Release 2023.1
Breaking changes
-
Deprecated HaveIBeenPwned policy has been removed
This policy type has been deprecated since 2022.11 and was automatically migrated to the password policy with equivalent options.
New features
-
SLO Support for SAML provider
authentik now supports SAML SLO (Single logout).
-
Proxy provider now accepts HTTP Basic and Bearer authentication
-
LDAP provider now works with Code-based MFA stages
If the configured authentication flow has an authenticator validation stage which allows code-based devices, and the user attempting to login has a TOTP or Static device, they can enter their password followed by a semicolon and the authenticator code to login. SMS devices are not supported.
Upgrading
This release does not introduce any new requirements.
docker-compose
Download the docker-compose file for 2023.1 from here. Afterwards, simply run docker-compose up -d
.
Kubernetes
Update your values to use the new images:
image:
repository: ghcr.io/goauthentik/server
tag: 2023.1.0
Minor changes/fixes
- *: strip leading and trailing whitespace when reading config values from files
- admin: include task duration in API (#4428)
- blueprints: Add
!Enumerate
,!Value
and!Index
tags (#4338) - blueprints: don't set session_duration in default and example flows (#4448)
- blueprints: Fix resolve model_name in
!Find
tag (#4371) - blueprints: internal storage (#4397)
- crypto: prevent creation of duplicate self-signed default certs
- events: exclude base models from model audit log
- events: rework metrics (#4407)
- internal: check certificate value and not IsSet
- internal: fix race condition with config loading on startup, add index on debug server
- internal: improve error handling
- outposts: use common config loader for outposts to support loading values from file
- outposts/ldap: decrease verbosity
- outposts/proxy: add header to prevent redirects
- outposts/proxy: allow setting no-redirect via header or query param
- outposts/proxy: cache basic and bearer credentials for one minute
- outposts/proxy: fix error handling, remove requirement for profile/etc scopes
- outposts/proxy: make logged user more consistent, set FlushInterval
- outposts/proxy: set http code when no redirect header is set
- polices/hibp: remove deprecated (#4363)
- providers/ldap: add code-MFA support for ldap provider (#4354)
- providers/oauth2: correctly fill claims_supported based on selected scopes (#4429)
- providers/oauth2: don't allow spaces in scope_name
- providers/oauth2: fallback to anonymous user for policy engine
- providers/oauth2: use guardian anonymous user to get claims for provider info
- providers/proxy: add initial header token auth (#4421)
- providers/proxy: add setting to intercept authorization header (#4457)
- providers/proxy: add tests for proxy basic auth (#4357)
- providers/saml: initial SLO implementation (#2346)
- root: show error when geoIP download fails
- sources/ldap: don't run membership sync if group sync is disabled
- sources/ldap: make task timeout adjustable
- sources/ldap: manual import (#4456)
- sources/ldap: only warn about missing groups when source is configured to sync groups
- stages/user_write: add more user creation options (#4367)
- web: add core-js polyfill for safari
- web: ensure img tags have alt attributes
- web: fix radio label code in dark mode
- web: fix scrollbar corner color in dark mode
- web: migrate checkbox to switch (#4409)
- web/admin: better show dev build
- web/admin: fix certificate filtering for LDAP verification certificate
- web/admin: fix overflow in aggregate cards
- web/admin: link impersonation user for events
- web/admin: rework admin dashboard, add more links, remove user and group graphs (#4399)
- web/admin: show GeoIP information inline in events
- web/elements: fix pagination page button colours in dark mode
- web/elements: use correct Action Label for user related events
Fixed in 2023.1.1
- add tests to prevent empty SAN
- blueprints: fix OOB email field overwriting user settings email field
- ci: build beta for amd64 and arm64 (#4468)
- crypto: ensure we don't generate an empty SAN certificate
- crypto: fallback when no SAN values are given
- outposts/ldap: fix queries filtering objectClass with non-lowercase values
- outposts/proxy: fix panic due to IsSet misbehaving
- providers/oauth2: more x5c and ecdsa x/y tests (#4463)
- providers/proxy: fix issuer for embedded outpost (#4480)
- sources/ldap: add e2e LDAP source tests (#4462)
- stages: always use get_pending_user instead of getting context user
- stages/authenticator_sms: fix code not being sent when phone_number is in context
- web/admin: don't enable execution logging by default
- web/admin: improve display of rule severity
- web/admin: improve display of system task exception
- web/admin: link group of notification rule
- web/elements: fix pf-c-switch not rendering correctly in pure tables
- web/elements: fix SearchSelect not working on safari
- web/flows: fix flow executor background overlay in safari
Fixed in 2023.1.2
- stages/user_write: fix migration setting wrong value, fix form
Fixed in 2023.1.3
- *: fix CVE-2023-26481, Reported by @fuomag9
API Changes
What's Deleted
GET
/policies/haveibeenpwned/
POST
/policies/haveibeenpwned/
GET
/policies/haveibeenpwned/{policy_uuid}/
PUT
/policies/haveibeenpwned/{policy_uuid}/
DELETE
/policies/haveibeenpwned/{policy_uuid}/
PATCH
/policies/haveibeenpwned/{policy_uuid}/
GET
/policies/haveibeenpwned/{policy_uuid}/used_by/
What's Changed
GET
/admin/metrics/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New required properties:
authorizations
logins
logins_failed
New optional properties:
-
authorizations_per_1h
-
logins_failed_per_1h
-
logins_per_1h
-
Added property
logins
