diff --git a/website/docs/releases/2023/v2023.1.md b/website/docs/releases/2023/v2023.1.md index e1bc12a61..a53c11ead 100644 --- a/website/docs/releases/2023/v2023.1.md +++ b/website/docs/releases/2023/v2023.1.md @@ -15,6 +15,14 @@ slug: "/releases/2023.1" authentik now supports SAML SLO (Single logout). +- Proxy provider now accepts HTTP Basic and Bearer authentication + + See [Header authentication](../../providers/proxy/header_authentication.md). + +- LDAP provider now works with Code-based MFA stages + + If the configured authentication flow has an authenticator validation stage which allows code-based devices, and the user attempting to login has a TOTP or Static device, they can enter their password followed by a semicolon and the authenticator code to login. SMS devices are not supported. + ## Upgrading This release does not introduce any new requirements. 
@@ -35,6 +43,801 @@ image: ## Minor changes/fixes +- \*: strip leading and trailing whitespace when reading config values from files +- admin: include task duration in API (#4428) +- blueprints: Add `!Enumerate`, `!Value` and `!Index` tags (#4338) +- blueprints: Fix resolve model_name in `!Find` tag (#4371) +- blueprints: internal storage (#4397) +- crypto: prevent creation of duplicate self-signed default certs +- events: rework metrics (#4407) +- internal: check certificate value and not IsSet +- internal: fix race condition with config loading on startup, add index on debug server +- outposts: use common config loader for outposts to support loading values from file +- polices/hibp: remove deprecated (#4363) +- providers/ldap: add code-MFA support for ldap provider (#4354) +- providers/oauth2: correctly fill claims_supported based on selected scopes (#4429) +- providers/oauth2: don't allow spaces in scope_name +- providers/proxy: add initial header token auth (#4421) +- providers/proxy: add tests for proxy basic auth (#4357) +- providers/saml: initial SLO implementation (#2346) +- root: show error when geoIP download fails +- sources/ldap: don't run membership sync if group sync is disabled +- sources/ldap: make task timeout adjustable +- sources/ldap: only warn about missing groups when source is configured to sync groups +- stages/user_write: add more user creation options (#4367) +- web: add core-js polyfill for safari +- web: migrate checkbox to switch (#4409) +- web/admin: fix certificate filtering for LDAP verification certificate +- web/admin: fix overflow in aggregate cards +- web/admin: link impersonation user for events +- web/admin: rework admin dashboard, add more links, remove user and group graphs (#4399) +- web/admin: show GeoIP information inline in events +- web/elements: fix pagination page button colours in dark mode +- web/elements: use correct Action Label for user related events + ## API Changes -_Insert output of `make gen-diff` here_ 
+#### What's Deleted + +--- + +##### `GET` /policies/haveibeenpwned/ + +##### `POST` /policies/haveibeenpwned/ + +##### `GET` /policies/haveibeenpwned/{policy_uuid}/ + +##### `PUT` /policies/haveibeenpwned/{policy_uuid}/ + +##### `DELETE` /policies/haveibeenpwned/{policy_uuid}/ + +##### `PATCH` /policies/haveibeenpwned/{policy_uuid}/ + +##### `GET` /policies/haveibeenpwned/{policy_uuid}/used_by/ + +#### What's Changed + +--- + +##### `GET` /admin/metrics/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + New required properties: + + - `authorizations` + - `logins` + - `logins_failed` + + New optional properties: + + - `authorizations_per_1h` + - `logins_failed_per_1h` + - `logins_per_1h` + + * Added property `logins` (array) + + Items (object): > Coordinates for diagrams + + - Property `x_cord` (integer) + + - Property `y_cord` (integer) + + * Added property `logins_failed` (array) + + * Added property `authorizations` (array) + + * Deleted property `logins_per_1h` (array) + + * Deleted property `logins_failed_per_1h` (array) + + * Deleted property `authorizations_per_1h` (array) + +##### `GET` /core/users/{id}/metrics/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + New required properties: + + - `authorizations` + - `logins` + - `logins_failed` + + New optional properties: + + - `authorizations_per_1h` + - `logins_failed_per_1h` + - `logins_per_1h` + + * Added property `logins` (array) + + * Added property `logins_failed` (array) + + * Added property `authorizations` (array) + + * Deleted property `logins_per_1h` (array) + + * Deleted property `logins_failed_per_1h` (array) + + * Deleted property `authorizations_per_1h` (array) + +##### `GET` /managed/blueprints/{instance_uuid}/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + New optional properties: + + - `path` + + * Added property 
`content` (string) + +##### `PUT` /managed/blueprints/{instance_uuid}/ + +###### Request: + +Changed content type : `application/json` + +New optional properties: + +- `path` + +* Added property `content` (string) + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + New optional properties: + + - `path` + + * Added property `content` (string) + +##### `PATCH` /managed/blueprints/{instance_uuid}/ + +###### Request: + +Changed content type : `application/json` + +- Added property `content` (string) + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + New optional properties: + + - `path` + + * Added property `content` (string) + +##### `POST` /managed/blueprints/{instance_uuid}/apply/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + New optional properties: + + - `path` + + * Added property `content` (string) + +##### `GET` /policies/event_matcher/{policy_uuid}/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + - Changed property `app` (string) + + > Match events created by selected application. When left empty, all applications are matched. + + Removed enum value: + + - `authentik.policies.hibp` + +##### `PUT` /policies/event_matcher/{policy_uuid}/ + +###### Request: + +Changed content type : `application/json` + +- Changed property `app` (string) + + > Match events created by selected application. When left empty, all applications are matched. + + Removed enum value: + + - `authentik.policies.hibp` + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + - Changed property `app` (string) + + > Match events created by selected application. When left empty, all applications are matched. 
+ + Removed enum value: + + - `authentik.policies.hibp` + +##### `PATCH` /policies/event_matcher/{policy_uuid}/ + +###### Request: + +Changed content type : `application/json` + +- Changed property `app` (string) + + > Match events created by selected application. When left empty, all applications are matched. + + Removed enum value: + + - `authentik.policies.hibp` + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + - Changed property `app` (string) + + > Match events created by selected application. When left empty, all applications are matched. + + Removed enum value: + + - `authentik.policies.hibp` + +##### `GET` /propertymappings/scope/{pm_uuid}/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + - Changed property `scope_name` (string) + > Scope name requested by the client + +##### `PUT` /propertymappings/scope/{pm_uuid}/ + +###### Request: + +Changed content type : `application/json` + +- Changed property `scope_name` (string) + > Scope name requested by the client + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + - Changed property `scope_name` (string) + > Scope name requested by the client + +##### `PATCH` /propertymappings/scope/{pm_uuid}/ + +###### Request: + +Changed content type : `application/json` + +- Changed property `scope_name` (string) + > Scope name requested by the client + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + - Changed property `scope_name` (string) + > Scope name requested by the client + +##### `GET` /providers/proxy/{id}/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + New required properties: + + - `client_id` + + * Added property `client_id` (string) + + * Added property `jwks_sources` (array) + + Items (string): + +##### `PUT` 
/providers/proxy/{id}/ + +###### Request: + +Changed content type : `application/json` + +- Added property `jwks_sources` (array) + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + New required properties: + + - `client_id` + + * Added property `client_id` (string) + + * Added property `jwks_sources` (array) + +##### `PATCH` /providers/proxy/{id}/ + +###### Request: + +Changed content type : `application/json` + +- Added property `jwks_sources` (array) + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + New required properties: + + - `client_id` + + * Added property `client_id` (string) + + * Added property `jwks_sources` (array) + +##### `GET` /admin/system_tasks/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + Changed items (object): > Serialize TaskInfo and TaskResult + + New required properties: + + - `task_duration` + + * Added property `task_duration` (integer) + +##### `GET` /admin/system_tasks/{id}/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + New required properties: + + - `task_duration` + + * Added property `task_duration` (integer) + +##### `POST` /managed/blueprints/ + +###### Request: + +Changed content type : `application/json` + +New optional properties: + +- `path` + +* Added property `content` (string) + +###### Return Type: + +Changed response : **201 Created** + +- Changed content type : `application/json` + + New optional properties: + + - `path` + + * Added property `content` (string) + +##### `GET` /managed/blueprints/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + - Changed property `results` (array) + + Changed items (object): > Info about a single blueprint instance file + + New optional properties: + + - `path` + + * Added property `content` (string) + 
+##### `POST` /policies/event_matcher/ + +###### Request: + +Changed content type : `application/json` + +- Changed property `app` (string) + + > Match events created by selected application. When left empty, all applications are matched. + + Removed enum value: + + - `authentik.policies.hibp` + +###### Return Type: + +Changed response : **201 Created** + +- Changed content type : `application/json` + + - Changed property `app` (string) + + > Match events created by selected application. When left empty, all applications are matched. + + Removed enum value: + + - `authentik.policies.hibp` + +##### `GET` /policies/event_matcher/ + +###### Parameters: + +Changed: `app` in `query` + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + - Changed property `results` (array) + + Changed items (object): > Event Matcher Policy Serializer + + - Changed property `app` (string) + + > Match events created by selected application. When left empty, all applications are matched. 
+ + Removed enum value: + + - `authentik.policies.hibp` + +##### `POST` /propertymappings/scope/ + +###### Request: + +Changed content type : `application/json` + +- Changed property `scope_name` (string) + > Scope name requested by the client + +###### Return Type: + +Changed response : **201 Created** + +- Changed content type : `application/json` + + - Changed property `scope_name` (string) + > Scope name requested by the client + +##### `GET` /propertymappings/scope/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + - Changed property `results` (array) + + Changed items (object): > ScopeMapping Serializer + + - Changed property `scope_name` (string) + > Scope name requested by the client + +##### `POST` /providers/proxy/ + +###### Request: + +Changed content type : `application/json` + +- Added property `jwks_sources` (array) + +###### Return Type: + +Changed response : **201 Created** + +- Changed content type : `application/json` + + New required properties: + + - `client_id` + + * Added property `client_id` (string) + + * Added property `jwks_sources` (array) + +##### `GET` /providers/proxy/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + - Changed property `results` (array) + + Changed items (object): > ProxyProvider Serializer + + New required properties: + + - `client_id` + + * Added property `client_id` (string) + + * Added property `jwks_sources` (array) + +##### `GET` /providers/saml/{id}/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + New required properties: + + - `url_slo_post` + - `url_slo_redirect` + + * Added property `url_slo_post` (string) + + * Added property `url_slo_redirect` (string) + +##### `PUT` /providers/saml/{id}/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + New required properties: + + - 
`url_slo_post` + - `url_slo_redirect` + + * Added property `url_slo_post` (string) + + * Added property `url_slo_redirect` (string) + +##### `PATCH` /providers/saml/{id}/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + New required properties: + + - `url_slo_post` + - `url_slo_redirect` + + * Added property `url_slo_post` (string) + + * Added property `url_slo_redirect` (string) + +##### `GET` /sources/ldap/{slug}/sync_status/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + Changed items (object): > Serialize TaskInfo and TaskResult + + New required properties: + + - `task_duration` + + * Added property `task_duration` (integer) + +##### `POST` /providers/saml/ + +###### Return Type: + +Changed response : **201 Created** + +- Changed content type : `application/json` + + New required properties: + + - `url_slo_post` + - `url_slo_redirect` + + * Added property `url_slo_post` (string) + + * Added property `url_slo_redirect` (string) + +##### `GET` /providers/saml/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + - Changed property `results` (array) + + Changed items (object): > SAMLProvider Serializer + + New required properties: + + - `url_slo_post` + - `url_slo_redirect` + + * Added property `url_slo_post` (string) + + * Added property `url_slo_redirect` (string) + +##### `GET` /sources/oauth/ + +###### Parameters: + +Added: `has_jwks` in `query` + +> Only return sources with JWKS data + +##### `GET` /stages/user_write/{stage_uuid}/ + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + - Added property `user_creation_mode` (string) + + Enum values: + + - `never_create` + - `create_when_required` + - `always_create` + + - Deleted property `can_create_users` (boolean) + > When set, this stage can create users. 
If not enabled and no user is available, stage will fail. + +##### `PUT` /stages/user_write/{stage_uuid}/ + +###### Request: + +Changed content type : `application/json` + +- Added property `user_creation_mode` (string) + +- Deleted property `can_create_users` (boolean) + > When set, this stage can create users. If not enabled and no user is available, stage will fail. + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + - Added property `user_creation_mode` (string) + + - Deleted property `can_create_users` (boolean) + > When set, this stage can create users. If not enabled and no user is available, stage will fail. + +##### `PATCH` /stages/user_write/{stage_uuid}/ + +###### Request: + +Changed content type : `application/json` + +- Added property `user_creation_mode` (string) + +- Deleted property `can_create_users` (boolean) + > When set, this stage can create users. If not enabled and no user is available, stage will fail. + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + - Added property `user_creation_mode` (string) + + - Deleted property `can_create_users` (boolean) + > When set, this stage can create users. If not enabled and no user is available, stage will fail. + +##### `POST` /stages/user_write/ + +###### Request: + +Changed content type : `application/json` + +- Added property `user_creation_mode` (string) + +- Deleted property `can_create_users` (boolean) + > When set, this stage can create users. If not enabled and no user is available, stage will fail. + +###### Return Type: + +Changed response : **201 Created** + +- Changed content type : `application/json` + + - Added property `user_creation_mode` (string) + + - Deleted property `can_create_users` (boolean) + > When set, this stage can create users. If not enabled and no user is available, stage will fail. 
+ +##### `GET` /stages/user_write/ + +###### Parameters: + +Added: `user_creation_mode` in `query` + +Deleted: `can_create_users` in `query` + +###### Return Type: + +Changed response : **200 OK** + +- Changed content type : `application/json` + + - Changed property `results` (array) + + Changed items (object): > UserWriteStage Serializer + + - Added property `user_creation_mode` (string) + + - Deleted property `can_create_users` (boolean) + > When set, this stage can create users. If not enabled and no user is available, stage will fail.
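Review bot: in the first hunk, the LDAP code-MFA bullet leaves the delimiter handling ambiguous: it says the user enters "their password followed by a semicolon and the authenticator code", but not how the split is done when the password itself contains a semicolon, nor whether the separator is configurable; a single sentence stating the parsing rule would avoid support questions, and the device list should say explicitly that only TOTP and Static devices are accepted rather than only that SMS is unsupported. Minor wording: "attempting to login" and "to login" should read "log in" (verb). For the proxy bullet, confirm that `../../providers/proxy/header_authentication.md` is added in the same change so the new link does not dangle.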
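Review bot: in the second hunk, the "Upgrading" section still states "This release does not introduce any new requirements", yet the generated API diff documents removals that will break existing API clients and blueprints: the whole `/policies/haveibeenpwned/` endpoint family is deleted, `authentik.policies.hibp` is removed from the event matcher `app` enum, and `can_create_users` on user_write stages (body property and `query` parameter) is deleted in favour of `user_creation_mode`. Suggest adding a short breaking-changes list under "Upgrading" telling admins to replace HIBP policies and update blueprints or automation that sets `can_create_users` before upgrading, with the three `user_creation_mode` values (`never_create`, `create_when_required`, `always_create`) named as the migration targets. Two smaller points: "polices/hibp" in the minor changes list should read "policies/hibp", and the `scope_name` entries under `/propertymappings/scope/` record no actual change beyond the description, so they can be trimmed from the `make gen-diff` output to keep the section readable.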