Skip to main content

Release 2023.1

Breaking changes

  • Deprecated HaveIBeenPwned policy has been removed

    This policy type has been deprecated since 2022.11 and was automatically migrated to the password policy with equivalent options.

New features

  • SLO Support for SAML provider

    authentik now supports SAML SLO (Single logout).

  • Proxy provider now accepts HTTP Basic and Bearer authentication

    See Header authentication.

  • LDAP provider now works with Code-based MFA stages

    If the configured authentication flow has an authenticator validation stage which allows code-based devices, and the user attempting to login has a TOTP or Static device, they can enter their password followed by a semicolon and the authenticator code to login. SMS devices are not supported.

Upgrading

This release does not introduce any new requirements.

docker-compose

Download the docker-compose file for 2023.1 from here. Afterwards, simply run docker-compose up -d.

Kubernetes

Update your values to use the new images:

image:
repository: ghcr.io/goauthentik/server
tag: 2023.1.0

Minor changes/fixes

  • *: strip leading and trailing whitespace when reading config values from files
  • admin: include task duration in API (#4428)
  • blueprints: Add !Enumerate, !Value and !Index tags (#4338)
  • blueprints: don't set session_duration in default and example flows (#4448)
  • blueprints: Fix resolve model_name in !Find tag (#4371)
  • blueprints: internal storage (#4397)
  • crypto: prevent creation of duplicate self-signed default certs
  • events: exclude base models from model audit log
  • events: rework metrics (#4407)
  • internal: check certificate value and not IsSet
  • internal: fix race condition with config loading on startup, add index on debug server
  • internal: improve error handling
  • outposts: use common config loader for outposts to support loading values from file
  • outposts/ldap: decrease verbosity
  • outposts/proxy: add header to prevent redirects
  • outposts/proxy: allow setting no-redirect via header or query param
  • outposts/proxy: cache basic and bearer credentials for one minute
  • outposts/proxy: fix error handling, remove requirement for profile/etc scopes
  • outposts/proxy: make logged user more consistent, set FlushInterval
  • outposts/proxy: set http code when no redirect header is set
  • polices/hibp: remove deprecated (#4363)
  • providers/ldap: add code-MFA support for ldap provider (#4354)
  • providers/oauth2: correctly fill claims_supported based on selected scopes (#4429)
  • providers/oauth2: don't allow spaces in scope_name
  • providers/oauth2: fallback to anonymous user for policy engine
  • providers/oauth2: use guardian anonymous user to get claims for provider info
  • providers/proxy: add initial header token auth (#4421)
  • providers/proxy: add setting to intercept authorization header (#4457)
  • providers/proxy: add tests for proxy basic auth (#4357)
  • providers/saml: initial SLO implementation (#2346)
  • root: show error when geoIP download fails
  • sources/ldap: don't run membership sync if group sync is disabled
  • sources/ldap: make task timeout adjustable
  • sources/ldap: manual import (#4456)
  • sources/ldap: only warn about missing groups when source is configured to sync groups
  • stages/user_write: add more user creation options (#4367)
  • web: add core-js polyfill for safari
  • web: ensure img tags have alt attributes
  • web: fix radio label code in dark mode
  • web: fix scrollbar corner color in dark mode
  • web: migrate checkbox to switch (#4409)
  • web/admin: better show dev build
  • web/admin: fix certificate filtering for LDAP verification certificate
  • web/admin: fix overflow in aggregate cards
  • web/admin: link impersonation user for events
  • web/admin: rework admin dashboard, add more links, remove user and group graphs (#4399)
  • web/admin: show GeoIP information inline in events
  • web/elements: fix pagination page button colours in dark mode
  • web/elements: use correct Action Label for user related events

Fixed in 2023.1.1

  • add tests to prevent empty SAN
  • blueprints: fix OOB email field overwriting user settings email field
  • ci: build beta for amd64 and arm64 (#4468)
  • crypto: ensure we don't generate an empty SAN certificate
  • crypto: fallback when no SAN values are given
  • outposts/ldap: fix queries filtering objectClass with non-lowercase values
  • outposts/proxy: fix panic due to IsSet misbehaving
  • providers/oauth2: more x5c and ecdsa x/y tests (#4463)
  • providers/proxy: fix issuer for embedded outpost (#4480)
  • sources/ldap: add e2e LDAP source tests (#4462)
  • stages: always use get_pending_user instead of getting context user
  • stages/authenticator_sms: fix code not being sent when phone_number is in context
  • web/admin: don't enable execution logging by default
  • web/admin: improve display of rule severity
  • web/admin: improve display of system task exception
  • web/admin: link group of notification rule
  • web/elements: fix pf-c-switch not rendering correctly in pure tables
  • web/elements: fix SearchSelect not working on safari
  • web/flows: fix flow executor background overlay in safari

