Release 2023.1

Breaking changes

Deprecated HaveIBeenPwned policy has been removed

This policy type has been deprecated since 2022.11 and was automatically migrated to the password policy with equivalent options.

New features

SLO Support for SAML provider

authentik now supports SAML SLO (Single logout).
Proxy provider now accepts HTTP Basic and Bearer authentication

See Header authentication.
LDAP provider now works with Code-based MFA stages

If the configured authentication flow has an authenticator validation stage which allows code-based devices, and the user attempting to login has a TOTP or Static device, they can enter their password followed by a semicolon and the authenticator code to login. SMS devices are not supported.

Upgrading

This release does not introduce any new requirements.

docker-compose

Download the docker-compose file for 2023.1 from here. Afterwards, simply run docker-compose up -d.

Kubernetes

Update your values to use the new images:

image:
    repository: ghcr.io/goauthentik/server
    tag: 2023.1.0

Minor changes/fixes

*: strip leading and trailing whitespace when reading config values from files
admin: include task duration in API (#4428)
blueprints: Add !Enumerate, !Value and !Index tags (#4338)
blueprints: don't set session_duration in default and example flows (#4448)
blueprints: Fix resolve model_name in !Find tag (#4371)
blueprints: internal storage (#4397)
crypto: prevent creation of duplicate self-signed default certs
events: exclude base models from model audit log
events: rework metrics (#4407)
internal: check certificate value and not IsSet
internal: fix race condition with config loading on startup, add index on debug server
internal: improve error handling
outposts: use common config loader for outposts to support loading values from file
outposts/ldap: decrease verbosity
outposts/proxy: add header to prevent redirects
outposts/proxy: allow setting no-redirect via header or query param
outposts/proxy: cache basic and bearer credentials for one minute
outposts/proxy: fix error handling, remove requirement for profile/etc scopes
outposts/proxy: make logged user more consistent, set FlushInterval
outposts/proxy: set http code when no redirect header is set
polices/hibp: remove deprecated (#4363)
providers/ldap: add code-MFA support for ldap provider (#4354)
providers/oauth2: correctly fill claims_supported based on selected scopes (#4429)
providers/oauth2: don't allow spaces in scope_name
providers/oauth2: fallback to anonymous user for policy engine
providers/oauth2: use guardian anonymous user to get claims for provider info
providers/proxy: add initial header token auth (#4421)
providers/proxy: add setting to intercept authorization header (#4457)
providers/proxy: add tests for proxy basic auth (#4357)
providers/saml: initial SLO implementation (#2346)
root: show error when geoIP download fails
sources/ldap: don't run membership sync if group sync is disabled
sources/ldap: make task timeout adjustable
sources/ldap: manual import (#4456)
sources/ldap: only warn about missing groups when source is configured to sync groups
stages/user_write: add more user creation options (#4367)
web: add core-js polyfill for safari
web: ensure img tags have alt attributes
web: fix radio label code in dark mode
web: fix scrollbar corner color in dark mode
web: migrate checkbox to switch (#4409)
web/admin: better show dev build
web/admin: fix certificate filtering for LDAP verification certificate
web/admin: fix overflow in aggregate cards
web/admin: link impersonation user for events
web/admin: rework admin dashboard, add more links, remove user and group graphs (#4399)
web/admin: show GeoIP information inline in events
web/elements: fix pagination page button colours in dark mode
web/elements: use correct Action Label for user related events

Fixed in 2023.1.1

add tests to prevent empty SAN
blueprints: fix OOB email field overwriting user settings email field
ci: build beta for amd64 and arm64 (#4468)
crypto: ensure we don't generate an empty SAN certificate
crypto: fallback when no SAN values are given
outposts/ldap: fix queries filtering objectClass with non-lowercase values
outposts/proxy: fix panic due to IsSet misbehaving
providers/oauth2: more x5c and ecdsa x/y tests (#4463)
providers/proxy: fix issuer for embedded outpost (#4480)
sources/ldap: add e2e LDAP source tests (#4462)
stages: always use get_pending_user instead of getting context user
stages/authenticator_sms: fix code not being sent when phone_number is in context
web/admin: don't enable execution logging by default
web/admin: improve display of rule severity
web/admin: improve display of system task exception
web/admin: link group of notification rule
web/elements: fix pf-c-switch not rendering correctly in pure tables
web/elements: fix SearchSelect not working on safari
web/flows: fix flow executor background overlay in safari

