Skip to main content

Release 2023.2 - Signout and Avatar improvements

New features

  • Proxy provider logout improvements

    In previous versions, logging out of a single proxied application would only invalidate that application's session. Starting with this release, when logging out of a proxied application (via the /outpost.goauthentik.io/sign_out URL), all the users session within the outpost are terminated. Sessions in other outposts and with other protocols are unaffected.

    Additionally, different providers now have different cookies, instead of all using the same "authentik_proxy" token.

  • UX Improvements

    As with the previous improvements, we've made a lot of minor improvements to the general authentik UX to make your life easier.

  • OAuth2 Provider improvements

    The OAuth2 provider has been reworked to be closer to OAuth specifications and better support refresh tokens and offline access. Additionally the expiry for access tokens and refresh tokens can be adjusted separately now.

  • Generated avatars, multiple avatar modes

    authentik now supports multiple avatar modes, and will use the next configured mode when a mode doesn't have an avatar. For example, the new default configuration attempts to use gravatar, but if the user's email does not have a gravatar setup, it will instead use the new generated avatars. See Configuration

Upgrading

This release does not introduce any new requirements.

docker-compose

Download the docker-compose file for 2023.2 from here. Afterwards, simply run docker-compose up -d.

Kubernetes

Update your values to use the new images:

image:
    repository: ghcr.io/goauthentik/server
    tag: 2023.2.0

Minor changes/fixes

  • */saml: disable pretty_print, add signature tests
  • blueprints: don't update default tenant
  • blueprints: handle error when blueprint entry identifier field does not exist
  • core: Add support for auto generating unique avatars based on the user's initials (#4663)
  • core: delete session when user is set to inactive
  • core: fix inconsistent branding in end_session view
  • core: fix missing uniqueness validator on user api
  • core: fix token's set_key accessing data incorrectly
  • events: dont log oauth temporary model creation
  • events: improve sanitising for tuples and sets
  • events: prevent error when request fails without response
  • internal: better error message when outpost API controller couldn't fetch outposts
  • internal: fix cache-control header
  • policies/event_matcher: fix empty app label not being allowed, require at least 1 criteria
  • providers/ldap: add unbind flow execution (#4484)
  • providers/ldap: fix error not being checked correctly when fetching users
  • providers/oauth2: add user id as "sub" mode
  • providers/oauth2: don't use policy cache for token requests
  • providers/oauth2: only set auth_time in ID token when a login event is stored in the session
  • providers/oauth2: optimise client credentials JWT database lookup (#4606)
  • providers/oauth2: rework OAuth2 Provider (#4652)
  • providers/proxy: add token support for basic auth
  • providers/proxy: different cookie name based on hashed client id (#4666)
  • providers/proxy: outpost wide logout implementation (#4605)
  • providers/saml: fix invalid SAML provider metadata, add schema tests
  • providers/saml: fix mismatched SAML SLO Urls (#4655)
  • stages/authenticator_validate: fix error with passwordless webauthn login
  • stages/prompt: field name (#4497)
  • stages/user_write: fix migration setting wrong value, fix form
  • web: fix token delete form not showing token identifiers
  • web/admin: add notice for user_login stage session cookie behaviour
  • web/admin: clarify access code expiration
  • web/admin: default to disable policy execution logging
  • web/admin: fix certificate filtering for SAML verification certificate
  • web/admin: rework event info page to show all event infos
  • web/elements: add dropdown css to DOM directly instead of including
  • web/elements: fix ak-expand not using correct font
  • web/elements: fix clashing page url param
  • web/elements: improve codemirror contrast in dark theme
  • web/elements: make table rows clickable to select items
  • web/elements: persist table page in URL parameters
  • web/flows: fix flow background overlay on firefox
  • web/user: filter tokens by username
  • web/user: refactor loading of data in userinterface

Fixed in 2023.2.1

  • internal: fix scheme not being forwarded correctly for host intercepted requests
  • sources/ldap: add LDAP Debug endpoint
  • web/admin: improve action button spinner on ldap source page
  • web/admin: remove groups and users from users and group form to prevent accidental removal when updating
  • web/admin: use full page size for modals

Fixed in 2023.2.2

  • flows: include flow authentication requirement in diagram
  • lib: don't try to cache generated avatar with full user, only cache with name
  • providers/ldap: check MFA password on password stage
  • providers/proxy: fix client credential flows not using http interceptor
  • providers/proxy: fix value is too long with filesystem sessions
  • root: use channel send workaround for sync sending of websocket messages
  • web/admin: fix error when creating new users
  • web/user: revert truncate behaviour for application description

Fixed in 2023.2.3

API Changes

What's New

POST /admin/system/

What's Changed

POST /core/tokens/{identifier}/set_key/
GET /providers/oauth2/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property sub_mode (string)

      Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

      Added enum value:

      • user_id
PUT /providers/oauth2/{id}/
Request:

Changed content type : application/json

  • Changed property sub_mode (string)

    Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

    Added enum value:

    • user_id
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property sub_mode (string)

      Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

      Added enum value:

      • user_id
PATCH /providers/oauth2/{id}/
Request:

Changed content type : application/json

  • Changed property sub_mode (string)

    Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

    Added enum value:

    • user_id
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property sub_mode (string)

      Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

      Added enum value:

      • user_id
POST /providers/oauth2/
Request:

Changed content type : application/json

  • Changed property sub_mode (string)

    Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

    Added enum value:

    • user_id
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Changed property sub_mode (string)

      Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

      Added enum value:

      • user_id
GET /providers/oauth2/
Parameters:

Changed: sub_mode in query

Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > OAuth2Provider Serializer

      • Changed property sub_mode (string)

        Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

        Added enum value:

        • user_id
GET /oauth2/authorization_codes/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property provider (object)

      OAuth2Provider Serializer

      • Changed property sub_mode (string)

        Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

        Added enum value:

        • user_id
GET /oauth2/refresh_tokens/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property provider (object)

      OAuth2Provider Serializer

      • Changed property sub_mode (string)

        Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

        Added enum value:

        • user_id
GET /oauth2/authorization_codes/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant

      • Changed property provider (object)

        OAuth2Provider Serializer

        • Changed property sub_mode (string)

          Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

          Added enum value:

          • user_id
GET /oauth2/refresh_tokens/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for BaseGrantModel and RefreshToken

      • Changed property provider (object)

        OAuth2Provider Serializer

        • Changed property sub_mode (string)

          Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

          Added enum value:

          • user_id
GET /stages/prompt/prompts/{prompt_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • name

    • Added property name (string)
PUT /stages/prompt/prompts/{prompt_uuid}/
Request:

Changed content type : application/json

New required properties:

  • name
  • Added property name (string)
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • name

    • Added property name (string)
PATCH /stages/prompt/prompts/{prompt_uuid}/
Request:

Changed content type : application/json

  • Added property name (string)
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • name

    • Added property name (string)
POST /stages/prompt/prompts/
Request:

Changed content type : application/json

New required properties:

  • name
  • Added property name (string)
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    New required properties:

    • name

    • Added property name (string)
GET /stages/prompt/prompts/
Parameters:

Added: name in query

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Prompt Serializer

      New required properties:

      • name

      • Added property name (string)