Fixed in 2023.1.2

  • stages/user_write: fix migration setting wrong value, fix form

Fixed in 2023.1.3

API Changes

What's Deleted


GET /policies/haveibeenpwned/
POST /policies/haveibeenpwned/
GET /policies/haveibeenpwned/{policy_uuid}/
PUT /policies/haveibeenpwned/{policy_uuid}/
DELETE /policies/haveibeenpwned/{policy_uuid}/
PATCH /policies/haveibeenpwned/{policy_uuid}/
GET /policies/haveibeenpwned/{policy_uuid}/used_by/

What's Changed


GET /admin/metrics/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • authorizations
    • logins
    • logins_failed

    New optional properties:

    • authorizations_per_1h

    • logins_failed_per_1h

    • logins_per_1h

    • Added property logins (array)

      Items (object): > Coordinates for diagrams

      • Property x_cord (integer)

      • Property y_cord (integer)

    • Added property logins_failed (array)

    • Added property authorizations (array)

    • Deleted property logins_per_1h (array)

    • Deleted property logins_failed_per_1h (array)

    • Deleted property authorizations_per_1h (array)

GET /core/users/{id}/metrics/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • authorizations
    • logins
    • logins_failed

    New optional properties:

    • authorizations_per_1h

    • logins_failed_per_1h

    • logins_per_1h

    • Added property logins (array)

    • Added property logins_failed (array)

    • Added property authorizations (array)

    • Deleted property logins_per_1h (array)

    • Deleted property logins_failed_per_1h (array)

    • Deleted property authorizations_per_1h (array)

GET /managed/blueprints/{instance_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New optional properties:

    • path

    • Added property content (string)
PUT /managed/blueprints/{instance_uuid}/
Request:

Changed content type : application/json

New optional properties:

  • path
  • Added property content (string)
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New optional properties:

    • path

    • Added property content (string)
PATCH /managed/blueprints/{instance_uuid}/
Request:

Changed content type : application/json

  • Added property content (string)
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New optional properties:

    • path

    • Added property content (string)
POST /managed/blueprints/{instance_uuid}/apply/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New optional properties:

    • path

    • Added property content (string)
GET /outposts/proxy/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property intercept_header_auth (boolean)

      When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

GET /policies/event_matcher/{policy_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property app (string)

      Match events created by selected application. When left empty, all applications are matched.

      Removed enum value:

      • authentik.policies.hibp
PUT /policies/event_matcher/{policy_uuid}/
Request:

Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Removed enum value:

    • authentik.policies.hibp
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property app (string)

      Match events created by selected application. When left empty, all applications are matched.

      Removed enum value:

      • authentik.policies.hibp
PATCH /policies/event_matcher/{policy_uuid}/
Request:

Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Removed enum value:

    • authentik.policies.hibp
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property app (string)

      Match events created by selected application. When left empty, all applications are matched.

      Removed enum value:

      • authentik.policies.hibp
GET /propertymappings/scope/{pm_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property scope_name (string)

      Scope name requested by the client

PUT /propertymappings/scope/{pm_uuid}/
Request:

Changed content type : application/json

  • Changed property scope_name (string)

    Scope name requested by the client

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property scope_name (string)

      Scope name requested by the client

PATCH /propertymappings/scope/{pm_uuid}/
Request:

Changed content type : application/json

  • Changed property scope_name (string)

    Scope name requested by the client

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property scope_name (string)

      Scope name requested by the client

GET /providers/proxy/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • client_id

    • Added property client_id (string)

    • Added property intercept_header_auth (boolean)

      When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

    • Added property jwks_sources (array)

      Items (string):

PUT /providers/proxy/{id}/
Request:

Changed content type : application/json

  • Added property intercept_header_auth (boolean)

    When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

  • Added property jwks_sources (array)

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • client_id

    • Added property client_id (string)

    • Added property intercept_header_auth (boolean)

      When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

    • Added property jwks_sources (array)

PATCH /providers/proxy/{id}/
Request:

Changed content type : application/json

  • Added property intercept_header_auth (boolean)

    When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

  • Added property jwks_sources (array)

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • client_id

    • Added property client_id (string)

    • Added property intercept_header_auth (boolean)

      When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

    • Added property jwks_sources (array)

GET /admin/system_tasks/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    Changed items (object): > Serialize TaskInfo and TaskResult

    New required properties:

    • task_duration

    • Added property task_duration (integer)
GET /admin/system_tasks/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • task_duration

    • Added property task_duration (integer)
POST /managed/blueprints/
Request:

Changed content type : application/json

New optional properties:

  • path
  • Added property content (string)
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    New optional properties:

    • path

    • Added property content (string)
GET /managed/blueprints/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Info about a single blueprint instance file

      New optional properties:

      • path

      • Added property content (string)
GET /outposts/proxy/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Proxy provider serializer for outposts

      • Added property intercept_header_auth (boolean)

        When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

POST /policies/event_matcher/
Request:

Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Removed enum value:

    • authentik.policies.hibp
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Changed property app (string)

      Match events created by selected application. When left empty, all applications are matched.

