--- title: Release 2023.6 slug: "/releases/2023.6" --- ## New features - LDAP StartTLS support authentik's [LDAP Provider](../../providers/ldap/index.md) now supports StartTLS in addition to supporting SSL. The StartTLS is a more modern method of encrypting LDAP traffic. With this added support, the LDAP [Outpost](../../outposts/index.mdx) can now support multiple certificates. - LDAP Schema improvements In addition to the StartTLS support, the schema support in the LDAP provider has been drastically overhauled. This will improve support with applications and clients relying on the schema to parse data received. Additionally, the base DN is no longer required to be set when binding, as the outpost now finds the correct provider based on the bind DN. - Event matcher policy can now match on individual models Previously the _Event matcher policy_ was only able to match on event actions, client IPs and apps, which made it a requirement to use expression policies to match only on certain model actions. ## Upgrading This release does not introduce any new requirements. ### docker-compose To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands: ``` wget -O docker-compose.yml https://goauthentik.io/version/2023.6/docker-compose.yml docker-compose up -d ``` The `-O` flag retains the downloaded file's name, overwriting any existing local file with the same name. ### Kubernetes Upgrade the Helm Chart to the new version using the following commands: ```shell helm repo update helm upgrade authentik authentik/authentik -f values.yaml --version ^2023.6 ``` ## Minor changes/fixes - \*: use dataclass slots wherever applicable (#6005) - blueprints: allow setting user's passwords from blueprints (#5797) - blueprints: fix API validation with OCI blueprint path (#5822) - blueprints: fix check for file path not being run on worker (#5703) - blueprints: support custom ports for OCI blueprints (#5727) - core: make groups field for user optional (#5702) - core: prevent selecting a group as a parent of itself (#6016) - events: fix ak_create_event using wrong request for event creation (#5731) - lifecycle: Add depends_on for worker and server container (#5634) - outposts/ldap: fix race condition when refreshing the provider - outposts: fix missing radius outpost controller (#5730) - policies/event_matcher: add model filter (#5802) - policies/event_matcher: change empty values to null (#6032) - providers/ldap: add StartTLS support (#5861) - providers/ldap: fix LDAP Outpost application selection (#5812) - providers/ldap: fix Outpost provider listing excluding backchannel providers (#5933) - providers/ldap: improve password totp detection (#6006) - providers/ldap: rework Schema and DSE (#5838) - providers/oauth2: correctly advertise code_challenge_methods_supported (#6007) - providers/oauth2: launch url: if URL parsing fails, return no launch URL (#5918) - providers/proxy: add support for traefik.io API and CRD (#5801) - security: cure53 fix (#6039) - sources/ldap: add support for cert based auth (#5850) - sources/ldap: fix duplicate bind when authenticating user directly to… (#5927) - sources/ldap: include UnwillingToPerformError as possible exception (#6031) - sources/saml: separate verification cert (#5699) - web/admin: fix codemirror not working on safari (#5943) - web/admin: theme adjustments (#5944) - web/flows: fix RedirectStage not detecting absolute URLs correctly (#5781) - web/user: fix MFA enroll dropdown broken when password stage has no configuration flow (#5744) - web/user: fix broken search on application library (#5743) - web/user: fix search input styling (#5745) - web/user: refactor LibraryPage for testing, add CTA (#5665) - web: Replace lingui.js with lit-localize (#5761) ## Fixed in 2023.6.1 - core: fix UUID filter field for users api (#6203) - outposts/ldap: revert attribute filtering (#6188) - outposts/ldap: add test for attribute filtering (#6189) - sources/ldap: fix more errors (#6191) - sources/ldap: fix page size (#6187) ## API Changes #### What's New --- ##### `GET` /admin/models/ #### What's Changed --- ##### `GET` /policies/event_matcher/{policy_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `model` (object) > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched. > > - `authentik_crypto.certificatekeypair` - Certificate-Key Pair > - `authentik_events.event` - Event > - `authentik_events.notificationtransport` - Notification Transport > - `authentik_events.notification` - Notification > - `authentik_events.notificationrule` - Notification Rule > - `authentik_events.notificationwebhookmapping` - Webhook Mapping > - `authentik_flows.flow` - Flow > - `authentik_flows.flowstagebinding` - Flow Stage Binding > - `authentik_outposts.dockerserviceconnection` - Docker Service-Connection > - `authentik_outposts.kubernetesserviceconnection` - Kubernetes Service-Connection > - `authentik_outposts.outpost` - outpost > - `authentik_policies_dummy.dummypolicy` - Dummy Policy > - `authentik_policies_event_matcher.eventmatcherpolicy` - Event Matcher Policy > - `authentik_policies_expiry.passwordexpirypolicy` - Password Expiry Policy > - `authentik_policies_expression.expressionpolicy` - Expression Policy > - `authentik_policies_password.passwordpolicy` - Password Policy > - `authentik_policies_reputation.reputationpolicy` - Reputation Policy > - `authentik_policies_reputation.reputation` - reputation > - `authentik_policies.policybinding` - Policy Binding > - `authentik_providers_ldap.ldapprovider` - LDAP Provider > - `authentik_providers_oauth2.scopemapping` - Scope Mapping > - `authentik_providers_oauth2.oauth2provider` - OAuth2/OpenID Provider > - `authentik_providers_oauth2.authorizationcode` - Authorization Code > - `authentik_providers_oauth2.accesstoken` - OAuth2 Access Token > - `authentik_providers_oauth2.refreshtoken` - OAuth2 Refresh Token > - `authentik_providers_proxy.proxyprovider` - Proxy Provider > - `authentik_providers_radius.radiusprovider` - Radius Provider > - `authentik_providers_saml.samlprovider` - SAML Provider > - `authentik_providers_saml.samlpropertymapping` - SAML Property Mapping > - `authentik_providers_scim.scimprovider` - SCIM Provider > - `authentik_providers_scim.scimmapping` - SCIM Mapping > - `authentik_sources_ldap.ldapsource` - LDAP Source > - `authentik_sources_ldap.ldappropertymapping` - LDAP Property Mapping > - `authentik_sources_oauth.oauthsource` - OAuth Source > - `authentik_sources_oauth.useroauthsourceconnection` - User OAuth Source Connection > - `authentik_sources_plex.plexsource` - Plex Source > - `authentik_sources_plex.plexsourceconnection` - User Plex Source Connection > - `authentik_sources_saml.samlsource` - SAML Source > - `authentik_sources_saml.usersamlsourceconnection` - User SAML Source Connection > - `authentik_stages_authenticator_duo.authenticatorduostage` - Duo Authenticator Setup Stage > - `authentik_stages_authenticator_duo.duodevice` - Duo Device > - `authentik_stages_authenticator_sms.authenticatorsmsstage` - SMS Authenticator Setup Stage > - `authentik_stages_authenticator_sms.smsdevice` - SMS Device > - `authentik_stages_authenticator_static.authenticatorstaticstage` - Static Authenticator Stage > - `authentik_stages_authenticator_totp.authenticatortotpstage` - TOTP Authenticator Setup Stage > - `authentik_stages_authenticator_validate.authenticatorvalidatestage` - Authenticator Validation Stage > - `authentik_stages_authenticator_webauthn.authenticatewebauthnstage` - WebAuthn Authenticator Setup Stage > - `authentik_stages_authenticator_webauthn.webauthndevice` - WebAuthn Device > - `authentik_stages_captcha.captchastage` - Captcha Stage > - `authentik_stages_consent.consentstage` - Consent Stage > - `authentik_stages_consent.userconsent` - User Consent > - `authentik_stages_deny.denystage` - Deny Stage > - `authentik_stages_dummy.dummystage` - Dummy Stage > - `authentik_stages_email.emailstage` - Email Stage > - `authentik_stages_identification.identificationstage` - Identification Stage > - `authentik_stages_invitation.invitationstage` - Invitation Stage > - `authentik_stages_invitation.invitation` - Invitation > - `authentik_stages_password.passwordstage` - Password Stage > - `authentik_stages_prompt.prompt` - Prompt > - `authentik_stages_prompt.promptstage` - Prompt Stage > - `authentik_stages_user_delete.userdeletestage` - User Delete Stage > - `authentik_stages_user_login.userloginstage` - User Login Stage > - `authentik_stages_user_logout.userlogoutstage` - User Logout Stage > - `authentik_stages_user_write.userwritestage` - User Write Stage > - `authentik_tenants.tenant` - Tenant > - `authentik_blueprints.blueprintinstance` - Blueprint Instance > - `authentik_core.group` - group > - `authentik_core.user` - User > - `authentik_core.application` - Application > - `authentik_core.token` - Token Enum values: - `authentik_crypto.certificatekeypair` - `authentik_events.event` - `authentik_events.notificationtransport` - `authentik_events.notification` - `authentik_events.notificationrule` - `authentik_events.notificationwebhookmapping` - `authentik_flows.flow` - `authentik_flows.flowstagebinding` - `authentik_outposts.dockerserviceconnection` - `authentik_outposts.kubernetesserviceconnection` - `authentik_outposts.outpost` - `authentik_policies_dummy.dummypolicy` - `authentik_policies_event_matcher.eventmatcherpolicy` - `authentik_policies_expiry.passwordexpirypolicy` - `authentik_policies_expression.expressionpolicy` - `authentik_policies_password.passwordpolicy` - `authentik_policies_reputation.reputationpolicy` - `authentik_policies_reputation.reputation` - `authentik_policies.policybinding` - `authentik_providers_ldap.ldapprovider` - `authentik_providers_oauth2.scopemapping` - `authentik_providers_oauth2.oauth2provider` - `authentik_providers_oauth2.authorizationcode` - `authentik_providers_oauth2.accesstoken` - `authentik_providers_oauth2.refreshtoken` - `authentik_providers_proxy.proxyprovider` - `authentik_providers_radius.radiusprovider` - `authentik_providers_saml.samlprovider` - `authentik_providers_saml.samlpropertymapping` - `authentik_providers_scim.scimprovider` - `authentik_providers_scim.scimmapping` - `authentik_sources_ldap.ldapsource` - `authentik_sources_ldap.ldappropertymapping` - `authentik_sources_oauth.oauthsource` - `authentik_sources_oauth.useroauthsourceconnection` - `authentik_sources_plex.plexsource` - `authentik_sources_plex.plexsourceconnection` - `authentik_sources_saml.samlsource` - `authentik_sources_saml.usersamlsourceconnection` - `authentik_stages_authenticator_duo.authenticatorduostage` - `authentik_stages_authenticator_duo.duodevice` - `authentik_stages_authenticator_sms.authenticatorsmsstage` - `authentik_stages_authenticator_sms.smsdevice` - `authentik_stages_authenticator_static.authenticatorstaticstage` - `authentik_stages_authenticator_totp.authenticatortotpstage` - `authentik_stages_authenticator_validate.authenticatorvalidatestage` - `authentik_stages_authenticator_webauthn.authenticatewebauthnstage` - `authentik_stages_authenticator_webauthn.webauthndevice` - `authentik_stages_captcha.captchastage` - `authentik_stages_consent.consentstage` - `authentik_stages_consent.userconsent` - `authentik_stages_deny.denystage` - `authentik_stages_dummy.dummystage` - `authentik_stages_email.emailstage` - `authentik_stages_identification.identificationstage` - `authentik_stages_invitation.invitationstage` - `authentik_stages_invitation.invitation` - `authentik_stages_password.passwordstage` - `authentik_stages_prompt.prompt` - `authentik_stages_prompt.promptstage` - `authentik_stages_user_delete.userdeletestage` - `authentik_stages_user_login.userloginstage` - `authentik_stages_user_logout.userlogoutstage` - `authentik_stages_user_write.userwritestage` - `authentik_tenants.tenant` - `authentik_blueprints.blueprintinstance` - `authentik_core.group` - `authentik_core.user` - `authentik_core.application` - `authentik_core.token` ##### `PUT` /policies/event_matcher/{policy_uuid}/ ###### Request: Changed content type : `application/json` - Added property `model` (object) > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched. > > - `authentik_crypto.certificatekeypair` - Certificate-Key Pair > - `authentik_events.event` - Event > - `authentik_events.notificationtransport` - Notification Transport > - `authentik_events.notification` - Notification > - `authentik_events.notificationrule` - Notification Rule > - `authentik_events.notificationwebhookmapping` - Webhook Mapping > - `authentik_flows.flow` - Flow > - `authentik_flows.flowstagebinding` - Flow Stage Binding > - `authentik_outposts.dockerserviceconnection` - Docker Service-Connection > - `authentik_outposts.kubernetesserviceconnection` - Kubernetes Service-Connection > - `authentik_outposts.outpost` - outpost > - `authentik_policies_dummy.dummypolicy` - Dummy Policy > - `authentik_policies_event_matcher.eventmatcherpolicy` - Event Matcher Policy > - `authentik_policies_expiry.passwordexpirypolicy` - Password Expiry Policy > - `authentik_policies_expression.expressionpolicy` - Expression Policy > - `authentik_policies_password.passwordpolicy` - Password Policy > - `authentik_policies_reputation.reputationpolicy` - Reputation Policy > - `authentik_policies_reputation.reputation` - reputation > - `authentik_policies.policybinding` - Policy Binding > - `authentik_providers_ldap.ldapprovider` - LDAP Provider > - `authentik_providers_oauth2.scopemapping` - Scope Mapping > - `authentik_providers_oauth2.oauth2provider` - OAuth2/OpenID Provider > - `authentik_providers_oauth2.authorizationcode` - Authorization Code > - `authentik_providers_oauth2.accesstoken` - OAuth2 Access Token > - `authentik_providers_oauth2.refreshtoken` - OAuth2 Refresh Token > - `authentik_providers_proxy.proxyprovider` - Proxy Provider > - `authentik_providers_radius.radiusprovider` - Radius Provider > - `authentik_providers_saml.samlprovider` - SAML Provider > - `authentik_providers_saml.samlpropertymapping` - SAML Property Mapping > - `authentik_providers_scim.scimprovider` - SCIM Provider > - `authentik_providers_scim.scimmapping` - SCIM Mapping > - `authentik_sources_ldap.ldapsource` - LDAP Source > - `authentik_sources_ldap.ldappropertymapping` - LDAP Property Mapping > - `authentik_sources_oauth.oauthsource` - OAuth Source > - `authentik_sources_oauth.useroauthsourceconnection` - User OAuth Source Connection > - `authentik_sources_plex.plexsource` - Plex Source > - `authentik_sources_plex.plexsourceconnection` - User Plex Source Connection > - `authentik_sources_saml.samlsource` - SAML Source > - `authentik_sources_saml.usersamlsourceconnection` - User SAML Source Connection > - `authentik_stages_authenticator_duo.authenticatorduostage` - Duo Authenticator Setup Stage > - `authentik_stages_authenticator_duo.duodevice` - Duo Device > - `authentik_stages_authenticator_sms.authenticatorsmsstage` - SMS Authenticator Setup Stage > - `authentik_stages_authenticator_sms.smsdevice` - SMS Device > - `authentik_stages_authenticator_static.authenticatorstaticstage` - Static Authenticator Stage > - `authentik_stages_authenticator_totp.authenticatortotpstage` - TOTP Authenticator