This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/website/docs/releases/2023/v2023.1.md
dependabot[bot] 823e7dbe1a
website: bump the docusaurus group in /website with 3 updates (#7400)
* website: bump the docusaurus group in /website with 3 updates

Bumps the docusaurus group in /website with 3 updates: [@docusaurus/plugin-client-redirects](https://github.com/facebook/docusaurus/tree/HEAD/packages/docusaurus-plugin-client-redirects), [@docusaurus/preset-classic](https://github.com/facebook/docusaurus/tree/HEAD/packages/docusaurus-preset-classic) and [@docusaurus/theme-mermaid](https://github.com/facebook/docusaurus/tree/HEAD/packages/docusaurus-theme-mermaid).


Updates `@docusaurus/plugin-client-redirects` from 2.4.3 to 3.0.0
- [Release notes](https://github.com/facebook/docusaurus/releases)
- [Changelog](https://github.com/facebook/docusaurus/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/docusaurus/commits/v3.0.0/packages/docusaurus-plugin-client-redirects)

Updates `@docusaurus/preset-classic` from 2.4.3 to 3.0.0
- [Release notes](https://github.com/facebook/docusaurus/releases)
- [Changelog](https://github.com/facebook/docusaurus/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/docusaurus/commits/v3.0.0/packages/docusaurus-preset-classic)

Updates `@docusaurus/theme-mermaid` from 2.4.3 to 3.0.0
- [Release notes](https://github.com/facebook/docusaurus/releases)
- [Changelog](https://github.com/facebook/docusaurus/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/docusaurus/commits/v3.0.0/packages/docusaurus-theme-mermaid)

---
updated-dependencies:
- dependency-name: "@docusaurus/plugin-client-redirects"
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: docusaurus
- dependency-name: "@docusaurus/preset-classic"
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: docusaurus
- dependency-name: "@docusaurus/theme-mermaid"
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: docusaurus
...

Signed-off-by: dependabot[bot] <support@github.com>

* update

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* migrate docusaurus config to ts

