--- title: Release 2023.2 - Signout and Avatar improvements slug: "/releases/2023.2" --- ## New features - Proxy provider logout improvements In previous versions, logging out of a single proxied application would only invalidate that application's session. Starting with this release, when logging out of a proxied application (via the _/outpost.goauthentik.io/sign_out_ URL), all the users session within the outpost are terminated. Sessions in other outposts and with other protocols are unaffected. Additionally, different providers now have different cookies, instead of all using the same "authentik_proxy" token. - UX Improvements As with the previous improvements, we've made a lot of minor improvements to the general authentik UX to make your life easier. - OAuth2 Provider improvements The OAuth2 provider has been reworked to be closer to OAuth specifications and better support refresh tokens and offline access. Additionally the expiry for access tokens and refresh tokens can be adjusted separately now. - Generated avatars, multiple avatar modes authentik now supports multiple avatar modes, and will use the next configured mode when a mode doesn't have an avatar. For example, the new default configuration attempts to use gravatar, but if the user's email does not have a gravatar setup, it will instead use the new generated avatars. See [Configuration](../../installation/configuration.md#authentik_avatars) ## Upgrading This release does not introduce any new requirements. ### docker-compose Download the docker-compose file for 2023.2 from [here](https://goauthentik.io/version/2023.2/docker-compose.yml). Afterwards, simply run `docker-compose up -d`. ### Kubernetes Update your values to use the new images: ```yaml image: repository: ghcr.io/goauthentik/server tag: 2023.2.0 ``` ## Minor changes/fixes - \*/saml: disable pretty_print, add signature tests - blueprints: don't update default tenant - blueprints: handle error when blueprint entry identifier field does not exist - core: Add support for auto generating unique avatars based on the user's initials (#4663) - core: delete session when user is set to inactive - core: fix inconsistent branding in end_session view - core: fix missing uniqueness validator on user api - core: fix token's set_key accessing data incorrectly - events: dont log oauth temporary model creation - events: improve sanitising for tuples and sets - events: prevent error when request fails without response - internal: better error message when outpost API controller couldn't fetch outposts - internal: fix cache-control header - policies/event_matcher: fix empty app label not being allowed, require at least 1 criteria - providers/ldap: add unbind flow execution (#4484) - providers/ldap: fix error not being checked correctly when fetching users - providers/oauth2: add user id as "sub" mode - providers/oauth2: don't use policy cache for token requests - providers/oauth2: only set auth_time in ID token when a login event is stored in the session - providers/oauth2: optimise client credentials JWT database lookup (#4606) - providers/oauth2: rework OAuth2 Provider (#4652) - providers/proxy: add token support for basic auth - providers/proxy: different cookie name based on hashed client id (#4666) - providers/proxy: outpost wide logout implementation (#4605) - providers/saml: fix invalid SAML provider metadata, add schema tests - providers/saml: fix mismatched SAML SLO Urls (#4655) - stages/authenticator_validate: fix error with passwordless webauthn login - stages/prompt: field name (#4497) - stages/user_write: fix migration setting wrong value, fix form - web: fix token delete form not showing token identifiers - web/admin: add notice for user_login stage session cookie behaviour - web/admin: clarify access code expiration - web/admin: default to disable policy execution logging - web/admin: fix certificate filtering for SAML verification certificate - web/admin: rework event info page to show all event infos - web/elements: add dropdown css to DOM directly instead of including - web/elements: fix ak-expand not using correct font - web/elements: fix clashing page url param - web/elements: improve codemirror contrast in dark theme - web/elements: make table rows clickable to select items - web/elements: persist table page in URL parameters - web/flows: fix flow background overlay on firefox - web/user: filter tokens by username - web/user: refactor loading of data in userinterface ## Fixed in 2023.2.1 - internal: fix scheme not being forwarded correctly for host intercepted requests - sources/ldap: add LDAP Debug endpoint - web/admin: improve action button spinner on ldap source page - web/admin: remove groups and users from users and group form to prevent accidental removal when updating - web/admin: use full page size for modals ## Fixed in 2023.2.2 - flows: include flow authentication requirement in diagram - lib: don't try to cache generated avatar with full user, only cache with name - providers/ldap: check MFA password on password stage - providers/proxy: fix client credential flows not using http interceptor - providers/proxy: fix value is too long with filesystem