(array)Items (object): > Coordinates for diagrams
-
Property
x_cord
(integer) -
Property
y_cord
(integer)
-
-
Added property
logins_failed
(array) -
Added property
authorizations
(array) -
Deleted property
logins_per_1h
(array) -
Deleted property
logins_failed_per_1h
(array) -
Deleted property
authorizations_per_1h
(array)
GET
/core/users/{id}/metrics/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New required properties:
authorizations
logins
logins_failed
New optional properties:
-
authorizations_per_1h
-
logins_failed_per_1h
-
logins_per_1h
-
Added property
logins
(array) -
Added property
logins_failed
(array) -
Added property
authorizations
(array) -
Deleted property
logins_per_1h
(array) -
Deleted property
logins_failed_per_1h
(array) -
Deleted property
authorizations_per_1h
(array)
GET
/managed/blueprints/{instance_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New optional properties:
-
path
- Added property
content
(string)
-
PUT
/managed/blueprints/{instance_uuid}/
Request:
Changed content type : application/json
New optional properties:
path
- Added property
content
(string)
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New optional properties:
-
path
- Added property
content
(string)
-
PATCH
/managed/blueprints/{instance_uuid}/
Request:
Changed content type : application/json
- Added property
content
(string)
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New optional properties:
-
path
- Added property
content
(string)
-
POST
/managed/blueprints/{instance_uuid}/apply/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New optional properties:
-
path
- Added property
content
(string)
-
GET
/outposts/proxy/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
- Added property
intercept_header_auth
(boolean)When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
- Added property
GET
/policies/event_matcher/{policy_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
app
(string)Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
authentik.policies.hibp
-
PUT
/policies/event_matcher/{policy_uuid}/
Request:
Changed content type : application/json
-
Changed property
app
(string)Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
authentik.policies.hibp
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
app
(string)Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
authentik.policies.hibp
-
PATCH
/policies/event_matcher/{policy_uuid}/
Request:
Changed content type : application/json
-
Changed property
app
(string)Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
authentik.policies.hibp
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
app
(string)Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
authentik.policies.hibp
-
GET
/propertymappings/scope/{pm_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
- Changed property
scope_name
(string)Scope name requested by the client
- Changed property
PUT
/propertymappings/scope/{pm_uuid}/
Request:
Changed content type : application/json
- Changed property
scope_name
(string)Scope name requested by the client
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
- Changed property
scope_name
(string)Scope name requested by the client
- Changed property
PATCH
/propertymappings/scope/{pm_uuid}/
Request:
Changed content type : application/json
- Changed property
scope_name
(string)Scope name requested by the client
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
- Changed property
scope_name
(string)Scope name requested by the client
- Changed property
GET
/providers/proxy/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New required properties:
-
client_id
-
Added property
client_id
(string) -
Added property
intercept_header_auth
(boolean)When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
-
Added property
jwks_sources
(array)Items (string):
-
PUT
/providers/proxy/{id}/
Request:
Changed content type : application/json
-
Added property
intercept_header_auth
(boolean)When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
-
Added property
jwks_sources
(array)
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New required properties:
-
client_id
-
Added property
client_id
(string) -
Added property
intercept_header_auth
(boolean)When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
-
Added property
jwks_sources
(array)
-
PATCH
/providers/proxy/{id}/
Request:
Changed content type : application/json
-
Added property
intercept_header_auth
(boolean)When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
-
Added property
jwks_sources
(array)
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New required properties:
-
client_id
-
Added property
client_id
(string) -
Added property
intercept_header_auth
(boolean)When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
-
Added property
jwks_sources
(array)
-
GET
/admin/system_tasks/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
Changed items (object): > Serialize TaskInfo and TaskResult
New required properties:
-
task_duration
- Added property
task_duration
(integer)
-
GET
/admin/system_tasks/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New required properties:
-
task_duration
- Added property
task_duration
(integer)
-
POST
/managed/blueprints/
Request:
Changed content type : application/json
New optional properties:
path
- Added property
content
(string)
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
New optional properties:
-
path
- Added property
content
(string)
-
GET
/managed/blueprints/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > Info about a single blueprint instance file
New optional properties:
-
path
- Added property
content
(string)
-
-
GET
/outposts/proxy/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > Proxy provider serializer for outposts
