rewite some things on the release notes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens Langhammer 2024-01-16 11:36:24 +01:00
parent 15b0952f1b
commit 2225bb3e8e
No known key found for this signature in database

View file

@ -5,6 +5,39 @@ slug: /releases/2024.1
## Breaking changes ## Breaking changes
- Tenants have been renamed to brands
The API endpoints associated with brands have also been renamed.
Blueprints using `authentik_tenants.tenant` will need to be changed to use `authentik_brands.brand`.
- The following config options have been moved from the config file and can now be set using the admin interface (under **System** -> **Settings**) or the API:
- `AUTHENTIK_AVATARS`
- `AUTHENTIK_DEFAULT_USER_CHANGE_NAME`
- `AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL`
- `AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME`
- `AUTHENTIK_GDPR_COMPLIANCE`
- `AUTHENTIK_IMPERSONATION`
- `AUTHENTIK_FOOTER_LINKS`
- `AUTHENTIK_REPUTATION__EXPIRY`
When upgrading to 2024.1, the currently configured options will be automatically migrated to the database, and can be removed from the `.env` or helm values file afterwards.
- Required `offline_access` scope for Refresh tokens
The OAuth2 provider ships with a new default scope called `offline_access`, which must be requested by applications that need a refresh token. Previously, authentik would always issue a refresh token for the _Authorization code_ and _Device code_ OAuth grants.
Applications which require will need their configuration update to include the `offline_access` scope mapping.
- The event retention settings configured in brands (previously tenants, see above) has been removed and is now a system settings, managed in the admin interface or via the API (see above).
There is no built-in migration path for this change. If you set something other than the default (`days=365`), you will need to update the setting in the admin interface.
- authentik now uses PostgreSQL schemas other than `public`.
If you have a custom PostgreSQL deployment, please ensure that the authentik user is allowed to create schemas. Usually, if the authentik user is owner of the database, it already can.
- Removal of deprecated metrics - Removal of deprecated metrics
- `authentik_outpost_flow_timing_get` -> `authentik_outpost_flow_timing_get_seconds` - `authentik_outpost_flow_timing_get` -> `authentik_outpost_flow_timing_get_seconds`
@ -17,47 +50,22 @@ slug: /releases/2024.1
- `authentik_outpost_radius_requests_rejected` -> `authentik_outpost_radius_requests_rejected_total` - `authentik_outpost_radius_requests_rejected` -> `authentik_outpost_radius_requests_rejected_total`
- `authentik_main_requests` -> `authentik_main_request_duration_seconds` - `authentik_main_requests` -> `authentik_main_request_duration_seconds`
- Required `offline_access` scope for Refresh tokens
The OAuth2 provider ships with a new default scope called `offline_access`, which must be requested by applications that need a refresh token. Previously, authentik would always issue a refresh token for the _Authorization code_ and _Device code_ OAuth grants.
Applications which require will need their configuration update to include the `offline_access` scope mapping.
- Tenants have been renamed to brands
The API endpoints associated with brands have also been renamed.
Blueprints using `authentik_tenants.tenant` will need to be changed to use `authentik_brands.brand`.
- The following config options have been removed from the config file and can now be set using the admin interface (under **System** > **Settings**) or the API:
- `avatars`, `AUTHENTIK_AVATARS`
- `default_user_change_name`, `AUTHENTIK_DEFAULT_USER_CHANGE_NAME`
- `default_user_change_email`, `AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL`
- `default_user_change_username`, `AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME`
- `gdpr_compliance`, `AUTHENTIK_GDPR_COMPLIANCE`
- `impersonation`, `AUTHENTIK_IMPERSONATION`
- `footer_links`, `AUTHENTIK_FOOTER_LINKS`
- `reputation_expiry`, `AUTHENTIK_REPUTATION__EXPIRY`
To upgrade, leave those options in your config, then upgrade authentik. The options are now saved in the database and you can remove them from your config.
- The event retention settings configured in brands (previously tenants, see above) has been removed and is now a system settings, managed in the admin interface or via the API (see above).
There is no built-in migration path for this change. If you set something other than the default (`days=365`), you will need to update the setting in the admin interface.
- Icons are now in a `public/` subfolder - Icons are now in a `public/` subfolder
If your media folder is `/media`, icons are now stored in `/media/public`. authentik will automatically migrate the icons upon upgrading. If your media folder is `/media`, icons are now stored in `/media/public`. authentik will automatically migrate the icons upon upgrading.
- The shorthand parameter for `--stage`, `-s` for the `ak test_email` command has been changed to `-S` - The shorthand parameter for `--stage`, `-s` for the `ak test_email` command has been changed to `-S`
- authentik now uses PostgreSQL schemas other than `public`.
If you have a custom PostgreSQL deployment, please ensure that the authentik user is allowed to create schemas. Usually, if the authentik user is owner of the database, it already can.
## New features ## New features
- Tenancy <span class="badge badge--primary">Enterprise</span>
:::warning
This feature is in early preview. Use at your own risk.
:::
It allows for authentik operators to manage several authentik installations without having to deploy additional instances.
- "Pretend user exists" option for Identification stage - "Pretend user exists" option for Identification stage
Previously the identification stage would only continue if a user matching the user identifier exists. While this was the intended functionality, this release adds an option to continue to the next stage even if no matching user was found. "Pretend" users cannot authenticate nor receive emails, and don't exist in the database. **This feature is enabled by default.** Previously the identification stage would only continue if a user matching the user identifier exists. While this was the intended functionality, this release adds an option to continue to the next stage even if no matching user was found. "Pretend" users cannot authenticate nor receive emails, and don't exist in the database. **This feature is enabled by default.**
@ -66,12 +74,6 @@ slug: /releases/2024.1
Media files can now be stored on S3. Follow the [setup guide](../../installation/storage-s3.md) to get started. Media files can now be stored on S3. Follow the [setup guide](../../installation/storage-s3.md) to get started.
- Tenancy
This feature is still in alpha stage. Use at your own risk.
It allows for authentik operators to manage several authentik installations without having to deploy additional instances.
## Upgrading ## Upgrading
This release does not introduce any new requirements. This release does not introduce any new requirements.