---
title: Release 2023.1
slug: "/releases/2023.1"
---

## Breaking changes

-   Deprecated HaveIBeenPwned policy has been removed

    This policy type has been deprecated since 2022.11 and was automatically migrated to the password policy with equivalent options.

## New features

-   SLO Support for SAML provider

    authentik now supports SAML SLO (Single logout).

-   Proxy provider now accepts HTTP Basic and Bearer authentication

    See [Header authentication](../../providers/proxy/header_authentication.md).

-   LDAP provider now works with Code-based MFA stages

    If the configured authentication flow has an authenticator validation stage which allows code-based devices, and the user attempting to login has a TOTP or Static device, they can enter their password followed by a semicolon and the authenticator code to login. SMS devices are not supported.

## Upgrading

This release does not introduce any new requirements.

### docker-compose

Download the docker-compose file for 2023.1 from [here](https://goauthentik.io/version/2023.1/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.

### Kubernetes

Update your values to use the new images:

```yaml
image:
    repository: ghcr.io/goauthentik/server
    tag: 2023.1.0
```

## Minor changes/fixes

-   \*: strip leading and trailing whitespace when reading config values from files
-   admin: include task duration in API (#4428)
-   blueprints: Add `!Enumerate`, `!Value` and `!Index` tags (#4338)
-   blueprints: don't set session_duration in default and example flows (#4448)
-   blueprints: Fix resolve model_name in `!Find` tag (#4371)
-   blueprints: internal storage (#4397)
-   crypto: prevent creation of duplicate self-signed default certs
-   events: exclude base models from model audit log
-   events: rework metrics (#4407)
-   internal: check certificate value and not IsSet
-   internal: fix race condition with config loading on startup, add index on debug server
-   internal: improve error handling
-   outposts: use common config loader for outposts to support loading values from file
-   outposts/ldap: decrease verbosity
-   outposts/proxy: add header to prevent redirects
-   outposts/proxy: allow setting no-redirect via header or query param
-   outposts/proxy: cache basic and bearer credentials for one minute
-   outposts/proxy: fix error handling, remove requirement for profile/etc scopes
-   outposts/proxy: make logged user more consistent, set FlushInterval
-   outposts/proxy: set http code when no redirect header is set
-   polices/hibp: remove deprecated (#4363)
-   providers/ldap: add code-MFA support for ldap provider (#4354)
-   providers/oauth2: correctly fill claims_supported based on selected scopes (#4429)
-   providers/oauth2: don't allow spaces in scope_name
-   providers/oauth2: fallback to anonymous user for policy engine
-   providers/oauth2: use guardian anonymous user to get claims for provider info
-   providers/proxy: add initial header token auth (#4421)
-   providers/proxy: add setting to intercept authorization header (#4457)
-   providers/proxy: add tests for proxy basic auth (#4357)
-   providers/saml: initial SLO implementation (#2346)
-   root: show error when geoIP download fails
-   sources/ldap: don't run membership sync if group sync is disabled
-   sources/ldap: make task timeout adjustable
-   sources/ldap: manual import (#4456)
-   sources/ldap: only warn about missing groups when source is configured to sync groups
-   stages/user_write: add more user creation options (#4367)
-   web: add core-js polyfill for safari
-   web: ensure img tags have alt attributes
-   web: fix radio label code in dark mode
-   web: fix scrollbar corner color in dark mode
-   web: migrate checkbox to switch (#4409)
-   web/admin: better show dev build
-   web/admin: fix certificate filtering for LDAP verification certificate
-   web/admin: fix overflow in aggregate cards
-   web/admin: link impersonation user for events
-   web/admin: rework admin dashboard, add more links, remove user and group graphs (#4399)
-   web/admin: show GeoIP information inline in events
-   web/elements: fix pagination page button colours in dark mode
-   web/elements: use correct Action Label for user related events