Setup Stage > - `authentik_stages_authenticator_validate.authenticatorvalidatestage` - Authenticator Validation Stage > - `authentik_stages_authenticator_webauthn.authenticatewebauthnstage` - WebAuthn Authenticator Setup Stage > - `authentik_stages_authenticator_webauthn.webauthndevice` - WebAuthn Device > - `authentik_stages_captcha.captchastage` - Captcha Stage > - `authentik_stages_consent.consentstage` - Consent Stage > - `authentik_stages_consent.userconsent` - User Consent > - `authentik_stages_deny.denystage` - Deny Stage > - `authentik_stages_dummy.dummystage` - Dummy Stage > - `authentik_stages_email.emailstage` - Email Stage > - `authentik_stages_identification.identificationstage` - Identification Stage > - `authentik_stages_invitation.invitationstage` - Invitation Stage > - `authentik_stages_invitation.invitation` - Invitation > - `authentik_stages_password.passwordstage` - Password Stage > - `authentik_stages_prompt.prompt` - Prompt > - `authentik_stages_prompt.promptstage` - Prompt Stage > - `authentik_stages_user_delete.userdeletestage` - User Delete Stage > - `authentik_stages_user_login.userloginstage` - User Login Stage > - `authentik_stages_user_logout.userlogoutstage` - User Logout Stage > - `authentik_stages_user_write.userwritestage` - User Write Stage > - `authentik_tenants.tenant` - Tenant > - `authentik_blueprints.blueprintinstance` - Blueprint Instance > - `authentik_core.group` - group > - `authentik_core.user` - User > - `authentik_core.application` - Application > - `authentik_core.token` - Token ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `model` (object) > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched. > > - `authentik_crypto.certificatekeypair` - Certificate-Key Pair > - `authentik_events.event` - Event > - `authentik_events.notificationtransport` - Notification Transport > - `authentik_events.notification` - Notification > - `authentik_events.notificationrule` - Notification Rule > - `authentik_events.notificationwebhookmapping` - Webhook Mapping > - `authentik_flows.flow` - Flow > - `authentik_flows.flowstagebinding` - Flow Stage Binding > - `authentik_outposts.dockerserviceconnection` - Docker Service-Connection > - `authentik_outposts.kubernetesserviceconnection` - Kubernetes Service-Connection > - `authentik_outposts.outpost` - outpost > - `authentik_policies_dummy.dummypolicy` - Dummy Policy > - `authentik_policies_event_matcher.eventmatcherpolicy` - Event Matcher Policy > - `authentik_policies_expiry.passwordexpirypolicy` - Password Expiry Policy > - `authentik_policies_expression.expressionpolicy` - Expression Policy > - `authentik_policies_password.passwordpolicy` - Password Policy > - `authentik_policies_reputation.reputationpolicy` - Reputation Policy > - `authentik_policies_reputation.reputation` - reputation > - `authentik_policies.policybinding` - Policy Binding > - `authentik_providers_ldap.ldapprovider` - LDAP Provider > - `authentik_providers_oauth2.scopemapping` - Scope Mapping > - `authentik_providers_oauth2.oauth2provider` - OAuth2/OpenID Provider > - `authentik_providers_oauth2.authorizationcode` - Authorization Code > - `authentik_providers_oauth2.accesstoken` - OAuth2 Access Token > - `authentik_providers_oauth2.refreshtoken` - OAuth2 Refresh Token > - `authentik_providers_proxy.proxyprovider` - Proxy Provider > - `authentik_providers_radius.radiusprovider` - Radius Provider > - `authentik_providers_saml.samlprovider` - SAML Provider > - `authentik_providers_saml.samlpropertymapping` - SAML Property Mapping > - `authentik_providers_scim.scimprovider` - SCIM Provider > - `authentik_providers_scim.scimmapping` - SCIM Mapping > - `authentik_sources_ldap.ldapsource` - LDAP Source > - `authentik_sources_ldap.ldappropertymapping` - LDAP Property Mapping > - `authentik_sources_oauth.oauthsource` - OAuth Source > - `authentik_sources_oauth.useroauthsourceconnection` - User OAuth Source Connection > - `authentik_sources_plex.plexsource` - Plex Source > - `authentik_sources_plex.plexsourceconnection` - User Plex Source Connection > - `authentik_sources_saml.samlsource` - SAML Source > - `authentik_sources_saml.usersamlsourceconnection` - User SAML Source Connection > - `authentik_stages_authenticator_duo.authenticatorduostage` - Duo Authenticator Setup Stage > - `authentik_stages_authenticator_duo.duodevice` - Duo Device > - `authentik_stages_authenticator_sms.authenticatorsmsstage` - SMS Authenticator Setup Stage > - `authentik_stages_authenticator_sms.smsdevice` - SMS Device > - `authentik_stages_authenticator_static.authenticatorstaticstage` - Static Authenticator Stage > - `authentik_stages_authenticator_totp.authenticatortotpstage` - TOTP Authenticator Setup Stage > - `authentik_stages_authenticator_validate.authenticatorvalidatestage` - Authenticator Validation Stage > - `authentik_stages_authenticator_webauthn.authenticatewebauthnstage` - WebAuthn Authenticator Setup Stage > - `authentik_stages_authenticator_webauthn.webauthndevice` - WebAuthn Device > - `authentik_stages_captcha.captchastage` - Captcha Stage > - `authentik_stages_consent.consentstage` - Consent Stage > - `authentik_stages_consent.userconsent` - User Consent > - `authentik_stages_deny.denystage` - Deny Stage > - `authentik_stages_dummy.dummystage` - Dummy Stage > - `authentik_stages_email.emailstage` - Email Stage > - `authentik_stages_identification.identificationstage` - Identification Stage > - `authentik_stages_invitation.invitationstage` - Invitation Stage > - `authentik_stages_invitation.invitation` - Invitation > - `authentik_stages_password.passwordstage` - Password Stage > - `authentik_stages_prompt.prompt` - Prompt > - `authentik_stages_prompt.promptstage` - Prompt Stage > - `authentik_stages_user_delete.userdeletestage` - User Delete Stage > - `authentik_stages_user_login.userloginstage` - User Login Stage > - `authentik_stages_user_logout.userlogoutstage` - User Logout Stage > - `authentik_stages_user_write.userwritestage` - User Write Stage > - `authentik_tenants.tenant` - Tenant > - `authentik_blueprints.blueprintinstance` - Blueprint Instance > - `authentik_core.group` - group > - `authentik_core.user` - User > - `authentik_core.application` - Application > - `authentik_core.token` - Token ##### `PATCH` /policies/event_matcher/{policy_uuid}/ ###### Request: Changed content type : `application/json` - Added property `model` (object) > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched. > > - `authentik_crypto.certificatekeypair` - Certificate-Key Pair > - `authentik_events.event` - Event > - `authentik_events.notificationtransport` - Notification Transport > - `authentik_events.notification` - Notification > - `authentik_events.notificationrule` - Notification Rule > - `authentik_events.notificationwebhookmapping` - Webhook Mapping > - `authentik_flows.flow` - Flow > - `authentik_flows.flowstagebinding` - Flow Stage Binding > - `authentik_outposts.dockerserviceconnection` - Docker Service-Connection > - `authentik_outposts.kubernetesserviceconnection` - Kubernetes Service-Connection > - `authentik_outposts.outpost` - outpost > - `authentik_policies_dummy.dummypolicy` - Dummy Policy > - `authentik_policies_event_matcher.eventmatcherpolicy` - Event Matcher Policy > - `authentik_policies_expiry.passwordexpirypolicy` - Password Expiry Policy > - `authentik_policies_expression.expressionpolicy` - Expression Policy > - `authentik_policies_password.passwordpolicy` - Password Policy > - `authentik_policies_reputation.reputationpolicy` - Reputation Policy > - `authentik_policies_reputation.reputation` - reputation > - `authentik_policies.policybinding` - Policy Binding > - `authentik_providers_ldap.ldapprovider` - LDAP Provider > - `authentik_providers_oauth2.scopemapping` - Scope Mapping > - `authentik_providers_oauth2.oauth2provider` - OAuth2/OpenID Provider > - `authentik_providers_oauth2.authorizationcode` - Authorization Code > - `authentik_providers_oauth2.accesstoken` - OAuth2 Access Token > - `authentik_providers_oauth2.refreshtoken` - OAuth2 Refresh Token > - `authentik_providers_proxy.proxyprovider` - Proxy Provider > - `authentik_providers_radius.radiusprovider` - Radius Provider > - `authentik_providers_saml.samlprovider` - SAML Provider > - `authentik_providers_saml.samlpropertymapping` - SAML Property Mapping > - `authentik_providers_scim.scimprovider` - SCIM Provider > - `authentik_providers_scim.scimmapping` - SCIM Mapping > - `authentik_sources_ldap.ldapsource` - LDAP Source > - `authentik_sources_ldap.ldappropertymapping` - LDAP Property Mapping > - `authentik_sources_oauth.oauthsource` - OAuth Source > - `authentik_sources_oauth.useroauthsourceconnection` - User OAuth Source Connection > - `authentik_sources_plex.plexsource` - Plex Source > - `authentik_sources_plex.plexsourceconnection` - User Plex Source Connection > - `authentik_sources_saml.samlsource` - SAML Source > - `authentik_sources_saml.usersamlsourceconnection` - User SAML Source Connection > - `authentik_stages_authenticator_duo.authenticatorduostage` - Duo Authenticator Setup Stage > - `authentik_stages_authenticator_duo.duodevice` - Duo Device > - `authentik_stages_authenticator_sms.authenticatorsmsstage` - SMS Authenticator Setup Stage > - `authentik_stages_authenticator_sms.smsdevice` - SMS Device > - `authentik_stages_authenticator_static.authenticatorstaticstage` - Static Authenticator Stage > - `authentik_stages_authenticator_totp.authenticatortotpstage` - TOTP Authenticator Setup Stage > - `authentik_stages_authenticator_validate.authenticatorvalidatestage` - Authenticator Validation Stage > - `authentik_stages_authenticator_webauthn.authenticatewebauthnstage` - WebAuthn Authenticator Setup Stage > - `authentik_stages_authenticator_webauthn.webauthndevice` - WebAuthn Device > - `authentik_stages_captcha.captchastage` - Captcha Stage > - `authentik_stages_consent.consentstage` - Consent Stage > - `authentik_stages_consent.userconsent` - User Consent > - `authentik_stages_deny.denystage` - Deny Stage > - `authentik_stages_dummy.dummystage` - Dummy Stage > - `authentik_stages_email.emailstage` - Email Stage > - `authentik_stages_identification.identificationstage` - Identification Stage > - `authentik_stages_invitation.invitationstage` - Invitation Stage > - `authentik_stages_invitation.invitation` - Invitation > - `authentik_stages_password.passwordstage` - Password Stage > - `authentik_stages_prompt.prompt` - Prompt > - `authentik_stages_prompt.promptstage` - Prompt Stage > - `authentik_stages_user_delete.userdeletestage` - User Delete Stage > - `authentik_stages_user_login.userloginstage` - User Login Stage > - `authentik_stages_user_logout.userlogoutstage` - User Logout Stage > - `authentik_stages_user_write.userwritestage` - User Write Stage > - `authentik_tenants.tenant` - Tenant > - `authentik_blueprints.blueprintinstance` - Blueprint Instance > - `authentik_core.group` - group > - `authentik_core.user` - User > - `authentik_core.application` - Application > - `authentik_core.token` - Token ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `model` (object) > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched. > > - `authentik_crypto.certificatekeypair` - Certificate-Key Pair > - `authentik_events.event` - Event > - `authentik_events.notificationtransport` - Notification Transport > - `authentik_events.notification` - Notification > - `authentik_events.notificationrule` - Notification Rule > - `authentik_events.notificationwebhookmapping` - Webhook Mapping > - `authentik_flows.flow` - Flow > - `authentik_flows.flowstagebinding` - Flow Stage Binding > - `authentik_outposts.dockerserviceconnection` - Docker Service-Connection > - `authentik_outposts.kubernetesserviceconnection` - Kubernetes Service-Connection > - `authentik_outposts.outpost` - outpost > - `authentik_policies_dummy.dummypolicy` - Dummy Policy > - `authentik_policies_event_matcher.eventmatcherpolicy` - Event Matcher Policy > - `authentik_policies_expiry.passwordexpirypolicy` - Password Expiry Policy > - `authentik_policies_expression.expressionpolicy` - Expression Policy > - `authentik_policies_password.passwordpolicy` - Password Policy > - `authentik_policies_reputation.reputationpolicy` - Reputation Policy > - `authentik_policies_reputation.reputation` - reputation > - `authentik_policies.policybinding` - Policy Binding > - `authentik_providers_ldap.ldapprovider` - LDAP Provider > - `authentik_providers_oauth2.scopemapping` - Scope Mapping > - `authentik_providers_oauth2.oauth2provider` - OAuth2/OpenID Provider > - `authentik_providers_oauth2.authorizationcode` - Authorization Code > - `authentik_providers_oauth2.accesstoken` - OAuth2 Access Token > - `authentik_providers_oauth2.refreshtoken` - OAuth2 Refresh Token > - `authentik_providers_proxy.proxyprovider` - Proxy Provider > - `authentik_providers_radius.radiusprovider` - Radius Provider > - `authentik_providers_saml.samlprovider` - SAML Provider > - `authentik_providers_saml.samlpropertymapping` - SAML Property Mapping > - `authentik_providers_scim.scimprovider` - SCIM Provider > - `authentik_providers_scim.scimmapping` - SCIM Mapping > - `authentik_sources_ldap.ldapsource` - LDAP Source > - `authentik_sources_ldap.ldappropertymapping` - LDAP Property Mapping > - `authentik_sources_oauth.oauthsource` - OAuth Source > - `authentik_sources_oauth.useroauthsourceconnection` - User OAuth Source Connection > - `authentik_sources_plex.plexsource` - Plex Source > - `authentik_sources_plex.plexsourceconnection` - User Plex Source Connection > - `authentik_sources_saml.samlsource` - SAML Source > - `authentik_sources_saml.usersamlsourceconnection` - User SAML Source Connection > - `authentik_stages_authenticator_duo.authenticatorduostage` - Duo Authenticator Setup Stage > - `authentik_stages_authenticator_duo.duodevice` - Duo Device > - `authentik_stages_authenticator_sms.authenticatorsmsstage` - SMS Authenticator Setup Stage > - `authentik_stages_authenticator_sms.smsdevice` - SMS Device > - `authentik_stages_authenticator_static.authenticatorstaticstage` - Static Authenticator Stage > - `authentik_stages_authenticator_totp.authenticatortotpstage` - TOTP Authenticator Setup Stage > - `authentik_stages_authenticator_validate.authenticatorvalidatestage` - Authenticator Validation Stage > - `authentik_stages_authenticator_webauthn.authenticatewebauthnstage` - WebAuthn Authenticator Setup Stage > - `authentik_stages_authenticator_webauthn.webauthndevice` - WebAuthn Device > - `authentik_stages_captcha.captchastage` - Captcha Stage > - `authentik_stages_consent.consentstage` - Consent Stage > - `authentik_stages_consent.userconsent` - User Consent > - `authentik_stages_deny.denystage` - Deny Stage > - `authentik_stages_dummy.dummystage` - Dummy Stage > - `authentik_stages_email.emailstage` - Email Stage > - `authentik_stages_identification.identificationstage` - Identification Stage > - `authentik_stages_invitation.invitationstage` - Invitation Stage > - `authentik_stages_invitation.invitation` - Invitation > - `authentik_stages_password.passwordstage` - Password Stage > - `authentik_stages_prompt.prompt` - Prompt > - `authentik_stages_prompt.promptstage` - Prompt Stage > - `authentik_stages_user_delete.userdeletestage` - User Delete Stage > - `authentik_stages_user_login.userloginstage` - User Login Stage > - `authentik_stages_user_logout.userlogoutstage` - User Logout Stage > - `authentik_stages_user_write.userwritestage` - User Write Stage > - `authentik_tenants.tenant` - Tenant > - `authentik_blueprints.blueprintinstance` - Blueprint Instance > - `authentik_core.group` - group > - `authentik_core.user` - User > - `authentik_core.application` - Application > - `authentik_core.token` - Token ##### `GET` /outposts/ldap/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `mfa_support` (boolean) > When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon. - Changed property `uid_start_number` (integer) > The start for uidNumbers, this number is added to the user.pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users uidNumber - Changed property `gid_start_number` (integer) > The start for gidNumbers, this number is added to a number generated from the group.pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups or users primary groups gidNumber ##### `POST` /policies/event_matcher/ ###### Request: Changed content type : `application/json` - Added property `model` (object) > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched. > > - `authentik_crypto.certificatekeypair` - Certificate-Key Pair > - `authentik_events.event` - Event > - `authentik_events.notificationtransport` - Notification Transport > - `authentik_events.notification` - Notification > - `authentik_events.notificationrule` - Notification Rule > - `authentik_events.notificationwebhookmapping` - Webhook Mapping > - `authentik_flows.flow` - Flow > - `authentik_flows.flowstagebinding` - Flow Stage Binding > - `authentik_outposts.dockerserviceconnection` - Docker Service-Connection > - `authentik_outposts.kubernetesserviceconnection` - Kubernetes Service-Connection > - `authentik_outposts.outpost` - outpost > - `authentik_policies_dummy.dummypolicy` - Dummy Policy > - `authentik_policies_event_matcher.eventmatcherpolicy` - Event Matcher Policy > - `authentik_policies_expiry.passwordexpirypolicy` - Password Expiry Policy > - `authentik_policies_expression.expressionpolicy` - Expression Policy > - `authentik_policies_password.passwordpolicy` - Password Policy > - `authentik_policies_reputation.reputationpolicy` - Reputation Policy > - `authentik_policies_reputation.reputation` - reputation > - `authentik_policies.policybinding` - Policy Binding > - `authentik_providers_ldap.ldapprovider` - LDAP Provider > - `authentik_providers_oauth2.scopemapping` - Scope Mapping > - `authentik_providers_oauth2.oauth2provider` - OAuth2/OpenID Provider > - `authentik_providers_oauth2.authorizationcode` - Authorization Code > - `authentik_providers_oauth2.accesstoken` - OAuth2 Access Token > - `authentik_providers_oauth2.refreshtoken` - OAuth2 Refresh Token > - `authentik_providers_proxy.proxyprovider` - Proxy Provider > - `authentik_providers_radius.radiusprovider` - Radius Provider > - `authentik_providers_saml.samlprovider` - SAML Provider > - `authentik_providers_saml.samlpropertymapping` - SAML Property Mapping > - `authentik_providers_scim.scimprovider` - SCIM Provider > - `authentik_providers_scim.scimmapping` - SCIM Mapping > - `authentik_sources_ldap.ldapsource` - LDAP Source > - `authentik_sources_ldap.ldappropertymapping` - LDAP Property Mapping > - `authentik_sources_oauth.oauthsource` - OAuth Source > - `authentik_sources_oauth.useroauthsourceconnection` - User OAuth Source Connection > - `authentik_sources_plex.plexsource` - Plex Source > - `authentik_sources_plex.plexsourceconnection` - User Plex Source Connection > - `authentik_sources_saml.samlsource` - SAML Source > - `authentik_sources_saml.usersamlsourceconnection` - User SAML Source Connection > - `authentik_stages_authenticator_duo.authenticatorduostage` - Duo Authenticator Setup Stage > - `authentik_stages_authenticator_duo.duodevice` - Duo Device > - `authentik_stages_authenticator_sms.authenticatorsmsstage` - SMS Authenticator Setup Stage > - `authentik_stages_authenticator_sms.smsdevice` - SMS Device > - `authentik_stages_authenticator_static.authenticatorstaticstage` - Static Authenticator Stage > - `authentik_stages_authenticator_totp.authenticatortotpstage` - TOTP Authenticator Setup Stage > - `authentik_stages_authenticator_validate.authenticatorvalidatestage` - Authenticator Validation Stage > - `authentik_stages_authenticator_webauthn.authenticatewebauthnstage` - WebAuthn Authenticator Setup Stage > - `authentik_stages_authenticator_webauthn.webauthndevice` - WebAuthn Device > - `authentik_stages_captcha.captchastage` - Captcha Stage > - `authentik_stages_consent.consentstage` - Consent Stage > - `authentik_stages_consent.userconsent` - User Consent > - `authentik_stages_deny.denystage` - Deny Stage > - `authentik_stages_dummy.dummystage` - Dummy Stage > - `authentik_stages_email.emailstage` - Email Stage > - `authentik_stages_identification.identificationstage` - Identification Stage > - `authentik_stages_invitation.invitationstage` - Invitation Stage > - `authentik_stages_invitation.invitation` - Invitation > - `authentik_stages_password.passwordstage` - Password Stage > - `authentik_stages_prompt.prompt` - Prompt > - `authentik_stages_prompt.promptstage` - Prompt Stage > - `authentik_stages_user_delete.userdeletestage` - User Delete Stage > - `authentik_stages_user_login.userloginstage` - User Login Stage > - `authentik_stages_user_logout.userlogoutstage` - User Logout Stage > - `authentik_stages_user_write.userwritestage` - User Write Stage > - `authentik_tenants.tenant` - Tenant > - `authentik_blueprints.blueprintinstance` - Blueprint Instance > - `authentik_core.group` - group > - `authentik_core.user` - User > - `authentik_core.application` - Application > - `authentik_core.token` - Token ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` - Added property `model` (object) > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched. > > - `authentik_crypto.certificatekeypair` - Certificate-Key Pair > - `authentik_events.event` - Event > - `authentik_events.notificationtransport` - Notification Transport > - `authentik_events.notification` - Notification > - `authentik_events.notificationrule` - Notification Rule > - `authentik_events.notificationwebhookmapping` - Webhook Mapping > - `authentik_flows.flow` - Flow > - `authentik_flows.flowstagebinding` - Flow Stage Binding > - `authentik_outposts.dockerserviceconnection` - Docker Service-Connection > - `authentik_outposts.kubernetesserviceconnection` - Kubernetes Service-Connection > - `authentik_outposts.outpost` - outpost > - `authentik_policies_dummy.dummypolicy` - Dummy Policy > - `authentik_policies_event_matcher.eventmatcherpolicy` - Event Matcher Policy > - `authentik_policies_expiry.passwordexpirypolicy` - Password Expiry Policy > - `authentik_policies_expression.expressionpolicy` - Expression Policy > - `authentik_policies_password.passwordpolicy` - Password Policy > - `authentik_policies_reputation.reputationpolicy` - Reputation Policy > - `authentik_policies_reputation.reputation` - reputation > - `authentik_policies.policybinding` - Policy Binding > - `authentik_providers_ldap.ldapprovider` - LDAP Provider > - `authentik_providers_oauth2.scopemapping` - Scope Mapping > - `authentik_providers_oauth2.oauth2provider` - OAuth2/OpenID Provider > - `authentik_providers_oauth2.authorizationcode` - Authorization Code > - `authentik_providers_oauth2.accesstoken` - OAuth2 Access Token > - `authentik_providers_oauth2.refreshtoken` - OAuth2 Refresh Token > - `authentik_providers_proxy.proxyprovider` - Proxy Provider > - `authentik_providers_radius.radiusprovider` - Radius Provider > - `authentik_providers_saml.samlprovider` - SAML Provider > - `authentik_providers_saml.samlpropertymapping` - SAML Property Mapping > - `authentik_providers_scim.scimprovider` - SCIM Provider > - `authentik_providers_scim.scimmapping` - SCIM Mapping > - `authentik_sources_ldap.ldapsource` - LDAP Source > - `authentik_sources_ldap.ldappropertymapping` - LDAP Property Mapping > - `authentik_sources_oauth.oauthsource` - OAuth Source > - `authentik_sources_oauth.useroauthsourceconnection` - User OAuth Source Connection > - `authentik_sources_plex.plexsource` - Plex Source > - `authentik_sources_plex.plexsourceconnection` - User Plex Source Connection > - `authentik_sources_saml.samlsource` - SAML Source > - `authentik_sources_saml.usersamlsourceconnection` - User SAML Source Connection > - `authentik_stages_authenticator_duo.authenticatorduostage` - Duo Authenticator Setup Stage > - `authentik_stages_authenticator_duo.duodevice` - Duo Device > - `authentik_stages_authenticator_sms.authenticatorsmsstage` - SMS Authenticator Setup Stage > - `authentik_stages_authenticator_sms.smsdevice` - SMS Device > - `authentik_stages_authenticator_static.authenticatorstaticstage` - Static Authenticator Stage > - `authentik_stages_authenticator_totp.authenticatortotpstage` - TOTP Authenticator Setup Stage > - `authentik_stages_authenticator_validate.authenticatorvalidatestage` - Authenticator Validation Stage > - `authentik_stages_authenticator_webauthn.authenticatewebauthnstage` - WebAuthn Authenticator Setup Stage > - `authentik_stages_authenticator_webauthn.webauthndevice` - WebAuthn Device > - `authentik_stages_captcha.captchastage` - Captcha Stage > - `authentik_stages_consent.consentstage` - Consent Stage > - `authentik_stages_consent.userconsent` - User Consent > - `authentik_stages_deny.denystage` - Deny Stage > - `authentik_stages_dummy.dummystage` - Dummy Stage > - `authentik_stages_email.emailstage` - Email Stage > - `authentik_stages_identification.identificationstage` - Identification Stage > - `authentik_stages_invitation.invitationstage` - Invitation Stage > - `authentik_stages_invitation.invitation` - Invitation > - `authentik_stages_password.passwordstage` - Password Stage > - `authentik_stages_prompt.prompt` - Prompt > - `authentik_stages_prompt.promptstage` - Prompt Stage > - `authentik_stages_user_delete.userdeletestage` - User Delete Stage > - `authentik_stages_user_login.userloginstage` - User Login Stage > - `authentik_stages_user_logout.userlogoutstage` - User Logout Stage > - `authentik_stages_user_write.userwritestage` - User Write Stage > - `authentik_tenants.tenant` - Tenant > - `authentik_blueprints.blueprintinstance` - Blueprint Instance > - `authentik_core.group` - group > - `authentik_core.user` - User > - `authentik_core.application` - Application > - `authentik_core.token` - Token ##### `GET` /policies/event_matcher/ ###### Parameters: Added: `model` in `query` ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > Event Matcher Policy Serializer - Added property `model` (object) > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched. > > - `authentik_crypto.certificatekeypair` - Certificate-Key Pair > - `authentik_events.event` - Event > - `authentik_events.notificationtransport` - Notification Transport > - `authentik_events.notification` - Notification > - `authentik_events.notificationrule` - Notification Rule > - `authentik_events.notificationwebhookmapping` - Webhook Mapping > - `authentik_flows.flow` - Flow > - `authentik_flows.flowstagebinding` - Flow Stage Binding > - `authentik_outposts.dockerserviceconnection` - Docker Service-Connection > - `authentik_outposts.kubernetesserviceconnection` - Kubernetes Service-Connection > - `authentik_outposts.outpost` - outpost > - `authentik_policies_dummy.dummypolicy` - Dummy Policy > - `authentik_policies_event_matcher.eventmatcherpolicy` - Event Matcher Policy > - `authentik_policies_expiry.passwordexpirypolicy` - Password Expiry Policy > - `authentik_policies_expression.expressionpolicy` - Expression Policy > - `authentik_policies_password.passwordpolicy` - Password Policy > - `authentik_policies_reputation.reputationpolicy` - Reputation Policy > - `authentik_policies_reputation.reputation` - reputation > - `authentik_policies.policybinding` - Policy Binding > - `authentik_providers_ldap.ldapprovider` - LDAP Provider > - `authentik_providers_oauth2.scopemapping` - Scope Mapping > - `authentik_providers_oauth2.oauth2provider` - OAuth2/OpenID Provider > - `authentik_providers_oauth2.authorizationcode` - Authorization Code > - `authentik_providers_oauth2.accesstoken` - OAuth2 Access Token > - `authentik_providers_oauth2.refreshtoken` - OAuth2 Refresh Token > - `authentik_providers_proxy.proxyprovider` - Proxy Provider > - `authentik_providers_radius.radiusprovider` - Radius Provider > - `authentik_providers_saml.samlprovider` - SAML Provider > - `authentik_providers_saml.samlpropertymapping` - SAML Property Mapping > - `authentik_providers_scim.scimprovider` - SCIM Provider > - `authentik_providers_scim.scimmapping` - SCIM Mapping > - `authentik_sources_ldap.ldapsource` - LDAP Source > - `authentik_sources_ldap.ldappropertymapping` - LDAP Property Mapping > - `authentik_sources_oauth.oauthsource` - OAuth Source > - `authentik_sources_oauth.useroauthsourceconnection` - User OAuth Source Connection > - `authentik_sources_plex.plexsource` - Plex Source > - `authentik_sources_plex.plexsourceconnection` - User Plex Source Connection > - `authentik_sources_saml.samlsource` - SAML Source > - `authentik_sources_saml.usersamlsourceconnection` - User SAML Source Connection > - `authentik_stages_authenticator_duo.authenticatorduostage` - Duo Authenticator Setup Stage > - `authentik_stages_authenticator_duo.duodevice` - Duo Device > - `authentik_stages_authenticator_sms.authenticatorsmsstage` - SMS Authenticator Setup Stage > - `authentik_stages_authenticator_sms.smsdevice` - SMS Device > - `authentik_stages_authenticator_static.authenticatorstaticstage` - Static Authenticator Stage > - `authentik_stages_authenticator_totp.authenticatortotpstage` - TOTP Authenticator Setup Stage > - `authentik_stages_authenticator_validate.authenticatorvalidatestage` - Authenticator Validation Stage > - `authentik_stages_authenticator_webauthn.authenticatewebauthnstage` - WebAuthn Authenticator Setup Stage > - `authentik_stages_authenticator_webauthn.webauthndevice` - WebAuthn Device > - `authentik_stages_captcha.captchastage` - Captcha Stage > - `authentik_stages_consent.consentstage` - Consent Stage > - `authentik_stages_consent.userconsent` - User Consent > - `authentik_stages_deny.denystage` - Deny Stage > - `authentik_stages_dummy.dummystage` - Dummy Stage > - `authentik_stages_email.emailstage` - Email Stage > - `authentik_stages_identification.identificationstage` - Identification Stage > - `authentik_stages_invitation.invitationstage` - Invitation Stage > - `authentik_stages_invitation.invitation` - Invitation > - `authentik_stages_password.passwordstage` - Password Stage > - `authentik_stages_prompt.prompt` - Prompt > - `authentik_stages_prompt.promptstage` - Prompt Stage > - `authentik_stages_user_delete.userdeletestage` - User Delete Stage > - `authentik_stages_user_login.userloginstage` - User Login Stage > - `authentik_stages_user_logout.userlogoutstage` - User Logout Stage > - `authentik_stages_user_write.userwritestage` - User