character set.
  • Unable to assign an IP ACl to an application if one is not already assigned to the tenant.
  • Unable to delete an IP ACL in use by a tenant

Enhancements

  • General performance improvements for login, OAuth2 grants, and user create and registration.
  • Add the User Two Factor methods to the Elasticsearch index.
    • If you have existing users with Two-Factor enabled, you will want to perform a re-index in order to search on two-factor configuration.
    • Resolves GitHub Issue #1352, thanks to one of our favorite FusionAuth users @flangfeldt for making the request.

Internal

  • Performance improvements

Version 1.30.0

August 12th, 2021

Features that require the Threat Detection feature:

  • CAPTCHA
  • Domain blocking in registration
  • IP access control lists
  • IP location
  • Some of the new events and transactional emails
  • Rate limiting

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Known Issues

  • If you are referencing any Reconcile Lambda Ids using the syntax FUSIONAUTH_LAMBDA{type}_ID - this may no longer work due to a change in how these default lambdas are initialized.
    • The current work around is to modify your kickstart to build your own version of this lambda instead of using the FusionAuth default.
    • You will find a copy of the default lambdas shipped with FusionAuth in the Lambda documentation that you may use to copy into your kickstart.
    • The issue is being tracked here GitHub Issue #1373

Fixed

  • Unable to enable user.action event at the tenant using the UI. If you encounter this issue, you may work around it by using the Tenant API.
  • If you make an API request to /api/two-factor/login with an empty JSON body, an exception will occur instead of a validation error being returned with a 400 status code.
  • When using an IdP with a linking mode other than Create Pending Link, the token may not correctly be stored. If you previously had been using the token stored on the User Registration, and are now looking for it in the Identity Provider Link, you may not find it. This fix resolves the issue.
  • When you are using FusionAuth as a SAML v2 IdP with Redirect bindings, you were unable to use idp_hint to bypass the login page to federate to another provider.

Changed

  • New themed page added for Unauthorized access.
    • See the Theme API and the Theme documentation for additional details.
  • A macro available to themes named [@helpers.input] was modified to be able to build a checkbox. This change could affect you if you try to copy and paste the checkbox usage without modifying the macro definition in your Helper file. Review the Upgrading section on the Themes page for information on how to resolve potential breaking changes.

New

  • JWT Vending machine
    • This allows a JWT to be created for a not-yet-existing user with a payload defined by the API caller.
    • Resolves GitHub Issue #525
  • FusionAuth wasn’t awesome enough, so we added a robust Threat Detection feature for enterprise customers. This feature includes:
  • IP Access Control for API keys
    • This allows support for an API key to be further restricted by the origin IP address.
    • Resolves GitHub Issue #933
  • IP Access Control for SSO and self service forms
    • This allows you to limit access to the FusionAuth SSO or a particular application login through SSO by IP address
  • Blocked domain configuration to limit registrations from specific email domains
  • Rate limiting per user for the following requests:
    • Failed login (only used if Failed Login configuration is not in use)
    • Forgot password
    • Send email verification
    • Send passwordless
    • Send registration verification
    • Send two-factor
  • Captcha - add CAPTCHA to login and other end user forms to help ensure only humans are submitting forms.
    • This feature is in tech preview and is subject to change.
    • Support for Google ReCaptcha v2, Google ReCaptcha v3, HCaptcha and HCaptcha Enterprise
    • Resolves GitHub Issue #278
  • IP location.
    • When possible, an IP address will be resolved to include city, country, region, zip code, longitude and latitude.
    • IP location will be included in login records and will be available in some email templates and webhook events
    • Used to calculate impossible travel between login locations
  • New Webhook events:
    • Audit Log Create audit-log.create
    • Event Log Create event-log.create
    • Kickstart Success kickstart.success
    • User Create Complete user.create.complete
    • User Delete Complete user.delete.complete
    • User Update Complete user.update.complete
    • User LoginId Duplicate On Create user.loginId.duplicate.create
    • User LoginId Duplicate Update user.loginId.duplicate.update
    • User Email Update user.email.update
    • User Login New Device user.login.new-device
    • User Login Suspicious user.login.suspicious
    • User Password Reset Success user.password.reset.success
    • User Password Reset Send user.password.reset.send
    • User Password Reset Start user.password.reset.start
    • User Password Update user.password.update
    • User Registration Create Complete user.registration.create.complete
    • User Registration Delete Complete user.registration.delete.complete
    • User Registration Update Complete user.registration.update.complete
    • User Two Factor Method Added user.two-factor.method.add
    • User Two Factor Method Removed user.two-factor.method.remove
    • See the Event Webhooks documentation for additional details.
    • Resolves GitHub Issue #1308, thanks to @adoliver for the suggestion!
    • Resolves GitHub Issue #1178
    • Resolves GitHub Issue #1128
    • Resolves GitHub Issue #1129
  • New transactional emails:
    • Email update
    • Login Id duplicate on create
    • Login Id duplicate on update
    • Login with new device
    • Suspicious login
    • Password reset success
    • Password update
    • Two-factor method added
    • Two-factor method removed

