62af5b2dd3
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
184 lines
8.5 KiB
Markdown
184 lines
8.5 KiB
Markdown
---
|
|
title: Release 2021.9
|
|
slug: "2021.9"
|
|
---
|
|
|
|
## Headline Changes
|
|
|
|
- Split user interface
|
|
|
|
This release splits the administration interface from the end-user interface. This makes things clearer for end-users, as all their options are layed out more clearly.
|
|
|
|
Additionally, the new end-user interface will be more customisable than the admin interface, allowing Administrators to configure what their users can see.
|
|
|
|
The admin interface remains the same, and familiar buttons will redirect you between interfaces.
|
|
|
|
- New proxy
|
|
|
|
The proxy outpost has been rewritten from scratch. This replaces the old proxy, which was based on oauth2_proxy. The new proxy allows us a much greater degree of flexibility, is much lighter and reports errors better.
|
|
|
|
When using a managed outpost, authentik will automatically upgrade to the new proxy outpost. The embedded outpost also uses the new proxy.
|
|
|
|
authentik also now deploys ServiceMonitor CRDs in your Kubernetes cluster (when possibly), to record the metrics of the outposts.
|
|
|
|
If you're using a manually deployed outpost, keep in mind that the ports change to 9000 and 9443 instead of 4180 and 4443
|
|
|
|
- New metrics
|
|
|
|
This version introduces new and simplified Prometheus metrics. There is a new common monitoring port across the server and all outposts, 9300. This port requires no authentication, making it easier to configure.
|
|
|
|
For the core application, this endpoint contains metrics for both authentik and the inbuilt outpost.
|
|
|
|
## Minor changes
|
|
|
|
- *: use common user agent for all outgoing requests
|
|
- admin: migrate to new update check, add option to disable update check
|
|
- api: add additional filters for ldap and proxy providers
|
|
- core: optimise groups api by removing member superuser status
|
|
- core: remove ?v from static files
|
|
- events: add mark_all_seen
|
|
- events: allow setting a mapping for webhook transport to customise request payloads
|
|
- internal: fix font loading errors on safari
|
|
- lifecycle: fix worker startup error when docker socket's group is not called docker
|
|
- outpost: fix spans being sent without parent context
|
|
- outpost: update global outpost config on refresh
|
|
- outposts: add expected outpost replica count to metrics
|
|
- outposts/controllers: re-create service when mismatched ports to prevent errors
|
|
- outposts/controllers/kubernetes: don't create service monitor for embedded outpost
|
|
- outposts/ldap: improve logging of client IPs
|
|
- policies/password: fix symbols not being checked correctly
|
|
- root: include authentik version in backup naming
|
|
- root: show location header in logs when redirecting
|
|
- sources/oauth: prevent potentially confidential data from being logged
|
|
- stages/authenticator_duo: add API to "import" devices from duo
|
|
- stages/identification: fix empty user_fields query returning first user
|
|
- tenants: optimise db queries in middleware
|
|
- web: allow duplicate messages
|
|
- web: ignore network error
|
|
- web/admin: fix notification clear all not triggering render
|
|
- web/admin: fix user selection in token form
|
|
- web/admin: increase default expiry for refresh tokens
|
|
- web/admin: show applications instead of providers in outpost form
|
|
- web/flows: fix display error when using IdentificationStage without input fields
|
|
|
|
## Fixed in 2021.9.1-rc2
|
|
|
|
- core: fix token expiry for service accounts being only 30 minutes
|
|
- outposts: add consistent name and type to metrics
|
|
- outposts/proxy: remove deprecated rs256
|
|
- policies: improve error handling when using bindings without policy
|
|
- providers/saml: improved error handling
|
|
- stages/email: don't crash when testing stage does not exist
|
|
- web: update background image
|
|
|
|
## Fixed in 2021.9.1-rc3
|
|
|
|
- core: allow admins to create tokens with all parameters, re-add user to token form
|
|
- core: fix tokens not being viewable but superusers
|
|
- root: log failed celery tasks to event log
|
|
- sources/ldap: bump timeout, run each sync component in its own task
|
|
- sources/ldap: improve messages of sync tasks in UI
|
|
- sources/ldap: prevent error when retrying old system task with no arguments
|
|
- web: fix datetime-local fields throwing errors on firefox
|
|
- web: fix text colour in delete form in dark mode
|
|
- web: improve display of action buttons with non-primary classes
|
|
- web/admin: fix error in firefox when creating token
|
|
- web/admin: fix ldap sync status for new API
|
|
- web/admin: fix settings link on user avatar
