--- title: Release 2022.7 slug: "2022.7" --- ## Breaking changes - Removal of verification certificates for Machine-to-Machine authentication in OAuth 2 Provider Instead, create an OAuth Source with the certificate configured as JWKS Data, and enable the source in the provider. - Maximum Limit of group recursion In earlier versions, cyclic group relations can lead to a deadlock when one of groups in the relationship are bound to an application/flow/etc. This is now limited to 20 levels of recursion. ## New features - User paths To better organize users, they can now be assigned a path. This allows for organization of users based on sources they enrolled with/got imported from, organizational structure or any other structure. Sources now have a path template to specify which path users created by it should be assigned. Additionally, you can set the path in the user_write stage in any flow, and it can be dynamically overwritten within a flow's context. - API Authentication using JWT OAuth Refresh tokens that have been issued with the scope `goauthentik.io/api` can now be used to authenticate to the API on behalf of the user the token belongs to. - Version-family tagged Container images Instead of having to choose between using the `:latest` tag and explicit versions like `:2022.7.1`, there are now also version-family tags (:2022.7). This allows for sticking with a single version but still getting bugfix updates. - OAuth2 Provider default Scopes Starting with authentik 2022.7, when an OAuth client doesn't specify any scopes, authentik will treat the request as if all the configured scopes of that provider had been requested. Normal consent is still required depending on the configured flow. No special scopes will be added, as those can't be selected in the configuration. ## Minor changes/fixes - api: add basic jwt support with required scope (#2624) - ci: add version family (#3059) - core: add limit of 20 to group recursion - core: fix migrations when creating bootstrap token - core: trigger bootstrap tasks in server if we're debugging - core: user paths (#3085) - internal: dont sample gunicorn proxied requests - internal: failback with self-signed cert if cert for tenant fails to load - internal: fix routing to embedded outpost - internal: skip tracing for go healthcheck and metrics endpoints - lifecycle: fix confusing success messages in startup healthiness check - lifecycle: run bootstrap tasks inline when using automated install - lifecycle: Update postgres healthcheck for compose with user information (#3143) - policies: consolidate log user and application - providers/oauth2: dont lowercase URL for token requests (#3114) - providers/oauth2: fix OAuth form_post response mode for code response_type - providers/oauth2: if a redirect_uri cannot be parsed as regex, compare strict (#3070) - providers/oauth2: remove deprecated verification_keys (#3071) - providers/oauth2: token revoke (#3077) - providers/proxy: only send misconfiguration event once - web/admin: link bound group under policies - web/admin: only pre-select oauth2 provider key if creating a new instance - web/admin: remove invalid requirement for usernames - web/elements: add spinner when loading dynamic routes - web/flows: add divider to identification stage for security key - web/flows: fix error when webauthn operations failed and user retries - web/flows: remove autofocus from password field of identifications stage - web/flows: statically import webauthn-related stages for safari issues ## Upgrading This release does not introduce any new requirements. ### docker-compose Download the docker-compose file for 2022.7 from [here](https://goauthentik.io/version/2022.7/docker-compose.yml). Afterwards, simply run `docker-compose up -d`. ### Kubernetes Update your values to use the new images: ```yaml image: repository: ghcr.io/goauthentik/server tag: 2022.7.1 ```