authentik/website/docs/releases/v2022.11.md
Jens L db95dfe38d
security: fix CVE 2022 46145 (#4140)
* add flow authentication requirement

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add website for cve

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* flows: handle FlowNonApplicableException without policy result

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add release notes

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-12-02 16:14:25 +01:00


title: Release 2022.11
slug: 2022.11

Breaking changes

  • Have I Been Pwned policy is deprecated

    The policy has been merged with the password policy which provides the same functionality. Existing Have I Been Pwned policies will automatically be migrated.

  • Instead of using multiple redis databases, authentik now uses a single redis database

    Some cached information, such as cached system tasks and policy results, will temporarily be lost after the upgrade. This data will be re-cached in the background.

New features

  • authentik now runs on Python 3.11

  • Expanded password policy

    The "Have I been Pwned" policy has been merged into the password policy, and additionally passwords can be checked using zxcvbn to provide concise feedback.

Upgrading

This release does not introduce any new requirements.

docker-compose

Download the docker-compose file for 2022.11 from here. Afterwards, simply run docker-compose up -d.

Kubernetes

Update your values to use the new images:

image:
    repository: ghcr.io/goauthentik/server
    tag: 2022.11.1

Minor changes/fixes

  • api: fix missing scheme in securitySchemes
  • blueprints: Fixed bug causing blueprint instance context to be discarded (#3990)
  • core: fix error when propertymappings return complex value
  • core: simplify group serializer for user API endpoint (#3899)
  • events: deepcopy event kwargs to prevent objects being removed, remove workaround
  • events: sanitize generator for json safety
  • lib: fix complex objects being included in event context for ak_create_event
  • lifecycle: fix incorrect messages looped
  • outposts/kubernetes: ingress class (#4002)
  • policies: only cache policies for authenticated users
  • policies/password: merge hibp add zxcvbn (#4001)
  • providers/oauth2: fix inconsistent expiry encoded in JWT
  • root: make sentry DSN configurable (#4016)
  • root: relicense and launch blog post
  • root: use single redis db (#4009)
  • sources: add custom icon support (#4022)
  • stages/authenticator_*: cleanup
  • stages/authenticator_validate: add flag to configure user_verification for webauthn devices
  • stages/invitation: directly delete invitation now that flow plan is saved in email token
  • web: fix twitter icon
  • web/flows: always hide static user info when it's not set in the flow

Fixed in 2022.11.1

  • blueprints: add desired state attribute to objects (#4061)
  • core: fix tab-complete in shell
  • root: fix build on arm64
  • stages/email: add test for email translation
  • web/admin: fix error when importing duo devices
  • web/admin: reset cookie_domain when setting non-domain forward auth

Fixed in 2022.11.2

  • *: fix CVE-2022-46145

API Changes

What's Changed


GET /policies/password/{policy_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property check_static_rules (boolean)

    • Added property check_have_i_been_pwned (boolean)

    • Added property check_zxcvbn (boolean)

    • Added property hibp_allowed_count (integer)

      How many times the password hash is allowed to be on haveibeenpwned

    • Added property zxcvbn_score_threshold (integer)

      If the zxcvbn score is equal or less than this value, the policy will fail.
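The two checks the expanded password policy combines, with the threshold semantics the property descriptions above give (a haveibeenpwned count above hibp_allowed_count fails; a zxcvbn score equal to or below zxcvbn_score_threshold fails), as an added example that is not authentik's own implementation. It assumes a caller-supplied zxcvbn scorer and a constructed range response in place of a live lookup; all function names are this example's own.

```python
"""Password-policy checks with the two thresholds this page documents
(hibp_allowed_count, zxcvbn_score_threshold). Added example, not authentik's
code. The HIBP lookup follows the k-anonymity range model: only the 5-char
SHA-1 prefix leaves the host, the 35-char suffix is matched locally."""
import hashlib
from dataclasses import dataclass
from typing import Callable

@dataclass
class PasswordPolicy:
    check_have_i_been_pwned: bool = True
    hibp_allowed_count: int = 0      # how often the hash may appear on HIBP
    check_zxcvbn: bool = True
    zxcvbn_score_threshold: int = 2  # a score <= threshold fails the policy

def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a /range/<prefix> response."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def hibp_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password's SHA-1 appears in the range (0 if unseen)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return parse_range_response(fetch_range(digest[:5])).get(digest[5:], 0)

def evaluate(policy: PasswordPolicy, password: str,
             fetch_range: Callable[[str], str],
             score_fn: Callable[[str], int]) -> tuple[bool, list[str]]:
    """Return (passing, messages) using the semantics the property docs give."""
    messages: list[str] = []
    if policy.check_have_i_been_pwned:
        count = hibp_count(password, fetch_range)
        if count > policy.hibp_allowed_count:       # above allowed count: fail
            messages.append(f"password seen {count} times on haveibeenpwned")
    if policy.check_zxcvbn:
        score = score_fn(password)
        if score <= policy.zxcvbn_score_threshold:  # equal or less: fail
            messages.append(f"zxcvbn score {score} is at or below threshold")
    return not messages, messages

# Constructed offline stand-in for GET https://api.pwnedpasswords.com/range/5BAA6
# (the SHA-1 of "password" starts with 5BAA6); the counts are made up.
CONSTRUCTED_RANGES = {"5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
                               "00000000000000000000000000000000000:2\n"}
def offline_fetch_range(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")

def crude_score(password: str) -> int:
    """Constructed 0-4 stand-in for zxcvbn's score so the block runs offline;
    with the zxcvbn package installed pass lambda p: zxcvbn(p)["score"]."""
    return min(4, max(0, (len(password) - 6) // 3 + len(set(password)) // 8))
```

Because only the hash prefix is ever sent, the same evaluate() can be pointed at the real range endpoint by swapping fetch_range for an HTTP client without changing the policy logic.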

PUT /policies/password/{policy_uuid}/
Request:

Changed content type : application/json

  • Added property check_static_rules (boolean)

  • Added property check_have_i_been_pwned (boolean)

  • Added property check_zxcvbn (boolean)

  • Added property hibp_allowed_count (integer)

    How many times the password hash is allowed to be on haveibeenpwned

  • Added property zxcvbn_score_threshold (integer)

    If the zxcvbn score is equal or less than this value, the policy will fail.

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property check_static_rules (boolean)

    • Added property check_have_i_been_pwned (boolean)

    • Added property check_zxcvbn (boolean)

    • Added property hibp_allowed_count (integer)

      How many times the password hash is allowed to be on haveibeenpwned

    • Added property zxcvbn_score_threshold (integer)

      If the zxcvbn score is equal or less than this value, the policy will fail.

PATCH /policies/password/{policy_uuid}/
Request:

Changed content type : application/json

  • Added property check_static_rules (boolean)

  • Added property check_have_i_been_pwned (boolean)

  • Added property check_zxcvbn (boolean)

  • Added property hibp_allowed_count (integer)

    How many times the password hash is allowed to be on haveibeenpwned

  • Added property zxcvbn_score_threshold (integer)

    If the zxcvbn score is equal or less than this value, the policy will fail.

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property check_static_rules (boolean)

    • Added property check_have_i_been_pwned (boolean)

    • Added property check_zxcvbn (boolean)

    • Added property hibp_allowed_count (integer)

      How many times the password hash is allowed to be on haveibeenpwned

    • Added property zxcvbn_score_threshold (integer)

      If the zxcvbn score is equal or less than this value, the policy will fail.

GET /core/tokens/{identifier}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user's groups

        New optional properties:

        • users_obj
        • Deleted property users (array)

        • Deleted property users_obj (array)

PUT /core/tokens/{identifier}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user's groups

        New optional properties:

        • users_obj
        • Deleted property users (array)

        • Deleted property users_obj (array)

PATCH /core/tokens/{identifier}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user's groups

        New optional properties:

        • users_obj
        • Deleted property users (array)

        • Deleted property users_obj (array)

GET /core/users/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property groups_obj (array)

      Changed items (object): > Simplified Group Serializer for user's groups

      New optional properties:

      • users_obj
      • Deleted property users (array)

      • Deleted property users_obj (array)

PUT /core/users/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property groups_obj (array)

      Changed items (object): > Simplified Group Serializer for user's groups

      New optional properties:

      • users_obj
      • Deleted property users (array)

      • Deleted property users_obj (array)

PATCH /core/users/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property groups_obj (array)

      Changed items (object): > Simplified Group Serializer for user's groups

      New optional properties:

      • users_obj
      • Deleted property users (array)

      • Deleted property users_obj (array)

GET /policies/bindings/{policy_binding_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user's groups

        New optional properties:

        • users_obj
        • Deleted property users (array)

        • Deleted property users_obj (array)

PUT /policies/bindings/{policy_binding_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user's groups

        New optional properties:

        • users_obj
        • Deleted property users (array)

        • Deleted property users_obj (array)

PATCH /policies/bindings/{policy_binding_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user's groups

        New optional properties:

        • users_obj
        • Deleted property users (array)

        • Deleted property users_obj (array)

POST /policies/password/
Request:

Changed content type : application/json

  • Added property check_static_rules (boolean)

  • Added property check_have_i_been_pwned (boolean)

  • Added property check_zxcvbn (boolean)

  • Added property hibp_allowed_count (integer)

    How many times the password hash is allowed to be on haveibeenpwned

  • Added property zxcvbn_score_threshold (integer)

    If the zxcvbn score is equal or less than this value, the policy will fail.

Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Added property check_static_rules (boolean)

    • Added property check_have_i_been_pwned (boolean)

    • Added property check_zxcvbn (boolean)

    • Added property hibp_allowed_count (integer)

      How many times the password hash is allowed to be on haveibeenpwned

    • Added property zxcvbn_score_threshold (integer)

      If the zxcvbn score is equal or less than this value, the policy will fail.

GET /policies/password/
Parameters:

Added: check_have_i_been_pwned in query

Added: check_static_rules in query

Added: check_zxcvbn in query

Added: hibp_allowed_count in query

Added: zxcvbn_score_threshold in query

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Password Policy Serializer

      • Added property check_static_rules (boolean)

      • Added property check_have_i_been_pwned (boolean)

      • Added property check_zxcvbn (boolean)

      • Added property hibp_allowed_count (integer)

        How many times the password hash is allowed to be on haveibeenpwned

      • Added property zxcvbn_score_threshold (integer)

        If the zxcvbn score is equal or less than this value, the policy will fail.

POST /core/tokens/
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user's groups

        New optional properties:

        • users_obj
        • Deleted property users (array)

        • Deleted property users_obj (array)

GET /core/tokens/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Token Serializer

      • Changed property user_obj (object)

        User Serializer

        • Changed property groups_obj (array)

          Changed items (object): > Simplified Group Serializer for user's groups

          New optional properties:

          • users_obj
          • Deleted property users (array)

          • Deleted property users_obj (array)

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user's groups

        New optional properties:

        • users_obj
        • Deleted property users (array)

        • Deleted property users_obj (array)

POST /core/users/
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Changed property groups_obj (array)

      Changed items (object): > Simplified Group Serializer for user's groups

      New optional properties:

      • users_obj
      • Deleted property users (array)

      • Deleted property users_obj (array)

GET /core/users/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user's groups

        New optional properties:

        • users_obj
        • Deleted property users (array)

        • Deleted property users_obj (array)

GET /oauth2/authorization_codes/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user's groups

        New optional properties:

        • users_obj
        • Deleted property users (array)

        • Deleted property users_obj (array)

GET /oauth2/refresh_tokens/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user's groups

        New optional properties:

        • users_obj
        • Deleted property users (array)

        • Deleted property users_obj (array)

POST /policies/bindings/
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      • Changed property groups_obj (array)

        Changed items (object): > Simplified Group Serializer for user's groups

        New optional properties:

        • users_obj
        • Deleted property users (array)

        • Deleted property users_obj (array)

GET /policies/bindings/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > PolicyBinding Serializer

      • Changed property user_obj (object)

        User Serializer

        • Changed property groups_obj (array)

          Changed items (object): > Simplified Group Serializer for user's groups

          New optional properties:

          • users_obj
          • Deleted property users (array)

          • Deleted property users_obj (array)

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > UserConsent Serializer

      • Changed property user (object)

        User Serializer

        • Changed property groups_obj (array)

          Changed items (object): > Simplified Group Serializer for user's groups

          New optional properties:

          • users_obj
          • Deleted property users (array)

          • Deleted property users_obj (array)

GET /oauth2/authorization_codes/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant

      • Changed property user (object)

        User Serializer

        • Changed property groups_obj (array)

          Changed items (object): > Simplified Group Serializer for user's groups

          New optional properties:

          • users_obj
          • Deleted property users (array)

          • Deleted property users_obj (array)

GET /oauth2/refresh_tokens/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for BaseGrantModel and RefreshToken

      • Changed property user (object)

        User Serializer

        • Changed property groups_obj (array)

          Changed items (object): > Simplified Group Serializer for user's groups

          New optional properties:

          • users_obj
          • Deleted property users (array)

          • Deleted property users_obj (array)