Fixed in 2023.1.2

stages/user_write: fix migration setting wrong value, fix form

Fixed in 2023.1.3

*: fix CVE-2023-26481, Reported by @fuomag9

API Changes

What's Deleted

`GET` /policies/haveibeenpwned/

`POST` /policies/haveibeenpwned/

`GET` /policies/haveibeenpwned/{policy_uuid}/

`PUT` /policies/haveibeenpwned/{policy_uuid}/

`DELETE` /policies/haveibeenpwned/{policy_uuid}/

`PATCH` /policies/haveibeenpwned/{policy_uuid}/

`GET` /policies/haveibeenpwned/{policy_uuid}/used_by/

What's Changed

`GET` /admin/metrics/

Return Type:

Changed response : 200 OK

Changed content type : application/json

New required properties:
- authorizations
- logins
- logins_failed
New optional properties:
- authorizations_per_1h
- logins_failed_per_1h
- logins_per_1h
- Added property logins (array)
  
  Items (object): > Coordinates for diagrams
  - Property x_cord (integer)
  - Property y_cord (integer)
- Added property logins_failed (array)
- Added property authorizations (array)
- Deleted property logins_per_1h (array)
- Deleted property logins_failed_per_1h (array)
- Deleted property authorizations_per_1h (array)

`GET` /core/users/{id}/metrics/

Return Type:

Changed response : 200 OK

Changed content type : application/json

New required properties:
- authorizations
- logins
- logins_failed
New optional properties:
- authorizations_per_1h
- logins_failed_per_1h
- logins_per_1h
- Added property logins (array)
- Added property logins_failed (array)
- Added property authorizations (array)
- Deleted property logins_per_1h (array)
- Deleted property logins_failed_per_1h (array)
- Deleted property authorizations_per_1h (array)

`GET` /managed/blueprints/{instance_uuid}/

Return Type:

Changed response : 200 OK

Changed content type : application/json

New optional properties:
- path
- Added property content (string)

`PUT` /managed/blueprints/{instance_uuid}/

Request:

Changed content type : application/json

New optional properties:

path

Added property content (string)

Return Type:

Changed response : 200 OK

Changed content type : application/json

New optional properties:
- path
- Added property content (string)

`PATCH` /managed/blueprints/{instance_uuid}/

Request:

Changed content type : application/json

Added property content (string)

Return Type:

Changed response : 200 OK

Changed content type : application/json

New optional properties:
- path
- Added property content (string)

`POST` /managed/blueprints/{instance_uuid}/apply/

Return Type:

Changed response : 200 OK

Changed content type : application/json

New optional properties:
- path
- Added property content (string)

`GET` /outposts/proxy/{id}/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Added property intercept_header_auth (boolean)
  
  When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

`GET` /policies/event_matcher/{policy_uuid}/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property app (string)
  
  Match events created by selected application. When left empty, all applications are matched.
  
  Removed enum value:
  - authentik.policies.hibp

`PUT` /policies/event_matcher/{policy_uuid}/

Request:

Changed content type : application/json

Changed property app (string)

Match events created by selected application. When left empty, all applications are matched.

Removed enum value:
- authentik.policies.hibp

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property app (string)
  
  Match events created by selected application. When left empty, all applications are matched.
  
  Removed enum value:
  - authentik.policies.hibp

`PATCH` /policies/event_matcher/{policy_uuid}/

Request:

Changed content type : application/json

Changed property app (string)

Match events created by selected application. When left empty, all applications are matched.

Removed enum value:
- authentik.policies.hibp

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property app (string)
  
  Match events created by selected application. When left empty, all applications are matched.
  