## Fixed in 2023.1.1

-   add tests to prevent empty SAN
-   blueprints: fix OOB email field overwriting user settings email field
-   ci: build beta for amd64 and arm64 (#4468)
-   crypto: ensure we don't generate an empty SAN certificate
-   crypto: fallback when no SAN values are given
-   outposts/ldap: fix queries filtering objectClass with non-lowercase values
-   outposts/proxy: fix panic due to IsSet misbehaving
-   providers/oauth2: more x5c and ecdsa x/y tests (#4463)
-   providers/proxy: fix issuer for embedded outpost (#4480)
-   sources/ldap: add e2e LDAP source tests (#4462)
-   stages: always use get_pending_user instead of getting context user
-   stages/authenticator_sms: fix code not being sent when phone_number is in context
-   web/admin: don't enable execution logging by default
-   web/admin: improve display of rule severity
-   web/admin: improve display of system task exception
-   web/admin: link group of notification rule
-   web/elements: fix pf-c-switch not rendering correctly in pure tables
-   web/elements: fix SearchSelect not working on safari
-   web/flows: fix flow executor background overlay in safari

## Fixed in 2023.1.2

-   stages/user_write: fix migration setting wrong value, fix form

## Fixed in 2023.1.3

-   \*: fix [CVE-2023-26481](../security/CVE-2023-26481), Reported by [@fuomag9](https://github.com/fuomag9)

## API Changes

#### What's Deleted

---

##### `GET` /policies/haveibeenpwned/

##### `POST` /policies/haveibeenpwned/

##### `GET` /policies/haveibeenpwned/{policy_uuid}/

##### `PUT` /policies/haveibeenpwned/{policy_uuid}/

##### `DELETE` /policies/haveibeenpwned/{policy_uuid}/

##### `PATCH` /policies/haveibeenpwned/{policy_uuid}/

##### `GET` /policies/haveibeenpwned/{policy_uuid}/used_by/

#### What's Changed

---

##### `GET` /admin/metrics/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `authorizations`
    -   `logins`
    -   `logins_failed`

    New optional properties:

    -   `authorizations_per_1h`
    -   `logins_failed_per_1h`
    -   `logins_per_1h`

    *   Added property `logins` (array)

        Items (object): > Coordinates for diagrams

        -   Property `x_cord` (integer)

        -   Property `y_cord` (integer)

    *   Added property `logins_failed` (array)

    *   Added property `authorizations` (array)

    *   Deleted property `logins_per_1h` (array)

    *   Deleted property `logins_failed_per_1h` (array)

    *   Deleted property `authorizations_per_1h` (array)

##### `GET` /core/users/{id}/metrics/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `authorizations`
    -   `logins`
    -   `logins_failed`

    New optional properties:

    -   `authorizations_per_1h`
    -   `logins_failed_per_1h`
    -   `logins_per_1h`

    *   Added property `logins` (array)

    *   Added property `logins_failed` (array)

    *   Added property `authorizations` (array)

    *   Deleted property `logins_per_1h` (array)

    *   Deleted property `logins_failed_per_1h` (array)

    *   Deleted property `authorizations_per_1h` (array)

##### `GET` /managed/blueprints/{instance_uuid}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New optional properties:

    -   `path`

    *   Added property `content` (string)

##### `PUT` /managed/blueprints/{instance_uuid}/

###### Request:

Changed content type : `application/json`

New optional properties:

-   `path`

*   Added property `content` (string)

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New optional properties:

    -   `path`

    *   Added property `content` (string)

##### `PATCH` /managed/blueprints/{instance_uuid}/

###### Request:

Changed content type : `application/json`

-   Added property `content` (string)

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New optional properties:

    -   `path`

    *   Added property `content` (string)

##### `POST` /managed/blueprints/{instance_uuid}/apply/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New optional properties:

    -   `path`

    *   Added property `content` (string)

##### `GET` /outposts/proxy/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Added property `intercept_header_auth` (boolean)
        > When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

##### `GET` /policies/event_matcher/{policy_uuid}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `app` (string)

        > Match events created by selected application. When left empty, all applications are matched.

        Removed enum value:

        -   `authentik.policies.hibp`

##### `PUT` /policies/event_matcher/{policy_uuid}/

###### Request:

Changed content type : `application/json`

-   Changed property `app` (string)

    > Match events created by selected application. When left empty, all applications are matched.

    Removed enum value:

    -   `authentik.policies.hibp`

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `app` (string)

        > Match events created by selected application. When left empty, all applications are matched.

