* add flow authentication requirement Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add website for cve Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * flows: handle FlowNonApplicableException without policy result Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add release notes Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
18 KiB
title | slug |
---|---|
Release 2022.11 | 2022.11 |
Breaking changes
-
Have I Been Pwned policy is deprecated
The policy has been merged with the password policy which provides the same functionality. Existing Have I Been Pwned policies will automatically be migrated.
-
Instead of using multiple redis databases, authentik now uses a single redis database
This will temporarily loose some cached information after the upgrade, like cached system tasks and policy results. This data will be re-cached in the background.
New features
-
authentik now runs on Python 3.11
-
Expanded password policy
The "Have I been Pwned" policy has been merged into the password policy, and additionally passwords can be checked using zxcvbn to provider concise feedback.
Upgrading
This release does not introduce any new requirements.
docker-compose
Download the docker-compose file for 2022.11 from here. Afterwards, simply run docker-compose up -d
.
Kubernetes
Update your values to use the new images:
image:
repository: ghcr.io/goauthentik/server
tag: 2022.11.1
Minor changes/fixes
- api: fix missing scheme in securitySchemes
- blueprints: Fixed bug causing blueprint instance context be discarded (#3990)
- core: fix error when propertymappings return complex value
- core: simplify group serializer for user API endpoint (#3899)
- events: deepcopy event kwargs to prevent objects being removed, remove workaround
- events: sanitize generator for json safety
- lib: fix complex objects being included in event context for ak_create_event
- lifecycle: fix incorrect messages looped
- outposts/kubernetes: ingress class (#4002)
- policies: only cache policies for authenticated users
- policies/password: merge hibp add zxcvbn (#4001)
- providers/oauth2: fix inconsistent expiry encoded in JWT
- root: make sentry DSN configurable (#4016)
- root: relicense and launch blog post
- root: use single redis db (#4009)
- sources: add custom icon support (#4022)
- stages/authenticator_*: cleanup
- stages/authenticator_validate: add flag to configure user_verification for webauthn devices
- stages/invitation: directly delete invitation now that flow plan is saved in email token
- web: fix twitter icon
- web/flows: always hide static user info when its not set in the flow
Fixed in 2022.11.1
- blueprints: add desired state attribute to objects (#4061)
- core: fix tab-complete in shell
- root: fix build on arm64
- stages/email: add test for email translation
- web/admin: fix error when importing duo devices
- web/admin: reset cookie_domain when setting non-domain forward auth
Fixed in 2022.11.2
- *: fix CVE-2022-46145
API Changes
What's Changed
GET
/policies/password/{policy_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Added property
check_static_rules
(boolean) -
Added property
check_have_i_been_pwned
(boolean) -
Added property
check_zxcvbn
(boolean) -
Added property
hibp_allowed_count
(integer)How many times the password hash is allowed to be on haveibeenpwned
-
Added property
zxcvbn_score_threshold
(integer)If the zxcvbn score is equal or less than this value, the policy will fail.
-
PUT
/policies/password/{policy_uuid}/
Request:
Changed content type : application/json
-
Added property
check_static_rules
(boolean) -
Added property
check_have_i_been_pwned
(boolean) -
Added property
check_zxcvbn
(boolean) -
Added property
hibp_allowed_count
(integer)How many times the password hash is allowed to be on haveibeenpwned
-
Added property
zxcvbn_score_threshold
(integer)If the zxcvbn score is equal or less than this value, the policy will fail.
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Added property
check_static_rules
(boolean) -
Added property
check_have_i_been_pwned
(boolean) -
Added property
check_zxcvbn
(boolean) -
Added property
hibp_allowed_count
(integer)How many times the password hash is allowed to be on haveibeenpwned
-
Added property
zxcvbn_score_threshold
(integer)If the zxcvbn score is equal or less than this value, the policy will fail.