  Removed enum value:
  - authentik.policies.hibp

`GET` /propertymappings/scope/{pm_uuid}/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property scope_name (string)
  
  Scope name requested by the client

`PUT` /propertymappings/scope/{pm_uuid}/

Request:

Changed content type : application/json

Changed property scope_name (string)

Scope name requested by the client

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property scope_name (string)
  
  Scope name requested by the client

`PATCH` /propertymappings/scope/{pm_uuid}/

Request:

Changed content type : application/json

Changed property scope_name (string)

Scope name requested by the client

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property scope_name (string)
  
  Scope name requested by the client

`GET` /providers/proxy/{id}/

Return Type:

Changed response : 200 OK

Changed content type : application/json

New required properties:
- client_id
- Added property client_id (string)
- Added property intercept_header_auth (boolean)
  
  When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
- Added property jwks_sources (array)
  
  Items (string):

`PUT` /providers/proxy/{id}/

Request:

Changed content type : application/json

Added property intercept_header_auth (boolean)

When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
Added property jwks_sources (array)

Return Type:

Changed response : 200 OK

Changed content type : application/json

New required properties:
- client_id
- Added property client_id (string)
- Added property intercept_header_auth (boolean)
  
  When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
- Added property jwks_sources (array)

`PATCH` /providers/proxy/{id}/

Request:

Changed content type : application/json

Added property intercept_header_auth (boolean)

When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
Added property jwks_sources (array)

Return Type:

Changed response : 200 OK

Changed content type : application/json

New required properties:
- client_id
- Added property client_id (string)
- Added property intercept_header_auth (boolean)
  
  When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
- Added property jwks_sources (array)

`GET` /admin/system_tasks/

Return Type:

Changed response : 200 OK

Changed content type : application/json

Changed items (object): > Serialize TaskInfo and TaskResult

New required properties:
- task_duration
- Added property task_duration (integer)

`GET` /admin/system_tasks/{id}/

Return Type:

Changed response : 200 OK

Changed content type : application/json

New required properties:
- task_duration
- Added property task_duration (integer)

`POST` /managed/blueprints/

Request:

Changed content type : application/json

New optional properties:

path

Added property content (string)

Return Type:

Changed response : 201 Created

Changed content type : application/json

New optional properties:
- path
- Added property content (string)

`GET` /managed/blueprints/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property results (array)
  
  Changed items (object): > Info about a single blueprint instance file
  
  New optional properties:
  - path
  - Added property content (string)

`GET` /outposts/proxy/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property results (array)
  
  Changed items (object): > Proxy provider serializer for outposts
  - Added property intercept_header_auth (boolean)
    
    When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

`POST` /policies/event_matcher/

Request:

Changed content type : application/json

Changed property app (string)

Match events created by selected application. When left empty, all applications are matched.

Removed enum value:
- authentik.policies.hibp

Return Type:

Changed response : 201 Created

Changed content type : application/json
- Changed property app (string)
  
  Match events created by selected application. When left empty, all applications are matched.
  
  Removed enum value:
  - authentik.policies.hibp

`GET` /policies/event_matcher/

Parameters:

Changed: app in query

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property results (array)
  
  Changed items (object): > Event Matcher Policy Serializer
  - Changed property app (string)
    
    Match events created by selected application. When left empty, all applications are matched.
    
    Removed enum value:
    - authentik.policies.hibp

`POST` /propertymappings/scope/

Request:

Changed content type : application/json

Changed property scope_name (string)

Scope name requested by the client

Return Type:

Changed response : 201 Created

Changed content type : application/json
- Changed property scope_name (string)
  
  Scope name requested by the client

`GET` /propertymappings/scope/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property results (array)
  
  Changed items (object): > ScopeMapping Serializer
  - Changed property scope_name (string)
    
    Scope name requested by the client

`POST` /providers/proxy/

Request:

Changed content type : application/json

Added property intercept_header_auth (boolean)

When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
Added property jwks_sources (array)

Return Type:

Changed response : 201 Created

Changed content type : application/json

New required properties:
- client_id
- Added property client_id (string)
- Added property intercept_header_auth (boolean)
  
  When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
- Added property jwks_sources (array)

`GET` /providers/proxy/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property results (array)
  
  Changed items (object): > ProxyProvider Serializer
  
  New required properties:
  - client_id
  - Added property client_id (string)
  - Added property intercept_header_auth (boolean)
    
    When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
  - Added property jwks_sources (array)

`GET` /providers/saml/{id}/

Return Type:

Changed response : 200 OK

Changed content type : application/json

New required properties:
- url_slo_post
- url_slo_redirect
- Added property url_slo_post (string)
- Added property url_slo_redirect (string)