Write Stage > - `authentik_tenants.tenant` - Tenant > - `authentik_blueprints.blueprintinstance` - Blueprint Instance > - `authentik_core.group` - group > - `authentik_core.user` - User > - `authentik_core.application` - Application > - `authentik_core.token` - Token ##### `GET` /providers/ldap/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `mfa_support` (boolean) > When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon. - Changed property `uid_start_number` (integer) > The start for uidNumbers, this number is added to the user.pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users uidNumber - Changed property `gid_start_number` (integer) > The start for gidNumbers, this number is added to a number generated from the group.pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups or users primary groups gidNumber ##### `PUT` /providers/ldap/{id}/ ###### Request: Changed content type : `application/json` - Added property `mfa_support` (boolean) > When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon. - Changed property `uid_start_number` (integer) > The start for uidNumbers, this number is added to the user.pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users uidNumber - Changed property `gid_start_number` (integer) > The start for gidNumbers, this number is added to a number generated from the group.pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups or users primary groups gidNumber ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `mfa_support` (boolean) > When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon. - Changed property `uid_start_number` (integer) > The start for uidNumbers, this number is added to the user.pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users uidNumber - Changed property `gid_start_number` (integer) > The start for gidNumbers, this number is added to a number generated from the group.pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups or users primary groups gidNumber ##### `PATCH` /providers/ldap/{id}/ ###### Request: Changed content type : `application/json` - Added property `mfa_support` (boolean) > When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon. - Changed property `uid_start_number` (integer) > The start for uidNumbers, this number is added to the user.pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users uidNumber - Changed property `gid_start_number` (integer) > The start for gidNumbers, this number is added to a number generated from the group.pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups or users primary groups gidNumber ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `mfa_support` (boolean) > When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon. - Changed property `uid_start_number` (integer) > The start for uidNumbers, this number is added to the user.pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users uidNumber - Changed property `gid_start_number` (integer) > The start for gidNumbers, this number is added to a number generated from the group.pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups or users primary groups gidNumber ##### `GET` /sources/ldap/{slug}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `client_certificate` (string) > Client certificate to authenticate against the LDAP Server's Certificate. - Added property `sni` (boolean) ##### `PUT` /sources/ldap/{slug}/ ###### Request: Changed content type : `application/json` - Added property `client_certificate` (string) > Client certificate to authenticate against the LDAP Server's Certificate. - Added property `sni` (boolean) ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `client_certificate` (string) > Client certificate to authenticate against the LDAP Server's Certificate. - Added property `sni` (boolean) ##### `PATCH` /sources/ldap/{slug}/ ###### Request: Changed content type : `application/json` - Added property `client_certificate` (string) > Client certificate to authenticate against the LDAP Server's Certificate. - Added property `sni` (boolean) ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `client_certificate` (string) > Client certificate to authenticate against the LDAP Server's Certificate. - Added property `sni` (boolean) ##### `GET` /sources/saml/{slug}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `verification_kp` (string) > When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default. - Changed property `signing_kp` (string) > Keypair used to sign outgoing Responses going to the Identity Provider. ##### `PUT` /sources/saml/{slug}/ ###### Request: Changed content type : `application/json` - Added property `verification_kp` (string) > When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default. - Changed property `signing_kp` (string) > Keypair used to sign outgoing Responses going to the Identity Provider. ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `verification_kp` (string) > When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default. - Changed property `signing_kp` (string) > Keypair used to sign outgoing Responses going to the Identity Provider. ##### `PATCH` /sources/saml/{slug}/ ###### Request: Changed content type : `application/json` - Added property `verification_kp` (string) > When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default. - Changed property `signing_kp` (string) > Keypair used to sign outgoing Responses going to the Identity Provider. ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `verification_kp` (string) > When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default. - Changed property `signing_kp` (string) > Keypair used to sign outgoing Responses going to the Identity Provider. ##### `GET` /core/tokens/ ###### Parameters: Changed: `intent` in `query` > - `verification` - Intent Verification > - `api` - Intent Api > - `recovery` - Intent Recovery > - `app_password` - Intent App Password ##### `GET` /events/transports/ ###### Parameters: Changed: `mode` in `query` > - `local` - authentik inbuilt notifications > - `webhook` - Generic Webhook > - `webhook_slack` - Slack Webhook (Slack/Discord) > - `email` - Email ##### `GET` /outposts/ldap/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > LDAPProvider Serializer - Added property `mfa_support` (boolean) > When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon. - Changed property `uid_start_number` (integer) > The start for uidNumbers, this number is added to the user.pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users uidNumber - Changed property `gid_start_number` (integer) > The start for gidNumbers, this number is added to a number generated from the group.pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups or users primary groups gidNumber ##### `POST` /providers/ldap/ ###### Request: Changed content type : `application/json` - Added property `mfa_support` (boolean) > When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon. - Changed property `uid_start_number` (integer) > The start for uidNumbers, this number is added to the user.pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users uidNumber - Changed property `gid_start_number` (integer) > The start for gidNumbers, this number is added to a number generated from the group.pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups or users primary groups gidNumber ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` - Added property `mfa_support` (boolean) > When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon. - Changed property `uid_start_number` (integer) > The