authentik/website/docs/releases/2023/v2023.1.md

950 lines
23 KiB
Markdown

---
title: Release 2023.1
slug: "/releases/2023.1"
---
## Breaking changes
- Deprecated HaveIBeenPwned policy has been removed
This policy type has been deprecated since 2022.11 and was automatically migrated to the password policy with equivalent options.
## New features
- SLO Support for SAML provider
authentik now supports SAML SLO (Single logout).
- Proxy provider now accepts HTTP Basic and Bearer authentication
See [Header authentication](../../add-secure-apps/providers/proxy/header_authentication.md).
- LDAP provider now works with Code-based MFA stages
If the configured authentication flow has an authenticator validation stage which allows code-based devices, and the user attempting to login has a TOTP or Static device, they can enter their password followed by a semicolon and the authenticator code to login. SMS devices are not supported.
## Upgrading
This release does not introduce any new requirements.
### docker-compose
Download the docker-compose file for 2023.1 from [here](https://goauthentik.io/version/2023.1/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
### Kubernetes
Update your values to use the new images:
```yaml
image:
repository: ghcr.io/goauthentik/server
tag: 2023.1.0
```
## Minor changes/fixes
- \*: strip leading and trailing whitespace when reading config values from files
- admin: include task duration in API (#4428)
- blueprints: Add `!Enumerate`, `!Value` and `!Index` tags (#4338)
- blueprints: don't set session_duration in default and example flows (#4448)
- blueprints: Fix resolve model_name in `!Find` tag (#4371)
- blueprints: internal storage (#4397)
- crypto: prevent creation of duplicate self-signed default certs
- events: exclude base models from model audit log
- events: rework metrics (#4407)
- internal: check certificate value and not IsSet
- internal: fix race condition with config loading on startup, add index on debug server
- internal: improve error handling
- outposts: use common config loader for outposts to support loading values from file
- outposts/ldap: decrease verbosity
- outposts/proxy: add header to prevent redirects
- outposts/proxy: allow setting no-redirect via header or query param
- outposts/proxy: cache basic and bearer credentials for one minute
- outposts/proxy: fix error handling, remove requirement for profile/etc scopes
- outposts/proxy: make logged user more consistent, set FlushInterval
- outposts/proxy: set http code when no redirect header is set
- polices/hibp: remove deprecated (#4363)
- providers/ldap: add code-MFA support for ldap provider (#4354)
- providers/oauth2: correctly fill claims_supported based on selected scopes (#4429)
- providers/oauth2: don't allow spaces in scope_name
- providers/oauth2: fallback to anonymous user for policy engine
- providers/oauth2: use guardian anonymous user to get claims for provider info
- providers/proxy: add initial header token auth (#4421)
- providers/proxy: add setting to intercept authorization header (#4457)
- providers/proxy: add tests for proxy basic auth (#4357)
- providers/saml: initial SLO implementation (#2346)
- root: show error when geoIP download fails
- sources/ldap: don't run membership sync if group sync is disabled
- sources/ldap: make task timeout adjustable
- sources/ldap: manual import (#4456)
- sources/ldap: only warn about missing groups when source is configured to sync groups
- stages/user_write: add more user creation options (#4367)
- web: add core-js polyfill for safari
- web: ensure img tags have alt attributes
- web: fix radio label code in dark mode
- web: fix scrollbar corner color in dark mode
- web: migrate checkbox to switch (#4409)
- web/admin: better show dev build
- web/admin: fix certificate filtering for LDAP verification certificate
- web/admin: fix overflow in aggregate cards
- web/admin: link impersonation user for events
- web/admin: rework admin dashboard, add more links, remove user and group graphs (#4399)
- web/admin: show GeoIP information inline in events
- web/elements: fix pagination page button colours in dark mode
- web/elements: use correct Action Label for user related events
## Fixed in 2023.1.1
- add tests to prevent empty SAN
- blueprints: fix OOB email field overwriting user settings email field
- ci: build beta for amd64 and arm64 (#4468)
- crypto: ensure we don't generate an empty SAN certificate
- crypto: fallback when no SAN values are given
- outposts/ldap: fix queries filtering objectClass with non-lowercase values
- outposts/proxy: fix panic due to IsSet misbehaving
- providers/oauth2: more x5c and ecdsa x/y tests (#4463)
- providers/proxy: fix issuer for embedded outpost (#4480)
- sources/ldap: add e2e LDAP source tests (#4462)
- stages: always use get_pending_user instead of getting context user
- stages/authenticator_sms: fix code not being sent when phone_number is in context
- web/admin: don't enable execution logging by default
- web/admin: improve display of rule severity
- web/admin: improve display of system task exception
- web/admin: link group of notification rule
- web/elements: fix pf-c-switch not rendering correctly in pure tables
- web/elements: fix SearchSelect not working on safari
- web/flows: fix flow executor background overlay in safari
## Fixed in 2023.1.2
- stages/user_write: fix migration setting wrong value, fix form
## Fixed in 2023.1.3
- \*: fix [CVE-2023-26481](../../security/cves/CVE-2023-26481.md), Reported by [@fuomag9](https://github.com/fuomag9)
## API Changes
#### What's Deleted
---
