Release 2021.4

Headline Changes

Configurable Policy engine mode

In the past, all objects, which could have policies attached to them, required all policies to pass to consider an action successful. You can now configure if all policies need to pass, or if any policy needs to pass.

This can now be configured for the following objects:
- Applications (access restrictions)
- Sources
- Flows
- Flow-stage bindings
For backwards compatibility, this is set to all, but new objects will default to any.
Expiring Events

Previously, events would stay in the database forever, and had to eventually be cleaned up manually. This version add expiry to events with a default timeout of 1 Year. This also applies to existing events, and their expiry will be set during the migration.
New UI

While the UI mostly looks the same, under the hood a lot has changed. The Web UI is now a Single-page application based on rollup and lit-html. This has several consequences and new features, for example:
- You can now see a user's OAuth Access/Refresh tokens and the consents they've given
- You can now see a per-object changelog based on the model_create/update/delete events being created.
- A new API Browser is available under https://authentink.company/api/v2beta/
- Several new charts, new pages and quality-of-life improvements
- Credentials of objects are no longer shown while editing them
Deprecated Group membership has been removed.

You can now specify the amount of processes started in docker-compose using the WORKERS environment variable.

core: fix propertymapping API returning invalid value for components (#746)
core: improve messaging when creating a recovery link for a user when no recovery flow exists
flows: annotate flows executor 404 error
flows: include configure_flow in stages API
helm: make storage class, size and mode configurable
helm: turn off monitoring by default (#741)
outposts: fix errors when creating multiple outposts
root: add restart: unless-stopped to compose
root: base Websocket message storage on Base not fallback
root: fix healthcheck part in docker-compose
root: fix setting of EMAIL_USE_TLS and EMAIL_USE_SSL
sources/ldap: improve error handling during sync
sources/oauth: fix error when creating an oauth source which has fixed URLs
sources/oauth: fix resolution of sources' provider type
web: fix background-color on router outlet on light mode
web/admin: fix error when user doesn't have permissions to read source
web/admin: fix errors in user profile when non-superuser

*: add model_name to TypeCreate API to distinguish between models sharing a component
api: fix CSRF error when using POST/PATCH/PUT in API Browser
api: make 401 messages clearer
api: mount outposts under outposts/instances to match flows
core: add parameter to output property mapping test result formatted
core: add superuser_full_list to applications list, shows all applications when superuser
core: fix Tokens being created with incorrect intent by default
outposts: don't run outpost_controller when no service connection is set
providers/oauth2: Set CORS Headers for token endpoint, check Origin header against redirect URLs
root: auto-migrate on startup, lock database using pg_advisory_lock
sources/oauth: add login with plex support
sources/oauth: fix redirect loop for source with non-configurable URLs
sources/oauth: save null instead of empty string for sources without configurable URLs
web/admin: add ability to add users to a group whilst creating a group
web/admin: fix default for codemirror
web/admin: fix group member table order
web/admin: fix non-matching provider type being selected when creating an OAuth Source
web/admin: fix provider type resetting when changing provider type
web/admin: fix undefined being shown when viewing application
web/admin: improve default selection for property-mappings

*: make tasks run every 60 minutes not :00 every hour
outposts: check for X-Forwarded-Host to switch context
outposts: improve update performance
outposts: move local connection check to task, run every 60 minutes
providers/oauth2: add proper support for non-http schemes as redirect URIs
providers/oauth2: fix TokenView not having CORS headers set even with proper Origin
sources/oauth: fix error whilst fetching user profile when source uses fixed URLs
sources/oauth: handle error in AzureAD when ID Can't be extracted
stages/user_login: add default backend
web: fix title not being loaded from config
web: only report http errors for 500 and above
web: send response info when response is thrown
web/admin: add description for fields in proxy provider form
web/admin: adjust phrasing of cards on overview page
web/admin: fix display for user supseruser status
web/admin: fix error when me() returns 403
web/admin: fix error when updating identification stage
web/admin: fix invalid group member count
web/admin: fix link to providers on overview page
web/admin: fix mismatched required tags
web/admin: improve phrasing for Policy bindings
web/admin: only allow policies to be bound to sources as users/groups cannot be checked
web/admin: only pre-select items when creating a new object
web/flows: fix Sentry not being loaded correctly

core: fix text on error pages being hard to read
outposts: only kill docker container if its running
root: add middleware to properly report websocket connection to sentry
root: don't use .error of structlog to not send to sentry
stages/email: catch ValueError when global email settings are invalid
stages/invitation: accept token from prompt_data
stages/invitation: fix token not being loaded correctly from query string
web: fix text-colour for form help text
web: ignore network errors for sentry
web/admin: don't show docker certs as required
web/flows: fix redirect loop when sentry is enabled on flow views
web/flows: include ShadyDOM, always enable ShadyDOM for flow interface, improve compatibility with password
web/flows/identification: fix phrasing account recovery

This release does not introduce any new requirements.

Download the docker-compose file for 2021.4 from here. Afterwards, simply run docker-compose up -d.

Run helm repo update and then upgrade your release with helm upgrade authentik authentik/authentik -f values.yaml.