ec84ba9b6d
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
274 lines
14 KiB
Markdown
274 lines
14 KiB
Markdown
---
|
|
title: Release 2021.12
|
|
slug: "2021.12"
|
|
---
|
|
|
|
## Headline changes
|
|
|
|
This release does not have any headline features, and mostly fixes bugs.
|
|
|
|
## Breaking changes
|
|
|
|
- stages/prompt: Before 2021.12, any policy was required to pass for the result to be considered valid. This has been changed, and now all policies are required to be valid.
|
|
|
|
## Minor changes
|
|
|
|
- core: make defaults for _change_email and _change_username configurable
|
|
- core: remove dump_config, handle directly in config loader without booting django, don't check database
|
|
- events: add gdpr_compliance option
|
|
- internal: fix integrated docs not working
|
|
- internal: use runserver when debug for code reload
|
|
- lib: add cli option for lib.config
|
|
- lib: add improved log to sentry events being sent
|
|
- lib: fix custom URL schemes being overwritten
|
|
- lib: load json strings in config env variables
|
|
- lib: log error for file:// in config
|
|
- lifecycle: allow custom worker count in k8s
|
|
- lifecycle: improve backup restore by dropping database before
|
|
- lifecycle: improve redis connection debug py printing full URL
|
|
- outpost: configure error reporting based off of main instance config
|
|
- outposts: don't panic when listening for metrics fails
|
|
- outposts: reload on signal USR1, fix display of reload offset
|
|
- outposts/ldap: copy boundUsers map when running refresh instead of using blank map
|
|
- outposts/ldap: fix panic when attempting to update without locked users mutex
|
|
- outposts/proxy: continue compiling additional regexes even when one fails
|
|
- outposts/proxy: show better error when hostname isn't configured
|
|
- outposts/proxy: use disableIndex for static files
|
|
- policies/expression: fix ak_user_has_authenticator evaluation when not specifying optional device_type (#1849)
|
|
- providers/saml: fix SessionNotOnOrAfter not being included
|
|
- root: add lifespan shim to prevent errors
|
|
- root: fix settings for managed not loaded
|
|
- root: make sentry sample rate configurable
|
|
- stages/authenticator_validate: catch error when attempting to configure user without flow
|
|
- stages/email: fix missing component in response when retrying email send
|
|
- stages/email: minify email css template
|
|
- stages/email: prevent error with duplicate token
|
|
- web: improve dark theme for vertical tabs
|
|
- web: only show applications with http link
|
|
- web/admin: allow flow edit on flow view page
|
|
- web/admin: fix actions column on ip reputation page
|
|
- web/admin: fix Forms with file uploads not handling errors correctly
|
|
- web/admin: make object view pages more consistent
|
|
- web/admin: make user clickable for bound policies list
|
|
- web/admin: redesign provider pages to provide more info
|
|
- web/admin: show changelog on user info page
|
|
- web/admin: unify rendering and sorting of user lists
|
|
- web/elements: add new API to store attributes in URL, use for table and tabs
|
|
- web/elements: allow app.model names for ak-object-changelog
|
|
- web/elements: allow multiple tabs with different state
|
|
- web/flows: fix spinner during webauthn not centred
|
|
- web/flows: update default background
|
|
- web/user: fix filtering for applications based on launchURL
|
|
- web/user: fix height issues on user interface
|
|
|
|
## Fixed in 2021.12.1-rc2
|
|
|
|
- *: don't use go embed to make using custom files easier
|
|
- crypto: add certificate discovery to automatically import certificates from lets encrypt
|
|
- crypto: fix default API not having an ordering
|
|
- outposts: always trigger outpost reconcile on startup
|
|
- outposts/ldap: Rework/improve LDAP search logic. (#1687)
|
|
- outposts/proxy: make logging fields more consistent
|
|
- outposts/proxy: re-add rs256 support
|
|
- providers/proxy: fix defaults for traefik integration
|
|
- providers/proxy: use wildcard for traefik headers copy
|
|
- providers/saml: fix error when using post bindings and user freshly logged in
|
|
- providers/saml: fix IndexError in signature check
|
|
- sources/ldap: add optional tls verification certificate
|
|
- sources/ldap: allow multiple server URIs for loadbalancing and failover
|
|
- sources/ldap: don't cache LDAP Connection, use random server
|
|
- sources/ldap: handle typeerror during creation of objects when using wrong keyword params
|
|
- sources/plex: fix plex token being included in event log
|
|
- stages/prompt: fix error when both default and required are set
|
|
- web/admin: add spinner to table refresh button to show progress
|
|
- web/admin: don't show disabled http basic as red
|
|
- web/admin: fix wrong description for reputation policy
|
|
- web/flows: fix linting errors
|
|
- web/flows: Revise duo authenticator login prompt text (#1872)
|
|
|
|
## Fixed in 2021.12.1-rc3
|
|
|
|
- core: add FlowToken which saves the pickled flow plan, replace standard token in email stage to allow finishing flows in different sessions