sessions - root: use channel send workaround for sync sending of websocket messages - web/admin: fix error when creating new users - web/user: revert truncate behaviour for application description ## Fixed in 2023.2.3 - \*: fix [CVE-2023-26481](../security/CVE-2023-26481), Reported by [@fuomag9](https://github.com/fuomag9) ## API Changes #### What's New --- ##### `POST` /admin/system/ #### What's Changed --- ##### `POST` /core/tokens/{identifier}/set_key/ ##### `GET` /providers/oauth2/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `sub_mode` (string) > Configure what data should be used as unique User Identifier. For most cases, the default should be fine. Added enum value: - `user_id` ##### `PUT` /providers/oauth2/{id}/ ###### Request: Changed content type : `application/json` - Changed property `sub_mode` (string) > Configure what data should be used as unique User Identifier. For most cases, the default should be fine. Added enum value: - `user_id` ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `sub_mode` (string) > Configure what data should be used as unique User Identifier. For most cases, the default should be fine. Added enum value: - `user_id` ##### `PATCH` /providers/oauth2/{id}/ ###### Request: Changed content type : `application/json` - Changed property `sub_mode` (string) > Configure what data should be used as unique User Identifier. For most cases, the default should be fine. Added enum value: - `user_id` ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `sub_mode` (string) > Configure what data should be used as unique User Identifier. For most cases, the default should be fine. Added enum value: - `user_id` ##### `POST` /providers/oauth2/ ###### Request: Changed content type : `application/json` - Changed property `sub_mode` (string) > Configure what data should be used as unique User Identifier. For most cases, the default should be fine. Added enum value: - `user_id` ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` - Changed property `sub_mode` (string) > Configure what data should be used as unique User Identifier. For most cases, the default should be fine. Added enum value: - `user_id` ##### `GET` /providers/oauth2/ ###### Parameters: Changed: `sub_mode` in `query` > Configure what data should be used as unique User Identifier. For most cases, the default should be fine. ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > OAuth2Provider Serializer - Changed property `sub_mode` (string) > Configure what data should be used as unique User Identifier. For most cases, the default should be fine. Added enum value: - `user_id` ##### `GET` /oauth2/authorization_codes/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `provider` (object) > OAuth2Provider Serializer - Changed property `sub_mode` (string) > Configure what data should be used as unique User Identifier. For most cases, the default should be fine. Added enum value: - `user_id` ##### `GET` /oauth2/refresh_tokens/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `provider` (object) > OAuth2Provider Serializer - Changed property `sub_mode` (string) > Configure what data should be used as unique User Identifier. For most cases, the default should be fine. Added enum value: - `user_id` ##### `GET` /oauth2/authorization_codes/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant - Changed property `provider` (object) > OAuth2Provider Serializer - Changed property `sub_mode` (string) > Configure what data should be used as unique User Identifier. For most cases, the default should be fine. Added enum value: - `user_id` ##### `GET` /oauth2/refresh_tokens/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > Serializer for BaseGrantModel and RefreshToken - Changed property `provider` (object) > OAuth2Provider Serializer - Changed property `sub_mode` (string) > Configure what data should be used as unique User Identifier. For most cases, the default should be fine. Added enum value: - `user_id` ##### `GET` /stages/prompt/prompts/{prompt_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New required properties: - `name` * Added property `name` (string) ##### `PUT` /stages/prompt/prompts/{prompt_uuid}/ ###### Request: Changed content type : `application/json` New required properties: - `name` * Added property `name` (string) ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New required properties: - `name` * Added property `name` (string) ##### `PATCH` /stages/prompt/prompts/{prompt_uuid}/ ###### Request: Changed content type : `application/json` - Added property `name` (string) ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New required properties: - `name` * Added property `name` (string) ##### `POST` /stages/prompt/prompts/ ###### Request: Changed content type : `application/json` New required properties: - `name` * Added property `name` (string) ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` New required properties: - `name` * Added property `name` (string) ##### `GET` /stages/prompt/prompts/ ###### Parameters: Added: `name` in `query` ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > Prompt Serializer New required properties: - `name` * Added property `name` (string)