Release 2023.3 - SCIM support

New features

• SCIM support

  info

  This feature is still in technical preview, so please report any Bugs you run into on GitHub.

  authentik can now provision users into other IT systems via the SCIM (System for Cross-domain Identity Management) protocol. The provider synchronizes Users, Groups and the user membership. Objects are synced both when they are saved and based on a pre-defined schedule in the background.

  Documentation: SCIM Provider

• Theming improvements

  • The custom.css file is now loaded in ShadowDOMs, allowing for much greater customization, as previously it was only possible to style elements outside of the ShadowDOM. See docs for Flow, User and Admin interfaces.
  • Previously, authentik would automatically switch between dark and light theme based on the users' browsers' settings. This can now be overridden to either force the light or dark theme, per user/group/tenant. See docs for Flow, User and Admin interfaces.

Upgrading

This release does not introduce any new requirements.

docker-compose

Download the docker-compose.yml file for 2023.3 from here. Afterwards, simply run docker-compose up -d.

Kubernetes

Update your values to use the new images:

image:
    repository: ghcr.io/goauthentik/server
    tag: 2023.3.0

Minor changes/fixes included in release 2023.3

• *: add additional Prometheus metrics, remove unusable high entropy metrics
• blueprints: improve error handling in example flow
• core: Add resolve_dns and reverse_dns functions to evaluator (#4769)
• core: bootstrap email (#4788)
• core: enforce unique on names where it makes sense (#4866)
• core: fix bug causing whitespace-only names to raise exception when generating avatars (#4746)
• core: fix error when creating token without request in context
• core: improve service account creation (#4751)
• events: fix m2m_change events not being logged
• events: set task start time before start, not on time of init (#4908)
• flows: change default flow stage binding settings (#4784)
• flows: planner error handling (#4812)
• internal: fix crash when port 9000 is in use (#4863)
• providers: SCIM (#4835)
• providers/ldap: improve compatibility with LDAP clients (#4750)
• providers/ldap: making LDAP compatible with Synology (#4694)
• providers/oauth2: fix missing information for revoked token access events
• providers/oauth2: OpenID conformance (#4758)
• providers/proxy: ensure issuer is correct when browser URL override is set
• providers/proxy: strip scheme when comparing redirect URL
• providers/scim: add option to filter out service accounts, parent group (#4862)
• providers/scim: customizable externalId, document behavior (#4868)
• providers/scim: handle ServiceProviderConfig 404 (#4915)
• root: fix session middleware for websocket connections (#4909)
• sources/ldap: improve error handling for password complexity (#4780)
• sources/oauth: fix not all token errors being logged with response
• sources/plex: fix check_token error unusable if token is empty (#4834)
• stages/authenticator_sms: fix twilio sending (#4829)
• stages/user_login: add option to terminate other sessions (#4754)
• stages/user_login: set session expiry before login (#4920)
• tests/e2e: use example blueprints for testing (#4805)
• web: fetch custom.css via fetch and add stylesheet (#4804)
• web: toggle dark/light theme manually (#4876)
• web/admin: fix chart display with no sources (#4782)
• web/admin: fix issue with wizard's Next button incorrectly disabled when radio button is already selected (#4821)
• web/admin: fix SCIM provider layout (#4919)
• web/admin: workaround for tenant certificate selection being cut off (#4820)
• web/elements: add loading spinner for charts, render middle text with CSS
• web/elements: fix center text not scrolling with container (#4853)
• web/elements: fix copy on insecure origins (#4917)
• web/elements: fix flipped theme in codemirror (#4901)
• web/flows: fix compatibility mode (#4910)
• web/flows: fix fa:// icons in sources not shown correctly
• web/user: fix source connections not being filtered (#4778)

Fixed in 2023.3.1

• *: fix mismatched task names for discovery, make output service connection task monitored (#4956)
• core: fix application launch url validator (#4957)
• providers: fix authorization_flow not required in API (#4932)
• providers/ldap: fix duplicate attributes (#4972)
• providers/oauth2: fix response for response_type code and response_mode fragment (#4975)
• stages/authenticator_webauthn: remove credential_id size limit (#4931)
• web/admin: fix wizards with radio selects not working correctly after use (#4933)
• web/common: fix tab label color on dark theme (#4959)
• web/flows: fix authenticator selector in dark mode (#4974)
• web/user: fix custom user interface background with dark theme (#4960)