-
PATCH
/policies/password/{policy_uuid}/
Request:
Changed content type : application/json
-
Added property
check_static_rules
(boolean) -
Added property
check_have_i_been_pwned
(boolean) -
Added property
check_zxcvbn
(boolean) -
Added property
hibp_allowed_count
(integer)How many times the password hash is allowed to be on haveibeenpwned
-
Added property
zxcvbn_score_threshold
(integer)If the zxcvbn score is equal or less than this value, the policy will fail.
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Added property
check_static_rules
(boolean) -
Added property
check_have_i_been_pwned
(boolean) -
Added property
check_zxcvbn
(boolean) -
Added property
hibp_allowed_count
(integer)How many times the password hash is allowed to be on haveibeenpwned
-
Added property
zxcvbn_score_threshold
(integer)If the zxcvbn score is equal or less than this value, the policy will fail.
-
GET
/core/tokens/{identifier}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
user_obj
(object)User Serializer
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
-
PUT
/core/tokens/{identifier}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
user_obj
(object)User Serializer
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
-
PATCH
/core/tokens/{identifier}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
user_obj
(object)User Serializer
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
-
GET
/core/users/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
PUT
/core/users/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
PATCH
/core/users/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
GET
/policies/bindings/{policy_binding_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
user_obj
(object)User Serializer
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
-
PUT
/policies/bindings/{policy_binding_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
user_obj
(object)User Serializer
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
-
PATCH
/policies/bindings/{policy_binding_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
user_obj
(object)User Serializer
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
-
POST
/policies/password/
Request:
Changed content type : application/json
-
Added property
check_static_rules
(boolean) -
Added property
check_have_i_been_pwned
(boolean) -
Added property
check_zxcvbn
(boolean) -
Added property
hibp_allowed_count
(integer)How many times the password hash is allowed to be on haveibeenpwned
-
Added property
zxcvbn_score_threshold
(integer)If the zxcvbn score is equal or less than this value, the policy will fail.
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
-
Added property
check_static_rules
(boolean) -
Added property
check_have_i_been_pwned
(boolean) -
Added property
check_zxcvbn
(boolean) -
Added property
hibp_allowed_count
(integer)How many times the password hash is allowed to be on haveibeenpwned
-
Added property
zxcvbn_score_threshold
(integer)If the zxcvbn score is equal or less than this value, the policy will fail.
-
GET
/policies/password/
Parameters:
Added: check_have_i_been_pwned
in query
Added: check_static_rules
in query
Added: check_zxcvbn
in query
Added: hibp_allowed_count
in query
Added: zxcvbn_score_threshold
in query
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > Password Policy Serializer
-
Added property
check_static_rules
(boolean) -
Added property
check_have_i_been_pwned
(boolean) -
Added property
check_zxcvbn
(boolean) -
Added property
hibp_allowed_count
(integer)How many times the password hash is allowed to be on haveibeenpwned
-
Added property
zxcvbn_score_threshold
(integer)If the zxcvbn score is equal or less than this value, the policy will fail.
-
-
POST
/core/tokens/
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
-
Changed property
user_obj
(object)User Serializer
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
-
GET
/core/tokens/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > Token Serializer
-
Changed property
user_obj
(object)User Serializer
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
-
-
GET
/core/user_consent/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
user
(object)User Serializer
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
-
POST
/core/users/
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
GET
/core/users/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > User Serializer
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
-
GET
/oauth2/authorization_codes/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
user
(object)User Serializer
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
-
GET
/oauth2/refresh_tokens/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
user
(object)User Serializer
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
-
POST
/policies/bindings/
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
-
Changed property
user_obj
(object)User Serializer
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
-
GET
/policies/bindings/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > PolicyBinding Serializer
-
Changed property
user_obj
(object)User Serializer
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
-
-
GET
/core/user_consent/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > UserConsent Serializer
-
Changed property
user
(object)User Serializer
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
-
-
GET
/oauth2/authorization_codes/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant
-
Changed property
user
(object)User Serializer
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
-
-
GET
/oauth2/refresh_tokens/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > Serializer for BaseGrantModel and RefreshToken
-
Changed property
user
(object)User Serializer
-
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
-
Deleted property
users
(array) -
Deleted property
users_obj
(array)
-
-
-