--- title: Release 2022.11 slug: "/releases/2022.11" --- ## Breaking changes - Have I Been Pwned policy is deprecated The policy has been merged with the password policy which provides the same functionality. Existing Have I Been Pwned policies will automatically be migrated. - Instead of using multiple redis databases, authentik now uses a single redis database This will temporarily loose some cached information after the upgrade, like cached system tasks and policy results. This data will be re-cached in the background. ## New features - authentik now runs on Python 3.11 - Expanded password policy The "Have I been Pwned" policy has been merged into the password policy, and additionally passwords can be checked using [zxcvbn](https://github.com/dropbox/zxcvbn) to provider concise feedback. ## Upgrading This release does not introduce any new requirements. ### docker-compose Download the docker-compose file for 2022.11 from [here](https://goauthentik.io/version/2022.11/docker-compose.yml). Afterwards, simply run `docker-compose up -d`. ### Kubernetes Update your values to use the new images: ```yaml image: repository: ghcr.io/goauthentik/server tag: 2022.11.1 ``` ## Minor changes/fixes - api: fix missing scheme in securitySchemes - blueprints: Fixed bug causing blueprint instance context be discarded (#3990) - core: fix error when propertymappings return complex value - core: simplify group serializer for user API endpoint (#3899) - events: deepcopy event kwargs to prevent objects being removed, remove workaround - events: sanitize generator for json safety - lib: fix complex objects being included in event context for ak_create_event - lifecycle: fix incorrect messages looped - outposts/kubernetes: ingress class (#4002) - policies: only cache policies for authenticated users - policies/password: merge hibp add zxcvbn (#4001) - providers/oauth2: fix inconsistent expiry encoded in JWT - root: make sentry DSN configurable (#4016) - root: relicense and launch blog post - root: use single redis db (#4009) - sources: add custom icon support (#4022) - stages/authenticator\_\*: cleanup - stages/authenticator_validate: add flag to configure user_verification for webauthn devices - stages/invitation: directly delete invitation now that flow plan is saved in email token - web: fix twitter icon - web/flows: always hide static user info when its not set in the flow ## Fixed in 2022.11.1 - blueprints: add desired state attribute to objects (#4061) - core: fix tab-complete in shell - root: fix build on arm64 - stages/email: add test for email translation - web/admin: fix error when importing duo devices - web/admin: reset cookie_domain when setting non-domain forward auth ## Fixed in 2022.11.2 - \*: fix [CVE-2022-46145](../security/CVE-2022-46145), Reported by [@sdimovv](https://github.com/sdimovv) ## Fixed in 2022.11.3 - web: fix Flow Form failing to load due to outdated API client ## Fixed in 2022.11.4 - \*: fix [CVE-2022-46172](../security/CVE-2022-46172), Reported by [@DreamingRaven](https://github.com/DreamingRaven) - \*: fix [CVE-2022-23555](../security/CVE-2022-23555), Reported by [@fuomag9](https://github.com/fuomag9) ## API Changes #### What's Changed --- ##### `GET` /policies/password/{policy_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `check_static_rules` (boolean) - Added property `check_have_i_been_pwned` (boolean) - Added property `check_zxcvbn` (boolean) - Added property `hibp_allowed_count` (integer) > How many times the password hash is allowed to be on haveibeenpwned - Added property `zxcvbn_score_threshold` (integer) > If the zxcvbn score is equal or less than this value, the policy will fail. ##### `PUT` /policies/password/{policy_uuid}/ ###### Request: Changed content type : `application/json` - Added property `check_static_rules` (boolean) - Added property `check_have_i_been_pwned` (boolean) - Added property `check_zxcvbn` (boolean) - Added property `hibp_allowed_count` (integer) > How many times the password hash is allowed to be on haveibeenpwned - Added property `zxcvbn_score_threshold` (integer) > If the zxcvbn score is equal or less than this value, the policy will fail. ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `check_static_rules` (boolean) - Added property `check_have_i_been_pwned` (boolean) - Added property `check_zxcvbn` (boolean) - Added property `hibp_allowed_count` (integer) > How many times the password hash is allowed to be on haveibeenpwned - Added property `zxcvbn_score_threshold` (integer) > If the zxcvbn score is equal or less than this value, the policy will fail. ##### `PATCH` /policies/password/{policy_uuid}/ ###### Request: Changed content type : `application/json` - Added property `check_static_rules` (boolean) - Added property `check_have_i_been_pwned` (boolean) - Added property `check_zxcvbn` (boolean) - Added property `hibp_allowed_count` (integer) > How many times the password hash is allowed to be on haveibeenpwned - Added property `zxcvbn_score_threshold` (integer) > If the zxcvbn score is equal or less than this value, the policy will fail. ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `check_static_rules` (boolean) - Added property `check_have_i_been_pwned` (boolean) - Added property `check_zxcvbn` (boolean) - Added property `hibp_allowed_count` (integer) > How many times the password hash is allowed to be on haveibeenpwned - Added property `zxcvbn_score_threshold` (integer) > If the zxcvbn score is equal or less than this value, the policy will fail. ##### `GET` /core/tokens/{identifier}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `user_obj` (object) > User Serializer - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `PUT` /core/tokens/{identifier}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `user_obj` (object) > User Serializer - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `PATCH` /core/tokens/{identifier}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `user_obj` (object) > User Serializer - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `GET` /core/users/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `PUT` /core/users/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `PATCH` /core/users/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `GET` /policies/bindings/{policy_binding_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `user_obj` (object) > User Serializer - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `PUT` /policies/bindings/{policy_binding_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `user_obj` (object) > User Serializer - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `PATCH` /policies/bindings/{policy_binding_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `user_obj` (object) > User Serializer - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `POST` /policies/password/ ###### Request: Changed content type : `application/json` - Added property `check_static_rules` (boolean) - Added property `check_have_i_been_pwned` (boolean) - Added property `check_zxcvbn` (boolean) - Added property `hibp_allowed_count` (integer) > How many times the password hash is allowed to be on haveibeenpwned - Added property `zxcvbn_score_threshold` (integer) > If the zxcvbn score is equal or less than this value, the policy will fail. ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` - Added property `check_static_rules` (boolean) - Added property `check_have_i_been_pwned` (boolean) - Added property `check_zxcvbn` (boolean) - Added property `hibp_allowed_count` (integer) > How many times the password hash is allowed to be on haveibeenpwned - Added property `zxcvbn_score_threshold` (integer) > If the zxcvbn score is equal or less than this value, the policy will fail. ##### `GET` /policies/password/ ###### Parameters: Added: `check_have_i_been_pwned` in `query` Added: `check_static_rules` in `query` Added: `check_zxcvbn` in `query` Added: `hibp_allowed_count` in `query` Added: `zxcvbn_score_threshold` in `query` ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > Password Policy Serializer - Added property `check_static_rules` (boolean) - Added property `check_have_i_been_pwned` (boolean) - Added property `check_zxcvbn` (boolean) - Added property `hibp_allowed_count` (integer) > How many times the password hash is allowed to be on haveibeenpwned - Added property `zxcvbn_score_threshold` (integer) > If the zxcvbn score is equal or less than this value, the policy will fail. ##### `POST` /core/tokens/ ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` - Changed property `user_obj` (object) > User Serializer - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `GET` /core/tokens/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > Token Serializer - Changed property `user_obj` (object) > User Serializer - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `GET` /core/user_consent/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `user` (object) > User Serializer - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `POST` /core/users/ ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `GET` /core/users/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > User Serializer - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `GET` /oauth2/authorization_codes/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `user` (object) > User Serializer - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `GET` /oauth2/refresh_tokens/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `user` (object) > User Serializer - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `POST` /policies/bindings/ ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` - Changed property `user_obj` (object) > User Serializer - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `GET` /policies/bindings/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > PolicyBinding Serializer - Changed property `user_obj` (object) > User Serializer - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `GET` /core/user_consent/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > UserConsent Serializer - Changed property `user` (object) > User Serializer - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `GET` /oauth2/authorization_codes/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant - Changed property `user` (object) > User Serializer - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array) ##### `GET` /oauth2/refresh_tokens/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > Serializer for BaseGrantModel and RefreshToken - Changed property `user` (object) > User Serializer - Changed property `groups_obj` (array) Changed items (object): > Simplified Group Serializer for user's groups New optional properties: - `users_obj` * Deleted property `users` (array) * Deleted property `users_obj` (array)