--- title: Release 2021.4 slug: "2021.4" --- ## Headline Changes - Configurable Policy engine mode In the past, all objects, which could have policies attached to them, required *all* policies to pass to consider an action successful. You can now configure if *all* policies need to pass, or if *any* policy needs to pass. This can now be configured for the following objects: - Applications (access restrictions) - Sources - Flows - Flow-stage bindings For backwards compatibility, this is set to *all*, but new objects will default to *any*. - Expiring Events Previously, events would stay in the database forever, and had to eventually be cleaned up manually. This version add expiry to events with a default timeout of 1 Year. This also applies to existing events, and their expiry will be set during the migration. - New UI While the UI mostly looks the same, under the hood a lot has changed. The Web UI is now a Single-page application based on rollup and lit-html. This has several consequences and new features, for example: - You can now see a user's OAuth Access/Refresh tokens and the consents they've given - You can now see a per-object changelog based on the model_create/update/delete events being created. - A new API Browser is available under `https://authentink.company/api/v2beta/` - Several new charts, new pages and quality-of-life improvements - Credentials of objects are no longer shown while editing them - Deprecated Group membership has been removed. ## Minor changes - You can now specify the amount of processes started in docker-compose using the `WORKERS` environment variable. ## Fixed in 2021.4.2 - core: fix propertymapping API returning invalid value for components (https://github.com/goauthentik/authentik/issues/746) - core: improve messaging when creating a recovery link for a user when no recovery flow exists - flows: annotate flows executor 404 error - flows: include configure_flow in stages API - helm: make storage class, size and mode configurable - helm: turn off monitoring by default (https://github.com/goauthentik/authentik/issues/741) - outposts: fix errors when creating multiple outposts - root: add restart: unless-stopped to compose - root: base Websocket message storage on Base not fallback - root: fix healthcheck part in docker-compose - root: fix setting of EMAIL_USE_TLS and EMAIL_USE_SSL - sources/ldap: improve error handling during sync - sources/oauth: fix error when creating an oauth source which has fixed URLs - sources/oauth: fix resolution of sources' provider type - web: fix background-color on router outlet on light mode - web/admin: fix error when user doesn't have permissions to read source - web/admin: fix errors in user profile when non-superuser ## Fixed in 2021.4.3 - *: add model_name to TypeCreate API to distinguish between models sharing a component - api: fix CSRF error when using POST/PATCH/PUT in API Browser - api: make 401 messages clearer - api: mount outposts under outposts/instances to match flows - core: add parameter to output property mapping test result formatted - core: add superuser_full_list to applications list, shows all applications when superuser - core: fix Tokens being created with incorrect intent by default - outposts: don't run outpost_controller when no service connection is set - providers/oauth2: Set CORS Headers for token endpoint, check Origin header against redirect URLs - root: auto-migrate on startup, lock database using pg_advisory_lock - sources/oauth: add login with plex support - sources/oauth: fix redirect loop for source with non-configurable URLs - sources/oauth: save null instead of empty string for sources without configurable URLs - web/admin: add ability to add users to a group whilst creating a group - web/admin: fix default for codemirror - web/admin: fix group member table order - web/admin: fix non-matching provider type being selected when creating an OAuth Source - web/admin: fix provider type resetting when changing provider type - web/admin: fix undefined being shown when viewing application - web/admin: improve default selection for property-mappings ## Fixed in 2021.4.4 - *: make tasks run every 60 minutes not :00 every hour - outposts: check for X-Forwarded-Host to switch context - outposts: improve update performance - outposts: move local connection check to task, run every 60 minutes - providers/oauth2: add proper support for non-http schemes as redirect URIs - providers/oauth2: fix TokenView not having CORS headers set even with proper Origin - sources/oauth: fix error whilst fetching user profile when source uses fixed URLs - sources/oauth: handle error in AzureAD when ID Can't be extracted - stages/user_login: add default backend - web: fix title not being loaded from config - web: only report http errors for 500 and above - web: send response info when response is thrown - web/admin: add description for fields in proxy provider form - web/admin: adjust phrasing of cards on overview page - web/admin: fix display for user supseruser status - web/admin: fix error when me() returns 403 - web/admin: fix error when updating identification stage - web/admin: fix invalid group member count - web/admin: fix link to providers on overview page - web/admin: fix mismatched required tags - web/admin: improve phrasing for Policy bindings - web/admin: only allow policies to be bound to sources as users/groups cannot be checked - web/admin: only pre-select items when creating a new object - web/flows: fix Sentry not being loaded correctly ## Fixed in 2021.4.5 - core: fix text on error pages being hard to read - outposts: only kill docker container if its running - root: add middleware to properly report websocket connection to sentry - root: don't use .error of structlog to not send to sentry - stages/email: catch ValueError when global email settings are invalid - stages/invitation: accept token from prompt_data - stages/invitation: fix token not being loaded correctly from query string - web: fix text-colour for form help text - web: ignore network errors for sentry - web/admin: don't show docker certs as required - web/flows: fix redirect loop when sentry is enabled on flow views - web/flows: include ShadyDOM, always enable ShadyDOM for flow interface, improve compatibility with password - web/flows/identification: fix phrasing account recovery ## Upgrading This release does not introduce any new requirements. ### docker-compose Download the latest docker-compose file from [here](https://raw.githubusercontent.com/goauthentik/authentik/version-2021.4/docker-compose.yml). Afterwards, simply run `docker-compose up -d` and then the standard upgrade command of `docker-compose run --rm server migrate`. ### Kubernetes Run `helm repo update` and then upgrade your release with `helm upgrade authentik authentik/authentik --devel -f values.yaml`.