##### `GET` /policies/haveibeenpwned/
##### `POST` /policies/haveibeenpwned/
##### `GET` /policies/haveibeenpwned/{policy_uuid}/
##### `PUT` /policies/haveibeenpwned/{policy_uuid}/
##### `DELETE` /policies/haveibeenpwned/{policy_uuid}/
##### `PATCH` /policies/haveibeenpwned/{policy_uuid}/
##### `GET` /policies/haveibeenpwned/{policy_uuid}/used_by/
#### What's Changed
---
##### `GET` /admin/metrics/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New required properties:
- `authorizations`
- `logins`
- `logins_failed`
New optional properties:
- `authorizations_per_1h`
- `logins_failed_per_1h`
- `logins_per_1h`
* Added property `logins` (array)
Items (object): > Coordinates for diagrams
- Property `x_cord` (integer)
- Property `y_cord` (integer)
* Added property `logins_failed` (array)
* Added property `authorizations` (array)
* Deleted property `logins_per_1h` (array)
* Deleted property `logins_failed_per_1h` (array)
* Deleted property `authorizations_per_1h` (array)
##### `GET` /core/users/{id}/metrics/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New required properties:
- `authorizations`
- `logins`
- `logins_failed`
New optional properties:
- `authorizations_per_1h`
- `logins_failed_per_1h`
- `logins_per_1h`
* Added property `logins` (array)
* Added property `logins_failed` (array)
* Added property `authorizations` (array)
* Deleted property `logins_per_1h` (array)
* Deleted property `logins_failed_per_1h` (array)
* Deleted property `authorizations_per_1h` (array)
##### `GET` /managed/blueprints/{instance_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `path`
* Added property `content` (string)
##### `PUT` /managed/blueprints/{instance_uuid}/
###### Request:
Changed content type : `application/json`
New optional properties:
- `path`
* Added property `content` (string)
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `path`
* Added property `content` (string)
##### `PATCH` /managed/blueprints/{instance_uuid}/
###### Request:
Changed content type : `application/json`
- Added property `content` (string)
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `path`
* Added property `content` (string)
##### `POST` /managed/blueprints/{instance_uuid}/apply/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `path`
* Added property `content` (string)
##### `GET` /outposts/proxy/{id}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
##### `GET` /policies/event_matcher/{policy_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
- `authentik.policies.hibp`
##### `PUT` /policies/event_matcher/{policy_uuid}/
###### Request:
Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
- `authentik.policies.hibp`
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
- `authentik.policies.hibp`
##### `PATCH` /policies/event_matcher/{policy_uuid}/
###### Request:
Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
- `authentik.policies.hibp`
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
- `authentik.policies.hibp`
##### `GET` /propertymappings/scope/{pm_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `scope_name` (string)
> Scope name requested by the client
##### `PUT` /propertymappings/scope/{pm_uuid}/
###### Request:
Changed content type : `application/json`
- Changed property `scope_name` (string)
> Scope name requested by the client
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `scope_name` (string)
> Scope name requested by the client
##### `PATCH` /propertymappings/scope/{pm_uuid}/
###### Request:
Changed content type : `application/json`
- Changed property `scope_name` (string)
> Scope name requested by the client
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `scope_name` (string)
> Scope name requested by the client
##### `GET` /providers/proxy/{id}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New required properties:
- `client_id`
* Added property `client_id` (string)
* Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
* Added property `jwks_sources` (array)
Items (string):
##### `PUT` /providers/proxy/{id}/
###### Request:
Changed content type : `application/json`
- Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
- Added property `jwks_sources` (array)
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New required properties:
- `client_id`
* Added property `client_id` (string)
* Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
* Added property `jwks_sources` (array)
##### `PATCH` /providers/proxy/{id}/
###### Request:
Changed content type : `application/json`
- Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
- Added property `jwks_sources` (array)
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New required properties:
- `client_id`
* Added property `client_id` (string)
* Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
* Added property `jwks_sources` (array)
##### `GET` /admin/system_tasks/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
Changed items (object): > Serialize TaskInfo and TaskResult
New required properties:
- `task_duration`
* Added property `task_duration` (integer)
##### `GET` /admin/system_tasks/{id}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New required properties:
- `task_duration`
* Added property `task_duration` (integer)
##### `POST` /managed/blueprints/
###### Request:
Changed content type : `application/json`
New optional properties:
- `path`
* Added property `content` (string)
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
New optional properties:
- `path`
* Added property `content` (string)
##### `GET` /managed/blueprints/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > Info about a single blueprint instance file
New optional properties:
- `path`
* Added property `content` (string)