        Removed enum value:

        -   `authentik.policies.hibp`

##### `PATCH` /policies/event_matcher/{policy_uuid}/

###### Request:

Changed content type : `application/json`

-   Changed property `app` (string)

    > Match events created by selected application. When left empty, all applications are matched.

    Removed enum value:

    -   `authentik.policies.hibp`

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `app` (string)

        > Match events created by selected application. When left empty, all applications are matched.

        Removed enum value:

        -   `authentik.policies.hibp`

##### `GET` /propertymappings/scope/{pm_uuid}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `scope_name` (string)
        > Scope name requested by the client

##### `PUT` /propertymappings/scope/{pm_uuid}/

###### Request:

Changed content type : `application/json`

-   Changed property `scope_name` (string)
    > Scope name requested by the client

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `scope_name` (string)
        > Scope name requested by the client

##### `PATCH` /propertymappings/scope/{pm_uuid}/

###### Request:

Changed content type : `application/json`

-   Changed property `scope_name` (string)
    > Scope name requested by the client

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `scope_name` (string)
        > Scope name requested by the client

##### `GET` /providers/proxy/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `client_id`

    *   Added property `client_id` (string)

    *   Added property `intercept_header_auth` (boolean)

        > When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

    *   Added property `jwks_sources` (array)

        Items (string):

##### `PUT` /providers/proxy/{id}/

###### Request:

Changed content type : `application/json`

-   Added property `intercept_header_auth` (boolean)

    > When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

-   Added property `jwks_sources` (array)

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `client_id`

    *   Added property `client_id` (string)

    *   Added property `intercept_header_auth` (boolean)

        > When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

    *   Added property `jwks_sources` (array)

##### `PATCH` /providers/proxy/{id}/

###### Request:

Changed content type : `application/json`

-   Added property `intercept_header_auth` (boolean)

    > When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

-   Added property `jwks_sources` (array)

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `client_id`

    *   Added property `client_id` (string)

    *   Added property `intercept_header_auth` (boolean)

        > When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

    *   Added property `jwks_sources` (array)

##### `GET` /admin/system_tasks/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    Changed items (object): > Serialize TaskInfo and TaskResult

    New required properties:

    -   `task_duration`

    *   Added property `task_duration` (integer)

##### `GET` /admin/system_tasks/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `task_duration`

    *   Added property `task_duration` (integer)

##### `POST` /managed/blueprints/

###### Request:

Changed content type : `application/json`

New optional properties:

-   `path`

*   Added property `content` (string)

###### Return Type:

Changed response : **201 Created**

-   Changed content type : `application/json`

    New optional properties:

    -   `path`

    *   Added property `content` (string)

##### `GET` /managed/blueprints/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > Info about a single blueprint instance file

        New optional properties:

        -   `path`

        *   Added property `content` (string)

##### `GET` /outposts/proxy/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > Proxy provider serializer for outposts

        -   Added property `intercept_header_auth` (boolean)
            > When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

##### `POST` /policies/event_matcher/

###### Request:

Changed content type : `application/json`

-   Changed property `app` (string)

    > Match events created by selected application. When left empty, all applications are matched.

    Removed enum value:

    -   `authentik.policies.hibp`

###### Return Type:

Changed response : **201 Created**

-   Changed content type : `application/json`

    -   Changed property `app` (string)

        > Match events created by selected application. When left empty, all applications are matched.

        Removed enum value:

        -   `authentik.policies.hibp`

##### `GET` /policies/event_matcher/

###### Parameters:

Changed: `app` in `query`

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > Event Matcher Policy Serializer

        -   Changed property `app` (string)

            > Match events created by selected application. When left empty, all applications are matched.

            Removed enum value:

            -   `authentik.policies.hibp`

##### `POST` /propertymappings/scope/

###### Request:

Changed content type : `application/json`

-   Changed property `scope_name` (string)
    > Scope name requested by the client

###### Return Type:

Changed response : **201 Created**

-   Changed content type : `application/json`

    -   Changed property `scope_name` (string)
        > Scope name requested by the client

##### `GET` /propertymappings/scope/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > ScopeMapping Serializer

        -   Changed property `scope_name` (string)
            > Scope name requested by the client

##### `POST` /providers/proxy/

###### Request:

Changed content type : `application/json`

-   Added property `intercept_header_auth` (boolean)

    > When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

-   Added property `jwks_sources` (array)

###### Return Type:

Changed response : **201 Created**

-   Changed content type : `application/json`

    New required properties:

    -   `client_id`

    *   Added property `client_id` (string)

    *   Added property `intercept_header_auth` (boolean)

        > When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

    *   Added property `jwks_sources` (array)

##### `GET` /providers/proxy/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > ProxyProvider Serializer

        New required properties:

        -   `client_id`

        *   Added property `client_id` (string)

        *   Added property `intercept_header_auth` (boolean)

            > When enabled, this provider will intercept the authorization header and authenticate requests based on its value.

