Skip to main content

Release 2021.6

Headline Changes

  • Duo two-factor support

    You can now add the new authenticator_duo stage to configure Duo authenticators. Duo has also been added as device class to the authenticator_validation stage.

    Currently, only Duo push notifications are supported. Because no additional input is required, Duo also works with the LDAP Outpost.

  • Multi-tenancy

    This version adds soft multi-tenancy. This means you can configure different branding settings and different default flows per domain.

    This also changes how a default flow is determined. Previously, for defaults flow, authentik would pick the first flow that

      - matches the required designation
    - comes first sorted by slug
    - is allowed by policies

    Now, authentik first checks if the current tenant has a default flow configured for the selected designation. If not, it behaves the same as before, meaning that if you want to select a default flow based on policy, you can just leave the tenant default empty.

  • Domain-level authorization with proxy providers

    Instead of simply being able to toggle between forward auth and proxy mode, you can now enable forward auth for an entire domain. This has the downside that you can't do per-application authorization, but also simplifies configuration as you don't have to create each application in authentik.

  • API Schema now uses OpenAPI v3

    The API endpoints are mostly the same, however all the clients are now built from an OpenAPI v3 schema. You can retrieve the schema from

  • On Kubernetes installs without a /media PVC, you can now set URLs instead of uploading files.

  • Expanded prometheus metrics for PolicyEngine and FlowPlanner

Minor changes

  • You can now specify which sources should be shown on an Identification stage.
  • Add UI for the reputation of IPs and usernames for reputation policies.
  • Fix proxy outpost not being able to redeem tokens when using with an un-trusted SSL Certificate
  • Add UI to check access of any application for any user

Fixed in 2021.6.1-rc5

  • flows: fix configuration URL being set when no flow is configure
  • stages/authenticator_totp: set TOTP issuer based on slug'd tenant title
  • stages/authenticator_webauthn: use tenant title as RP_NAME
  • stages/identification: add UPN
  • stages/password: add constants for password backends
  • web: fix flow download link

Fixed in 2021.6.1-rc6

  • ci: build and push stable tag when rc not in release name
  • core: delete real session when AuthenticatedSession is deleted
  • core: fix impersonation not working with inactive users
  • core: fix upload api not checking clear properly
  • core: revert check_access API to get to prevent CSRF errors
  • events: add tenant to event
  • events: catch unhandled exceptions from request as event, add button to open github issue
  • flows: fix error clearing flow background when no files have been uploaded
  • outpost: fix syntax error when creating an outpost with connection
  • outposts: fix integrity error with tokens
  • outposts/ldap: improve responses for unsuccessful binds
  • policies/reputation: fix race condition in tests
  • provider/proxy: mark forward_auth flag as deprecated
  • providers/saml: improve error handling for signature errors
  • root: fix build_hash being set incorrectly for tagged versions
  • sources/saml: check sessions before deleting user
  • stages/authenticator_duo: don't create default duo stage
  • stages/authenticator_validate: add tests for authenticator validation
  • stages/identification: fix challenges not being annotated correctly and API client not loading data correctly
  • web: add capabilities to sentry event
  • web: migrate banner to sidebar
  • web/admin: fix user enable/disable modal not matching other modals
  • web/admin: select service connection by default when only one exists
  • web/flows: fix expiry not shown on consent stage when loading
  • web/flows: fix IdentificationStage's label not matching fields
  • web/flows: improve display of allowed fields for identification stage
  • website/docs: add docs for outpost configuration

Fixed in 2021.6.1

  • core: fix error getting stages when enrollment flow isn't set
  • core: fix error when creating AuthenticatedSession without key
  • flows: fix error when stage has incorrect type
  • providers/saml: add support for NameID type unspecified
  • providers/saml: fix error when getting transient user identifier
  • providers/saml: fix NameIDPolicy not being parsed correctly
  • recovery: fix error when creating multiple keys for the same user
  • stages/authenticator_duo: fix error when enrolling an existing user
  • stages/authenticator_duo: make Duo-admin viewset writeable
  • website/docs: remove migrate command

Fixed in 2021.6.2

  • core: add support for custom urls for avatars
  • core: deepmerge user.group_attributes, use group_attributes for user settings
  • core: fix PropertyMapping's globals not matching Expression policy
  • core: remove default flow background from default css, set static in base_full and dynamically in if/flow
  • crypto: catch error when loading private key
  • flows: make flow plan cache timeout configurable
  • outposts: fix port and inner_port being mixed on docker controller
  • outposts/proxy: fix additionalHeaders not being set properly
  • policies: don't use policy cache when checking application access
  • policies: make policy result cache timeout configurable
  • root: allow loading local /static files without debug flag
  • root: make general cache timeouts configurable
  • root: remove old traefik labels
  • root: save temporary database dump in /tmp
  • root: set outposts.docker_image_base to gh-master for tests
  • stages/authenticator_validate: fix error when using not_configured_action=configure
  • tenants: fix tenant not being queried correctly when using accessing over a child domain
  • web/admin: fix tenant's default flag not being saved
  • web/admin: handle elements in slot=form not being forms
  • web/admin: sort inputs on authenticator validation stage form

Fixed in 2021.6.3

  • api: use partition instead of split for token
  • core: fix flow background not correctly loading on initial draw
  • events: add ability to create events via API
  • events: ignore notification non-existent in transport
  • events: only create SYSTEM_EXCEPTION event when error would've been sent to sentry
  • expressions: fix regex_match result being inverted
  • flows: add FlowStageBinding to flow plan instead of just stage
  • flows: add invalid_response_action to configure how the FlowExecutor should handle invalid responses
  • flows: handle possible errors with FlowPlans received from cache
  • outposts: check docker container ports match
  • outposts/ldap: fixed IsActive and IsSuperuser returning swapped incorrect values (#1078)
  • providers/oauth2: fix exp of JWT when not using seconds
  • sources/ldap: improve error handling when checking for password complexity on non-ad setups
  • stages/authenticator_duo: fix component not being set in API
  • stages/prompt: ensure hidden and static fields keep the value they had set
  • stages/user_write: add flag to create new users as inactive
  • tenants: include all default flows in current_tenant
  • web/admin: fix deletion of authenticator not reloading the state correctly
  • web/admin: fix only recovery flows being selectable for unenrollment flow in tenant form
  • web/admin: fix text color on pf-c-card

Fixed in 2021.6.4

  • core: only show Reset password link when recovery flow is configured
  • crypto: show both sha1 and sha256 fingerprints
  • flows: handle old cached flow plans better
  • g: fix static and media caching not working properly
  • outposts: fix container not being started after creation
  • outposts: fix docker controller not checking env correctly
  • outposts: fix docker controller not checking ports correctly
  • outposts: fix empty message when docker outpost controller has changed nothing
  • outposts: fix permissions not being set correctly upon outpost creation
  • outposts/ldap: add support for boolean fields in ldap
  • outposts/proxy: always redirect to session-end interface on sign_out
  • providers/oauth2: add revoked field, create suspicious event when previous token is used
  • providers/oauth2: deepmerge claims
  • providers/oauth2: fix CORS headers not being set for unsuccessful requests
  • providers/oauth2: use self.expires for exp field instead of calculating it again
  • sources/oauth: create configuration error event when profile can't be parsed as json
  • stages/user_write: add wrapper for post to user_write
  • web/admin: fix ModelForm not re-loading after being reset
  • web/admin: show oauth2 token revoked status


This release does not introduce any new requirements.


Download the docker-compose file for 2021.6 from here. Afterwards, simply run docker-compose up -d.


Upgrade to the latest chart version to get the new images.