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix docs-only build

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2023-11-06 15:12:23 +01:00

950 lines
23 KiB
Markdown

---
title: Release 2023.1
slug: "/releases/2023.1"
---
## Breaking changes
- Deprecated HaveIBeenPwned policy has been removed
This policy type has been deprecated since 2022.11 and was automatically migrated to the password policy with equivalent options.
## New features
- SLO Support for SAML provider
authentik now supports SAML SLO (Single logout).
- Proxy provider now accepts HTTP Basic and Bearer authentication
See [Header authentication](../../providers/proxy/header_authentication.md).
- LDAP provider now works with Code-based MFA stages
If the configured authentication flow has an authenticator validation stage which allows code-based devices, and the user attempting to login has a TOTP or Static device, they can enter their password followed by a semicolon and the authenticator code to login. SMS devices are not supported.
## Upgrading
This release does not introduce any new requirements.
### docker-compose
Download the docker-compose file for 2023.1 from [here](https://goauthentik.io/version/2023.1/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
### Kubernetes
Update your values to use the new images:
```yaml
image:
repository: ghcr.io/goauthentik/server
tag: 2023.1.0
```
## Minor changes/fixes
- \*: strip leading and trailing whitespace when reading config values from files
- admin: include task duration in API (#4428)
- blueprints: Add `!Enumerate`, `!Value` and `!Index` tags (#4338)
- blueprints: don't set session_duration in default and example flows (#4448)
- blueprints: Fix resolve model_name in `!Find` tag (#4371)
- blueprints: internal storage (#4397)
- crypto: prevent creation of duplicate self-signed default certs
- events: exclude base models from model audit log
- events: rework metrics (#4407)
- internal: check certificate value and not IsSet
- internal: fix race condition with config loading on startup, add index on debug server
- internal: improve error handling
- outposts: use common config loader for outposts to support loading values from file
- outposts/ldap: decrease verbosity
- outposts/proxy: add header to prevent redirects
- outposts/proxy: allow setting no-redirect via header or query param
- outposts/proxy: cache basic and bearer credentials for one minute
- outposts/proxy: fix error handling, remove requirement for profile/etc scopes
- outposts/proxy: make logged user more consistent, set FlushInterval
- outposts/proxy: set http code when no redirect header is set
- polices/hibp: remove deprecated (#4363)
- providers/ldap: add code-MFA support for ldap provider (#4354)
- providers/oauth2: correctly fill claims_supported based on selected scopes (#4429)
- providers/oauth2: don't allow spaces in scope_name
- providers/oauth2: fallback to anonymous user for policy engine
- providers/oauth2: use guardian anonymous user to get claims for provider info
- providers/proxy: add initial header token auth (#4421)
- providers/proxy: add setting to intercept authorization header (#4457)
- providers/proxy: add tests for proxy basic auth (#4357)
- providers/saml: initial SLO implementation (#2346)
- root: show error when geoIP download fails
- sources/ldap: don't run membership sync if group sync is disabled
- sources/ldap: make task timeout adjustable
- sources/ldap: manual import (#4456)
- sources/ldap: only warn about missing groups when source is configured to sync groups
- stages/user_write: add more user creation options (#4367)
- web: add core-js polyfill for safari
- web: ensure img tags have alt attributes
- web: fix radio label code in dark mode
- web: fix scrollbar corner color in dark mode
- web: migrate checkbox to switch (#4409)
- web/admin: better show dev build
- web/admin: fix certificate filtering for LDAP verification certificate
- web/admin: fix overflow in aggregate cards
- web/admin: link impersonation user for events
- web/admin: rework admin dashboard, add more links, remove user and group graphs (#4399)
- web/admin: show GeoIP information inline in events
- web/elements: fix pagination page button colours in dark mode
- web/elements: use correct Action Label for user related events
## Fixed in 2023.1.1
- add tests to prevent empty SAN
- blueprints: fix OOB email field overwriting user settings email field
- ci: build beta for amd64 and arm64 (#4468)
- crypto: ensure we don't generate an empty SAN certificate
- crypto: fallback when no SAN values are given
- outposts/ldap: fix queries filtering objectClass with non-lowercase values
- outposts/proxy: fix panic due to IsSet misbehaving
- providers/oauth2: more x5c and ecdsa x/y tests (#4463)
- providers/proxy: fix issuer for embedded outpost (#4480)
- sources/ldap: add e2e LDAP source tests (#4462)
- stages: always use get_pending_user instead of getting context user
- stages/authenticator_sms: fix code not being sent when phone_number is in context
- web/admin: don't enable execution logging by default
- web/admin: improve display of rule severity
- web/admin: improve display of system task exception
- web/admin: link group of notification rule
- web/elements: fix pf-c-switch not rendering correctly in pure tables
- web/elements: fix SearchSelect not working on safari
- web/flows: fix flow executor background overlay in safari
## Fixed in 2023.1.2
- stages/user_write: fix migration setting wrong value, fix form
## Fixed in 2023.1.3
- \*: fix [CVE-2023-26481](../security/CVE-2023-26481), Reported by [@fuomag9](https://github.com/fuomag9)
## API Changes
#### What's Deleted
---