Enhancements

  • Search on oldValue, newValue and reason in the Audit Log.
    • See the Audit Log Search API for additional details on searching on oldValue, newValue and reason in the audit log.
  • When using IdP linking in conjunction with the Oauth2 Device grant, the recently completed links will be available on the Device complete themed page by using the completedLinks variable.
    • See the Device Complete themed page documentation for additional details.
  • More themed pages will have access to the currently logged in user using the currentUser variable.
    • See the Theme documentation for additional details.

Version 1.29.4

August 12th, 2021

Fixed

  • When a user is required to complete registration after login, the user may no longer be able to login w/out a password reset. This is a regression from version 1.28.0, and only affects those using self-service registration that will have existing users that do not have all required fields on their account.

Version 1.29.3

August 6th, 2021

Fixed

  • A 404 may be returned when attempting to update a user with PUT or PATCH on the User API if the user has an unverified email and email verification has been disabled.

Version 1.29.2

July 31st, 2021

Fixed

  • When using a SAML v2 IdP that does not send back a KeyInfo element in the XML response, an exception may occur when attempting to parse the response.

Version 1.29.1

July 26th, 2021

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Fixed

  • In a multi-tenant configuration, SSO sessions may be pre-maturely terminated if one tenant has a lower TTL configuration than the other tenants. To work around this issue prior to this release, ensure all SSO TTL configurations are equal.
  • The arg names in the LambdaType enum were not all correct.
  • An IdP Debug event log may not get produced when a unique Id could not be resolved.
  • When enabling the SAMl v2 IdP debug log an exception may be taken when attempting to produce the debug event log. The result is that the debug log will not be produced.

Version 1.29.0

July 10th, 2021

Fixed

  • When viewing the theme preview for the oauth2/start-idp-link.ftl template, and error may be logged.
  • When a webhook transaction fails to create a user or registration on a themed page, a non-themed error page may be displayed

Enhancements

  • Enhance the Link API to retrieve a user by a 3rd party unique Id to identify a FusionAuth user is linked to the user. See the Link API for additional details.
  • During a device link request which contains a device linking token, show an intermediate page asking the user if they would like to sign in with an existing user or create a new user.
  • Allow the IdP Login API to optionally be passed a request parameter to indicate a link should not be established and a 404 should be returned instead. This is useful if you wish to identify if a link exists first before starting an auxiliary workflow such as a device grant with a linking token. See the Login API for additional details.
  • Add additional configuration to the unique username configuration to support always appending a suffix even when the username is not in use. See the Tenant API for additional details.
  • Add an additional debug event log when for the SAML IdP to debug the AuthN request sent to the SAML IdP
  • In version 1.28.0 the resolution of the value returned by the SAML v2 IdP in the NameID was modified. If the IdP returns a format of unspecified with a value of email then after upgrading to version 1.28.0 your SAML IdP will not function properly. Ideally you would ask your IdP to return you a NameID format of emailAddress, but if that is not possible this enhancement will allow FusionAuth to accept the value returned in the NameID if the format is returned as unspecified.
  • Instead of logging FreeMarker exceptions to the system log and producing a stack trace that may end up in the UI, an event log will be produced. The message in the UI will be condensed based upon the runtime mode. When in development mode some details will be provided to assist in debugging your themed template. If in production runtime mode only a message indicating an error occurred will be displayed to the user.