        *   Added property `jwks_sources` (array)

##### `GET` /providers/saml/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `url_slo_post`
    -   `url_slo_redirect`

    *   Added property `url_slo_post` (string)

    *   Added property `url_slo_redirect` (string)

##### `PUT` /providers/saml/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `url_slo_post`
    -   `url_slo_redirect`

    *   Added property `url_slo_post` (string)

    *   Added property `url_slo_redirect` (string)

##### `PATCH` /providers/saml/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `url_slo_post`
    -   `url_slo_redirect`

    *   Added property `url_slo_post` (string)

    *   Added property `url_slo_redirect` (string)

##### `GET` /sources/ldap/{slug}/sync_status/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    Changed items (object): > Serialize TaskInfo and TaskResult

    New required properties:

    -   `task_duration`

    *   Added property `task_duration` (integer)

##### `POST` /providers/saml/

###### Return Type:

Changed response : **201 Created**

-   Changed content type : `application/json`

    New required properties:

    -   `url_slo_post`
    -   `url_slo_redirect`

    *   Added property `url_slo_post` (string)

    *   Added property `url_slo_redirect` (string)

##### `GET` /providers/saml/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > SAMLProvider Serializer

        New required properties:

        -   `url_slo_post`
        -   `url_slo_redirect`

        *   Added property `url_slo_post` (string)

        *   Added property `url_slo_redirect` (string)

##### `GET` /sources/oauth/

###### Parameters:

Added: `has_jwks` in `query`

> Only return sources with JWKS data

##### `GET` /stages/user_write/{stage_uuid}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Added property `user_creation_mode` (string)

        Enum values:

        -   `never_create`
        -   `create_when_required`
        -   `always_create`

    -   Deleted property `can_create_users` (boolean)
        > When set, this stage can create users. If not enabled and no user is available, stage will fail.

##### `PUT` /stages/user_write/{stage_uuid}/

###### Request:

Changed content type : `application/json`

-   Added property `user_creation_mode` (string)

-   Deleted property `can_create_users` (boolean)
    > When set, this stage can create users. If not enabled and no user is available, stage will fail.

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Added property `user_creation_mode` (string)

    -   Deleted property `can_create_users` (boolean)
        > When set, this stage can create users. If not enabled and no user is available, stage will fail.

##### `PATCH` /stages/user_write/{stage_uuid}/

###### Request:

Changed content type : `application/json`

-   Added property `user_creation_mode` (string)

-   Deleted property `can_create_users` (boolean)
    > When set, this stage can create users. If not enabled and no user is available, stage will fail.

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Added property `user_creation_mode` (string)

    -   Deleted property `can_create_users` (boolean)
        > When set, this stage can create users. If not enabled and no user is available, stage will fail.

##### `POST` /stages/user_write/

###### Request:

Changed content type : `application/json`

-   Added property `user_creation_mode` (string)

-   Deleted property `can_create_users` (boolean)
    > When set, this stage can create users. If not enabled and no user is available, stage will fail.

###### Return Type:

Changed response : **201 Created**

-   Changed content type : `application/json`

    -   Added property `user_creation_mode` (string)

    -   Deleted property `can_create_users` (boolean)
        > When set, this stage can create users. If not enabled and no user is available, stage will fail.

##### `GET` /stages/user_write/

###### Parameters:

Added: `user_creation_mode` in `query`

Deleted: `can_create_users` in `query`

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > UserWriteStage Serializer

        -   Added property `user_creation_mode` (string)

        -   Deleted property `can_create_users` (boolean)
            > When set, this stage can create users. If not enabled and no user is available, stage will fail.