`PUT` /providers/saml/{id}/

Return Type:

Changed response : 200 OK

Changed content type : application/json

New required properties:
- url_slo_post
- url_slo_redirect
- Added property url_slo_post (string)
- Added property url_slo_redirect (string)

`PATCH` /providers/saml/{id}/

Return Type:

Changed response : 200 OK

Changed content type : application/json

New required properties:
- url_slo_post
- url_slo_redirect
- Added property url_slo_post (string)
- Added property url_slo_redirect (string)

`GET` /sources/ldap/{slug}/sync_status/

Return Type:

Changed response : 200 OK

Changed content type : application/json

Changed items (object): > Serialize TaskInfo and TaskResult

New required properties:
- task_duration
- Added property task_duration (integer)

`POST` /providers/saml/

Return Type:

Changed response : 201 Created

Changed content type : application/json

New required properties:
- url_slo_post
- url_slo_redirect
- Added property url_slo_post (string)
- Added property url_slo_redirect (string)

`GET` /providers/saml/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property results (array)
  
  Changed items (object): > SAMLProvider Serializer
  
  New required properties:
  - url_slo_post
  - url_slo_redirect
  - Added property url_slo_post (string)
  - Added property url_slo_redirect (string)

`GET` /sources/oauth/

Parameters:

Added: has_jwks in query

Only return sources with JWKS data

`GET` /stages/user_write/{stage_uuid}/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Added property user_creation_mode (string)
  
  Enum values:
  - never_create
  - create_when_required
  - always_create
- Deleted property can_create_users (boolean)
  
  When set, this stage can create users. If not enabled and no user is available, stage will fail.

`PUT` /stages/user_write/{stage_uuid}/

Request:

Changed content type : application/json

Added property user_creation_mode (string)
Deleted property can_create_users (boolean)

When set, this stage can create users. If not enabled and no user is available, stage will fail.

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Added property user_creation_mode (string)
- Deleted property can_create_users (boolean)
  
  When set, this stage can create users. If not enabled and no user is available, stage will fail.

`PATCH` /stages/user_write/{stage_uuid}/

Request:

Changed content type : application/json

Added property user_creation_mode (string)
Deleted property can_create_users (boolean)

When set, this stage can create users. If not enabled and no user is available, stage will fail.

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Added property user_creation_mode (string)
- Deleted property can_create_users (boolean)
  
  When set, this stage can create users. If not enabled and no user is available, stage will fail.

`POST` /stages/user_write/

Request:

Changed content type : application/json

Added property user_creation_mode (string)
Deleted property can_create_users (boolean)

When set, this stage can create users. If not enabled and no user is available, stage will fail.

Return Type:

Changed response : 201 Created

Changed content type : application/json
- Added property user_creation_mode (string)
- Deleted property can_create_users (boolean)
  
  When set, this stage can create users. If not enabled and no user is available, stage will fail.

`GET` /stages/user_write/

Parameters:

Added: user_creation_mode in query

Deleted: can_create_users in query

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property results (array)
  
  Changed items (object): > UserWriteStage Serializer
  - Added property user_creation_mode (string)
  - Deleted property can_create_users (boolean)
    
    When set, this stage can create users. If not enabled and no user is available, stage will fail.

Breaking changes
New features
Upgrading
- docker-compose
- Kubernetes
Minor changes/fixes
Fixed in 2023.1.1
Fixed in 2023.1.2
Fixed in 2023.1.3
API Changes
- What's Deleted
- What's Changed

