Skip to main content

Release 2021.8

Headline Changes

  • Embedded Outpost

    To simplify the setup, an embedded outpost has been added. This outpost runs as part of the main authentik server, and requires no additional setup.

    You can simply assign providers to the embedded outpost, and either use the integrations to configure reverse proxies, or point your traffic to the main authentik server. Traffic is routed based on host-header, meaning every host that has been configured as a provider and is assigned to the embedded proxy will be sent to the outpost, and every sub-path under / is sent to the outpost too. The rest is sent to authentik itself.

  • App passwords

    You can now create Tokens with the intent app_password, and use them when authenticating with a flow. This requires the User database + app passwords backend in your password stage (this is done automatically on upgrade).

    You will also see in the logs which backend was used as the auth_method and auth_method_args arguments on the Event.

Minor changes

  • admin: add API to show embedded outpost status, add notice when its not configured properly
  • api: ensure all resources can be filtered
  • api: make all PropertyMappings filterable by multiple managed attributes
  • core: add API to directly send recovery link to user
  • core: add UserSelfSerializer and separate method for users to update themselves with limited fields
  • core: allow changing of groups a user is in from user api
  • flows: fix unhandled error in stage execution not being logged as SYSTEM_EXCEPTION event
  • lifecycle: decrease default worker count on compose
  • outpost/ldap: Performance improvements, support for (member=) lookup
  • providers/proxy: don't create ingress when no hosts are defined
  • sources/plex: add API to get user connections
  • web: add API Drawer
  • web/admin: add UI to copy invitation link
  • web/admin: allow modification of users groups from user view
  • web/admin: re-name service connection to integration

Fixed in 2021.8.1-rc2

  • ci: add pipeline to build and push js api package
  • ci: upgrade web api client when schema changes
  • core: add new token intent and auth backend (#1284)
  • core: add token tests for invalid intent and token auth
  • core: fix token intent not defaulting correctly
  • core: handle error when ?for_user is not numberical
  • lib: move id and key generators to lib (#1286)
  • lifecycle: rename to ak
  • outpost: handle non-existent permission
  • outpost: add recursion limit for docker controller
  • outpost: add repair_permissions command
  • root: add alias for akflow files
  • root: add ASGI Error handler
  • root: add License to NPM package
  • root: fix error_handler for websocket
  • root: fix mis-matched postgres version for CI
  • root: remove remainders from gen
  • root: remove usage of make-gen
  • root: test schema auto-update
  • root: update schema
  • stages/password: auto-enable app password backend
  • stages/user_write: fix wrong fallback authentication backend
  • web: add custom readme to api client
  • web: add ESM to generated Client
  • web: build. api in different folder
  • web: improve api client versioning
  • web: Merge pull request #1258 from goauthentik/publish-api-to-npm
  • web: migrate to @goauthentik/api
  • web: Update Web API Client version (#1283)
  • web/admin: allow users to create app password tokens
  • web/admin: display token's intents
  • web/admin: fix missing app passwords backend
  • web/admin: improve delete modal for stage bindings and policy bindings
  • web/admin: select all password stage backends by default
  • website: add docs for making schema changes
  • website: make default login-2fa flow ignore 2fa with app passwords
  • website/docs: add docs for auth_method and auth_method_args fields

Fixed in 2021.8.1

  • *: cleanup api schema warnings
  • core: fix error for asgi error handler with websockets
  • core: fix error when user updates themselves
  • core: fix user object for token not be set-able
  • root: Fix table of contents for (#1302)
  • root: Require PG_PASS to be set (#1303)
  • web/admin: allow admins to create tokens

Fixed in 2021.8.2

  • root: fix login loop created by old settings stored in cache

Fixed in 2021.8.3

  • outpost: fix FlowExecutor not sending password for identification stage
  • outpost: fix generated traefik labels containing invalid hosts
  • outpost: make docker network configurable when using docker integration
  • web/flow: fix redirects to application being sent multiple times, causing issues with OAuth providers
  • web/flow: fix rendering of checkboxes in prompt stages

Fixed in 2021.8.4

  • api: add /api/v3 path
  • api: add basic rate limiting for sentry proxy endpoint
  • core: fix user_obj being empty on token API
  • events: improve logging for task exceptions
  • outpost/embedded: only send requests for non-akprox paths when we're doing proxy mode
  • outpost/ldap: delay user information removal upon closing of connection
  • policies/password: fix PasswordStage not being usable with prompt stages
  • providers/proxy: fix traefik middleware being generated with wrong ports for embedded outposts
  • providers/proxy: improve error handling for non-tls ingresses
  • stages/authenticator_validate: show single button for multiple webauthn authenticators
  • stages/invitation: fix invitation not inheriting ExpiringModel
  • web/admin: fallback for invitation list on first load
  • web/admin: fix flow executor not opening in new tab
  • web/admin: fix list of webauthn devices not updating after rename
  • web/flows: fix FlowExecutor not updating when challenge changes from outside

Fixed in 2021.8.5

  • api: add additional filters for ldap and proxy providers
  • api: cache schema, fix server urls
  • core: minor query optimization
  • events: add mark_all_seen
  • events: remove authentik_events gauge
  • internal: disable directory listing on static files
  • internal: fix font loading errors on safari
  • internal: fix web requests not having a logger set
  • outpost: fix spans being sent without parent context
  • outposts: add expected outpost replica count to metrics
  • outposts/ldap: improve logging of client IPs
  • policies/password: fix symbols not being checked correctly
  • root: fix is_secure with safari on debug environments
  • root: include authentik version in backup naming
  • stages/identification: fix empty user_fields query returning first user
  • web/admin: fix user selection in token form
  • web/admin: show applications instead of providers in outpost form
  • web/flows: fix display error when using IdentificationStage without input fields


This release does not introduce any new requirements.


Download the docker-compose file for 2021.8 from here. Afterwards, simply run docker-compose up -d.


Update your values to use the new images:

tag: 2021.8.5