##### `GET` /policies/haveibeenpwned/
##### `POST` /policies/haveibeenpwned/
##### `GET` /policies/haveibeenpwned/&#123;policy_uuid&#125;/
##### `PUT` /policies/haveibeenpwned/&#123;policy_uuid&#125;/
##### `DELETE` /policies/haveibeenpwned/&#123;policy_uuid&#125;/
##### `PATCH` /policies/haveibeenpwned/&#123;policy_uuid&#125;/
##### `GET` /policies/haveibeenpwned/&#123;policy_uuid&#125;/used_by/
#### What's Changed
---
##### `GET` /admin/metrics/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New required properties:
- `authorizations`
- `logins`
- `logins_failed`
New optional properties:
- `authorizations_per_1h`
- `logins_failed_per_1h`
- `logins_per_1h`
* Added property `logins` (array)
Items (object): > Coordinates for diagrams
- Property `x_cord` (integer)
- Property `y_cord` (integer)
* Added property `logins_failed` (array)
* Added property `authorizations` (array)
* Deleted property `logins_per_1h` (array)
* Deleted property `logins_failed_per_1h` (array)
* Deleted property `authorizations_per_1h` (array)
##### `GET` /core/users/&#123;id&#125;/metrics/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New required properties:
- `authorizations`
- `logins`
- `logins_failed`
New optional properties:
- `authorizations_per_1h`
- `logins_failed_per_1h`
- `logins_per_1h`
* Added property `logins` (array)
* Added property `logins_failed` (array)
* Added property `authorizations` (array)
* Deleted property `logins_per_1h` (array)
* Deleted property `logins_failed_per_1h` (array)
* Deleted property `authorizations_per_1h` (array)
##### `GET` /managed/blueprints/&#123;instance_uuid&#125;/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `path`
* Added property `content` (string)
##### `PUT` /managed/blueprints/&#123;instance_uuid&#125;/
###### Request:
Changed content type : `application/json`
New optional properties:
- `path`
* Added property `content` (string)
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `path`
* Added property `content` (string)
##### `PATCH` /managed/blueprints/&#123;instance_uuid&#125;/
###### Request:
Changed content type : `application/json`
- Added property `content` (string)
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `path`
* Added property `content` (string)
##### `POST` /managed/blueprints/&#123;instance_uuid&#125;/apply/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `path`
* Added property `content` (string)
##### `GET` /outposts/proxy/&#123;id&#125;/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
##### `GET` /policies/event_matcher/&#123;policy_uuid&#125;/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
- `authentik.policies.hibp`
##### `PUT` /policies/event_matcher/&#123;policy_uuid&#125;/
###### Request:
Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
- `authentik.policies.hibp`
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
- `authentik.policies.hibp`
##### `PATCH` /policies/event_matcher/&#123;policy_uuid&#125;/
###### Request:
Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
- `authentik.policies.hibp`
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
- `authentik.policies.hibp`
##### `GET` /propertymappings/scope/&#123;pm_uuid&#125;/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `scope_name` (string)
> Scope name requested by the client
##### `PUT` /propertymappings/scope/&#123;pm_uuid&#125;/
###### Request:
Changed content type : `application/json`
- Changed property `scope_name` (string)
> Scope name requested by the client
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `scope_name` (string)
> Scope name requested by the client
##### `PATCH` /propertymappings/scope/&#123;pm_uuid&#125;/
###### Request:
Changed content type : `application/json`
- Changed property `scope_name` (string)
> Scope name requested by the client
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `scope_name` (string)
> Scope name requested by the client
##### `GET` /providers/proxy/&#123;id&#125;/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New required properties:
- `client_id`
* Added property `client_id` (string)
* Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
* Added property `jwks_sources` (array)
Items (string):
##### `PUT` /providers/proxy/&#123;id&#125;/
###### Request:
Changed content type : `application/json`
- Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
- Added property `jwks_sources` (array)
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New required properties:
- `client_id`
* Added property `client_id` (string)
* Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
* Added property `jwks_sources` (array)
##### `PATCH` /providers/proxy/&#123;id&#125;/
###### Request:
Changed content type : `application/json`
- Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
- Added property `jwks_sources` (array)
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New required properties:
- `client_id`
* Added property `client_id` (string)
* Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
* Added property `jwks_sources` (array)
##### `GET` /admin/system_tasks/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
Changed items (object): > Serialize TaskInfo and TaskResult
New required properties:
- `task_duration`
* Added property `task_duration` (integer)
##### `GET` /admin/system_tasks/&#123;id&#125;/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New required properties:
- `task_duration`
* Added property `task_duration` (integer)
##### `POST` /managed/blueprints/
###### Request:
Changed content type : `application/json`
New optional properties:
- `path`
* Added property `content` (string)
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
New optional properties:
- `path`
* Added property `content` (string)
##### `GET` /managed/blueprints/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > Info about a single blueprint instance file
New optional properties:
- `path`
* Added property `content` (string)
##### `GET` /outposts/proxy/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > Proxy provider serializer for outposts
- Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
