Skip to main content

Release 2021.4

Headline Changes

  • Configurable Policy engine mode

    In the past, all objects, which could have policies attached to them, required all policies to pass to consider an action successful. You can now configure if all policies need to pass, or if any policy needs to pass.

    This can now be configured for the following objects:

    • Applications (access restrictions)
    • Sources
    • Flows
    • Flow-stage bindings

    For backwards compatibility, this is set to all, but new objects will default to any.

  • Expiring Events

    Previously, events would stay in the database forever, and had to eventually be cleaned up manually. This version add expiry to events with a default timeout of 1 Year. This also applies to existing events, and their expiry will be set during the migration.

  • New UI

    While the UI mostly looks the same, under the hood a lot has changed. The Web UI is now a Single-page application based on rollup and lit-html. This has several consequences and new features, for example:

    • You can now see a user's OAuth Access/Refresh tokens and the consents they've given
    • You can now see a per-object changelog based on the model_create/update/delete events being created.
    • A new API Browser is available under
    • Several new charts, new pages and quality-of-life improvements
    • Credentials of objects are no longer shown while editing them
  • Deprecated Group membership has been removed.

Minor changes

  • You can now specify the amount of processes started in docker-compose using the WORKERS environment variable.

Fixed in 2021.4.2

  • core: fix propertymapping API returning invalid value for components (#746)
  • core: improve messaging when creating a recovery link for a user when no recovery flow exists
  • flows: annotate flows executor 404 error
  • flows: include configure_flow in stages API
  • helm: make storage class, size and mode configurable
  • helm: turn off monitoring by default (#741)
  • outposts: fix errors when creating multiple outposts
  • root: add restart: unless-stopped to compose
  • root: base Websocket message storage on Base not fallback
  • root: fix healthcheck part in docker-compose
  • root: fix setting of EMAIL_USE_TLS and EMAIL_USE_SSL
  • sources/ldap: improve error handling during sync
  • sources/oauth: fix error when creating an oauth source which has fixed URLs
  • sources/oauth: fix resolution of sources' provider type
  • web: fix background-color on router outlet on light mode
  • web/admin: fix error when user doesn't have permissions to read source
  • web/admin: fix errors in user profile when non-superuser

Fixed in 2021.4.3

  • *: add model_name to TypeCreate API to distinguish between models sharing a component
  • api: fix CSRF error when using POST/PATCH/PUT in API Browser
  • api: make 401 messages clearer
  • api: mount outposts under outposts/instances to match flows
  • core: add parameter to output property mapping test result formatted
  • core: add superuser_full_list to applications list, shows all applications when superuser
  • core: fix Tokens being created with incorrect intent by default
  • outposts: don't run outpost_controller when no service connection is set
  • providers/oauth2: Set CORS Headers for token endpoint, check Origin header against redirect URLs
  • root: auto-migrate on startup, lock database using pg_advisory_lock
  • sources/oauth: add login with plex support
  • sources/oauth: fix redirect loop for source with non-configurable URLs
  • sources/oauth: save null instead of empty string for sources without configurable URLs
  • web/admin: add ability to add users to a group whilst creating a group
  • web/admin: fix default for codemirror
  • web/admin: fix group member table order
  • web/admin: fix non-matching provider type being selected when creating an OAuth Source
  • web/admin: fix provider type resetting when changing provider type
  • web/admin: fix undefined being shown when viewing application
  • web/admin: improve default selection for property-mappings

Fixed in 2021.4.4

  • *: make tasks run every 60 minutes not :00 every hour
  • outposts: check for X-Forwarded-Host to switch context
  • outposts: improve update performance
  • outposts: move local connection check to task, run every 60 minutes
  • providers/oauth2: add proper support for non-http schemes as redirect URIs
  • providers/oauth2: fix TokenView not having CORS headers set even with proper Origin
  • sources/oauth: fix error whilst fetching user profile when source uses fixed URLs
  • sources/oauth: handle error in AzureAD when ID Can't be extracted
  • stages/user_login: add default backend
  • web: fix title not being loaded from config
  • web: only report http errors for 500 and above
  • web: send response info when response is thrown
  • web/admin: add description for fields in proxy provider form
  • web/admin: adjust phrasing of cards on overview page
  • web/admin: fix display for user supseruser status
  • web/admin: fix error when me() returns 403
  • web/admin: fix error when updating identification stage
  • web/admin: fix invalid group member count
  • web/admin: fix link to providers on overview page
  • web/admin: fix mismatched required tags
  • web/admin: improve phrasing for Policy bindings
  • web/admin: only allow policies to be bound to sources as users/groups cannot be checked
  • web/admin: only pre-select items when creating a new object
  • web/flows: fix Sentry not being loaded correctly

Fixed in 2021.4.5

  • core: fix text on error pages being hard to read
  • outposts: only kill docker container if its running
  • root: add middleware to properly report websocket connection to sentry
  • root: don't use .error of structlog to not send to sentry
  • stages/email: catch ValueError when global email settings are invalid
  • stages/invitation: accept token from prompt_data
  • stages/invitation: fix token not being loaded correctly from query string
  • web: fix text-colour for form help text
  • web: ignore network errors for sentry
  • web/admin: don't show docker certs as required
  • web/flows: fix redirect loop when sentry is enabled on flow views
  • web/flows: include ShadyDOM, always enable ShadyDOM for flow interface, improve compatibility with password
  • web/flows/identification: fix phrasing account recovery


This release does not introduce any new requirements.


Download the docker-compose file for 2021.4 from here. Afterwards, simply run docker-compose up -d.


Run helm repo update and then upgrade your release with helm upgrade authentik authentik/authentik -f values.yaml.