--- title: Release 2022.1 slug: "/releases/2022.1" --- ## Breaking changes This release mostly removes legacy fields and features that have been deprecated for several releases. - LDAP Outposts: This release removes the `accountStatus` and `superuser` fields. Use the direct replacements `goauthentik.io/ldap/active` and `goauthentik.io/ldap/superuser`. - Proxy Outposts: This release consolidates headers sent by authentik to have a common prefix. The following headers have been removed: - X-Auth-Username, use `X-authentik-username` - X-Auth-Groups, use `X-authentik-groups` - X-Forwarded-Email, use `X-authentik-email` - X-Forwarded-Preferred-Username, use `X-authentik-username` - X-Forwarded-User, use `X-authentik-uid` The proxy now also sets the host header based on what is configured as upstream in the proxy provider. The original Host is forwarded as `X-Forwarded-Host`. Additionally, the header requirements for nginx have changed. Either a `X-Original-URL` or `X-Original-URI` header are now required. See the [_Proxy provider_](../providers/proxy/forward_auth) documentation for updated snippets. - API: The deprecated /api/v2beta/ Endpoint is removed. Use `/api/v3/`. - Backup: The integrated backup has been deprecated for the following reasons: - Difficulty with restores not working properly - Inflexible configuration (fixed retention, limited to once a day, only S3 supported) - Most users will already have an existing backup infrastructure ## Minor changes/fixes - core: dont return 404 when trying to view key of expired token - crypto: fully parse certificate on validation in serializer to prevent invalid certificates from being saved - flows: handle error if flow title contains invalid format string - internal: route traffic to proxy providers based on cookie domain when multiple domain-level providers exist - internal: use math.MaxInt for compatibility - lifecycle: add early check for missing/invalid secret key - outposts/proxyv2: allow access to /outpost.goauthentik.io urls in forward auth mode to make routing in nginx/traefik easier - outposts/proxyv2: fix before-redirect url not being saved in proxy mode - outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost - providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard - root: allow customisation of ports in compose without override - root: decrease to 10 backup history - root: fix backups running every minute instead of once - stages/authenticator_webauthn: make more WebAuthn options configurable - web: add polyfill for Intl.ListFormat - web: directly read csrf token before injecting into request - web: fix double plural in label - web/admin: also set embedded outpost host when it doesn't include scheme - web/admin: fix missing configure flow setting on webuahtn setup stage form - web/flows: remove node directly instead of using removeChild() ## Fixed in 2022.1.2 - internal/proxyv2: only allow access to /outpost.goauthentik.io in nginx mode when forward url could be extracted - lib: disable backup by default, add note to configuration - lifecycle: replace lowercase, deprecated prometheus_multiproc_dir - outposts: allow custom label for docker containers - policies/hibp: ensure password is encodable - providers/proxy: add PathPrefix to auto-traefik labels - root: upgrade python dependencies ## Fixed in 2022.1.3 - internal: add support for X-Original-URL - internal: add optional debug server listening on 9900 - internal: don't override server header - internal: start adding tests to outpost - lifecycle: make secret_key warning more prominent - lifecycle: wait for db in worker - outposts/ldap: Fix more case sensitivity issues. (#2144) - outposts/proxy: add more test cases for domain-level auth - outposts/proxy: fix potential empty redirect, add tests - outposts/proxy: trace full headers to debug - providers/proxy: fix traefik label - root: add max-requests for gunicorn and max tasks for celery - root: fix redis passwords not being encoded correctly - web/admin: fix links which look like labels - web/admin: fix SMS Stage form not working ## Fixed in 2022.1.4 - core: fix view_token permission not being assigned on token creation for non-admin user - lifecycle: remove gunicorn reload option - lifecycle: send analytics in gunicorn config to decrease outgoing requests when workers get restarted - providers/proxy: add support for X-Original-URI in nginx, better handle missing headers and report errors to authentik - providers/proxy: don't include hostname and scheme in redirect when we only got a path and not a full URL - providers/proxy: fix routing for external_host when using forward_auth_domain - providers/proxy: set traefik labels using object_naming_template instead of UUID - sources/ldap: add list_flatten function to property mappings, enable on managed LDAP mappings - web: add es locale - web: add pl locale - web/admin: only check first half of locale when detecting - web/flows: fix width on flow container - web/user: include locale code in locale selection ## Fixed in 2022.1.5 - build(deps): bump uvicorn from 0.17.1 to 0.17.3 (#2229) - core: allow formatting strings to be used for applications' launch URLs - internal: don't attempt to lookup SNI Certificate if no SNI is sent - internal: fix CSRF error caused by Host header - internal: improve error handling for internal reverse proxy - internal: remove uvicorn server header - internal: trace headers and url for backend requests - outposts: fix channel not always having a logger attribute - outposts: fix compare_ports to support both service and container ports - outposts: fix service reconciler re-creating services - outposts: remove node_port on V1ServicePort checks to prevent service creation loops - providers/proxy: fix Host/:Authority not being modified - providers/proxy: fix nil error in claims - providers/proxy: improve error handling for invalid backend_override - sources/ldap: log entire exception - sources/saml: fix incorrect ProtocolBinding being sent - sources/saml: fix server error - stages/authenticator_validate: handle non-existent device_challenges - web/admin: fix mismatched icons in overview and lists ## Upgrading This release does not introduce any new requirements. ### docker-compose Download the docker-compose file for 2022.1 from [here](https://goauthentik.io/version/2022.1/docker-compose.yml). Afterwards, simply run `docker-compose up -d`. ### Kubernetes Update your values to use the new images: ```yaml image: repository: ghcr.io/goauthentik/server tag: 2022.1.1 ```