##### `POST` /policies/event_matcher/
###### Request:
Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
- `authentik.policies.hibp`
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
- `authentik.policies.hibp`
##### `GET` /policies/event_matcher/
###### Parameters:
Changed: `app` in `query`
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > Event Matcher Policy Serializer
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Removed enum value:
- `authentik.policies.hibp`
##### `POST` /propertymappings/scope/
###### Request:
Changed content type : `application/json`
- Changed property `scope_name` (string)
> Scope name requested by the client
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
- Changed property `scope_name` (string)
> Scope name requested by the client
##### `GET` /propertymappings/scope/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > ScopeMapping Serializer
- Changed property `scope_name` (string)
> Scope name requested by the client
##### `POST` /providers/proxy/
###### Request:
Changed content type : `application/json`
- Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
- Added property `jwks_sources` (array)
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
New required properties:
- `client_id`
* Added property `client_id` (string)
* Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
* Added property `jwks_sources` (array)
##### `GET` /providers/proxy/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > ProxyProvider Serializer
New required properties:
- `client_id`
* Added property `client_id` (string)
* Added property `intercept_header_auth` (boolean)
> When enabled, this provider will intercept the authorization header and authenticate requests based on its value.
* Added property `jwks_sources` (array)
##### `GET` /providers/saml/&#123;id&#125;/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New required properties:
- `url_slo_post`
- `url_slo_redirect`
* Added property `url_slo_post` (string)
* Added property `url_slo_redirect` (string)
##### `PUT` /providers/saml/&#123;id&#125;/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New required properties:
- `url_slo_post`
- `url_slo_redirect`
* Added property `url_slo_post` (string)
* Added property `url_slo_redirect` (string)
##### `PATCH` /providers/saml/&#123;id&#125;/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New required properties:
- `url_slo_post`
- `url_slo_redirect`
* Added property `url_slo_post` (string)
* Added property `url_slo_redirect` (string)
##### `GET` /sources/ldap/&#123;slug&#125;/sync_status/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
Changed items (object): > Serialize TaskInfo and TaskResult
New required properties:
- `task_duration`
* Added property `task_duration` (integer)
##### `POST` /providers/saml/
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
New required properties:
- `url_slo_post`
- `url_slo_redirect`
* Added property `url_slo_post` (string)
* Added property `url_slo_redirect` (string)
##### `GET` /providers/saml/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > SAMLProvider Serializer
New required properties:
- `url_slo_post`
- `url_slo_redirect`
* Added property `url_slo_post` (string)
* Added property `url_slo_redirect` (string)
##### `GET` /sources/oauth/
###### Parameters:
Added: `has_jwks` in `query`
> Only return sources with JWKS data
##### `GET` /stages/user_write/&#123;stage_uuid&#125;/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Added property `user_creation_mode` (string)
Enum values:
- `never_create`
- `create_when_required`
- `always_create`
- Deleted property `can_create_users` (boolean)
> When set, this stage can create users. If not enabled and no user is available, stage will fail.
##### `PUT` /stages/user_write/&#123;stage_uuid&#125;/
###### Request:
Changed content type : `application/json`
- Added property `user_creation_mode` (string)
- Deleted property `can_create_users` (boolean)
> When set, this stage can create users. If not enabled and no user is available, stage will fail.
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Added property `user_creation_mode` (string)
- Deleted property `can_create_users` (boolean)
> When set, this stage can create users. If not enabled and no user is available, stage will fail.
##### `PATCH` /stages/user_write/&#123;stage_uuid&#125;/
###### Request:
Changed content type : `application/json`
- Added property `user_creation_mode` (string)
- Deleted property `can_create_users` (boolean)
> When set, this stage can create users. If not enabled and no user is available, stage will fail.
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Added property `user_creation_mode` (string)
- Deleted property `can_create_users` (boolean)
> When set, this stage can create users. If not enabled and no user is available, stage will fail.
##### `POST` /stages/user_write/
###### Request:
Changed content type : `application/json`
- Added property `user_creation_mode` (string)
- Deleted property `can_create_users` (boolean)
> When set, this stage can create users. If not enabled and no user is available, stage will fail.
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
- Added property `user_creation_mode` (string)
- Deleted property `can_create_users` (boolean)
> When set, this stage can create users. If not enabled and no user is available, stage will fail.
##### `GET` /stages/user_write/
###### Parameters:
Added: `user_creation_mode` in `query`
Deleted: `can_create_users` in `query`
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > UserWriteStage Serializer
- Added property `user_creation_mode` (string)
- Deleted property `can_create_users` (boolean)
> When set, this stage can create users. If not enabled and no user is available, stage will fail.