Skip to main content

Release 2022.8

Breaking changes

  • Prompt fields with file type are now a full Base64 Data-URI

    Previously the data was parsed into a string when possible, and when decoding failed, the raw base64 would be saved. Now, the entire URI is parsed, validated and kept in one piece, to make it possible to validate/save the MIME type.

New features

  • Blueprints

    Blueprints allow for the configuration, automation and templating of authentik objects and configurations. They can be used to bootstrap new instances, configure them automatically without external tools, and to template configurations for sharing. See more here

    For installations upgrading to 2022.8, if a single flow exists, then the default blueprints will not be activated, to not overwrite user modifications.

  • Simplified forward auth

    In previous releases, to use forward auth, the reverse proxy would have to be configured to both send auth requests to the outpost, but also allow access to URLs starting with / The second part is now no longer required, with the exception of nginx. Existing setups should continue to function as previously.

  • Support for Caddy forward auth

    Based on the traefik support, there is now dedicated support for Caddy with configuration examples, see here

Minor changes/fixes

  • *: improve error handling for startup tasks
  • core: add API Endpoint to get all MFA devices, add web ui to delete MFA devices of any user
  • core: add attributes. avatar method to allow custom uploaded avatars
  • core: pre-hydrate config into templates to directly load correct assets
  • flows: migrate flows to be yaml (#3335)
  • internal: centralise config for listeners to use same config system everywhere (#3367)
  • internal: fix outposts not reacting to signals while starting
  • internal: fix race conditions when accessing settings before bootstrap
  • internal: walk config in go, check, parse and load from scheme like in python
  • lifecycle: optimise container lifecycle and process signals (#3332)
  • providers/oauth2: don't separate scopes by comma-space in created events
  • providers/oauth2: fix scopes without descriptions not being saved in consent
  • providers/proxy: add caddy endpoint (#3330)
  • providers/proxy: add is_superuser to ak_proxy object, only show full error when superuser
  • providers/proxy: no exposed urls (#3151)
  • root: fix dockerfile for blueprints
  • sources/oauth: correctly concatenate URLs to allow custom parameters to be passed to authorization server
  • sources/oauth: only send header authentication for OIDC source
  • sources/oauth: use mailcow full_name as username for mailcow source (#3299)
  • stages/*: use stage-bound logger when possible
  • stages/authenticator_validate: improve error handling for duo
  • stages/authenticator_duo: fix imported Duo Device not having a name
  • stages/authenticator_sms: use twilio SDK, improve docs
  • stages/authenticator_totp: remove single device per user limit
  • stages/consent: fix error when requests with identical empty permissions
  • stages/consent: fix for post requests (#3339)
  • stages/prompt: fix tests for file field

Fixed in 2022.8.2

  • blueprints: add generic export next to flow exporter (#3439)
  • blueprints: allow for adding remote blueprints (#3435)
  • blueprints: fix exporter not ignoring non-SerializerModel objects
  • blueprints: fix issue in prod setups with encoding dataclasses via json
  • blueprints: remove _state from exporter blueprints
  • core: fix pre-hydrated config not being escaped properly
  • events: correctly handle lists for cleaning/sanitization
  • internal: fix routing for requests with querystring signature to embedded outpost
  • lifecycle: add worker-status command to debug worker cpu usage issues
  • providers/oauth2: fix oauth2 requests being logged as unauthenticated
  • sources/oauth: fix missing doseq param for updating URL query string
  • web/elements: fix automatic slug not working on newly opened forms
  • web/flows: simplify consent's permission handling


This release does not introduce any new requirements.


Download the docker-compose file for 2022.8 from here. Afterwards, simply run docker-compose up -d.


Update your values to use the new images:

tag: 2022.8.1