|
|
- core: fix missing permission check for group creating when creating service account
|
|
- outposts/ldap: Fix search case sensitivity. (#1897)
|
|
- policies/expression: add ak_call_policy
|
|
- providers/saml: add ?force_binding to limit bindings for metadata endpoint
|
|
- root: add request_id to celery tasks, prefixed with "task-"
|
|
- sources/*: Allow creation of source connections via API
|
|
- stages/prompt: use policyenginemode all
|
|
- tests/e2e: add post binding test
|
|
- web: fix duplicate classes, make generic icon clickable
|
|
- web: fix text colour for bad request on light mode
|
|
- web/admin: show outpost warning on application page too
|
|
- web/elements: close dropdown when refresh event is dispatched
|
|
- web/user: allow custom font-awesome icons for applications
|
|
|
|
## Fixed in 2021.12.1-rc4
|
|
|
|
- core: fix error when using invalid key-values in attributes query
|
|
- flows: fix error in inspector view
|
|
- flows: fix error when trying to print FlowToken objects
|
|
- lib: correctly report "faked" IPs to sentry
|
|
- outposts: add additional checks for websocket connection
|
|
- outposts: cleanup logs for failed binds
|
|
- outposts: don't try to create docker client for embedded outpost
|
|
- outposts: fix docker controller not stopping containers
|
|
- outposts: fix unlabeled transaction
|
|
- outposts: handle RuntimeError during websocket connect
|
|
- outposts: rewrite re-connect logic without recws
|
|
- outposts: set display name for outpost service account
|
|
- outposts/ldap: fix searches with mixed casing
|
|
- outposts/proxy: use filesystem storage for non-embedded outposts
|
|
- policies: don't always clear application cache on post_save
|
|
- stagse/authenticator_webauthn: remove pydantic import
|
|
- web: fix borders of sidebars in dark mode
|
|
|
|
## Fixed in 2021.12.1-rc5
|
|
|
|
- crypto: add additional validation before importing a certificate
|
|
- events: add flow_execution event type
|
|
- events: fix schema for top_per_user
|
|
- flows: fix wrong exception being caught in flow inspector
|
|
- outposts: reset backoff after successful connect
|
|
- outposts/proxy: fix securecookie: the value is too long again, since it can happen even with filesystem storage
|
|
- providers/oauth2: add additional logging to show with token path is taken
|
|
- providers/oauth2: use generate_key instead of uuid4
|
|
- sources/ldap: fix incorrect task names being referenced, use source native slug
|
|
- sources/oauth: add initial okta type
|
|
- sources/oauth: allow oauth types to override their login button challenge
|
|
- sources/oauth: implement apple native sign-in using the apple JS SDK
|
|
- sources/oauth: strip parts of custom apple client_id
|
|
- stages/authenticator_webauthn: make user_verification configurable
|
|
- stages/identification: fix miscalculated sleep
|
|
- stages/invitation: use GroupMemberSerializer serializer to prevent all of the user's groups and their users from being returned
|
|
- web: add link to open API Browser for API Drawer
|
|
- web/admin: add dashboard with user creation/login statistics
|
|
- web/admin: fix invalid display for LDAP Source sync status
|
|
- web/admin: fix rendering for applications on view page
|
|
- web/admin: fix rendering of applications with custom icon
|
|
- web/admin: improve wording for froward_auth, don't show setup when using proxy mode
|
|
- web/admin: show warning when deleting currently logged in user
|
|
- web/admin: update overview page
|
|
- web/flows: fix error when attempting to enroll new webauthn device
|
|
|
|
## Fixed in 2021.12.1
|
|
|
|
- core: fix error when attempting to provider from cached application
|
|
- events: improve app lookup for event creation
|
|
- internal: cleanup duplicate and redundant code, properly set sentry SDK scope settings
|
|
- lifecycle: add -Ofair to celery
|
|
- web/admin: add sidebar to applications
|
|
- web/admin: fix notification unread colours not matching on user and admin interface
|
|
- web/admin: fix stage related flows not being shown in a list
|
|
- web/elements: add Markdown component to improve rendering
|
|
- web/elements: add support for sidebar on table page
|
|
- web/elements: close notification drawer when clearing all notifications
|
|
|
|
## Fixed in 2021.12.2
|
|
|
|
- core: don't rotate non-api tokens
|
|
- crypto: fix private keys not being imported correctly
|
|
- outposts: release binary outposts (#1954)
|
|
- outposts/proxy: match skipPathRegex against full URL on domain auth
|
|
- policies/password: add minimum digits
|
|
- providers/oauth2: don't rely on expiry task for access codes and refresh tokens
|
|
- sources/oauth: allow writing to user in SourceConnection
|
|
- web: ignore instantSearchSDKJSBridgeClearHighlight error on edge on iOS
|
|
- web/admin: fix background colour for application sidebar
|
|
- web/elements: fix border between search buttons
|
|
|
|
## Fixed in 2021.12.3
|
|
|
|
- *: revert to using GHCR directly
|
|