API Changes

What's New

---

GET /propertymappings/scim/

POST /propertymappings/scim/

GET /propertymappings/scim/{pm_uuid}/

PUT /propertymappings/scim/{pm_uuid}/

DELETE /propertymappings/scim/{pm_uuid}/

PATCH /propertymappings/scim/{pm_uuid}/

GET /propertymappings/scim/{pm_uuid}/used_by/

GET /providers/scim/

POST /providers/scim/

GET /providers/scim/{id}/

PUT /providers/scim/{id}/

DELETE /providers/scim/{id}/

PATCH /providers/scim/{id}/

GET /providers/scim/{id}/sync_status/

GET /providers/scim/{id}/used_by/

What's Changed

---

POST /core/users/service_account/

Request:

Changed content type : application/json

• Added property expiring (boolean)

• Added property expires (string)

  If not provided, valid for 360 days

GET /policies/event_matcher/{policy_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Added enum value:

    • authentik.providers.scim

PUT /policies/event_matcher/{policy_uuid}/

Request:

Changed content type : application/json

• Changed property app (string)

  Match events created by selected application. When left empty, all applications are matched.

  Added enum value:

  • authentik.providers.scim

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Added enum value:

    • authentik.providers.scim

PATCH /policies/event_matcher/{policy_uuid}/

Request:

Changed content type : application/json

• Changed property app (string)

  Match events created by selected application. When left empty, all applications are matched.

  Added enum value:

  • authentik.providers.scim

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Added enum value:

    • authentik.providers.scim

GET /providers/oauth2/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New optional properties:

  • authorization_flow

PUT /providers/oauth2/{id}/

Request:

Changed content type : application/json

New optional properties:

• authorization_flow

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New optional properties:

  • authorization_flow

PATCH /providers/oauth2/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New optional properties:

  • authorization_flow

GET /providers/proxy/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New optional properties:

  • authorization_flow

PUT /providers/proxy/{id}/

Request:

Changed content type : application/json

New optional properties:

• authorization_flow

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New optional properties:

  • authorization_flow

PATCH /providers/proxy/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New optional properties:

  • authorization_flow

GET /core/groups/{group_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property users_obj (array)

    Changed items (object): > Stripped down user serializer to show relevant users for groups

    New optional properties:

    • avatar

    • Deleted property avatar (string)

PUT /core/groups/{group_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property users_obj (array)

    Changed items (object): > Stripped down user serializer to show relevant users for groups

    New optional properties:

    • avatar

    • Deleted property avatar (string)

PATCH /core/groups/{group_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property users_obj (array)

    Changed items (object): > Stripped down user serializer to show relevant users for groups

    New optional properties:

    • avatar

    • Deleted property avatar (string)

GET /core/tenants/current/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • ui_theme

  • Added property ui_theme (object)

    Enum values:

    • automatic
    • light
    • dark

GET /events/rules/{pbm_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property group_obj (object)

    Group Serializer

    • Changed property users_obj (array)

      Changed items (object): > Stripped down user serializer to show relevant users for groups

      New optional properties:

      • avatar

      • Deleted property avatar (string)

PUT /events/rules/{pbm_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property group_obj (object)

    Group Serializer

    • Changed property users_obj (array)

      Changed items (object): > Stripped down user serializer to show relevant users for groups

      New optional properties:

      • avatar

      • Deleted property avatar (string)

PATCH /events/rules/{pbm_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property group_obj (object)

    Group Serializer

    • Changed property users_obj (array)

      Changed items (object): > Stripped down user serializer to show relevant users for groups

      New optional properties:

      • avatar

      • Deleted property avatar (string)

GET /policies/bindings/{policy_binding_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property group_obj (object)

    Group Serializer

    • Changed property users_obj (array)

      Changed items (object): > Stripped down user serializer to show relevant users for groups

      New optional properties:

      • avatar

      • Deleted property avatar (string)

PUT /policies/bindings/{policy_binding_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property group_obj (object)

    Group Serializer

    • Changed property users_obj (array)

      Changed items (object): > Stripped down user serializer to show relevant users for groups

      New optional properties:

      • avatar

      • Deleted property avatar (string)

PATCH /policies/bindings/{policy_binding_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property group_obj (object)

    Group Serializer

    • Changed property users_obj (array)

      Changed items (object): > Stripped down user serializer to show relevant users for groups

      New optional properties:

      • avatar

      • Deleted property avatar (string)

POST /policies/event_matcher/

Request:

Changed content type : application/json

• Changed property app (string)

  Match events created by selected application. When left empty, all applications are matched.

