Release 2023.1
Breaking changes
Deprecated HaveIBeenPwned policy has been removed
This policy type has been deprecated since 2022.11 and was automatically migrated to the password policy with equivalent options.
New features
SLO Support for SAML provider
authentik now supports SAML SLO (Single logout).
Proxy provider now accepts HTTP Basic and Bearer authentication
LDAP provider now works with Code-based MFA stages
If the configured authentication flow has an authenticator validation stage which allows code-based devices, and the user attempting to log in has a TOTP or Static device, they can enter their password followed by a semicolon and the authenticator code to log in. SMS devices are not supported.
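The password-plus-code bind described above, as an added illustration that is not authentik's own code: a small Python model of the decision an LDAP bind handler has to make when it receives a single bind password that may carry a trailing authenticator code. It assumes, for this example only, that the code is whatever follows the last semicolon and is 6 to 8 digits (so a password that itself contains a semicolon still works), that the password is compared in constant time, and that the code is a standard RFC 6238 TOTP; the user, password and TOTP secret are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Constructed sample user for this example (not real credentials):
# the password deliberately contains a ';' to show that only the
# trailing digits are treated as the authenticator code.
DEMO_PASSWORD = "correct horse;battery"
DEMO_TOTP_SECRET = "JBSWY3DPEHPK3PXP"  # base32, constructed demo secret
TOTP_STEP = 30


def split_bind_password(bind_password: str) -> Tuple[str, Optional[str]]:
    """Split 'password;code' into (password, code).

    Assumption for this example: the code is the text after the LAST
    semicolon and must be 6-8 digits. Anything else is treated as a
    plain password with no code attached.
    """
    password, sep, code = bind_password.rpartition(";")
    if sep and code.isdigit() and 6 <= len(code) <= 8:
        return password, code
    return bind_password, None


def totp(secret_b32: str, timestamp: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the algorithm common authenticator apps use."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", timestamp // TOTP_STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` neighbouring steps."""
    return any(
        hmac.compare_digest(totp(secret_b32, timestamp + drift * TOTP_STEP), code)
        for drift in range(-window, window + 1)
    )


def ldap_bind(bind_password: str, timestamp: Optional[int] = None) -> bool:
    """Decide whether a simple bind with `bind_password` succeeds.

    Mirrors the behaviour described in the release notes: password and
    code are both required when the flow has a code-based authenticator
    validation stage. SMS codes are not handled here (and not supported
    by the provider).
    """
    now = int(time.time()) if timestamp is None else timestamp
    password, code = split_bind_password(bind_password)
    # Check the password first, in constant time, so a wrong password does
    # not reveal whether the code part was present or well-formed.
    password_ok = hmac.compare_digest(password.encode(), DEMO_PASSWORD.encode())
    if not password_ok or code is None:
        return False
    return verify_totp(DEMO_TOTP_SECRET, code, now)


if __name__ == "__main__":
    ts = int(time.time())
    current = totp(DEMO_TOTP_SECRET, ts)
    print("password only ->", ldap_bind(DEMO_PASSWORD, ts))
    print("password;code ->", ldap_bind(f"{DEMO_PASSWORD};{current}", ts))
```

The bind fails when the code is missing rather than falling back to password-only authentication, which is the behaviour to expect from an LDAP client that has not been updated to append the code: those clients will see bind failures, not silently weaker authentication.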
Upgrading
This release does not introduce any new requirements.
docker-compose
Download the docker-compose file for 2023.1 from here. Afterwards, simply run docker-compose up -d.
Kubernetes
Update your values to use the new images:
```yaml
image:
  repository: ghcr.io/goauthentik/server
  tag: 2023.1.0
```
Minor changes/fixes
- *: strip leading and trailing whitespace when reading config values from files
- admin: include task duration in API (#4428)
- blueprints: Add !Enumerate, !Value and !Index tags (#4338)
- blueprints: don't set session_duration in default and example flows (#4448)
- blueprints: Fix resolve model_name in !Find tag (#4371)
- blueprints: internal storage (#4397)
- crypto: prevent creation of duplicate self-signed default certs
- events: exclude base models from model audit log
- events: rework metrics (#4407)
- internal: check certificate value and not IsSet
- internal: fix race condition with config loading on startup, add index on debug server
- internal: improve error handling
- outposts: use common config loader for outposts to support loading values from file
- outposts/ldap: decrease verbosity
- outposts/proxy: add header to prevent redirects
- outposts/proxy: allow setting no-redirect via header or query param
- outposts/proxy: cache basic and bearer credentials for one minute
- outposts/proxy: fix error handling, remove requirement for profile/etc scopes
- outposts/proxy: make logged user more consistent, set FlushInterval
- outposts/proxy: set http code when no redirect header is set
- policies/hibp: remove deprecated (#4363)
- providers/ldap: add code-MFA support for ldap provider (#4354)
- providers/oauth2: correctly fill claims_supported based on selected scopes (#4429)
- providers/oauth2: don't allow spaces in scope_name
- providers/oauth2: fallback to anonymous user for policy engine
- providers/oauth2: use guardian anonymous user to get claims for provider info
- providers/proxy: add initial header token auth (#4421)
- providers/proxy: add setting to intercept authorization header (#4457)
- providers/proxy: add tests for proxy basic auth (#4357)
- providers/saml: initial SLO implementation (#2346)
- root: show error when geoIP download fails
- sources/ldap: don't run membership sync if group sync is disabled
- sources/ldap: make task timeout adjustable
- sources/ldap: manual import (#4456)
- sources/ldap: only warn about missing groups when source is configured to sync groups
- stages/user_write: add more user creation options (#4367)
- web: add core-js polyfill for safari
- web: ensure img tags have alt attributes
- web: fix radio label code in dark mode
- web: fix scrollbar corner color in dark mode
- web: migrate checkbox to switch (#4409)
- web/admin: better show dev build
- web/admin: fix certificate filtering for LDAP verification certificate
- web/admin: fix overflow in aggregate cards
- web/admin: link impersonation user for events
- web/admin: rework admin dashboard, add more links, remove user and group graphs (#4399)
- web/admin: show GeoIP information inline in events
- web/elements: fix pagination page button colours in dark mode
- web/elements: use correct Action Label for user related events
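Why a scope name containing a space can never work, as an added illustration that is neither authentik's validation code nor its OAuth2 implementation (it relates to the "providers/oauth2: don't allow spaces in scope_name" entry above): an OAuth2 client sends scopes as one space-delimited `scope` parameter (RFC 6749 section 3.3), so the server splits on spaces before it looks up any mapping, and a mapping named `read write` is unreachable. The validator applies the RFC's scope-token character set; the configured scopes and the request are constructed.

```python
import re
from typing import Dict, List

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ),
# i.e. printable ASCII without space, double quote or backslash.
SCOPE_TOKEN_RE = re.compile(r"^[\x21\x23-\x5b\x5d-\x7e]+$")


def validate_scope_name(scope_name: str) -> List[str]:
    """Return the reasons a scope mapping name would be rejected (empty list = valid)."""
    errors: List[str] = []
    if not scope_name:
        errors.append("scope_name must not be empty")
        return errors
    if " " in scope_name:
        errors.append("scope_name must not contain spaces; space separates scopes in the request")
    if not SCOPE_TOKEN_RE.match(scope_name):
        errors.append("scope_name contains characters outside the RFC 6749 scope-token set")
    return errors


def parse_scope_parameter(scope: str) -> List[str]:
    """Split the `scope` request parameter the way an authorization server does."""
    return [token for token in scope.split(" ") if token]


def resolve_requested_scopes(scope: str, configured: Dict[str, str]) -> Dict[str, List[str]]:
    """Match requested scope tokens against configured scope mappings (name -> description).

    Returns which tokens were granted and which were unknown. Unknown tokens are
    what a server should refuse or drop rather than echo back as granted.
    """
    requested = parse_scope_parameter(scope)
    granted = [token for token in requested if token in configured]
    unknown = [token for token in requested if token not in configured]
    return {"granted": granted, "unknown": unknown}


# Constructed configuration: the "read write" mapping is the kind of entry
# the 2023.1 validation now rejects at creation time.
CONFIGURED_SCOPES = {
    "openid": "OpenID Connect sign-in",
    "profile": "Basic profile claims",
    "read write": "Combined read/write access (invalid name)",
}

if __name__ == "__main__":
    for name in CONFIGURED_SCOPES:
        print(f"{name!r}: {validate_scope_name(name) or 'ok'}")
    print(resolve_requested_scopes("openid read write", CONFIGURED_SCOPES))
```

On an instance upgraded from an earlier release, existing mappings are not re-validated by this check; listing them through the scope mapping API and running each `scope_name` through the validator is a quick way to find entries that can never be granted.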
Fixed in 2023.1.1
- add tests to prevent empty SAN
- blueprints: fix OOB email field overwriting user settings email field
- ci: build beta for amd64 and arm64 (#4468)
- crypto: ensure we don't generate an empty SAN certificate
- crypto: fallback when no SAN values are given
- outposts/ldap: fix queries filtering objectClass with non-lowercase values
- outposts/proxy: fix panic due to IsSet misbehaving
- providers/oauth2: more x5c and ecdsa x/y tests (#4463)
- providers/proxy: fix issuer for embedded outpost (#4480)
- sources/ldap: add e2e LDAP source tests (#4462)
- stages: always use get_pending_user instead of getting context user
- stages/authenticator_sms: fix code not being sent when phone_number is in context
- web/admin: don't enable execution logging by default
- web/admin: improve display of rule severity
- web/admin: improve display of system task exception
- web/admin: link group of notification rule
- web/elements: fix pf-c-switch not rendering correctly in pure tables
- web/elements: fix SearchSelect not working on safari
- web/flows: fix flow executor background overlay in safari
Fixed in 2023.1.2
- stages/user_write: fix migration setting wrong value, fix form
Fixed in 2023.1.3
- *: fix CVE-2023-26481, Reported by @fuomag9
API Changes
What's Deleted
- GET /policies/haveibeenpwned/
- POST /policies/haveibeenpwned/
- GET /policies/haveibeenpwned/{policy_uuid}/
- PUT /policies/haveibeenpwned/{policy_uuid}/
- DELETE /policies/haveibeenpwned/{policy_uuid}/
- PATCH /policies/haveibeenpwned/{policy_uuid}/
- GET /policies/haveibeenpwned/{policy_uuid}/used_by/
What's Changed
GET /admin/metrics/
- Return Type: changed response 200 OK, changed content type application/json
  - New required properties: authorizations, logins, logins_failed
  - New optional properties: authorizations_per_1h, logins_failed_per_1h, logins_per_1h
  - Added property logins (array); items (object): Coordinates for diagrams
    - Property x_cord (integer)
    - Property y_cord (integer)
  - Added property logins_failed (array)
  - Added property authorizations (array)
  - Deleted property logins_per_1h (array)
  - Deleted property logins_failed_per_1h (array)
  - Deleted property authorizations_per_1h (array)
GET /core/users/{id}/metrics/
- Return Type: changed response 200 OK, changed content type application/json
  - New required properties: authorizations, logins, logins_failed
  - New optional properties: authorizations_per_1h, logins_failed_per_1h, logins_per_1h
  - Added property logins (array)
  - Added property logins_failed (array)
  - Added property authorizations (array)
  - Deleted property logins_per_1h (array)
  - Deleted property logins_failed_per_1h (array)
  - Deleted property authorizations_per_1h (array)
GET /managed/blueprints/{instance_uuid}/
- Return Type: changed response 200 OK, changed content type application/json
  - New optional properties: path
  - Added property content (string)
PUT /managed/blueprints/{instance_uuid}/
- Request: changed content type application/json
  - New optional properties: path
  - Added property content (string)
- Return Type: changed response 200 OK, changed content type application/json
  - New optional properties: path
  - Added property content (string)
PATCH /managed/blueprints/{instance_uuid}/
- Request: changed content type application/json
  - Added property content (string)
- Return Type: changed response 200 OK, changed content type application/json
  - New optional properties: path
  - Added property content (string)
POST /managed/blueprints/{instance_uuid}/apply/
- Return Type: changed response 200 OK, changed content type application/json
  - New optional properties: path
  - Added property content (string)
GET /outposts/proxy/{id}/
- Return Type: changed response 200 OK, changed content type application/json
  - Added property intercept_header_auth (boolean): When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
  - Added property
GET /policies/event_matcher/{policy_uuid}/
- Return Type: changed response 200 OK, changed content type application/json
  - Changed property app (string): Match events created by selected application. When left empty, all applications are matched.
    - Removed enum value: authentik.policies.hibp
PUT /policies/event_matcher/{policy_uuid}/
- Request: changed content type application/json
  - Changed property app (string): Match events created by selected application. When left empty, all applications are matched.
    - Removed enum value: authentik.policies.hibp
- Return Type: changed response 200 OK, changed content type application/json
  - Changed property app (string): Match events created by selected application. When left empty, all applications are matched.
    - Removed enum value: authentik.policies.hibp
PATCH /policies/event_matcher/{policy_uuid}/
- Request: changed content type application/json
  - Changed property app (string): Match events created by selected application. When left empty, all applications are matched.
    - Removed enum value: authentik.policies.hibp
- Return Type: changed response 200 OK, changed content type application/json
  - Changed property app (string): Match events created by selected application. When left empty, all applications are matched.
    - Removed enum value: authentik.policies.hibp
GET /propertymappings/scope/{pm_uuid}/
- Return Type: changed response 200 OK, changed content type application/json
  - Changed property scope_name (string): Scope name requested by the client
  - Changed property
PUT /propertymappings/scope/{pm_uuid}/
- Request: changed content type application/json
  - Changed property scope_name (string): Scope name requested by the client
- Return Type: changed response 200 OK, changed content type application/json
  - Changed property scope_name (string): Scope name requested by the client
  - Changed property
PATCH /propertymappings/scope/{pm_uuid}/
- Request: changed content type application/json
  - Changed property scope_name (string): Scope name requested by the client
- Return Type: changed response 200 OK, changed content type application/json
  - Changed property scope_name (string): Scope name requested by the client
  - Changed property
GET /providers/proxy/{id}/
- Return Type: changed response 200 OK, changed content type application/json
  - New required properties: client_id
  - Added property client_id (string)
  - Added property intercept_header_auth (boolean): When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
  - Added property jwks_sources (array); items (string)
PUT /providers/proxy/{id}/
- Request: changed content type application/json
  - Added property intercept_header_auth (boolean): When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
  - Added property jwks_sources (array)
- Return Type: changed response 200 OK, changed content type application/json
  - New required properties: client_id
  - Added property client_id (string)
  - Added property intercept_header_auth (boolean): When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
  - Added property jwks_sources (array)
PATCH /providers/proxy/{id}/
- Request: changed content type application/json
  - Added property intercept_header_auth (boolean): When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
  - Added property jwks_sources (array)
- Return Type: changed response 200 OK, changed content type application/json
  - New required properties: client_id
  - Added property client_id (string)
  - Added property intercept_header_auth (boolean): When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
  - Added property jwks_sources (array)
GET /admin/system_tasks/
- Return Type: changed response 200 OK, changed content type application/json
  - Changed items (object): Serialize TaskInfo and TaskResult
    - New required properties: task_duration
    - Added property task_duration (integer)
GET /admin/system_tasks/{id}/
- Return Type: changed response 200 OK, changed content type application/json
  - New required properties: task_duration
  - Added property task_duration (integer)
POST /managed/blueprints/
- Request: changed content type application/json
  - New optional properties: path
  - Added property content (string)
- Return Type: changed response 201 Created, changed content type application/json
  - New optional properties: path
  - Added property content (string)
GET /managed/blueprints/
- Return Type: changed response 200 OK, changed content type application/json
  - Changed property results (array); changed items (object): Info about a single blueprint instance file
    - New optional properties: path
    - Added property content (string)
GET /outposts/proxy/
- Return Type: changed response 200 OK, changed content type application/json
  - Changed property results (array); changed items (object): Proxy provider serializer for outposts
    - Added property intercept_header_auth (boolean): When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
    - Added property
POST /policies/event_matcher/
- Request: changed content type application/json
  - Changed property app (string): Match events created by selected application. When left empty, all applications are matched.
    - Removed enum value: authentik.policies.hibp
- Return Type: changed response 201 Created, changed content type application/json
  - Changed property app (string): Match events created by selected application. When left empty, all applications are matched.
    - Removed enum value: authentik.policies.hibp
GET /policies/event_matcher/
- Parameters: changed app (in query)
- Return Type: changed response 200 OK, changed content type application/json
  - Changed property results (array); changed items (object): Event Matcher Policy Serializer
    - Changed property app (string): Match events created by selected application. When left empty, all applications are matched.
      - Removed enum value: authentik.policies.hibp
POST /propertymappings/scope/
- Request: changed content type application/json
  - Changed property scope_name (string): Scope name requested by the client
- Return Type: changed response 201 Created, changed content type application/json
  - Changed property scope_name (string): Scope name requested by the client
  - Changed property
GET /propertymappings/scope/
- Return Type: changed response 200 OK, changed content type application/json
  - Changed property results (array); changed items (object): ScopeMapping Serializer
    - Changed property scope_name (string): Scope name requested by the client
    - Changed property
POST /providers/proxy/
- Request: changed content type application/json
  - Added property intercept_header_auth (boolean): When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
  - Added property jwks_sources (array)
- Return Type: changed response 201 Created, changed content type application/json
  - New required properties: client_id
  - Added property client_id (string)
  - Added property intercept_header_auth (boolean): When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
  - Added property jwks_sources (array)
GET /providers/proxy/
- Return Type: changed response 200 OK, changed content type application/json
  - Changed property results (array); changed items (object): ProxyProvider Serializer
    - New required properties: client_id
    - Added property client_id (string)
    - Added property intercept_header_auth (boolean): When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
    - Added property jwks_sources (array)
GET /providers/saml/{id}/
- Return Type: changed response 200 OK, changed content type application/json
  - New required properties: url_slo_post, url_slo_redirect
  - Added property url_slo_post (string)
  - Added property url_slo_redirect (string)
PUT /providers/saml/{id}/
- Return Type: changed response 200 OK, changed content type application/json
  - New required properties: url_slo_post, url_slo_redirect
  - Added property url_slo_post (string)
  - Added property url_slo_redirect (string)
PATCH /providers/saml/{id}/
- Return Type: changed response 200 OK, changed content type application/json
  - New required properties: url_slo_post, url_slo_redirect
  - Added property url_slo_post (string)
  - Added property url_slo_redirect (string)
GET /sources/ldap/{slug}/sync_status/
- Return Type: changed response 200 OK, changed content type application/json
  - Changed items (object): Serialize TaskInfo and TaskResult
    - New required properties: task_duration
    - Added property task_duration (integer)
POST /providers/saml/
- Return Type: changed response 201 Created, changed content type application/json
  - New required properties: url_slo_post, url_slo_redirect
  - Added property url_slo_post (string)
  - Added property url_slo_redirect (string)
GET /providers/saml/
- Return Type: changed response 200 OK, changed content type application/json
  - Changed property results (array); changed items (object): SAMLProvider Serializer
    - New required properties: url_slo_post, url_slo_redirect
    - Added property url_slo_post (string)
    - Added property url_slo_redirect (string)
GET /sources/oauth/
- Parameters: added has_jwks (in query): Only return sources with JWKS data
GET /stages/user_write/{stage_uuid}/
- Return Type: changed response 200 OK, changed content type application/json
  - Added property user_creation_mode (string); enum values: never_create, create_when_required, always_create
  - Deleted property can_create_users (boolean): When set, this stage can create users. If not enabled and no user is available, stage will fail.
PUT /stages/user_write/{stage_uuid}/
- Request: changed content type application/json
  - Added property user_creation_mode (string)
  - Deleted property can_create_users (boolean): When set, this stage can create users. If not enabled and no user is available, stage will fail.
- Return Type: changed response 200 OK, changed content type application/json
  - Added property user_creation_mode (string)
  - Deleted property can_create_users (boolean): When set, this stage can create users. If not enabled and no user is available, stage will fail.
PATCH /stages/user_write/{stage_uuid}/
- Request: changed content type application/json
  - Added property user_creation_mode (string)
  - Deleted property can_create_users (boolean): When set, this stage can create users. If not enabled and no user is available, stage will fail.
- Return Type: changed response 200 OK, changed content type application/json
  - Added property user_creation_mode (string)
  - Deleted property can_create_users (boolean): When set, this stage can create users. If not enabled and no user is available, stage will fail.
POST /stages/user_write/
- Request: changed content type application/json
  - Added property user_creation_mode (string)
  - Deleted property can_create_users (boolean): When set, this stage can create users. If not enabled and no user is available, stage will fail.
- Return Type: changed response 201 Created, changed content type application/json
  - Added property user_creation_mode (string)
  - Deleted property can_create_users (boolean): When set, this stage can create users. If not enabled and no user is available, stage will fail.
GET /stages/user_write/
- Parameters: added user_creation_mode (in query); deleted can_create_users (in query)
- Return Type: changed response 200 OK, changed content type application/json
  - Changed property results (array); changed items (object): UserWriteStage Serializer
    - Added property user_creation_mode (string)
    - Deleted property can_create_users (boolean): When set, this stage can create users. If not enabled and no user is available, stage will fail.
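A post-upgrade check for the can_create_users to user_creation_mode change, as an added example that is not authentik's migration code: 2023.1.2 fixed a migration that set the wrong value, so comparing a pre-upgrade export of the user_write stages with the listing the upgraded API returns tells you whether every stage ended up in the intended mode. The boolean-to-enum mapping is an assumption drawn from the removed field's description (true meant "create a user when none is available", i.e. create_when_required; false is never_create); stages are matched on a `pk` key, also assumed; the two stage lists are constructed.

```python
from typing import Any, Dict, List, Tuple

NEVER_CREATE = "never_create"
CREATE_WHEN_REQUIRED = "create_when_required"
ALWAYS_CREATE = "always_create"
VALID_MODES = {NEVER_CREATE, CREATE_WHEN_REQUIRED, ALWAYS_CREATE}


def expected_mode(can_create_users: bool) -> str:
    """Map the removed boolean to the new enum.

    Assumption for this example, taken from the old field's description
    ("if not enabled and no user is available, stage will fail"):
    true -> create_when_required, false -> never_create.
    """
    return CREATE_WHEN_REQUIRED if can_create_users else NEVER_CREATE


def check_user_write_migration(
    before: List[Dict[str, Any]], after: List[Dict[str, Any]]
) -> List[Tuple[str, str, Any]]:
    """Compare a pre-upgrade export with the post-upgrade API listing.

    `before` items carry can_create_users, `after` items carry user_creation_mode;
    both are matched on the stage's `pk` (assumed key name). Returns
    (pk, expected_mode, actual_mode) for every stage that does not match,
    including stages missing after the upgrade or holding an unknown value.
    """
    after_by_pk = {stage["pk"]: stage for stage in after}
    mismatches: List[Tuple[str, str, Any]] = []
    for stage in before:
        pk = stage["pk"]
        expected = expected_mode(bool(stage.get("can_create_users", False)))
        actual = after_by_pk.get(pk, {}).get("user_creation_mode")
        if actual not in VALID_MODES or actual != expected:
            mismatches.append((pk, expected, actual))
    return mismatches


def stages_that_create_users(after: List[Dict[str, Any]]) -> List[str]:
    """Audit helper: pks of stages whose mode lets the stage create accounts."""
    return [
        stage["pk"]
        for stage in after
        if stage.get("user_creation_mode") in (CREATE_WHEN_REQUIRED, ALWAYS_CREATE)
    ]


# Constructed sample data: three stages exported before the upgrade and the
# same three read back afterwards, where one came back with a mode the
# boolean did not imply.
BEFORE = [
    {"pk": "stage-enroll", "name": "enrollment-write", "can_create_users": True},
    {"pk": "stage-profile", "name": "profile-update", "can_create_users": False},
    {"pk": "stage-invite", "name": "invitation-write", "can_create_users": True},
]
AFTER = [
    {"pk": "stage-enroll", "name": "enrollment-write", "user_creation_mode": "create_when_required"},
    {"pk": "stage-profile", "name": "profile-update", "user_creation_mode": "never_create"},
    {"pk": "stage-invite", "name": "invitation-write", "user_creation_mode": "always_create"},
]

if __name__ == "__main__":
    for pk, expected, actual in check_user_write_migration(BEFORE, AFTER):
        print(f"{pk}: expected {expected}, got {actual}")
    print("stages able to create users:", stages_that_create_users(AFTER))
```

The second helper is worth running on its own after any upgrade: a stage that can create users inside a flow reachable without authentication is the kind of setting that should be reviewed deliberately rather than inherited from a migration.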