Internal

  • Update HikariCP from 3.4.1 to 4.0.3, and update PostgreSQL JDBC driver from 42.2.14 to 42.2.22

Version 1.28.1

June 21st, 2021

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Fixed

  • Allow self-consent form field on a self-service form.
  • Correct validation of a consent form field on edit. Control type was failing validation on edit.
  • An imported user requiring password change, and email verification may fail to verify email verification with an email verification gate.
  • Better parsing of the X-Fowarded-For HTTP request header. This header may contain one to many IP addresses, and only the first value should be preserved for the login record. Prior to this fix, it would be possible to see a login record that contained multiple IP addresses separated by a comma.
  • Correctly show the Verification URL in the OAuth2 configuration when the Device grant is selected. This issue was introduced in 1.28.0.
  • Use the correct FusionAuth redirect URL when using the Sony Playstation Network IdP.
  • Use the correct FusionAuth redirect URL when using the Steam IdP. This IdP uses an Implicit grant and should be using the /oauth2/callback/implicit callback URL.
  • Allow the Epic Games IdP to function properly when omitting the scope configuration property.

Tech Preview

  • You may optionally start an account link when beginning a Device grant.

Version 1.28.0

June 7rd, 2021

The FusionAuth identity providers have undergone a significant improvement to add additional flexibility and support for 3rd parties. Please take time to test this upgrade with your existing configuration to ensure compatibility. Some of the features in this release are in tech-preview.

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Known Issues

  • If you are using self-service registration there is a possibility that a user may be required to complete registration by adding additional fields to their account after they login. In this scenario it is possible that they will no longer be able to login and will be required to reset their password. The fix for this was added in 1.29.4.
  • If you are using the SAML v2 Populate Lambda or the SAML v2 Reconcile Lambda the NameID field has been changed to an array. You will need to update your lambda code if you are using this field.

Changed

  • You may no longer build a synthetic email address using a lambda for an OpenID Connect identity provider. This has been removed because you may now link a user by username or create a link w/out a username or an email to an existing FusionAuth user. If you are using this feature, you may need to plan for a migration to this new behavior. If you have a support contract with FusionAuth, please reach out and ask for additional information.
  • When using FusionAuth as a SAML IdP, FusionAuth will now accept urn:oasis:names:tc:SAML:2.0:nameid-format:persistent in addition to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. This should allow FusionAuth to work with SAML v2 service providers that only support the persistent NameID format.
  • Tokens returned by IdPs are no longer stored on the User Registration object in the tokens field. Each token is now stored with the IdP link for the User and the IdP. See the Link API for additional details.

New

  • Reindex API
  • Account Link API
    • This API will allow you to link and un-link users in 3rd party identity providers with a FusionAuth user.
    • See the Link API for usage.
  • IdP Linking options
    • Each Identity Provider may now be configured with a linking strategy. The strategies will include linking by email, username, anonymous or a link to an existing user.
    • Linking by username is now supported. There is a higher risk of account takeover using this strategy, you should use caution when using this feature.
    • Tokens from identity providers should now be retrieved from the link, rather than the registration. More information can be found under identityProviderLink.token response value here
  • Email Send API allows an email address in the To field instead of only allowing FusionAuth userIds
  • SAML Identity Provider can now be configured to use any NameID format. Previously only the Email NameID format was utilized.
    • This should allow the SAML identity provider configuration to be more flexible and work with additional SAML identity providers.