  Added enum value:

  • authentik.providers.scim

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Added enum value:

    • authentik.providers.scim

GET /policies/event_matcher/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > Event Matcher Policy Serializer

    • Changed property app (string)

      Match events created by selected application. When left empty, all applications are matched.

      Added enum value:

      • authentik.providers.scim

GET /providers/ldap/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New optional properties:

  • authorization_flow

PUT /providers/ldap/{id}/

Request:

Changed content type : application/json

New optional properties:

• authorization_flow

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New optional properties:

  • authorization_flow

PATCH /providers/ldap/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New optional properties:

  • authorization_flow

POST /providers/oauth2/

Request:

Changed content type : application/json

New optional properties:

• authorization_flow

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  New optional properties:

  • authorization_flow

GET /providers/oauth2/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > OAuth2Provider Serializer

    New optional properties:

    • authorization_flow

POST /providers/proxy/

Request:

Changed content type : application/json

New optional properties:

• authorization_flow

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  New optional properties:

  • authorization_flow

GET /providers/proxy/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > ProxyProvider Serializer

    New optional properties:

    • authorization_flow

GET /providers/saml/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New optional properties:

  • authorization_flow

PUT /providers/saml/{id}/

Request:

Changed content type : application/json

New optional properties:

• authorization_flow

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New optional properties:

  • authorization_flow

PATCH /providers/saml/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New optional properties:

  • authorization_flow

GET /stages/invitation/invitations/{invite_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property created_by (object)

    Stripped down user serializer to show relevant users for groups

    New optional properties:

    • avatar

    • Deleted property avatar (string)

PUT /stages/invitation/invitations/{invite_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property created_by (object)

    Stripped down user serializer to show relevant users for groups

    New optional properties:

    • avatar

    • Deleted property avatar (string)

PATCH /stages/invitation/invitations/{invite_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property created_by (object)

    Stripped down user serializer to show relevant users for groups

    New optional properties:

    • avatar

    • Deleted property avatar (string)

POST /core/groups/

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Changed property users_obj (array)

    Changed items (object): > Stripped down user serializer to show relevant users for groups

    New optional properties:

    • avatar

    • Deleted property avatar (string)

GET /core/groups/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > Group Serializer

    • Changed property users_obj (array)

      Changed items (object): > Stripped down user serializer to show relevant users for groups

      New optional properties:

      • avatar

      • Deleted property avatar (string)

POST /events/rules/

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Changed property group_obj (object)

    Group Serializer

    • Changed property users_obj (array)

      Changed items (object): > Stripped down user serializer to show relevant users for groups

      New optional properties:

      • avatar

      • Deleted property avatar (string)

GET /events/rules/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > NotificationRule Serializer

    • Changed property group_obj (object)

      Group Serializer

      • Changed property users_obj (array)

        Changed items (object): > Stripped down user serializer to show relevant users for groups

        New optional properties:

        • avatar

        • Deleted property avatar (string)

GET /flows/bindings/{fsb_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property evaluate_on_plan (boolean)

    Evaluate policies during the Flow planning process.

PUT /flows/bindings/{fsb_uuid}/

Request:

Changed content type : application/json

• Changed property evaluate_on_plan (boolean)

  Evaluate policies during the Flow planning process.

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property evaluate_on_plan (boolean)

    Evaluate policies during the Flow planning process.

PATCH /flows/bindings/{fsb_uuid}/

Request:

Changed content type : application/json

• Changed property evaluate_on_plan (boolean)

  Evaluate policies during the Flow planning process.

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property evaluate_on_plan (boolean)

    Evaluate policies during the Flow planning process.