start for uidNumbers, this number is added to the user.pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users uidNumber - Changed property `gid_start_number` (integer) > The start for gidNumbers, this number is added to a number generated from the group.pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups or users primary groups gidNumber ##### `GET` /providers/ldap/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > LDAPProvider Serializer - Added property `mfa_support` (boolean) > When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon. - Changed property `uid_start_number` (integer) > The start for uidNumbers, this number is added to the user.pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users uidNumber - Changed property `gid_start_number` (integer) > The start for gidNumbers, this number is added to a number generated from the group.pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups or users primary groups gidNumber ##### `GET` /providers/saml/ ###### Parameters: Changed: `digest_algorithm` in `query` > - `http://www.w3.org/2000/09/xmldsig#sha1` - SHA1 > - `http://www.w3.org/2001/04/xmlenc#sha256` - SHA256 > - `http://www.w3.org/2001/04/xmldsig-more#sha384` - SHA384 > - `http://www.w3.org/2001/04/xmlenc#sha512` - SHA512 Changed: `signature_algorithm` in `query` > - `http://www.w3.org/2000/09/xmldsig#rsa-sha1` - RSA-SHA1 > - `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` - RSA-SHA256 > - `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384` - RSA-SHA384 > - `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512` - RSA-SHA512 > - `http://www.w3.org/2000/09/xmldsig#dsa-sha1` - DSA-SHA1 ##### `POST` /sources/ldap/ ###### Request: Changed content type : `application/json` - Added property `client_certificate` (string) > Client certificate to authenticate against the LDAP Server's Certificate. - Added property `sni` (boolean) ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` - Added property `client_certificate` (string) > Client certificate to authenticate against the LDAP Server's Certificate. - Added property `sni` (boolean) ##### `GET` /sources/ldap/ ###### Parameters: Added: `client_certificate` in `query` Added: `sni` in `query` ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > LDAP Source Serializer - Added property `client_certificate` (string) > Client certificate to authenticate against the LDAP Server's Certificate. - Added property `sni` (boolean) ##### `GET` /sources/oauth/ ###### Parameters: Changed: `policy_engine_mode` in `query` > - `all` - all, all policies must pass > - `any` - any, any policy must pass ##### `GET` /sources/plex/ ###### Parameters: Changed: `policy_engine_mode` in `query` > - `all` - all, all policies must pass > - `any` - any, any policy must pass ##### `POST` /sources/saml/ ###### Request: Changed content type : `application/json` - Added property `verification_kp` (string) > When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default. - Changed property `signing_kp` (string) > Keypair used to sign outgoing Responses going to the Identity Provider. ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` - Added property `verification_kp` (string) > When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default. - Changed property `signing_kp` (string) > Keypair used to sign outgoing Responses going to the Identity Provider. ##### `GET` /sources/saml/ ###### Parameters: Added: `verification_kp` in `query` Changed: `binding_type` in `query` > - `REDIRECT` - Redirect Binding > - `POST` - POST Binding > - `POST_AUTO` - POST Binding with auto-confirmation Changed: `digest_algorithm` in `query` > - `http://www.w3.org/2000/09/xmldsig#sha1` - SHA1 > - `http://www.w3.org/2001/04/xmlenc#sha256` - SHA256 > - `http://www.w3.org/2001/04/xmldsig-more#sha384` - SHA384 > - `http://www.w3.org/2001/04/xmlenc#sha512` - SHA512 Changed: `policy_engine_mode` in `query` > - `all` - all, all policies must pass > - `any` - any, any policy must pass Changed: `signature_algorithm` in `query` > - `http://www.w3.org/2000/09/xmldsig#rsa-sha1` - RSA-SHA1 > - `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` - RSA-SHA256 > - `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384` - RSA-SHA384 > - `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512` - RSA-SHA512 > - `http://www.w3.org/2000/09/xmldsig#dsa-sha1` - DSA-SHA1 ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > SAMLSource Serializer - Added property `verification_kp` (string) > When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default. - Changed property `signing_kp` (string) > Keypair used to sign outgoing Responses going to the Identity Provider. ##### `GET` /events/notifications/ ###### Parameters: Changed: `severity` in `query` > - `notice` - Notice > - `warning` - Warning > - `alert` - Alert ##### `GET` /flows/bindings/ ###### Parameters: Changed: `policy_engine_mode` in `query` > - `all` - all, all policies must pass > - `any` - any, any policy must pass ##### `GET` /stages/authenticator/sms/ ###### Parameters: Changed: `auth_type` in `query` > - `basic` - Basic > - `bearer` - Bearer Changed: `provider` in `query` > - `twilio` - Twilio > - `generic` - Generic ##### `GET` /stages/authenticator/totp/ ###### Parameters: Changed: `digits` in `query` > - `6` - 6 digits, widely compatible > - `8` - 8 digits, not compatible with apps like Google Authenticator ##### `GET` /stages/authenticator/validate/ ###### Parameters: Changed: `not_configured_action` in `query` > - `skip` - Skip > - `deny` - Deny > - `configure` - Configure ##### `GET` /stages/authenticator/webauthn/ ###### Parameters: Changed: `authenticator_attachment` in `query` > - `platform` - Platform > - `cross-platform` - Cross Platform Changed: `resident_key_requirement` in `query` > - `discouraged` - Discouraged > - `preferred` - Preferred > - `required` - Required Changed: `user_verification` in `query` > - `required` - Required > - `preferred` - Preferred > - `discouraged` - Discouraged ##### `GET` /stages/consent/ ###### Parameters: Changed: `mode` in `query` > - `always_require` - Always Require > - `permanent` - Permanent > - `expiring` - Expiring ##### `GET` /stages/user_write/ ###### Parameters: Changed: `user_creation_mode` in `query` > - `never_create` - Never Create > - `create_when_required` - Create When Required > - `always_create` - Always Create ##### `GET` /stages/prompt/prompts/ ###### Parameters: Changed: `type` in `query` > - `text` - Text: Simple Text input > - `text_area` - Text area: Multiline Text Input. > - `text_read_only` - Text (read-only): Simple Text input, but cannot be edited. > - `text_area_read_only` - Text area (read-only): Multiline Text input, but cannot be edited. > - `username` - Username: Same as Text input, but checks for and prevents duplicate usernames. > - `email` - Email: Text field with Email type. > - `password` - Password: Masked input, multiple inputs of this type on the same prompt need to be identical. > - `number` - Number > - `checkbox` - Checkbox > - `radio-button-group` - Fixed choice field rendered as a group of radio buttons. > - `dropdown` - Fixed choice field rendered as a dropdown. > - `date` - Date > - `date-time` - Date Time > - `file` - File: File upload for arbitrary files. File content will be available in flow context as data-URI > - `separator` - Separator: Static Separator Line > - `hidden` - Hidden: Hidden field, can be used to insert data into form. > - `static` - Static: Static value, displayed as-is. > - `ak-locale` - authentik: Selection of locales authentik supports