Breaking changes​

New features​

Upgrading​

docker-compose​

Kubernetes​

Minor changes/fixes​

Fixed in 2023.1.1​

Fixed in 2023.1.2​

Fixed in 2023.1.3​

API Changes​

What's Deleted​

GET /policies/haveibeenpwned/​

POST /policies/haveibeenpwned/​

GET /policies/haveibeenpwned/{policy_uuid}/​

PUT /policies/haveibeenpwned/{policy_uuid}/​

DELETE /policies/haveibeenpwned/{policy_uuid}/​

PATCH /policies/haveibeenpwned/{policy_uuid}/​

GET /policies/haveibeenpwned/{policy_uuid}/used_by/​

What's Changed​

GET /admin/metrics/​

Return Type:​

GET /core/users/{id}/metrics/​

Return Type:​

GET /managed/blueprints/{instance_uuid}/​

Return Type:​

PUT /managed/blueprints/{instance_uuid}/​

Request:​

Return Type:​

PATCH /managed/blueprints/{instance_uuid}/​

Request:​

Return Type:​

POST /managed/blueprints/{instance_uuid}/apply/​

Return Type:​

GET /outposts/proxy/{id}/​

Return Type:​

GET /policies/event_matcher/{policy_uuid}/​

Return Type:​

PUT /policies/event_matcher/{policy_uuid}/​

Request:​

Return Type:​

PATCH /policies/event_matcher/{policy_uuid}/​

Request:​

Return Type:​

GET /propertymappings/scope/{pm_uuid}/​

Return Type:​

PUT /propertymappings/scope/{pm_uuid}/​

Request:​

Return Type:​

PATCH /propertymappings/scope/{pm_uuid}/​

Request:​

Return Type:​

GET /providers/proxy/{id}/​

Return Type:​

PUT /providers/proxy/{id}/​

Request:​

Return Type:​

PATCH /providers/proxy/{id}/​

Request:​

Return Type:​

GET /admin/system_tasks/​

Return Type:​

GET /admin/system_tasks/{id}/​

Return Type:​

POST /managed/blueprints/​

Request:​

Return Type:​

GET /managed/blueprints/​

Return Type:​

GET /outposts/proxy/​

Return Type:​

POST /policies/event_matcher/​

Request:​

Return Type:​

GET /policies/event_matcher/​

Parameters:​

Return Type:​

POST /propertymappings/scope/​

Request:​

Return Type:​

GET /propertymappings/scope/​

Breaking changes

New features

Upgrading

docker-compose

Kubernetes

Minor changes/fixes

Fixed in 2023.1.1

Fixed in 2023.1.2

Fixed in 2023.1.3

API Changes

What's Deleted

`GET` /policies/haveibeenpwned/

`POST` /policies/haveibeenpwned/

`GET` /policies/haveibeenpwned/{policy_uuid}/

`PUT` /policies/haveibeenpwned/{policy_uuid}/

`DELETE` /policies/haveibeenpwned/{policy_uuid}/

`PATCH` /policies/haveibeenpwned/{policy_uuid}/

`GET` /policies/haveibeenpwned/{policy_uuid}/used_by/

What's Changed

`GET` /admin/metrics/

Return Type:

`GET` /core/users/{id}/metrics/

Return Type:

`GET` /managed/blueprints/{instance_uuid}/

Return Type:

`PUT` /managed/blueprints/{instance_uuid}/

Request:

Return Type:

`PATCH` /managed/blueprints/{instance_uuid}/

Request:

Return Type:

`POST` /managed/blueprints/{instance_uuid}/apply/

Return Type:

`GET` /outposts/proxy/{id}/

Return Type:

`GET` /policies/event_matcher/{policy_uuid}/

Return Type:

`PUT` /policies/event_matcher/{policy_uuid}/

Request:

Return Type:

`PATCH` /policies/event_matcher/{policy_uuid}/

Request:

Return Type:

`GET` /propertymappings/scope/{pm_uuid}/

Return Type:

`PUT` /propertymappings/scope/{pm_uuid}/

Request:

Return Type:

`PATCH` /propertymappings/scope/{pm_uuid}/

Request:

Return Type:

`GET` /providers/proxy/{id}/

Return Type:

`PUT` /providers/proxy/{id}/

Request:

Return Type:

`PATCH` /providers/proxy/{id}/

Request:

Return Type:

`GET` /admin/system_tasks/

Return Type:

`GET` /admin/system_tasks/{id}/

Return Type:

`POST` /managed/blueprints/

Request:

Return Type:

`GET` /managed/blueprints/

Return Type:

`GET` /outposts/proxy/

Return Type:

`POST` /policies/event_matcher/

Request:

Return Type:

`GET` /policies/event_matcher/

Parameters:

Return Type:

`POST` /propertymappings/scope/

Request:

Return Type:

`GET` /propertymappings/scope/