Skip to main content

Release 2022.7

Breaking changes

  • Removal of verification certificates for Machine-to-Machine authentication in OAuth 2 Provider

    Instead, create an OAuth Source with the certificate configured as JWKS Data, and enable the source in the provider.

  • Maximum Limit of group recursion

    In earlier versions, cyclic group relations can lead to a deadlock when one of groups in the relationship are bound to an application/flow/etc. This is now limited to 20 levels of recursion.

  • Change in context behaviour for policies executed within flows

    In previous versions, the policy context would be set to a reference to the currently active flow plan context. This makes it so any changes to context wre directly reflected in the flow context. The context has been changed to only include the values, and as such updates like this won't be reflected in the flow. Instead, context['flow_plan'] is now set, which contains a full reference to the flow Plan, allowing for more customisability than previously. Context changes can be mad by modifying context['flow_plan'].context.

New features

  • User paths

    To better organize users, they can now be assigned a path. This allows for organization of users based on sources they enrolled with/got imported from, organizational structure or any other structure.

    Sources now have a path template to specify which path users created by it should be assigned. Additionally, you can set the path in the user_write stage in any flow, and it can be dynamically overwritten within a flow's context.

  • API Authentication using JWT

    OAuth Refresh tokens that have been issued with the scope can now be used to authenticate to the API on behalf of the user the token belongs to.

  • Version-family tagged Container images

    Instead of having to choose between using the :latest tag and explicit versions like :2022.7.1, there are now also version-family tags (:2022.7). This allows for sticking with a single version but still getting bugfix updates.

  • OAuth2 Provider default Scopes

    Starting with authentik 2022.7, when an OAuth client doesn't specify any scopes, authentik will treat the request as if all the configured scopes of that provider had been requested. Normal consent is still required depending on the configured flow. No special scopes will be added, as those can't be selected in the configuration.

Minor changes/fixes

  • *: define prometheus metrics in apps to prevent re-import
  • api: add basic jwt auth support with required scope (#2624)
  • ci: add version family (#3059)
  • core: add limit of 20 to group recursion
  • core: create FlowToken instead of regular token for generated recovery links (#3193)
  • core: mark session as modified instead of saving it directly to bump expiry
  • core: re-create anonymous user when repairing permissions
  • core: user paths (#3085)
  • flows: add shortcut to redirect current flow (#3192)
  • flows: denied action (#3194)
  • flows: show messages from ak_message when flow is denied
  • internal: failback with self-signed cert if cert for tenant fails to load
  • internal: fix nil pointer reference
  • internal: skip tracing for go healthcheck and metrics endpoints
  • lifecycle: fix confusing success messages in startup healthiness check
  • lifecycle: run bootstrap tasks inline when using automated install
  • lifecycle: Update postgres healthcheck for compose with user information (#3143)
  • policies: consolidate log user and application
  • providers/oauth2: dont lowercase URL for token requests (#3114)
  • providers/oauth2: ensure refresh tokens are URL safe
  • providers/oauth2: fix OAuth form_post response mode for code response_type
  • providers/oauth2: if a redirect_uri cannot be parsed as regex, compare strict (#3070)
  • providers/oauth2: if no scopes are sent in authorize request, select all configured scopes
  • providers/oauth2: remove deprecated verification_keys (#3071)
  • providers/oauth2: token revoke (#3077)
  • providers/proxy: only send misconfiguration event once
  • root: ignore healthcheck routes in sentry tracing
  • sources/ldap: add configuration for LDAP Source ciphers
  • web: fix redirect when accessing authentik URLs authenticated
  • web: improve detection for locales
  • web/admin: default to users path in sidebar link
  • web/admin: link bound group under policies
  • web/admin: only pre-select oauth2 provider key if creating a new instance
  • web/admin: remove invalid requirement for usernames
  • web/elements: add spinner when loading dynamic routes
  • web/elements: auto-switch themes for codemirror
  • web/flows: add divider to identification stage for security key
  • web/flows: fix error when webauthn operations failed and user retries
  • web/flows: remove autofocus from password field of identifications stage
  • web/flows: statically import webauthn-related stages for safari issues

Fixed in 2022.7.2

  • flows: fix OOB flow incorrectly setting pending user
  • stages/prompt: add basic file field (#3156)
  • tenants: add default_locale read only field, pre-hydrate in flows and read in autodetect as first choice

Fixed in 2022.7.3

  • core: delete expired models when filtering instead of excluding them
  • providers/oauth2: correctly log authenticated user for OAuth views using protected_resource_view
  • sources/oauth: use oidc preferred_username if set, otherwise nickname
  • stages/consent: fix permissions for consent API (allow owner to delete)
  • stages/prompt: force required to false when using readonlyfield
  • stages/prompt: try to base64 decode file, fallback to keeping value as-is
  • web/elements: improve contrast for codemirror backgrounds


This release does not introduce any new requirements.


Download the docker-compose file for 2022.7 from here. Afterwards, simply run docker-compose up -d.


Update your values to use the new images:

tag: 2022.7.1