---
title: Release 2022.11
slug: "/releases/2022.11"
---

## Breaking changes

-   Have I Been Pwned policy is deprecated

    The policy has been merged with the password policy, which provides the same functionality. Existing Have I Been Pwned policies will automatically be migrated.

-   Instead of using multiple Redis databases, authentik now uses a single Redis database

    This will temporarily lose some cached information after the upgrade, such as cached system tasks and policy results. This data will be re-cached in the background.

## New features

-   authentik now runs on Python 3.11
-   Expanded password policy

    The "Have I Been Pwned" policy has been merged into the password policy, and passwords can additionally be checked using [zxcvbn](https://github.com/dropbox/zxcvbn) to provide concise feedback.
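
The threshold semantics of the merged policy, as an added example that is not authentik's own code: it parses a Have I Been Pwned range response (`SUFFIX:COUNT` lines, keyed by the first five characters of the SHA-1 hash) and applies `hibp_allowed_count` and `zxcvbn_score_threshold` as the API changes in these notes describe them. Assumptions: the settings class, function names and sample response are constructed for illustration, the zxcvbn score (0 to 4) is passed in rather than computed, and only a count above `hibp_allowed_count` is taken to fail.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class PasswordPolicySettings:
    # Property names as listed under "API Changes"; the class itself is hypothetical.
    check_have_i_been_pwned: bool = True
    check_zxcvbn: bool = True
    hibp_allowed_count: int = 0
    zxcvbn_score_threshold: int = 2


def hibp_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-character prefix sent to
    the range API and the 35-character suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def hibp_count(range_body: str, suffix: str) -> int:
    """Find our suffix in a range response made of "SUFFIX:COUNT" lines."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0  # suffix absent: this hash is not in the breach corpus


def constructed_range_body(password: str, count: int) -> str:
    """Constructed sample response: two filler suffixes around the real one."""
    _, suffix = hibp_prefix_suffix(password)
    return f"{'0' * 35}:4\n{suffix}:{count}\n{'F' * 35}:1\n"


def evaluate(settings: PasswordPolicySettings, password: str,
             range_body: str, zxcvbn_score: int) -> list[str]:
    """Return failure reasons; an empty list means the password passes."""
    failures = []
    if settings.check_have_i_been_pwned:
        _, suffix = hibp_prefix_suffix(password)
        seen = hibp_count(range_body, suffix)
        # Assumption: only a count above the allowed number fails.
        if seen > settings.hibp_allowed_count:
            failures.append(f"hibp: seen {seen}, allowed {settings.hibp_allowed_count}")
    if settings.check_zxcvbn:
        # Per the notes: a score equal to or less than the threshold fails.
        if zxcvbn_score <= settings.zxcvbn_score_threshold:
            failures.append(
                f"zxcvbn: score {zxcvbn_score} <= {settings.zxcvbn_score_threshold}")
    return failures


if __name__ == "__main__":
    policy = PasswordPolicySettings(hibp_allowed_count=3, zxcvbn_score_threshold=2)
    body = constructed_range_body("password", 4)
    print(evaluate(policy, "password", body, zxcvbn_score=2))
```

Under these assumptions the two thresholds are not symmetric: a breach count equal to `hibp_allowed_count` passes, while a zxcvbn score equal to `zxcvbn_score_threshold` fails.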

## Upgrading

This release does not introduce any new requirements.

### docker-compose

Download the docker-compose file for 2022.11 from [here](https://goauthentik.io/version/2022.11/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.

### Kubernetes

Update your values to use the new images:

```yaml
image:
    repository: ghcr.io/goauthentik/server
    tag: 2022.11.1
```

## Minor changes/fixes

-   api: fix missing scheme in securitySchemes
-   blueprints: Fixed bug causing blueprint instance context to be discarded (#3990)
-   core: fix error when propertymappings return complex value
-   core: simplify group serializer for user API endpoint (#3899)
-   events: deepcopy event kwargs to prevent objects being removed, remove workaround
-   events: sanitize generator for json safety
-   lib: fix complex objects being included in event context for ak_create_event
-   lifecycle: fix incorrect messages looped
-   outposts/kubernetes: ingress class (#4002)
-   policies: only cache policies for authenticated users
-   policies/password: merge hibp add zxcvbn (#4001)
-   providers/oauth2: fix inconsistent expiry encoded in JWT
-   root: make sentry DSN configurable (#4016)
-   root: relicense and launch blog post
-   root: use single redis db (#4009)
-   sources: add custom icon support (#4022)
-   stages/authenticator\_\*: cleanup
-   stages/authenticator_validate: add flag to configure user_verification for webauthn devices
-   stages/invitation: directly delete invitation now that flow plan is saved in email token
-   web: fix twitter icon
-   web/flows: always hide static user info when it's not set in the flow

## Fixed in 2022.11.1

-   blueprints: add desired state attribute to objects (#4061)
-   core: fix tab-complete in shell
-   root: fix build on arm64
-   stages/email: add test for email translation
-   web/admin: fix error when importing duo devices
-   web/admin: reset cookie_domain when setting non-domain forward auth

## Fixed in 2022.11.2

-   \*: fix [CVE-2022-46145](../security/CVE-2022-46145), Reported by [@sdimovv](https://github.com/sdimovv)

## Fixed in 2022.11.3

-   web: fix Flow Form failing to load due to outdated API client

## Fixed in 2022.11.4

-   \*: fix [CVE-2022-46172](../security/CVE-2022-46172), Reported by [@DreamingRaven](https://github.com/DreamingRaven)
-   \*: fix [CVE-2022-23555](../security/CVE-2022-23555), Reported by [@fuomag9](https://github.com/fuomag9)

## API Changes

#### What's Changed

---

##### `GET` /policies/password/{policy_uuid}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Added property `check_static_rules` (boolean)

    -   Added property `check_have_i_been_pwned` (boolean)

    -   Added property `check_zxcvbn` (boolean)

    -   Added property `hibp_allowed_count` (integer)

        > How many times the password hash is allowed to be on haveibeenpwned

    -   Added property `zxcvbn_score_threshold` (integer)
        > If the zxcvbn score is equal or less than this value, the policy will fail.

##### `PUT` /policies/password/{policy_uuid}/

###### Request:

Changed content type : `application/json`

-   Added property `check_static_rules` (boolean)

-   Added property `check_have_i_been_pwned` (boolean)

-   Added property `check_zxcvbn` (boolean)

-   Added property `hibp_allowed_count` (integer)

    > How many times the password hash is allowed to be on haveibeenpwned

-   Added property `zxcvbn_score_threshold` (integer)
    > If the zxcvbn score is equal or less than this value, the policy will fail.

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Added property `check_static_rules` (boolean)

    -   Added property `check_have_i_been_pwned` (boolean)

    -   Added property `check_zxcvbn` (boolean)

    -   Added property `hibp_allowed_count` (integer)

        > How many times the password hash is allowed to be on haveibeenpwned

    -   Added property `zxcvbn_score_threshold` (integer)
        > If the zxcvbn score is equal or less than this value, the policy will fail.

##### `PATCH` /policies/password/{policy_uuid}/

###### Request:

Changed content type : `application/json`

-   Added property `check_static_rules` (boolean)

-   Added property `check_have_i_been_pwned` (boolean)

-   Added property `check_zxcvbn` (boolean)

-   Added property `hibp_allowed_count` (integer)

    > How many times the password hash is allowed to be on haveibeenpwned

-   Added property `zxcvbn_score_threshold` (integer)
    > If the zxcvbn score is equal or less than this value, the policy will fail.

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Added property `check_static_rules` (boolean)

    -   Added property `check_have_i_been_pwned` (boolean)

    -   Added property `check_zxcvbn` (boolean)

    -   Added property `hibp_allowed_count` (integer)

        > How many times the password hash is allowed to be on haveibeenpwned

    -   Added property `zxcvbn_score_threshold` (integer)
        > If the zxcvbn score is equal or less than this value, the policy will fail.

##### `GET` /core/tokens/{identifier}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `user_obj` (object)

        > User Serializer

        -   Changed property `groups_obj` (array)

            Changed items (object): > Simplified Group Serializer for user's groups

            New optional properties:

            -   `users_obj`

            *   Deleted property `users` (array)

            *   Deleted property `users_obj` (array)

##### `PUT` /core/tokens/{identifier}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `user_obj` (object)

        > User Serializer

        -   Changed property `groups_obj` (array)

            Changed items (object): > Simplified Group Serializer for user's groups

            New optional properties:

            -   `users_obj`

            *   Deleted property `users` (array)

            *   Deleted property `users_obj` (array)

##### `PATCH` /core/tokens/{identifier}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `user_obj` (object)

        > User Serializer

        -   Changed property `groups_obj` (array)

            Changed items (object): > Simplified Group Serializer for user's groups

            New optional properties:

            -   `users_obj`

            *   Deleted property `users` (array)

            *   Deleted property `users_obj` (array)

##### `GET` /core/users/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `groups_obj` (array)

        Changed items (object): > Simplified Group Serializer for user's groups

        New optional properties:

        -   `users_obj`

        *   Deleted property `users` (array)

        *   Deleted property `users_obj` (array)

##### `PUT` /core/users/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `groups_obj` (array)

        Changed items (object): > Simplified Group Serializer for user's groups

        New optional properties:

        -   `users_obj`

        *   Deleted property `users` (array)

        *   Deleted property `users_obj` (array)

##### `PATCH` /core/users/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `groups_obj` (array)

        Changed items (object): > Simplified Group Serializer for user's groups

        New optional properties:

        -   `users_obj`

        *   Deleted property `users` (array)

        *   Deleted property `users_obj` (array)

##### `GET` /policies/bindings/{policy_binding_uuid}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `user_obj` (object)

        > User Serializer

        -   Changed property `groups_obj` (array)

            Changed items (object): > Simplified Group Serializer for user's groups

            New optional properties:

            -   `users_obj`

            *   Deleted property `users` (array)

            *   Deleted property `users_obj` (array)

##### `PUT` /policies/bindings/{policy_binding_uuid}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `user_obj` (object)

        > User Serializer

        -   Changed property `groups_obj` (array)

            Changed items (object): > Simplified Group Serializer for user's groups

            New optional properties:

            -   `users_obj`

            *   Deleted property `users` (array)

            *   Deleted property `users_obj` (array)

##### `PATCH` /policies/bindings/{policy_binding_uuid}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `user_obj` (object)

        > User Serializer

        -   Changed property `groups_obj` (array)

            Changed items (object): > Simplified Group Serializer for user's groups

            New optional properties:

            -   `users_obj`

            *   Deleted property `users` (array)

            *   Deleted property `users_obj` (array)

##### `POST` /policies/password/

###### Request:

Changed content type : `application/json`

-   Added property `check_static_rules` (boolean)

-   Added property `check_have_i_been_pwned` (boolean)

-   Added property `check_zxcvbn` (boolean)

-   Added property `hibp_allowed_count` (integer)

    > How many times the password hash is allowed to be on haveibeenpwned

-   Added property `zxcvbn_score_threshold` (integer)
    > If the zxcvbn score is equal or less than this value, the policy will fail.

###### Return Type:

Changed response : **201 Created**

-   Changed content type : `application/json`

    -   Added property `check_static_rules` (boolean)

    -   Added property `check_have_i_been_pwned` (boolean)

    -   Added property `check_zxcvbn` (boolean)

    -   Added property `hibp_allowed_count` (integer)

        > How many times the password hash is allowed to be on haveibeenpwned

    -   Added property `zxcvbn_score_threshold` (integer)
        > If the zxcvbn score is equal or less than this value, the policy will fail.

##### `GET` /policies/password/

###### Parameters:

Added: `check_have_i_been_pwned` in `query`

Added: `check_static_rules` in `query`

Added: `check_zxcvbn` in `query`

Added: `hibp_allowed_count` in `query`

Added: `zxcvbn_score_threshold` in `query`

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > Password Policy Serializer

        -   Added property `check_static_rules` (boolean)

        -   Added property `check_have_i_been_pwned` (boolean)

        -   Added property `check_zxcvbn` (boolean)

        -   Added property `hibp_allowed_count` (integer)

            > How many times the password hash is allowed to be on haveibeenpwned

        -   Added property `zxcvbn_score_threshold` (integer)
            > If the zxcvbn score is equal or less than this value, the policy will fail.

##### `POST` /core/tokens/

###### Return Type:

Changed response : **201 Created**

-   Changed content type : `application/json`

    -   Changed property `user_obj` (object)

        > User Serializer

        -   Changed property `groups_obj` (array)

            Changed items (object): > Simplified Group Serializer for user's groups

            New optional properties:

            -   `users_obj`

            *   Deleted property `users` (array)

            *   Deleted property `users_obj` (array)

##### `GET` /core/tokens/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > Token Serializer

        -   Changed property `user_obj` (object)

            > User Serializer

            -   Changed property `groups_obj` (array)

                Changed items (object): > Simplified Group Serializer for user's groups

                New optional properties:

                -   `users_obj`

                *   Deleted property `users` (array)

                *   Deleted property `users_obj` (array)

##### `GET` /core/user_consent/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `user` (object)

        > User Serializer

        -   Changed property `groups_obj` (array)

            Changed items (object): > Simplified Group Serializer for user's groups

            New optional properties:

            -   `users_obj`

            *   Deleted property `users` (array)

            *   Deleted property `users_obj` (array)

##### `POST` /core/users/

###### Return Type:

Changed response : **201 Created**

-   Changed content type : `application/json`

    -   Changed property `groups_obj` (array)

        Changed items (object): > Simplified Group Serializer for user's groups

        New optional properties:

        -   `users_obj`

        *   Deleted property `users` (array)

        *   Deleted property `users_obj` (array)

##### `GET` /core/users/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > User Serializer

        -   Changed property `groups_obj` (array)

            Changed items (object): > Simplified Group Serializer for user's groups

            New optional properties:

            -   `users_obj`

            *   Deleted property `users` (array)

            *   Deleted property `users_obj` (array)

##### `GET` /oauth2/authorization_codes/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `user` (object)

        > User Serializer

        -   Changed property `groups_obj` (array)

            Changed items (object): > Simplified Group Serializer for user's groups

            New optional properties:

            -   `users_obj`

            *   Deleted property `users` (array)

            *   Deleted property `users_obj` (array)

##### `GET` /oauth2/refresh_tokens/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `user` (object)

        > User Serializer

        -   Changed property `groups_obj` (array)

            Changed items (object): > Simplified Group Serializer for user's groups

            New optional properties:

            -   `users_obj`

            *   Deleted property `users` (array)

            *   Deleted property `users_obj` (array)

##### `POST` /policies/bindings/

###### Return Type:

Changed response : **201 Created**

-   Changed content type : `application/json`

    -   Changed property `user_obj` (object)

        > User Serializer

        -   Changed property `groups_obj` (array)

            Changed items (object): > Simplified Group Serializer for user's groups

            New optional properties:

            -   `users_obj`

            *   Deleted property `users` (array)

            *   Deleted property `users_obj` (array)

##### `GET` /policies/bindings/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > PolicyBinding Serializer

        -   Changed property `user_obj` (object)

            > User Serializer

            -   Changed property `groups_obj` (array)

                Changed items (object): > Simplified Group Serializer for user's groups

                New optional properties:

                -   `users_obj`

                *   Deleted property `users` (array)

                *   Deleted property `users_obj` (array)

##### `GET` /core/user_consent/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > UserConsent Serializer

        -   Changed property `user` (object)

            > User Serializer

            -   Changed property `groups_obj` (array)

                Changed items (object): > Simplified Group Serializer for user's groups

                New optional properties:

                -   `users_obj`

                *   Deleted property `users` (array)

                *   Deleted property `users_obj` (array)

##### `GET` /oauth2/authorization_codes/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant

        -   Changed property `user` (object)

            > User Serializer

            -   Changed property `groups_obj` (array)

                Changed items (object): > Simplified Group Serializer for user's groups

                New optional properties:

                -   `users_obj`

                *   Deleted property `users` (array)

                *   Deleted property `users_obj` (array)

##### `GET` /oauth2/refresh_tokens/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > Serializer for BaseGrantModel and RefreshToken

        -   Changed property `user` (object)

            > User Serializer

            -   Changed property `groups_obj` (array)

                Changed items (object): > Simplified Group Serializer for user's groups

                New optional properties:

                -   `users_obj`

                *   Deleted property `users` (array)

                *   Deleted property `users_obj` (array)