- core: fix error when getting launch URL for application with non-existent Provider
|
|
- internal: fix sentry sample rate not applying to proxy
|
|
- internal: rework global logging settings, embedded outpost no longer overwrites core
|
|
- outpost: re-run globalSetup when updating config, allowing for live log level changes
|
|
- outposts: handle/ignore http Abort handler
|
|
- outposts/ldap: fix log formatter and level not being set correctly
|
|
- outposts/proxy: add initial redirect-loop prevention
|
|
- outposts/proxy: fix allowlist for forward_auth and traefik
|
|
- outposts/proxy: fix ping URI not being routed
|
|
- outposts/proxy: fix session not expiring correctly due to miscalculation
|
|
- root: allow trace log level to work for core/embedded
|
|
- root: don't set secure cross opener policy
|
|
- root: drop redis cache sentry errors
|
|
- root: fix inconsistent URL quoting of redis URLs
|
|
- web/admin: add outpost type to list
|
|
- web/admin: auto set the embedded outpost's authentik_host on first view
|
|
- web/admin: don't auto-select certificate for LDAP source verification
|
|
- web/admin: fix border for outpost health status
|
|
|
|
## Fixed in 2021.12.4
|
|
|
|
- crypto: improve handling for non-rsa private keys
|
|
- events: create test notification with event with data
|
|
- internal: add custom proxy certificates support to embedded outpost
|
|
- policies: fix application cache not being cleared correctly
|
|
- providers/oauth2: remove jwt_alg field and set algorithm based on selected keypair, select HS256 when no keypair is selected
|
|
- stages/authenticator_validate: add passwordless login
|
|
- stages/authenticator_validate: fix prompt not triggering when using in non-authentication context
|
|
- stages/authenticator_validate: refuse passwordless flow if flow is not for authentication
|
|
- tenants: add web certificate field, make authentik's core certificate configurable based on keypair
|
|
- web/admin: fix explore integration not opening in new tab
|
|
- web/elements: fix link from notification drawer not working in user interface
|
|
- web/user: fix user details not rendering when loading to a different user settings tab and then switching
|
|
|
|
## Fixed in 2021.12.5
|
|
|
|
- *: don't use exception keyword with structlog
|
|
- *: use py3.10 syntax for unions, remove old Type[] import when possible
|
|
- core: add API endpoint to directly set user's password
|
|
- core: add error handling in source flow manager when flow isn't applicable
|
|
- core: prevent LDAP password being set for internal hash upgrades
|
|
- crypto: return private key's type (required for some oauth2 providers)
|
|
- flows: add test helpers to simplify and improve checking of stages, remove force_str
|
|
- flows: don't create EventAction.FLOW_EXECUTION
|
|
- flows: update default flow titles
|
|
- flows: use WithUserInfoChallenge for AccessDeniedChallenge
|
|
- lib: strip values for timedelta from string
|
|
- outposts: add remote docker integration via SSH
|
|
- outposts: fix outpost's sentry not sending release
|
|
- outposts: include outposts build hash in state
|
|
- outposts/proxy: add support for multiple states, when multiple requests are redirect at once
|
|
- outposts/proxy: fix error checking for type assertion
|
|
- sources/oauth: add additional scopes field to get additional data from provider
|
|
- sources/oauth: fix github provider not including correct base scopes
|
|
- stages/identification: add field for passwordless flow
|
|
- web: add tr to locale
|
|
- web: remove page header colour, match user navbar to admin sidebar
|
|
- web/admin: add Admin in titlebar for admin interface
|
|
- web/admin: fix alignment in outpost list when expanding rows
|
|
- web/admin: fix display when groups/users don't fit on a single row
|
|
- web/admin: include key type in list
|
|
- web/admin: mark additional scopes as non-required
|
|
- web/admin: show flow title in list
|
|
- web/elements: fix alignment of chipgroup on modal add
|
|
- web/elements: fix spacing between chips in chip-group
|
|
- web/elements: re-enable codemirror line numbers (fixed on firefox)
|
|
- web/flows: add workaround for autofocus not working in password stage
|
|
- web/flows: fix duplicate loading spinners when using webauthn
|
|
- web/flows: fix helper form not being removed from identification stage (improve password manager compatibility)
|
|
- web/flows: include user in access denied stage
|
|
- web/flows: only add helper username input if using native shadow dom to prevent browser confusion
|
|
- web/user: add language selection
|
|
- web/user: rework user source connection UI
|
|
|
|
## Upgrading
|
|
|
|
This release does not introduce any new requirements.
|
|
|
|
### docker-compose
|
|
|
|
Download the docker-compose file for 2021.12 from [here](https://goauthentik.io/version/2021.12/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
|
|
|
|
### Kubernetes
|
|
|
|
Update your values to use the new images:
|
|
|
|
```yaml
|
|
image:
|
|
repository: ghcr.io/goauthentik/server
|
|
tag: 2021.12.1-rc1
|
|
```
|