--- title: Release 2023.3 - SCIM support slug: "/releases/2023.3" --- ## New features - SCIM support :::info This feature is still in technical preview, so please report any Bugs you run into on [GitHub](https://github.com/goauthentik/authentik/issues). ::: authentik can now provision users into other IT systems via the SCIM (System for Cross-domain Identity Management) protocol. The provider synchronizes Users, Groups and the user membership. Objects are synced both when they are saved and based on a pre-defined schedule in the background. Documentation: [SCIM Provider](../../../docs/providers/scim/) - Theming improvements - The custom.css file is now loaded in ShadowDOMs, allowing for much greater customization, as previously it was only possible to style elements outside of the ShadowDOM. See docs for [Flow](../../interfaces/flow/customization.mdx), [User](../../interfaces/user/customization.mdx) and [Admin](../../interfaces/admin/customization.mdx) interfaces. - Previously, authentik would automatically switch between dark and light theme based on the users' browsers' settings. This can now be overridden to either force the light or dark theme, per user/group/tenant. See docs for [Flow](../../interfaces/flow/customization.mdx), [User](../../interfaces/user/customization.mdx) and [Admin](../../interfaces/admin/customization.mdx) interfaces. ## Upgrading This release does not introduce any new requirements. ### docker-compose Download the `docker-compose.yml` file for 2023.3 from [here](https://goauthentik.io/version/2023.3/docker-compose.yml). Afterwards, simply run `docker-compose up -d`. ### Kubernetes Update your values to use the new images: ```yaml image: repository: ghcr.io/goauthentik/server tag: 2023.3.0 ``` ## Minor changes/fixes included in release 2023.3 - \*: add additional Prometheus metrics, remove unusable high entropy metrics - blueprints: improve error handling in example flow - core: Add `resolve_dns` and `reverse_dns` functions to evaluator (#4769) - core: bootstrap email (#4788) - core: enforce unique on names where it makes sense (#4866) - core: fix bug causing whitespace-only names to raise exception when generating avatars (#4746) - core: fix error when creating token without request in context - core: improve service account creation (#4751) - events: fix m2m_change events not being logged - events: set task start time before start, not on time of init (#4908) - flows: change default flow stage binding settings (#4784) - flows: planner error handling (#4812) - internal: fix crash when port 9000 is in use (#4863) - providers: SCIM (#4835) - providers/ldap: improve compatibility with LDAP clients (#4750) - providers/ldap: making LDAP compatible with Synology (#4694) - providers/oauth2: fix missing information for revoked token access events - providers/oauth2: OpenID conformance (#4758) - providers/proxy: ensure issuer is correct when browser URL override is set - providers/proxy: strip scheme when comparing redirect URL - providers/scim: add option to filter out service accounts, parent group (#4862) - providers/scim: customizable externalId, document behavior (#4868) - providers/scim: handle ServiceProviderConfig 404 (#4915) - root: fix session middleware for websocket connections (#4909) - sources/ldap: improve error handling for password complexity (#4780) - sources/oauth: fix not all token errors being logged with response - sources/plex: fix check_token error unusable if token is empty (#4834) - stages/authenticator_sms: fix twilio sending (#4829) - stages/user_login: add option to terminate other sessions (#4754) - stages/user_login: set session expiry before login (#4920) - tests/e2e: use example blueprints for testing (#4805) - web: fetch custom.css via fetch and add stylesheet (#4804) - web: toggle dark/light theme manually (#4876) - web/admin: fix chart display with no sources (#4782) - web/admin: fix issue with wizard's Next button incorrectly disabled when radio button is already selected (#4821) - web/admin: fix SCIM provider layout (#4919) - web/admin: workaround for tenant certificate selection being cut off (#4820) - web/elements: add loading spinner for charts, render middle text with CSS - web/elements: fix center text not scrolling with container (#4853) - web/elements: fix copy on insecure origins (#4917) - web/elements: fix flipped theme in codemirror (#4901) - web/flows: fix compatibility mode (#4910) - web/flows: fix fa:// icons in sources not shown correctly - web/user: fix source connections not being filtered (#4778) ## Fixed in 2023.3.1 - \*: fix mismatched task names for discovery, make output service connection task monitored (#4956) - core: fix application launch url validator (#4957) - providers: fix authorization_flow not required in API (#4932) - providers/ldap: fix duplicate attributes (#4972) - providers/oauth2: fix response for response_type code and response_mode fragment (#4975) - stages/authenticator_webauthn: remove credential_id size limit (#4931) - web/admin: fix wizards with radio selects not