Skip to main content

Release 2021.3

Headline Changes

  • WebAuthn support

    This release introduces support for WebAuthn, an open standard for the use of hardware authentication keys like YubiKeys on the web.

    You can configure a WebAuthn device using the "WebAuthn Authenticator Setup Stage" stage. Afterwards, it can be used as an n-th factor, just like TOTP authenticators.

  • Simplify role-based access

    Instead of having to create a Group Membership policy for every group you want to use, you can now select a Group and even a User directly in a binding.

    When a group is selected, the binding behaves the same as if a Group Membership policy exists.

    When a user is selected, the binding checks the user of the request, and denies the request when the user doesn't match.

    Group Membership policies are automatically migrated to use this simplified access.

  • Invisible reCAPTCHA

    The checkbox-based reCAPTCHA has been replaced with reCAPTCHA v2 Invisible.

    This is a breaking change, as a set of reCAPTCHA keys are only valid for a single type. For this, go to and create a new set of keys with the "reCAPTCHA v2" type and "Invisible reCAPTCHA badge" mode.

  • Migration of Flow Executor to SPA/API

    The flow executor has been migrated to a full SPA/API architecture. This was required for WebAuthn, but also allows for greater customizability.

    It also allows other services to use the flow executor via an API, which will be used by the outpost further down the road.

  • Deny stage

    A new stage which simply denies access. This can be used to conditionally deny access to users during a flow. Authorization flows for example required an authenticated user, but there was no previous way to block access for un-authenticated users.

    If you conditionally include this stage in a flow, make sure to disable "Evaluate on plan", as that will always include the stage in the flow, regardless of the inputs.

Fixed in 2021.3.2

  • sources/ldap: fix sync for Users without pwdLastSet
  • web: fix date display issue
  • web: fix submit in Modal reloading page in firefox

Fixed in 2021.3.3

  • providers/oauth2: allow protected_resource_view when method is OPTIONS
  • stages/authenticator_static: fix error when disable static tokens
  • stages/authenticator_webauthn: add missing migration
  • web: fix Colours for user settings in dark mode
  • web: fix Flow executor not showing spinner when redirecting
  • web: fix Source icons not being displayed on firefox
  • web: fix styling for static token list

Fixed in 2021.3.4

  • admin: include git build hash in gh-* tags and show build hash in admin overview
  • events: don't fail on boot when geoip can't be opened
  • helm: add initial geoip
  • outposts: improve logs for outpost connection
  • policies: fix error when clearing policy cache when no policies are cached
  • root: add comment for error reporting to compose
  • root: add geoip config to docker-compose
  • sources/oauth: fix error on user enrollment when no enrollment flow is defined
  • web: add close button to messages
  • web: backport fix: add missing background filter
  • web: fix outpost health display
  • web: fix path for fallback flow view
  • web: fix system task index
  • web: improve compatibility with password managers
  • web: improve layout of expanded event info
  • web: improve styling for application list
  • web: prevent duplicate messages
  • web: show related edit button for bound stages and policies
  • web: use chunking for vendor and api
  • web: use loadingState for autosubmitStage
  • web: use sections in sidebar, adjust colouring


This release does not introduce any new requirements.


Download the docker-compose file for 2021.3 from here. Afterwards, simply run docker-compose up -d and then the standard upgrade command of docker-compose run --rm server migrate.


Run helm repo update and then upgrade your release with helm upgrade authentik authentik/authentik --devel -f values.yaml.