Enhanced

  • When FusionAuth is acting as a SAML Identity Provider, you may now send a NameID format of Email or Persistent.
    • This should allow FusionAuth to work with additional SAML service providers such as Slack.
    • Resolves GitHub Issue #522
  • The Email Send API now allows you to send to a user that does not yet exist in FusionAuth by allowing you to specify an email address for the To: field.
  • The Facebook and Google Identity Providers will now default to using a redirect instead of a popup for login. All existing configurations will be migrated to use the popup dialog to remain consistent with the previous behavior. With this update you may now also use the idp_hint parameter to login with Facebook and Google.
  • Additional PKCE and Client Authentication configuration
    • You may now optionally configure PKCE as required, not required, or required when not using a confidential client. This offers better compatibility when multiple client types (a webapp and a mobile app, for example) are authenticating against a single FusionAuth application.
    • Resolves GitHub Issue #1152
  • Add the currently selected Two Factor method object to the Themed Two Factor page /oauth2/two-factor
  • Allow using IdP buttons on the Themed registration page
  • When using email verification required with the gated configuration, optionally send the user another email before entering the gated page if the user does not have an existing verification email that is not expired.

Fixed

  • Do not add the NotBefore assertion on the SAML AuthN response on the subject confirmation.
  • When importing users with passwordChangeRequired=true w/out specifying the change reason an exception may occur during login.
  • When using the email verification gate and self-service registration if a user requires their email to be verified and is forced through the complete registration flow they will not be correctly gated.
  • Fix a JavaScript bug that may cause some of the themed pages to render incorrectly in the view window.

Tech Preview

  • New IdPs for EpicGames, Nintendo, Sony PlayStation Network, Steam, Twitch, Xbox - see link for more information
  • Development kickstart reset. When you are running in development runtime mode, you’ll see a Reset menu item in the System navigation menu.
    • See System -> Reset
  • There is now a JWT populate lambda for the Client Credentials grant. See link for more information.

Version 1.27.2

May 10th, 2021

Changed

  • In version 1.26.0 the ability to use user.data.email for Forgot Password and Passwordless login flows was removed. Support for this behavior has been restored in this patch.

Fixed

  • When building a new theme starting with 1.27.0, you may encounter a JavaScript error during page render. This error should not cause any end user failures, but the login may not properly capture the browser type.

Version 1.27.1

May 7th, 2021

Fixed

  • When migrating from 1.26.0 or earlier to version 1.27.0 the initial render of the add Tenant panel in the admin UI may fail to render. If you encounter this issue, you may upgrade or edit the FusionAuth tenant first and then try the request again.
  • Make the verification flow simpler when you enable both email and registration verification during self-service registration.
  • The view dialog for the SAML v2 IdP Initiated configuration may not render correctly.
  • When configuring the SAML v2 IdP Initiated Login configuration for an IdP that has a issuer that is not a URL the configuration will fail because we are expecting a URL for this field.

Version 1.27.0

May 5th, 2021

Some of the features in this release are in tech-preview. Please give us feedback and let us know how they work for you!

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Changed

  • Login API now returns 213 for Registration Not Verified.
    • See the Login API response for additional details.
  • The Login API and the User API may optionally return a emailVerificationId or registrationVerificationId to assist the developer in completing a verification workflow when the verification strategy has been configured to use a short code instead of a long “clickable” link.
    • See the Login API response for additional details.
  • The Verify Email API now takes the verificationId in the request body instead of a URL segment. See the Verify Email API for additional details.
    • This change is backwards compatible, but the deprecated use of the API may be removed in the future.
    • The client libraries methods have also been preserved, but a new method has been added to accept a request body.
  • The Verify Registration API now takes the verificationId in the request body instead of a URL segment.
    • This change is backwards compatible, but the deprecated use of the API may be removed in the future.
    • The client libraries methods have also been preserved, but a new method has been added to accept a request body.
  • When calling PUT on the Login API (ping) the response may optionally return an emailVerificationId or registrationVerificationId to assist the developer in completing a verification workflow when the verification strategy has been configured to use a short code instead of a long “clickable” link.
    • See the Login API response for additional details.
  • The User API and Registration API may optionally return an emailVerificationId or a map of registration verification Ids to assist the developer in completing a verification workflow when the verification strategy has been configured to use a short code instead of a long “clickable” link.
    • See the User and Registration API response examples for additional details.