|
|
- web/admin: trigger refresh after syncing ldap
|
|
- web/user: add auto-focus search for applications
|
|
- web/user: add missing stop impersonation button
|
|
- web/user: fix edit button for applications
|
|
- web/user: fix final redirect after stage setup
|
|
- web/user: optimise load, fix unread status for notifications
|
|
|
|
## Fixed in 2021.9.1
|
|
|
|
- api: disable include_format_suffixes
|
|
- core: fix token identifier not being slugified when created with user-controller input
|
|
- outposts: don't map port 9300 on docker, only expose port
|
|
- outposts: don't restart container when health checks are starting
|
|
- outposts/ldap: allow custom attributes to shadow built-in attributes
|
|
- policies/expression: add ak_user_has_authenticator
|
|
- root: use tagged go client version
|
|
- stages/email: don't throw 404 when token can't be found
|
|
- stages/email: slugify token identifier
|
|
- stages/email: use different query arguments for email and invitation tokens
|
|
- web: fix notification badge not refreshing after clearing notifications
|
|
|
|
## Fixed in 2021.9.2
|
|
|
|
- api: add logging to sentry proxy
|
|
- internal: add asset paths for user interface
|
|
- web: fix import order of polyfills causing shadydom to not work on firefox and safari
|
|
- web/user: enable sentry
|
|
|
|
## Fixed in 2021.9.3
|
|
|
|
- core: fix api return code for user self-update
|
|
- events: add additional validation for event transport
|
|
- outposts: ensure service is always re-created with mismatching ports
|
|
- outposts: fix outposts not correctly updating central state
|
|
- outposts: make AUTHENTIK_HOST_BROWSER configurable from central config
|
|
- outposts/proxy: ensure cookies only last as long as tokens
|
|
- outposts/proxy: Fix failing traefik healthcheck (#1470)
|
|
- outposts/proxyv2: fix routing not working correctly for domain auth
|
|
- providers/proxy: add token_validity field for outpost configuration
|
|
- web/admin: add notice for recovery
|
|
- web/admin: fix NotificationWebhookMapping not loading correctly
|
|
- web/admin: fix Transport Form not loading mode correctly on edit
|
|
- web/admin: handle error correctly when creating user recovery link
|
|
- web/elements: fix token copy error in safari
|
|
- web/elements: improve error handling on forms
|
|
- web/user: fix brand not being shown in safari
|
|
- web/user: search apps when user typed before apps have loaded
|
|
- website/docs: fix typos and grammar (#1459)
|
|
|
|
## Fixed in 2021.9.4
|
|
|
|
- outposts: allow disabling of docker controller port mapping
|
|
- outposts/proxy: fix duplicate protocol in domain auth mode
|
|
- root: Use fully qualified names for docker bases base images. (#1490)
|
|
- sources/ldap: add support for Active Directory `userAccountControl` attribute
|
|
- sources/ldap: don't sync ldap source when no property mappings are set
|
|
- web/admin: don't require username nor name for activate/deactivate toggles
|
|
- web/admin: fix LDAP Source form not exposing syncParentGroup
|
|
- web/elements: fix initialLoad not being done when viewportCheck was disabled
|
|
- web/elements: use dedicated button for search clear instead of webkit exclusive one
|
|
|
|
## Fixed in 2021.9.5
|
|
|
|
- events: add missing migration
|
|
- lifecycle: switch to h11 uvicorn worker for now
|
|
- outpost/proxy: fix missing negation for internal host ssl verification
|
|
- outposts: check ports of deployment in kubernetes outpost controller
|
|
- outposts: don't always build permissions on outpost.user access, only in signals and tasks
|
|
- outposts: fix circular import in kubernetes controller
|
|
- outposts/proxy: add new headers with unified naming
|
|
- outposts/proxy: show full error message when user is authenticated
|
|
- providers/ldap: use RDN when using posixGroup's memberUid attribute (#1514)
|
|
- providers/proxy: always check ingress secret in kubernetes controller
|
|
- sources/ldap: fix logic error in Active Directory account disabled status
|
|
- stages/email: add activate_user_on_success flag, add for all example flows
|
|
- stages/user_login: add check for user.is_active and tests
|
|
- tests/integration: fix tests failing due to incorrect comparison
|
|
- web/admin: fix search group label
|
|
|
|
## Upgrading
|
|
|
|
This release does not introduce any new requirements.
|
|
|
|
### docker-compose
|
|
|
|
Download the docker-compose file for 2021.9 from [here](https://raw.githubusercontent.com/goauthentik/authentik/version-2021.9/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
|
|
|
|
### Kubernetes
|
|
|
|
Update your values to use the new images:
|
|
|
|
```yaml
|
|
image:
|
|
repository: ghcr.io/goauthentik/server
|
|
tag: 2021.9.1
|
|
```
|