--- title: Release 2021.12 slug: "2021.12" --- ## Headline changes This release does not have any headline features, and mostly fixes bugs. ## Breaking changes - stages/prompt: Before 2021.12, any policy was required to pass for the result to be considered valid. This has been changed, and now all policies are required to be valid. ## Minor changes - core: make defaults for _change_email and _change_username configurable - core: remove dump_config, handle directly in config loader without booting django, don't check database - events: add gdpr_compliance option - internal: fix integrated docs not working - internal: use runserver when debug for code reload - lib: add cli option for lib.config - lib: add improved log to sentry events being sent - lib: fix custom URL schemes being overwritten - lib: load json strings in config env variables - lib: log error for file:// in config - lifecycle: allow custom worker count in k8s - lifecycle: improve backup restore by dropping database before - lifecycle: improve redis connection debug py printing full URL - outpost: configure error reporting based off of main instance config - outposts: don't panic when listening for metrics fails - outposts: reload on signal USR1, fix display of reload offset - outposts/ldap: copy boundUsers map when running refresh instead of using blank map - outposts/ldap: fix panic when attempting to update without locked users mutex - outposts/proxy: continue compiling additional regexes even when one fails - outposts/proxy: show better error when hostname isn't configured - outposts/proxy: use disableIndex for static files - policies/expression: fix ak_user_has_authenticator evaluation when not specifying optional device_type (#1849) - providers/saml: fix SessionNotOnOrAfter not being included - root: add lifespan shim to prevent errors - root: fix settings for managed not loaded - root: make sentry sample rate configurable - stages/authenticator_validate: catch error when attempting to configure user without flow - stages/email: fix missing component in response when retrying email send - stages/email: minify email css template - stages/email: prevent error with duplicate token - web: improve dark theme for vertical tabs - web: only show applications with http link - web/admin: allow flow edit on flow view page - web/admin: fix actions column on ip reputation page - web/admin: fix Forms with file uploads not handling errors correctly - web/admin: make object view pages more consistent - web/admin: make user clickable for bound policies list - web/admin: redesign provider pages to provide more info - web/admin: show changelog on user info page - web/admin: unify rendering and sorting of user lists - web/elements: add new API to store attributes in URL, use for table and tabs - web/elements: allow app.model names for ak-object-changelog - web/elements: allow multiple tabs with different state - web/flows: fix spinner during webauthn not centred - web/flows: update default background - web/user: fix filtering for applications based on launchURL - web/user: fix height issues on user interface ## Fixed in 2021.12.1-rc2 - *: don't use go embed to make using custom files easier - crypto: add certificate discovery to automatically import certificates from lets encrypt - crypto: fix default API not having an ordering - outposts: always trigger outpost reconcile on startup - outposts/ldap: Rework/improve LDAP search logic. (#1687) - outposts/proxy: make logging fields more consistent - outposts/proxy: re-add rs256 support - providers/proxy: fix defaults for traefik integration - providers/proxy: use wildcard for traefik headers copy - providers/saml: fix error when using post bindings and user freshly logged in - providers/saml: fix IndexError in signature check - sources/ldap: add optional tls verification certificate - sources/ldap: allow multiple server URIs for loadbalancing and failover - sources/ldap: don't cache LDAP Connection, use random server - sources/ldap: handle typeerror during creation of objects when using wrong keyword params - sources/plex: fix plex token being included in event log - stages/prompt: fix error when both default and required are set - web/admin: add spinner to table refresh button to show progress - web/admin: don't show disabled http basic as red - web/admin: fix wrong description for reputation policy - web/flows: fix linting errors - web/flows: Revise duo authenticator login prompt text (#1872) ## Fixed in 2021.12.1-rc3 - core: add FlowToken which saves the pickled flow plan, replace standard token in email stage to allow finishing flows in different sessions - core: fix missing permission check for group creating when creating service account - outposts/ldap: Fix search case sensitivity. (#1897) - policies/expression: add ak_call_policy - providers/saml: add ?force_binding to limit bindings for metadata endpoint - root: add request_id to celery tasks, prefixed with "task-" - sources/*: Allow creation of source connections via API - stages/prompt: use policyenginemode all - tests/e2e: add post binding test - web: fix duplicate classes, make generic icon clickable - web: fix text colour for bad request on light mode - web/admin: show outpost warning on application page too - web/elements: close dropdown when refresh event is dispatched - web/user: allow custom font-awesome icons for applications ## Fixed in 2021.12.1-rc4 - core: fix error when using invalid key-values in attributes query - flows: fix error in inspector view - flows: fix error when trying to print FlowToken objects - lib: correctly report "faked" IPs to sentry - outposts: add additional checks for websocket connection - outposts: cleanup logs for failed binds - outposts: don't try to create docker client for embedded outpost - outposts: fix docker controller not stopping containers - outposts: fix unlabeled transaction - outposts: handle RuntimeError during websocket connect - outposts: rewrite re-connect logic without recws - outposts: set display name for outpost service account - outposts/ldap: fix searches with mixed casing - outposts/proxy: use filesystem storage for non-embedded outposts - policies: don't always clear application cache on post_save - stagse/authenticator_webauthn: remove pydantic import - web: fix borders of sidebars in dark mode ## Fixed in 2021.12.1-rc5 - crypto: add additional validation before importing a certificate - events: add flow_execution event type - events: fix schema for top_per_user - flows: fix wrong exception being caught in flow inspector - outposts: reset backoff after successful connect - outposts/proxy: fix securecookie: the value is too long again, since it can happen even with filesystem storage - providers/oauth2: add additional logging to show with token path is taken - providers/oauth2: use generate_key instead of uuid4 - sources/ldap: fix incorrect task names being referenced, use source native slug - sources/oauth: add initial okta type - sources/oauth: allow oauth types to override their login button challenge - sources/oauth: implement apple native sign-in using the apple JS SDK - sources/oauth: strip parts of custom apple client_id - stages/authenticator_webauthn: make user_verification configurable - stages/identification: fix miscalculated sleep - stages/invitation: use GroupMemberSerializer serializer to prevent all of the user's groups and their users from being returned - web: add link to open API Browser for API Drawer - web/admin: add dashboard with user creation/login statistics - web/admin: fix invalid display for LDAP Source sync status - web/admin: fix rendering for applications on view page - web/admin: fix rendering of applications with custom icon - web/admin: improve wording for froward_auth, don't show setup when using proxy mode - web/admin: show warning when deleting currently logged in user - web/admin: update overview page - web/flows: fix error when attempting to enroll new webauthn device ## Fixed in 2021.12.1 - core: fix error when attempting to provider from cached application - events: improve app lookup for event creation - internal: cleanup duplicate and redundant code, properly set sentry SDK scope settings - lifecycle: add -Ofair to celery - web/admin: add sidebar to applications - web/admin: fix notification unread colours not matching on user and admin interface - web/admin: fix stage related flows not being shown in a list - web/elements: add Markdown component to improve rendering - web/elements: add support for sidebar on table page - web/elements: close notification drawer when clearing all notifications ## Fixed in 2021.12.2 - core: don't rotate non-api tokens - crypto: fix private keys not being imported correctly - outposts: release binary outposts (#1954) - outposts/proxy: match skipPathRegex against full URL on domain auth - policies/password: add minimum digits - providers/oauth2: don't rely on expiry task for access codes and refresh tokens - sources/oauth: allow writing to user in SourceConnection - web: ignore instantSearchSDKJSBridgeClearHighlight error on edge on iOS - web/admin: fix background colour for application sidebar - web/elements: fix border between search buttons ## Upgrading This release does not introduce any new requirements. ### docker-compose Download the docker-compose file for 2021.12 from [here](https://goauthentik.io/version/2021.12/docker-compose.yml). Afterwards, simply run `docker-compose up -d`. ### Kubernetes Update your values to use the new images: ```yaml image: repository: ghcr.io/goauthentik/server tag: 2021.12.1-rc1 ```