Fixed

  • CleanSpeak username filtering may not always work when using advanced self-service registration forms with only one step.
  • Link to SAML v2 IdP Initiated Add in the admin UI was missing. See GH issue for a work around.
  • Fixes for the new API Key API - usages in the admin UI. Allow the admin UI to upgrade and downgrade API keys for Key Manager.

Tech Preview

  • Application Themes. You may optionally assign a theme per application which will then be utilize instead of the tenant configuration.
  • Email verification gate. When using the FusionAuth themed pages, you may force a user to verify their email address before being redirected back to your application.
  • Configurable verification strategies to use an interactive form instead of a clickable link.
    • May require a change to your email template, see the updated Email Verification documentation for additional details.
    • GitHub Issue #1191
  • Unique usernames. Allow more than one user to select the same username and allow FusionAuth to manage a unique suffix.

New

  • Product Version API.
    • Resolves GitHub Issue #1193
    • Thanks to @jegger for the request!
    • See Version API for additional details or find retrieveVersion in your FusionAuth client library.

Enhancements

  • Try to support Microsoft Outlook Safe Links
  • Support HTTP Basic Auth using an API key for the Prometheus Metrics endpoint added in 1.26.0.
    • See Prometheus endpoint documentation for additional details on authenticating this endpoint.
    • Resolves GitHub Issue #1189

Version 1.26.1

April 20th, 2021

Fixed

  • If you use a non default theme for the FusionAuth default tenant, you may see an error when trying to log in to the admin UI after upgrading to version 1.25.0. You can workaround this by appending ?&bypassTheme=true to your login URL, or append /admin/ to your base FusionAuth URL to log into the admin UI.

Known Issues

  • You cannot create a “SAML v2 IdP Initiated” Identity Provider in the admin UI; it isn’t present in the “Add Identity Providers” dropdown. You can workaround this by entering the URL to add an Identity Provider manually: \[GitHub Issue #1181](https://auth.example.com/admin/identity-provider/add/SAMLv2IdPInitiated (append /admin/identity-provider/add/SAMLv2IdPInitiated to your FusionAuth base URL). Tracking in https://github.com/FusionAuth/fusionauth-issues/issues/1181).

Version 1.26.0

April 20th, 2021

Lots of changes ahead! Read carefully to see how this release may affect you.

Two Factor APIs

Breaking changes. If you use this functionality, please review the API changes and test before upgrading. The Two-Factor API, two-factor fields on the User and Import User APIs and the Integrations API have changed and are not backwards compatible. If you use this functionality, please review the API changes and test before upgrading.

Upgrading from < 1.7.0

If you are upgrading from a version less than 1.7.0, you must do a two stage upgrade. Upgrade to a version greater than or equal to 1.7.0 but less than 1.26.0, then upgrade from that version to 1.26.0. There were internal migration changes which necessitate this two stage process.

Accessing the admin Login after upgrading:

The / path of FusionAuth no longer automatically forwards to the admin login. To access the admin UI to complete this configuration append /admin/ to the URL. Once the theme configuration is complete, this root page will contain links to login and instructions on how to utilize this root landing page.

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Known Issues

  • If you use a non default theme for the FusionAuth default tenant, you may see an error when trying to log in to the admin UI. You can workaround this by appending ?&bypassTheme=true to your login URL.

Changed

  • The Two-Factor API has changed which allows you to enable and disable Two-Factor methods as well as send codes.
  • The Two-Factor Login API now returns 409 for too many attempts. This allows the Two-Factor Login API to provide the same locking capability as the Login API when too many failed attempts occur.
  • The Import API has changed for enabling Two-Factor.
  • The User API has changed for enabling and disabling Two-Factor. See the User API for changes.
    • See the User API for changes.
  • Email and SMS Two-Factor methods will now require a paid edition of FusionAuth. Learn more about paid editions.
    • If you are only using Authenticator/TOTP for Two-Factor, this functionality will continue to work properly in the community edition.
  • If you are upgrading from a version less than 1.7.0, you must do a two stage upgrade. Upgrade to a version greater than or equal to 1.7.0 but less than 1.26.0, then upgrade from that version to 1.26.0. There were internal migration changes which necessitate this two stage process.