- Added property
intercept_header_auth
(boolean)When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
- Added property
-
POST
/policies/event_matcher/
Request:
Changed content type : application/json
-
Changed property
app
(string)Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
authentik.policies.hibp
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
-
Changed property
app
(string)Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
authentik.policies.hibp
-
GET
/policies/event_matcher/
Parameters:
Changed: app
in query
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > Event Matcher Policy Serializer
-
Changed property
app
(string)Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
authentik.policies.hibp
-
-
POST
/propertymappings/scope/
Request:
Changed content type : application/json
- Changed property
scope_name
(string)Scope name requested by the client
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
- Changed property
scope_name
(string)Scope name requested by the client
- Changed property
GET
/propertymappings/scope/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > ScopeMapping Serializer
- Changed property
scope_name
(string)Scope name requested by the client
- Changed property
-
POST
/providers/proxy/
Request:
Changed content type : application/json
-
Added property
intercept_header_auth
(boolean)When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
-
Added property
jwks_sources
(array)
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
New required properties:
-
client_id
-
Added property
client_id
(string) -
Added property
intercept_header_auth
(boolean)When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
-
Added property
jwks_sources
(array)
-
GET
/providers/proxy/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > ProxyProvider Serializer
New required properties:
-
client_id
-
Added property
client_id
(string) -
Added property
intercept_header_auth
(boolean)When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
-
Added property
jwks_sources
(array)
-
-
GET
/providers/saml/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New required properties:
-
url_slo_post
-
url_slo_redirect
-
Added property
url_slo_post
(string) -
Added property
url_slo_redirect
(string)
-
PUT
/providers/saml/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New required properties:
-
url_slo_post
-
url_slo_redirect
-
Added property
url_slo_post
(string) -
Added property
url_slo_redirect
(string)
-
PATCH
/providers/saml/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New required properties:
-
url_slo_post
-
url_slo_redirect
-
Added property
url_slo_post
(string) -
Added property
url_slo_redirect
(string)
-
GET
/sources/ldap/{slug}/sync_status/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
Changed items (object): > Serialize TaskInfo and TaskResult
New required properties:
-
task_duration
- Added property
task_duration
(integer)
-
POST
/providers/saml/
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
New required properties:
-
url_slo_post
-
url_slo_redirect
-
Added property
url_slo_post
(string) -
Added property
url_slo_redirect
(string)
-
GET
/providers/saml/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > SAMLProvider Serializer
New required properties:
-
url_slo_post
-
url_slo_redirect
-
Added property
url_slo_post
(string) -
Added property
url_slo_redirect
(string)
-
-
GET
/sources/oauth/
Parameters:
Added: has_jwks
in query
Only return sources with JWKS data
GET
/stages/user_write/{stage_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Added property
user_creation_mode
(string)Enum values:
never_create
create_when_required
always_create
-
Deleted property
can_create_users
(boolean)When set, this stage can create users. If not enabled and no user is available, stage will fail.
-
PUT
/stages/user_write/{stage_uuid}/
Request:
Changed content type : application/json
-
Added property
user_creation_mode
(string) -
Deleted property
can_create_users
(boolean)When set, this stage can create users. If not enabled and no user is available, stage will fail.
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Added property
user_creation_mode
(string) -
Deleted property
can_create_users
(boolean)When set, this stage can create users. If not enabled and no user is available, stage will fail.
-
PATCH
/stages/user_write/{stage_uuid}/
Request:
Changed content type : application/json
-
Added property
user_creation_mode
(string) -
Deleted property
can_create_users
(boolean)When set, this stage can create users. If not enabled and no user is available, stage will fail.
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Added property
user_creation_mode
(string) -
Deleted property
can_create_users
(boolean)When set, this stage can create users. If not enabled and no user is available, stage will fail.
-
POST
/stages/user_write/
Request:
Changed content type : application/json
-
Added property
user_creation_mode
(string) -
Deleted property
can_create_users
(boolean)When set, this stage can create users. If not enabled and no user is available, stage will fail.
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
-
Added property
user_creation_mode
(string) -
Deleted property
can_create_users
(boolean)When set, this stage can create users. If not enabled and no user is available, stage will fail.
-
GET
/stages/user_write/
Parameters:
Added: user_creation_mode
in query
Deleted: can_create_users
in query
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > UserWriteStage Serializer
-
Added property
user_creation_mode
(string) -
Deleted property
can_create_users
(boolean)When set, this stage can create users. If not enabled and no user is available, stage will fail.
-
-