      Removed enum value:

      • authentik.policies.hibp
GET /policies/event_matcher/
Parameters:

Changed: app in query

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Event Matcher Policy Serializer

      • Changed property app (string)

        Match events created by selected application. When left empty, all applications are matched.

        Removed enum value:

        • authentik.policies.hibp
POST /propertymappings/scope/
Request:

Changed content type : application/json

  • Changed property scope_name (string)

    Scope name requested by the client

Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Changed property scope_name (string)

      Scope name requested by the client

GET /propertymappings/scope/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > ScopeMapping Serializer

      • Changed property scope_name (string)

        Scope name requested by the client

POST /providers/proxy/
Request:

Changed content type : application/json

  • Added property intercept_header_auth (boolean)

    When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

  • Added property jwks_sources (array)

Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    New required properties:

    • client_id

    • Added property client_id (string)

    • Added property intercept_header_auth (boolean)

      When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

    • Added property jwks_sources (array)

GET /providers/proxy/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > ProxyProvider Serializer

      New required properties:

      • client_id

      • Added property client_id (string)

      • Added property intercept_header_auth (boolean)

        When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

      • Added property jwks_sources (array)

GET /providers/saml/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • url_slo_post

    • url_slo_redirect

    • Added property url_slo_post (string)

    • Added property url_slo_redirect (string)

PUT /providers/saml/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • url_slo_post

    • url_slo_redirect

    • Added property url_slo_post (string)

    • Added property url_slo_redirect (string)

PATCH /providers/saml/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • url_slo_post

    • url_slo_redirect

    • Added property url_slo_post (string)

    • Added property url_slo_redirect (string)

GET /sources/ldap/{slug}/sync_status/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    Changed items (object): > Serialize TaskInfo and TaskResult

    New required properties:

    • task_duration

    • Added property task_duration (integer)
POST /providers/saml/
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    New required properties:

    • url_slo_post

    • url_slo_redirect

    • Added property url_slo_post (string)

    • Added property url_slo_redirect (string)

GET /providers/saml/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > SAMLProvider Serializer

      New required properties:

      • url_slo_post

      • url_slo_redirect

      • Added property url_slo_post (string)

      • Added property url_slo_redirect (string)

GET /sources/oauth/
Parameters:

Added: has_jwks in query

Only return sources with JWKS data

GET /stages/user_write/{stage_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property user_creation_mode (string)

      Enum values:

      • never_create
      • create_when_required
      • always_create
    • Deleted property can_create_users (boolean)

      When set, this stage can create users. If not enabled and no user is available, stage will fail.

PUT /stages/user_write/{stage_uuid}/
Request:

Changed content type : application/json

  • Added property user_creation_mode (string)

  • Deleted property can_create_users (boolean)

    When set, this stage can create users. If not enabled and no user is available, stage will fail.

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property user_creation_mode (string)

    • Deleted property can_create_users (boolean)

      When set, this stage can create users. If not enabled and no user is available, stage will fail.

PATCH /stages/user_write/{stage_uuid}/
Request:

Changed content type : application/json

  • Added property user_creation_mode (string)

  • Deleted property can_create_users (boolean)

    When set, this stage can create users. If not enabled and no user is available, stage will fail.

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property user_creation_mode (string)

    • Deleted property can_create_users (boolean)

      When set, this stage can create users. If not enabled and no user is available, stage will fail.

POST /stages/user_write/
Request:

Changed content type : application/json

  • Added property user_creation_mode (string)

  • Deleted property can_create_users (boolean)

    When set, this stage can create users. If not enabled and no user is available, stage will fail.

Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Added property user_creation_mode (string)

    • Deleted property can_create_users (boolean)

      When set, this stage can create users. If not enabled and no user is available, stage will fail.

GET /stages/user_write/
Parameters:

Added: user_creation_mode in query

Deleted: can_create_users in query

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > UserWriteStage Serializer

      • Added property user_creation_mode (string)

      • Deleted property can_create_users (boolean)

        When set, this stage can create users. If not enabled and no user is available, stage will fail.