Fixed

  • You can now delete a user registration for an inactive application
  • Spurious text ‘[object Object]’ on FusionAuth admin UI screen when certain Chrome extensions present.

Tech Preview

New

  • Prometheus Metrics endpoint
  • IdP initiated SSO
  • An API key to create API keys!
  • Portions of GitHub Issue #960 were delivered, including features such as:
    • Two-Factor step-up API
    • SMS Two-Factor with configurable delivery methods
    • Localized Message Templates which can be used for SMS Two-Factor messages
  • Self service user profile page
  • Themeable root page
  • Messengers which are used to send SMS messages through Twilio, Kafka or a generic JSON REST API
  • Licensing now supports air-gapped deployments
  • Client Credentials grant

Enhancements

Version 1.25.0

March 10th, 2021

SAML v2 Logout is now fully supported. No action should be required. If you are currently using FusionAuth as a SAML v2 IdP, please verify your configuration as you may want to provide additional configuration to take full advantage of the SAML v2 Logout configuration. The additional of SAML v2 Logout means there is a new themed page to manage the user experience for SAML v2 Logout. Please review your theme to ensure your user experience is not interrupted. See additional details in the New section below.

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Changed

  • In support of the SAML v2 Logout feature, the following theme changes have been made.
    • New themed template SAMLv2 logout template. This template will be rendered when you utilize the SAML v2 Logout feature, it is nearly identical to the existing OAuth2 logout themed page. If you are using themes, please review your theme to ensure your user experience is not interrupted.

Fixed

  • If you are using Elasticsearch version 6 you may encounter an error when using the Search API. This is due to a change in how we optionally request the document hit count in the search request to Elasticsearch. The change is not compatible with Elasticsearch version 6. As a work around, you can set accurateTotal=true in the API request. See the User Search API for additional details on using this parameter.
  • Using the HTTP PATCH method on the FusionAuth application may produce erroneous validation errors.
  • Adding additional Java options in the configuration file when the value contains a space may not work correctly.
  • A NullPointerException may occur when you have users registered for an application in a non default tenant and you create a login report for only that application. Thanks to @NikolayMetchev for filing this.
  • When you omit the state parameter on the Authorization request, you may receive a state parameter on the redirect_uri that you did not expect.

New

Enhancements

  • Add a button to the Sessions tab in the FusionAuth admin UI to delete all user sessions at once, this action is also available from the drop down action list when managing a user.
  • Add Debug to OAuth2 grants, this will primarily assist in debugging the Authorization Code grant auth code exchange with the Token endpoint.
  • Add CORS Debug, this will assist you in debugging CORS related 403 HTTP status codes.
  • Better SMTP debug for specific scenarios. This should assist with async connection issues and provide context to the tenant and template being rendered during the exception.
  • Allow the Registration API to accept the applicationId as a URL segment
  • Twitter IdP Login API can optionally accept an access token. When building your own login page, if you complete the initial step with Twitter and utilize the oauth_verifier to perform some initial processing of the Twitter user, you may now still send the access token in the form of oauth_token and oauth_token_secret to FusionAuth to complete the login. This is done by omitting the oauth_verifier on the Login request. See Complete the Twitter Login for additional information.
  • When Key Master generates a kid because one is not provided on the request, if there is a public key, generate the kid as a JWK thumbprint instead of a randomly generated value.
  • When using the Search feature in the FusionAuth admin UI, once you begin searching using a specific term or any of the advanced controls, the pagination result total will be an accurate representation of the number of matches returned by Elasticsearch. When no search criteria is provided, the number of matches will cap at the default value of 10,000 and the pagination results will indicate 10,000+ which means at least 10,000 users match the search criteria.