GET /oauth2/access_tokens/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property provider (object)

    OAuth2Provider Serializer

    New optional properties:

    • authorization_flow

GET /oauth2/authorization_codes/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property provider (object)

    OAuth2Provider Serializer

    New optional properties:

    • authorization_flow

GET /oauth2/refresh_tokens/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property provider (object)

    OAuth2Provider Serializer

    New optional properties:

    • authorization_flow

POST /policies/bindings/

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Changed property group_obj (object)

    Group Serializer

    • Changed property users_obj (array)

      Changed items (object): > Stripped down user serializer to show relevant users for groups

      New optional properties:

      • avatar

      • Deleted property avatar (string)

GET /policies/bindings/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > PolicyBinding Serializer

    • Changed property group_obj (object)

      Group Serializer

      • Changed property users_obj (array)

        Changed items (object): > Stripped down user serializer to show relevant users for groups

        New optional properties:

        • avatar

        • Deleted property avatar (string)

POST /providers/ldap/

Request:

Changed content type : application/json

New optional properties:

• authorization_flow

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  New optional properties:

  • authorization_flow

GET /providers/ldap/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > LDAPProvider Serializer

    New optional properties:

    • authorization_flow

POST /providers/saml/

Request:

Changed content type : application/json

New optional properties:

• authorization_flow

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  New optional properties:

  • authorization_flow

GET /providers/saml/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > SAMLProvider Serializer

    New optional properties:

    • authorization_flow

GET /sources/user_connections/all/

Parameters:

Added: user in query

POST /stages/invitation/invitations/

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Changed property created_by (object)

    Stripped down user serializer to show relevant users for groups

    New optional properties:

    • avatar

    • Deleted property avatar (string)

GET /stages/invitation/invitations/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > Invitation Serializer

    • Changed property created_by (object)

      Stripped down user serializer to show relevant users for groups

      New optional properties:

      • avatar

      • Deleted property avatar (string)

GET /stages/user_login/{stage_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property terminate_other_sessions (boolean)

    Terminate all other sessions of the user logging in.

PUT /stages/user_login/{stage_uuid}/

Request:

Changed content type : application/json

• Added property terminate_other_sessions (boolean)

  Terminate all other sessions of the user logging in.

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property terminate_other_sessions (boolean)

    Terminate all other sessions of the user logging in.

PATCH /stages/user_login/{stage_uuid}/

Request:

Changed content type : application/json

• Added property terminate_other_sessions (boolean)

  Terminate all other sessions of the user logging in.

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property terminate_other_sessions (boolean)

    Terminate all other sessions of the user logging in.

POST /flows/bindings/

Request:

Changed content type : application/json

• Changed property evaluate_on_plan (boolean)

  Evaluate policies during the Flow planning process.

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Changed property evaluate_on_plan (boolean)

    Evaluate policies during the Flow planning process.

GET /flows/bindings/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > FlowStageBinding Serializer

    • Changed property evaluate_on_plan (boolean)

      Evaluate policies during the Flow planning process.

GET /flows/inspector/{flow_slug}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property plans (array)

    Changed items (object): > Serializer for an active FlowPlan

    • Changed property next_planned_stage (object)

      FlowStageBinding Serializer

      • Changed property evaluate_on_plan (boolean)

        Evaluate policies during the Flow planning process.

    • Changed property current_stage (object)

      FlowStageBinding Serializer

      • Changed property evaluate_on_plan (boolean)

        Evaluate policies during the Flow planning process.

GET /oauth2/access_tokens/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > Serializer for BaseGrantModel and RefreshToken

    • Changed property provider (object)

      OAuth2Provider Serializer

      New optional properties:

      • authorization_flow

GET /oauth2/authorization_codes/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant

    • Changed property provider (object)

      OAuth2Provider Serializer

      New optional properties:

      • authorization_flow

GET /oauth2/refresh_tokens/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > Serializer for BaseGrantModel and RefreshToken

    • Changed property provider (object)

      OAuth2Provider Serializer

      New optional properties:

      • authorization_flow

POST /stages/user_login/

Request:

Changed content type : application/json

• Added property terminate_other_sessions (boolean)

  Terminate all other sessions of the user logging in.

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Added property terminate_other_sessions (boolean)

    Terminate all other sessions of the user logging in.

GET /stages/user_login/

Parameters:

Added: terminate_other_sessions in query

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > UserLoginStage Serializer

    • Added property terminate_other_sessions (boolean)

      Terminate all other sessions of the user logging in.