##### `GET` /outposts/proxy/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > Proxy provider serializer for outposts
- Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
##### `POST` /policies/event_matcher/
###### Request:
Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
- `authentik.policies.hibp`
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
- `authentik.policies.hibp`
##### `GET` /policies/event_matcher/
###### Parameters:
Changed: `app` in `query`
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > Event Matcher Policy Serializer
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
- `authentik.policies.hibp`
##### `POST` /propertymappings/scope/
###### Request:
Changed content type : `application/json`
- Changed property `scope_name` (string)
> Scope name requested by the client
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
- Changed property `scope_name` (string)
> Scope name requested by the client
##### `GET` /propertymappings/scope/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > ScopeMapping Serializer
- Changed property `scope_name` (string)
> Scope name requested by the client
##### `POST` /providers/proxy/
###### Request:
Changed content type : `application/json`
- Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
- Added property `jwks_sources` (array)
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
New required properties:
- `client_id`
* Added property `client_id` (string)
* Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
* Added property `jwks_sources` (array)
##### `GET` /providers/proxy/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > ProxyProvider Serializer
New required properties:
- `client_id`
* Added property `client_id` (string)
* Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
* Added property `jwks_sources` (array)
##### `GET` /providers/saml/{id}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New required properties:
- `url_slo_post`
- `url_slo_redirect`
* Added property `url_slo_post` (string)
* Added property `url_slo_redirect` (string)
##### `PUT` /providers/saml/{id}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New required properties:
- `url_slo_post`
- `url_slo_redirect`
* Added property `url_slo_post` (string)
* Added property `url_slo_redirect` (string)
##### `PATCH` /providers/saml/{id}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New required properties:
- `url_slo_post`
- `url_slo_redirect`
* Added property `url_slo_post` (string)
* Added property `url_slo_redirect` (string)
##### `GET` /sources/ldap/{slug}/sync_status/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
Changed items (object): > Serialize TaskInfo and TaskResult
New required properties:
- `task_duration`
* Added property `task_duration` (integer)
##### `POST` /providers/saml/
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
New required properties:
- `url_slo_post`
- `url_slo_redirect`
* Added property `url_slo_post` (string)
* Added property `url_slo_redirect` (string)
##### `GET` /providers/saml/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > SAMLProvider Serializer
New required properties:
- `url_slo_post`
- `url_slo_redirect`
* Added property `url_slo_post` (string)
* Added property `url_slo_redirect` (string)
##### `GET` /sources/oauth/
###### Parameters:
Added: `has_jwks` in `query`
> Only return sources with JWKS data
##### `GET` /stages/user_write/{stage_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Added property `user_creation_mode` (string)
Enum values:
- `never_create`
- `create_when_required`
- `always_create`
- Deleted property `can_create_users` (boolean)
> When set, this stage can create users. If not enabled and no user is available, stage will fail.
##### `PUT` /stages/user_write/{stage_uuid}/
###### Request:
Changed content type : `application/json`
- Added property `user_creation_mode` (string)
- Deleted property `can_create_users` (boolean)
> When set, this stage can create users. If not enabled and no user is available, stage will fail.
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Added property `user_creation_mode` (string)
- Deleted property `can_create_users` (boolean)
> When set, this stage can create users. If not enabled and no user is available, stage will fail.
##### `PATCH` /stages/user_write/{stage_uuid}/
###### Request:
Changed content type : `application/json`
- Added property `user_creation_mode` (string)
- Deleted property `can_create_users` (boolean)
> When set, this stage can create users. If not enabled and no user is available, stage will fail.
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Added property `user_creation_mode` (string)
- Deleted property `can_create_users` (boolean)
> When set, this stage can create users. If not enabled and no user is available, stage will fail.
##### `POST` /stages/user_write/
###### Request:
Changed content type : `application/json`
- Added property `user_creation_mode` (string)
- Deleted property `can_create_users` (boolean)
> When set, this stage can create users. If not enabled and no user is available, stage will fail.
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
- Added property `user_creation_mode` (string)
- Deleted property `can_create_users` (boolean)
> When set, this stage can create users. If not enabled and no user is available, stage will fail.
##### `GET` /stages/user_write/
###### Parameters:
Added: `user_creation_mode` in `query`
Deleted: `can_create_users` in `query`
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > UserWriteStage Serializer
- Added property `user_creation_mode` (string)
- Deleted property `can_create_users` (boolean)
> When set, this stage can create users. If not enabled and no user is available, stage will fail.