Internal

Version 1.24.0

February 11th, 2021

Known Issues

  • If you are using Elasticsearch version 6 you may encounter an error when using the Search API. This is due to a change in how we optionally request the document hit count in the search request to Elasticsearch. The change is not compatible with Elasticsearch version 6. As a work around, you can set accurateTotal=true in the API request.

Security

  • More consistent usage of the Cache-Control HTTP response header. The default for all pages will be Cache-Control: no-cache, and some pages that may contain potentially sensitive information such as the API key add, edit or index pages will use a Cache-Control: no-store. No known vulnerability exists with the previous behavior, this is just a proactive change to limit the possible mis-use of cached pages in the FusionAuth admin UI.
  • A vulnerability in an underlying SAML v2 library was resolved. If you are using SAML please upgrade FusionAuth to 1.24.0 or later as soon as possible.

Changed

  • The applicationId and roles claims are no longer returned in the id_token issued when requesting the openid scope. The id_token should not be used for authorization, this change makes it less likely to mis-use this token. If you have a requirement for these claims (you shouldn’t), you can add them back by using a JWT Populate lambda. See Id Token claims for additional information.

Fixed

  • When using the Add or Edit Identity Provider forms in the admin UI, if you have ~2,000 or more applications it is possible for the form request to be truncated by the underlying application server. This error is caused by the maximum number of request parameters being exceeded. This form in particular, along with the Group Add/Edit and Webhook Add/Edit contains a number of fields that is a function of the number of applications configured. An informational error may be written to the system log indicating this truncation has occurred, but no hard error would have occurred. The symptom will be that depending upon your configuration, a portion of it may be lost during this form submit. The entry in the log will contain this message org.apache.tomcat.util.http.Parameters.processParameters More than the maximum number of request parameters (GET plus POST) for a single request ([10,000]) were detected. Any parameters beyond this limit have been ignored..
  • When you have registered a custom plugin for password hashing, using the View Tenant dialog may fail to render.
  • Unable to remove a User from a Group using the admin UI dialog. This was a regression issue introduced in version 1.23.0.
  • If a user was not currently in the Elasticsearch index, the user delete request may fail.
  • The JWT returned from the Register API when you are creating a User and a Registration in one request may not contain the roles claim. This occurs when you do not assign the roles explicitly on the request, and instead are using default role assignment in the application configuration.
  • Updating a User that has existing group memberships may no longer be searchable in Elasticsearch by their Group memberships until the next time the user logs into FusionAuth.
  • A Kafka Producer configuration that contains an equals sign = in the property value will fail to parse. This was identified in attempting to configure credentials to connect to CloudKarafka.

Enhancements

  • Support a Kickstart file with only a licenseId. Previously at least one API key was required because the intent of Kickstart is to call one or more APIs. While there is not a very practical use case for only providing a licenseId and no API requests, this minimal configuration will no longer fail indicating an API key is required. See Set your License Id in the Kickstart documentation.
  • You may now import an RSA certificate with a key bit length less than 2048 into Key Master. The minimum supported RSA key length for signing a JWT is 2048, so this was previously the minimum requirement to import anything into Key Master. However, we have several configurations now that require a certificate that is only used to verify a signature from a third party. In these cases, we are not using the certificate to sign anything, and @trevorr rightly pointed out that we should allow smaller keys to be imported to support these use cases. Thank you for the (now obvious) insight! We really appreciate our community members that provide us value for value.
  • Added an additional Search API parameter to allow you to obtain the actual hit count from Elasticsearch. For performance reasons, the default behavior of an Elasticsearch query is to limit the hit count to 10,000. This means that if your query matched more than 10,000 records, the API response will only indicate that at least 10,000 records matched. This is very adequate for pagination purposes, or general queries. There are times where you are building a very specific query and the intent is to identify an accurate number of matching records. You may now provide an additional parameter to the search request named accurateTotal which will then return an accurate hit count on the API response. See the User Search API for additional details.
  • Allow the user to click on the Enabled column in the Webhook event configuration in the Webhook and Tenant configurations to enable or disable all events at once. This is just a usability enhancement to save you from clicking over and over. You’re welcome.
  • For pages with potentially a lot of items such as Applications, Tenants, etc - that do not currently have pagination, add a count at the bottom of the panel. This allows you to look smart by knowing how many “things” you have without having to count them yourself.