working correctly after use (#4933) - web/common: fix tab label color on dark theme (#4959) - web/flows: fix authenticator selector in dark mode (#4974) - web/user: fix custom user interface background with dark theme (#4960) ## API Changes #### What's New --- ##### `GET` /propertymappings/scim/ ##### `POST` /propertymappings/scim/ ##### `GET` /propertymappings/scim/{pm_uuid}/ ##### `PUT` /propertymappings/scim/{pm_uuid}/ ##### `DELETE` /propertymappings/scim/{pm_uuid}/ ##### `PATCH` /propertymappings/scim/{pm_uuid}/ ##### `GET` /propertymappings/scim/{pm_uuid}/used_by/ ##### `GET` /providers/scim/ ##### `POST` /providers/scim/ ##### `GET` /providers/scim/{id}/ ##### `PUT` /providers/scim/{id}/ ##### `DELETE` /providers/scim/{id}/ ##### `PATCH` /providers/scim/{id}/ ##### `GET` /providers/scim/{id}/sync_status/ ##### `GET` /providers/scim/{id}/used_by/ #### What's Changed --- ##### `POST` /core/users/service_account/ ###### Request: Changed content type : `application/json` - Added property `expiring` (boolean) - Added property `expires` (string) > If not provided, valid for 360 days ##### `GET` /policies/event_matcher/{policy_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Added enum value: - `authentik.providers.scim` ##### `PUT` /policies/event_matcher/{policy_uuid}/ ###### Request: Changed content type : `application/json` - Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Added enum value: - `authentik.providers.scim` ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Added enum value: - `authentik.providers.scim` ##### `PATCH` /policies/event_matcher/{policy_uuid}/ ###### Request: Changed content type : `application/json` - Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Added enum value: - `authentik.providers.scim` ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Added enum value: - `authentik.providers.scim` ##### `GET` /providers/oauth2/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New optional properties: - `authorization_flow` ##### `PUT` /providers/oauth2/{id}/ ###### Request: Changed content type : `application/json` New optional properties: - `authorization_flow` ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New optional properties: - `authorization_flow` ##### `PATCH` /providers/oauth2/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New optional properties: - `authorization_flow` ##### `GET` /providers/proxy/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New optional properties: - `authorization_flow` ##### `PUT` /providers/proxy/{id}/ ###### Request: Changed content type : `application/json` New optional properties: - `authorization_flow` ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New optional properties: - `authorization_flow` ##### `PATCH` /providers/proxy/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New optional properties: - `authorization_flow` ##### `GET` /core/groups/{group_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `users_obj` (array) Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `PUT` /core/groups/{group_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `users_obj` (array) Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `PATCH` /core/groups/{group_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `users_obj` (array) Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `GET` /core/tenants/current/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New required properties: - `ui_theme` * Added property `ui_theme` (object) Enum values: - `automatic` - `light` - `dark` ##### `GET` /events/rules/{pbm_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `group_obj` (object) > Group Serializer - Changed property `users_obj` (array) Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `PUT` /events/rules/{pbm_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `group_obj` (object) > Group Serializer - Changed property `users_obj` (array) Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `PATCH` /events/rules/{pbm_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `group_obj` (object) > Group Serializer - Changed property `users_obj` (array) Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `GET` /policies/bindings/{policy_binding_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `group_obj` (object) > Group Serializer - Changed property `users_obj` (array) Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `PUT` /policies/bindings/{policy_binding_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `group_obj` (object) > Group Serializer - Changed property `users_obj` (array) Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `PATCH` /policies/bindings/{policy_binding_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `group_obj` (object) > Group Serializer - Changed property `users_obj` (array) Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `POST` /policies/event_matcher/ ###### Request: Changed content type : `application/json` - Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Added enum value: - `authentik.providers.scim` ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` - Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Added enum value: - `authentik.providers.scim` ##### `GET` /policies/event_matcher/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > Event Matcher Policy Serializer - Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Added enum value: - `authentik.providers.scim` ##### `GET` /providers/ldap/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New optional properties: - `authorization_flow` ##### `PUT` /providers/ldap/{id}/ ###### Request: Changed content type : `application/json` New optional properties: - `authorization_flow` ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New optional properties: - `authorization_flow` ##### `PATCH` /providers/ldap/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New optional properties: - `authorization_flow` ##### `POST` /providers/oauth2/ ###### Request: Changed content type : `application/json` New optional properties: - `authorization_flow` ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` New optional properties: - `authorization_flow` ##### `GET` /providers/oauth2/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > OAuth2Provider Serializer New optional properties: - `authorization_flow` ##### `POST` /providers/proxy/ ###### Request: Changed content type : `application/json` New optional properties: - `authorization_flow` ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` New optional properties: - `authorization_flow` ##### `GET` /providers/proxy/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > ProxyProvider Serializer New optional properties: - `authorization_flow` ##### `GET` /providers/saml/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New optional properties: - `authorization_flow` ##### `PUT` /providers/saml/{id}/ ###### Request: Changed content type : `application/json` New optional properties: - `authorization_flow` ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New optional properties: - `authorization_flow` ##### `PATCH` /providers/saml/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New optional properties: - `authorization_flow` ##### `GET` /stages/invitation/invitations/{invite_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `created_by` (object) > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `PUT` /stages/invitation/invitations/{invite_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `created_by` (object) > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `PATCH` /stages/invitation/invitations/{invite_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `created_by` (object) > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `POST` /core/groups/ ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` - Changed property `users_obj` (array) Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `GET` /core/groups/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > Group Serializer - Changed property `users_obj` (array) Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `POST` /events/rules/ ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` - Changed property `group_obj` (object) > Group Serializer - Changed property `users_obj` (array) Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `GET` /events/rules/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > NotificationRule Serializer - Changed property `group_obj` (object) > Group Serializer - Changed property `users_obj` (array) Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `GET` /flows/bindings/{fsb_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `evaluate_on_plan` (boolean) > Evaluate policies during the Flow planning process. ##### `PUT` /flows/bindings/{fsb_uuid}/ ###### Request: Changed content type : `application/json` - Changed property `evaluate_on_plan` (boolean) > Evaluate policies during the Flow planning process. ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `evaluate_on_plan` (boolean) > Evaluate policies during the Flow planning process. ##### `PATCH` /flows/bindings/{fsb_uuid}/ ###### Request: Changed content type : `application/json` - Changed property `evaluate_on_plan` (boolean) > Evaluate policies during the Flow planning process. ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `evaluate_on_plan` (boolean) > Evaluate policies during the Flow planning process. ##### `GET` /oauth2/access_tokens/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `provider` (object) > OAuth2Provider Serializer New optional properties: - `authorization_flow` ##### `GET` /oauth2/authorization_codes/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `provider` (object) > OAuth2Provider Serializer New optional properties: - `authorization_flow` ##### `GET` /oauth2/refresh_tokens/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `provider` (object) > OAuth2Provider Serializer New optional properties: - `authorization_flow` ##### `POST` /policies/bindings/ ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` - Changed property `group_obj` (object) > Group Serializer - Changed property `users_obj` (array) Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `GET` /policies/bindings/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > PolicyBinding Serializer - Changed property `group_obj` (object) > Group Serializer - Changed property `users_obj` (array) Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `POST` /providers/ldap/ ###### Request: Changed content type : `application/json` New optional properties: - `authorization_flow` ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` New optional properties: - `authorization_flow` ##### `GET` /providers/ldap/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > LDAPProvider Serializer New optional properties: - `authorization_flow` ##### `POST` /providers/saml/ ###### Request: Changed content type : `application/json` New optional properties: - `authorization_flow` ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` New optional properties: - `authorization_flow` ##### `GET` /providers/saml/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > SAMLProvider Serializer New optional properties: - `authorization_flow` ##### `GET` /sources/user_connections/all/ ###### Parameters: Added: `user` in `query` ##### `POST` /stages/invitation/invitations/ ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` - Changed property `created_by` (object) > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `GET` /stages/invitation/invitations/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > Invitation Serializer - Changed property `created_by` (object) > Stripped down user serializer to show relevant users for groups New optional properties: - `avatar` * Deleted property `avatar` (string) ##### `GET` /stages/user_login/{stage_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `terminate_other_sessions` (boolean) > Terminate all other sessions of the user logging in. ##### `PUT` /stages/user_login/{stage_uuid}/ ###### Request: Changed content type : `application/json` - Added property `terminate_other_sessions` (boolean) > Terminate all other sessions of the user logging in. ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `terminate_other_sessions` (boolean) > Terminate all other sessions of the user logging in. ##### `PATCH` /stages/user_login/{stage_uuid}/ ###### Request: Changed content type : `application/json` - Added property `terminate_other_sessions` (boolean) > Terminate all other sessions of the user logging in. ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `terminate_other_sessions` (boolean) > Terminate all other sessions of the user logging in. ##### `POST` /flows/bindings/ ###### Request: Changed content type : `application/json` - Changed property `evaluate_on_plan` (boolean) > Evaluate policies during the Flow planning process. ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` - Changed property `evaluate_on_plan` (boolean) > Evaluate policies during the Flow planning process. ##### `GET` /flows/bindings/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > FlowStageBinding Serializer - Changed property `evaluate_on_plan` (boolean) > Evaluate policies during the Flow planning process. ##### `GET` /flows/inspector/{flow_slug}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `plans` (array) Changed items (object): > Serializer for an active FlowPlan - Changed property `next_planned_stage` (object) > FlowStageBinding Serializer - Changed property `evaluate_on_plan` (boolean) > Evaluate policies during the Flow planning process. - Changed property `current_stage` (object) > FlowStageBinding Serializer - Changed property `evaluate_on_plan` (boolean) > Evaluate policies during the Flow planning process. ##### `GET` /oauth2/access_tokens/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > Serializer for BaseGrantModel and RefreshToken - Changed property `provider` (object) > OAuth2Provider Serializer New optional properties: - `authorization_flow` ##### `GET` /oauth2/authorization_codes/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant - Changed property `provider` (object) > OAuth2Provider Serializer New optional properties: - `authorization_flow` ##### `GET` /oauth2/refresh_tokens/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > Serializer for BaseGrantModel and RefreshToken - Changed property `provider` (object) > OAuth2Provider Serializer New optional properties: - `authorization_flow` ##### `POST` /stages/user_login/ ###### Request: Changed content type : `application/json` - Added property `terminate_other_sessions` (boolean) > Terminate all other sessions of the user logging in. ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` - Added property `terminate_other_sessions` (boolean) > Terminate all other sessions of the user logging in. ##### `GET` /stages/user_login/ ###### Parameters: Added: `terminate_other_sessions` in `query` ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > UserLoginStage Serializer - Added property `terminate_other_sessions` (boolean) > Terminate all other sessions of the user logging in.