---
title: Release 2023.1
slug: "/releases/2023.1"
---

## Breaking changes

-   Deprecated HaveIBeenPwned policy has been removed

    This policy type has been deprecated since 2022.11 and was automatically migrated to the password policy with equivalent options.

## New features

-   SLO Support for SAML provider

    authentik now supports SAML SLO (Single logout).

-   Proxy provider now accepts HTTP Basic and Bearer authentication

    See [Header authentication](../../providers/proxy/header_authentication.md).

-   LDAP provider now works with Code-based MFA stages

    If the configured authentication flow has an authenticator validation stage which allows code-based devices, and the user attempting to log in has a TOTP or Static device, they can enter their password followed by a semicolon and the authenticator code to log in. SMS devices are not supported.
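A sketch of how a service could split such a combined bind secret, added here as an illustration and not authentik's own code. The function name and the accepted code shapes (6 digits, or 8 alphanumeric characters) are assumptions.

```python
import re
from typing import NamedTuple, Optional

SEPARATOR = ";"  # separator named in the release note

# Assumed code shapes (not stated in the release note): 6-digit TOTP codes,
# or 8-character alphanumeric codes for long TOTP / static tokens.
TOTP_RE = re.compile(r"[0-9]{6}")
LONG_RE = re.compile(r"[0-9A-Za-z]{8}")


class BindSecret(NamedTuple):
    password: str
    code: Optional[str]  # None when no authenticator code was appended


def split_bind_secret(secret: str) -> BindSecret:
    """Split an LDAP simple-bind secret of the form '<password>;<code>'.

    The split happens at the LAST separator so that passwords which
    themselves contain semicolons keep working. If the suffix does not
    look like a code, the whole string is treated as the password.
    Note the inherent ambiguity: a plain password that ends in
    ';<six digits>' is indistinguishable from password plus code.
    """
    head, sep, tail = secret.rpartition(SEPARATOR)
    if not sep or not head:
        # No separator at all, or nothing in front of it.
        return BindSecret(secret, None)
    if TOTP_RE.fullmatch(tail) or LONG_RE.fullmatch(tail):
        return BindSecret(head, tail)
    # Trailing separator or a suffix that is not code-shaped.
    return BindSecret(secret, None)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for sample in ("hunter2;123456", "pa;ss;word;654321", "pa;ssword", "hunter2;"):
        parsed = split_bind_secret(sample)
        # Report only whether a code was present; never log the secret itself.
        print(len(sample), "chars, code present:", parsed.code is not None)
```
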

## Upgrading

This release does not introduce any new requirements.

### docker-compose

Download the docker-compose file for 2023.1 from [here](https://goauthentik.io/version/2023.1/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.

### Kubernetes

Update your values to use the new images:

    image:
        repository: ghcr.io/goauthentik/server
        tag: 2023.1.0

## Minor changes/fixes

-   \*: strip leading and trailing whitespace when reading config values from files
-   admin: include task duration in API (#4428)
-   blueprints: Add `!Enumerate`, `!Value` and `!Index` tags (#4338)
-   blueprints: Fix resolve model_name in `!Find` tag (#4371)
-   blueprints: internal storage (#4397)
-   crypto: prevent creation of duplicate self-signed default certs
-   events: rework metrics (#4407)
-   internal: check certificate value and not IsSet
-   internal: fix race condition with config loading on startup, add index on debug server
-   outposts: use common config loader for outposts to support loading values from file
-   policies/hibp: remove deprecated (#4363)
-   providers/ldap: add code-MFA support for ldap provider (#4354)
-   providers/oauth2: correctly fill claims_supported based on selected scopes (#4429)
-   providers/oauth2: don't allow spaces in scope_name
-   providers/proxy: add initial header token auth (#4421)
-   providers/proxy: add tests for proxy basic auth (#4357)
-   providers/saml: initial SLO implementation (#2346)
-   root: show error when geoIP download fails
-   sources/ldap: don't run membership sync if group sync is disabled
-   sources/ldap: make task timeout adjustable
-   sources/ldap: only warn about missing groups when source is configured to sync groups
-   stages/user_write: add more user creation options (#4367)
-   web: add core-js polyfill for safari
-   web: migrate checkbox to switch (#4409)
-   web/admin: fix certificate filtering for LDAP verification certificate
-   web/admin: fix overflow in aggregate cards
-   web/admin: link impersonation user for events
-   web/admin: rework admin dashboard, add more links, remove user and group graphs (#4399)
-   web/admin: show GeoIP information inline in events
-   web/elements: fix pagination page button colours in dark mode
-   web/elements: use correct Action Label for user related events

## API Changes

#### What's Deleted


##### `GET` /policies/haveibeenpwned/

##### `POST` /policies/haveibeenpwned/

##### `GET` /policies/haveibeenpwned/{policy_uuid}/

##### `PUT` /policies/haveibeenpwned/{policy_uuid}/

##### `DELETE` /policies/haveibeenpwned/{policy_uuid}/

##### `PATCH` /policies/haveibeenpwned/{policy_uuid}/

##### `GET` /policies/haveibeenpwned/{policy_uuid}/used_by/

#### What's Changed


##### `GET` /admin/metrics/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `authorizations`
    -   `logins`
    -   `logins_failed`

    New optional properties:

    -   `authorizations_per_1h`
    -   `logins_failed_per_1h`
    -   `logins_per_1h`

    *   Added property `logins` (array)

        Items (object): > Coordinates for diagrams

        -   Property `x_cord` (integer)

        -   Property `y_cord` (integer)

    *   Added property `logins_failed` (array)

    *   Added property `authorizations` (array)

    *   Deleted property `logins_per_1h` (array)

    *   Deleted property `logins_failed_per_1h` (array)

    *   Deleted property `authorizations_per_1h` (array)

##### `GET` /core/users/{id}/metrics/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `authorizations`
    -   `logins`
    -   `logins_failed`

    New optional properties:

    -   `authorizations_per_1h`
    -   `logins_failed_per_1h`
    -   `logins_per_1h`

    *   Added property `logins` (array)

    *   Added property `logins_failed` (array)

    *   Added property `authorizations` (array)

    *   Deleted property `logins_per_1h` (array)

    *   Deleted property `logins_failed_per_1h` (array)

    *   Deleted property `authorizations_per_1h` (array)

##### `GET` /managed/blueprints/{instance_uuid}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New optional properties:

    -   `path`

    *   Added property `content` (string)

##### `PUT` /managed/blueprints/{instance_uuid}/

###### Request:

Changed content type : `application/json`

New optional properties:

-   `path`

*   Added property `content` (string)

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New optional properties:

    -   `path`

    *   Added property `content` (string)

##### `PATCH` /managed/blueprints/{instance_uuid}/

###### Request:

Changed content type : `application/json`

-   Added property `content` (string)

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New optional properties:

    -   `path`

    *   Added property `content` (string)

##### `POST` /managed/blueprints/{instance_uuid}/apply/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New optional properties:

    -   `path`

    *   Added property `content` (string)

##### `GET` /policies/event_matcher/{policy_uuid}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `app` (string)

        > Match events created by selected application. When left empty, all applications are matched.

        Removed enum value:

        -   `authentik.policies.hibp`

##### `PUT` /policies/event_matcher/{policy_uuid}/

###### Request:

Changed content type : `application/json`

-   Changed property `app` (string)

    > Match events created by selected application. When left empty, all applications are matched.

    Removed enum value:

    -   `authentik.policies.hibp`

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `app` (string)

        > Match events created by selected application. When left empty, all applications are matched.

        Removed enum value:

        -   `authentik.policies.hibp`

##### `PATCH` /policies/event_matcher/{policy_uuid}/

###### Request:

Changed content type : `application/json`

-   Changed property `app` (string)

    > Match events created by selected application. When left empty, all applications are matched.

    Removed enum value:

    -   `authentik.policies.hibp`

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `app` (string)

        > Match events created by selected application. When left empty, all applications are matched.

        Removed enum value:

        -   `authentik.policies.hibp`

##### `GET` /propertymappings/scope/{pm_uuid}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `scope_name` (string)
        > Scope name requested by the client

##### `PUT` /propertymappings/scope/{pm_uuid}/

###### Request:

Changed content type : `application/json`

-   Changed property `scope_name` (string)
    > Scope name requested by the client

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `scope_name` (string)
        > Scope name requested by the client

##### `PATCH` /propertymappings/scope/{pm_uuid}/

###### Request:

Changed content type : `application/json`

-   Changed property `scope_name` (string)
    > Scope name requested by the client

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `scope_name` (string)
        > Scope name requested by the client

##### `GET` /providers/proxy/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `client_id`

    *   Added property `client_id` (string)

    *   Added property `jwks_sources` (array)

        Items (string):

##### `PUT` /providers/proxy/{id}/

###### Request:

Changed content type : `application/json`

-   Added property `jwks_sources` (array)

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `client_id`

    *   Added property `client_id` (string)

    *   Added property `jwks_sources` (array)

##### `PATCH` /providers/proxy/{id}/

###### Request:

Changed content type : `application/json`

-   Added property `jwks_sources` (array)

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `client_id`

    *   Added property `client_id` (string)

    *   Added property `jwks_sources` (array)

##### `GET` /admin/system_tasks/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    Changed items (object): > Serialize TaskInfo and TaskResult

    New required properties:

    -   `task_duration`

    *   Added property `task_duration` (integer)

##### `GET` /admin/system_tasks/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `task_duration`

    *   Added property `task_duration` (integer)

##### `POST` /managed/blueprints/

###### Request:

Changed content type : `application/json`

New optional properties:

-   `path`

*   Added property `content` (string)

###### Return Type:

Changed response : **201 Created**

-   Changed content type : `application/json`

    New optional properties:

    -   `path`

    *   Added property `content` (string)

##### `GET` /managed/blueprints/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > Info about a single blueprint instance file

        New optional properties:

        -   `path`

        *   Added property `content` (string)

##### `POST` /policies/event_matcher/

###### Request:

Changed content type : `application/json`

-   Changed property `app` (string)

    > Match events created by selected application. When left empty, all applications are matched.

    Removed enum value:

    -   `authentik.policies.hibp`

###### Return Type:

Changed response : **201 Created**

-   Changed content type : `application/json`

    -   Changed property `app` (string)

        > Match events created by selected application. When left empty, all applications are matched.

        Removed enum value:

        -   `authentik.policies.hibp`

##### `GET` /policies/event_matcher/

###### Parameters:

Changed: `app` in `query`

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > Event Matcher Policy Serializer

        -   Changed property `app` (string)

            > Match events created by selected application. When left empty, all applications are matched.

            Removed enum value:

            -   `authentik.policies.hibp`

##### `POST` /propertymappings/scope/

###### Request:

Changed content type : `application/json`

-   Changed property `scope_name` (string)
    > Scope name requested by the client

###### Return Type:

Changed response : **201 Created**

-   Changed content type : `application/json`

    -   Changed property `scope_name` (string)
        > Scope name requested by the client

##### `GET` /propertymappings/scope/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > ScopeMapping Serializer

        -   Changed property `scope_name` (string)
            > Scope name requested by the client

##### `POST` /providers/proxy/

###### Request:

Changed content type : `application/json`

-   Added property `jwks_sources` (array)

###### Return Type:

Changed response : **201 Created**

-   Changed content type : `application/json`

    New required properties:

    -   `client_id`

    *   Added property `client_id` (string)

    *   Added property `jwks_sources` (array)

##### `GET` /providers/proxy/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > ProxyProvider Serializer

        New required properties:

        -   `client_id`

        *   Added property `client_id` (string)

        *   Added property `jwks_sources` (array)

##### `GET` /providers/saml/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `url_slo_post`
    -   `url_slo_redirect`

    *   Added property `url_slo_post` (string)

    *   Added property `url_slo_redirect` (string)

##### `PUT` /providers/saml/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `url_slo_post`
    -   `url_slo_redirect`

    *   Added property `url_slo_post` (string)

    *   Added property `url_slo_redirect` (string)

##### `PATCH` /providers/saml/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `url_slo_post`
    -   `url_slo_redirect`

    *   Added property `url_slo_post` (string)

    *   Added property `url_slo_redirect` (string)

##### `GET` /sources/ldap/{slug}/sync_status/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    Changed items (object): > Serialize TaskInfo and TaskResult

    New required properties:

    -   `task_duration`

    *   Added property `task_duration` (integer)

##### `POST` /providers/saml/

###### Return Type:

Changed response : **201 Created**

-   Changed content type : `application/json`

    New required properties:

    -   `url_slo_post`
    -   `url_slo_redirect`

    *   Added property `url_slo_post` (string)

    *   Added property `url_slo_redirect` (string)

##### `GET` /providers/saml/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > SAMLProvider Serializer

        New required properties:

        -   `url_slo_post`
        -   `url_slo_redirect`

        *   Added property `url_slo_post` (string)

        *   Added property `url_slo_redirect` (string)

##### `GET` /sources/oauth/

###### Parameters:

Added: `has_jwks` in `query`

> Only return sources with JWKS data

##### `GET` /stages/user_write/{stage_uuid}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Added property `user_creation_mode` (string)

        Enum values:

        -   `never_create`
        -   `create_when_required`
        -   `always_create`

    -   Deleted property `can_create_users` (boolean)
        > When set, this stage can create users. If not enabled and no user is available, stage will fail.

##### `PUT` /stages/user_write/{stage_uuid}/

###### Request:

Changed content type : `application/json`

-   Added property `user_creation_mode` (string)

-   Deleted property `can_create_users` (boolean)
    > When set, this stage can create users. If not enabled and no user is available, stage will fail.

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Added property `user_creation_mode` (string)

    -   Deleted property `can_create_users` (boolean)
        > When set, this stage can create users. If not enabled and no user is available, stage will fail.

##### `PATCH` /stages/user_write/{stage_uuid}/

###### Request:

Changed content type : `application/json`

-   Added property `user_creation_mode` (string)

-   Deleted property `can_create_users` (boolean)
    > When set, this stage can create users. If not enabled and no user is available, stage will fail.

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Added property `user_creation_mode` (string)

    -   Deleted property `can_create_users` (boolean)
        > When set, this stage can create users. If not enabled and no user is available, stage will fail.

##### `POST` /stages/user_write/

###### Request:

Changed content type : `application/json`

-   Added property `user_creation_mode` (string)

-   Deleted property `can_create_users` (boolean)
    > When set, this stage can create users. If not enabled and no user is available, stage will fail.

###### Return Type:

Changed response : **201 Created**

-   Changed content type : `application/json`

    -   Added property `user_creation_mode` (string)

    -   Deleted property `can_create_users` (boolean)
        > When set, this stage can create users. If not enabled and no user is available, stage will fail.

##### `GET` /stages/user_write/

###### Parameters:

Added: `user_creation_mode` in `query`

Deleted: `can_create_users` in `query`

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > UserWriteStage Serializer

        -   Added property `user_creation_mode` (string)

        -   Deleted property `can_create_users` (boolean)
            > When set, this stage can create users. If not enabled and no user is available, stage will fail.