Internal

  • Some enhancements to JavaScript event handlers to perform better on pages with 2-3k+ applications. Pretty boring.

Version 1.23.3

January 21th, 2021

Fixed

  • A tenant delete request may fail. See details in the linked GH issue for a work around. This issue was introduced in version 1.22.0.

Version 1.23.2

January 20th, 2021

Fixed

  • A bug in the PostgreSQL migration will cause you to lose your SAML v2 IdP configuration. If you are using MySQL or you are not using the SAML v2 IdP configuration, this bug will not affect you. The issue was introduced in version 1.21.0, so if you are upgrading from a version prior to 1.21.0 to 1.23.2 you will not be affected. If you have already upgraded to 1.21.0 or any version greater than 1.21.0 prior to this patch, you will have already encountered the issue. If you do encounter this issue, you will need to update the SAML v2 IdP configuration found in each affected Application configuration.

Version 1.23.1

January 13th, 2021

Fixed

  • When configured to sign the SAML v2 AuthN requests to the SAML v2 IdP, the SAML v2 SP metadata does not correctly reflect this settings. The attribute AuthnRequestsSigned should now reflect the signing configuration.
    • When configured to sign requests, the SP metadata response will now also contain the KeyDescriptor element to describe the X.509 certificate used to verify the signature.
    • Resolves GitHub Issue #1067

Version 1.23.0

January 11th, 2021

The database schema has changed and an upgrade is required for this version of FusionAuth. While in development mode you will prompted to upgrade the database by maintenance mode before you may login. In a production runtime with silent configuration, the upgrade will occur automatically during startup.

See Database Upgrades for more information about database migrations.

Known Issues

  • If you are upgrading to this version, are using PostgreSQL, and you intend to use the provided LinkedIn Reconcile lambda, you will need to make a small adjustment prior to using it.
    • Navigate to Customizations -> Lambdas and edit the lambda named Default LinkedIn Reconcile provided by FusionAuth and click edit. You will see an error indicated by a red dot on line 23 of the function body. To fix this error, delete the two empty lines between the end of line 23 and 25, once the error indicator is gone, save the lambda.
  • Unable to remove a User from a group using the admin UI dialog.

Fixed

  • A validation error may not be visible when selecting self service registration options when the FusionAuth license has not been activated.
  • The User Action API was returning a 200 status code instead of a 404 when requesting an action by Id that did not exist.
  • The IP address shown on the About panel may be the same for each node when viewed on a multi-node FusionAuth instance. This address is shown for informational purposes and was only a cosmetic defect w/out any functional issues.
  • The SAML Response XML was failing XSD validation for the Signature element location when the request was not successful, or FusionAuth was configured to sign the response instead of the assertion.
  • Fix a possible NPE when making an Update request to a group in a multi-tenant environment. With this fix, the correct API response will be returned.
  • When creating an IdP from the API for Google, Facebook, Twitter, or HYPR - the API was allowing an Id to be provided. Each of these IdP types of which only one are allowed, have a fixed Id that is managed by FusionAuth. The API should ignore the requested Id and set the correct Id instead. If you encounter this issue, the work around is to omit the Id on the API request.
  • Kickstart fails when using a variable in the tenantId field for an API key.

New

  • Sign in with LinkedIn. A new identity provider type is available for LinkedIn.
  • New FusionAuth roles oriented for Level 1 support personnel. These new roles are named user_support_viewer and user_support_manager, see FusionAuth application roles for additional detail.

Enhancements

  • Updates to the User and Import API to provide validation on the length of an email address. This will provide a developer a better error when the provided email address is too long.

Client libraries

  • Enhancements to the .NET Core client library to better support requests in a multi-tenant environment and to use the IDictionary reference instead of Dictionary.