--- title: Release 2023.1 slug: "/releases/2023.1" --- ## Breaking changes - Deprecated HaveIBeenPwned policy has been removed This policy type has been deprecated since 2022.11 and was automatically migrated to the password policy with equivalent options. ## New features - SLO Support for SAML provider authentik now supports SAML SLO (Single logout). - Proxy provider now accepts HTTP Basic and Bearer authentication See [Header authentication](../../providers/proxy/header_authentication.md). - LDAP provider now works with Code-based MFA stages If the configured authentication flow has an authenticator validation stage which allows code-based devices, and the user attempting to login has a TOTP or Static device, they can enter their password followed by a semicolon and the authenticator code to login. SMS devices are not supported. ## Upgrading This release does not introduce any new requirements. ### docker-compose Download the docker-compose file for 2023.1 from [here](https://goauthentik.io/version/2023.1/docker-compose.yml). Afterwards, simply run `docker-compose up -d`. ### Kubernetes Update your values to use the new images: ```yaml image: repository: ghcr.io/goauthentik/server tag: 2023.1.0 ``` ## Minor changes/fixes - \*: strip leading and trailing whitespace when reading config values from files - admin: include task duration in API (#4428) - blueprints: Add `!Enumerate`, `!Value` and `!Index` tags (#4338) - blueprints: don't set session_duration in default and example flows (#4448) - blueprints: Fix resolve model_name in `!Find` tag (#4371) - blueprints: internal storage (#4397) - crypto: prevent creation of duplicate self-signed default certs - events: exclude base models from model audit log - events: rework metrics (#4407) - internal: check certificate value and not IsSet - internal: fix race condition with config loading on startup, add index on debug server - internal: improve error handling - outposts: use common config loader for outposts to support loading values from file - outposts/ldap: decrease verbosity - outposts/proxy: add header to prevent redirects - outposts/proxy: allow setting no-redirect via header or query param - outposts/proxy: cache basic and bearer credentials for one minute - outposts/proxy: fix error handling, remove requirement for profile/etc scopes - outposts/proxy: make logged user more consistent, set FlushInterval - outposts/proxy: set http code when no redirect header is set - polices/hibp: remove deprecated (#4363) - providers/ldap: add code-MFA support for ldap provider (#4354) - providers/oauth2: correctly fill claims_supported based on selected scopes (#4429) - providers/oauth2: don't allow spaces in scope_name - providers/oauth2: fallback to anonymous user for policy engine - providers/oauth2: use guardian anonymous user to get claims for provider info - providers/proxy: add initial header token auth (#4421) - providers/proxy: add setting to intercept authorization header (#4457) - providers/proxy: add tests for proxy basic auth (#4357) - providers/saml: initial SLO implementation (#2346) - root: show error when geoIP download fails - sources/ldap: don't run membership sync if group sync is disabled - sources/ldap: make task timeout adjustable - sources/ldap: manual import (#4456) - sources/ldap: only warn about missing groups when source is configured to sync groups - stages/user_write: add more user creation options (#4367) - web: add core-js polyfill for safari - web: ensure img tags have alt attributes - web: fix radio label code in dark mode - web: fix scrollbar corner color in dark mode - web: migrate checkbox to switch (#4409) - web/admin: better show dev build - web/admin: fix certificate filtering for LDAP verification certificate - web/admin: fix overflow in aggregate cards - web/admin: link impersonation user for events - web/admin: rework admin dashboard, add more links, remove user and group graphs (#4399) - web/admin: show GeoIP information inline in events - web/elements: fix pagination page button colours in dark mode - web/elements: use correct Action Label for user related events ## Fixed in 2023.1.1 - add tests to prevent empty SAN - blueprints: fix OOB email field overwriting user settings email field - ci: build beta for amd64 and arm64 (#4468) - crypto: ensure we don't generate an empty SAN certificate - crypto: fallback when no SAN values are given - outposts/ldap: fix queries filtering objectClass with non-lowercase values - outposts/proxy: fix panic due to IsSet misbehaving - providers/oauth2: more x5c and ecdsa x/y tests (#4463) - providers/proxy: fix issuer for embedded outpost (#4480) - sources/ldap: add e2e LDAP source tests (#4462) - stages: always use get_pending_user instead of getting context user - stages/authenticator_sms: fix code not being sent when phone_number is in context - web/admin: don't enable execution logging by default - web/admin: improve display of rule severity - web/admin: improve display of system task exception - web/admin: link group of notification rule - web/elements: fix pf-c-switch not rendering correctly in pure tables - web/elements: fix SearchSelect not working on safari - web/flows: fix flow executor background overlay in safari ## Fixed in 2023.1.2 - stages/user_write: fix migration setting wrong value, fix form ## Fixed in 2023.1.3 - \*: fix [CVE-2023-26481](../security/CVE-2023-26481), Reported by [@fuomag9](https://github.com/fuomag9) ## API Changes #### What's Deleted --- ##### `GET` /policies/haveibeenpwned/ ##### `POST` /policies/haveibeenpwned/ ##### `GET` /policies/haveibeenpwned/{policy_uuid}/ ##### `PUT` /policies/haveibeenpwned/{policy_uuid}/ ##### `DELETE` /policies/haveibeenpwned/{policy_uuid}/ ##### `PATCH` /policies/haveibeenpwned/{policy_uuid}/ ##### `GET` /policies/haveibeenpwned/{policy_uuid}/used_by/ #### What's Changed --- ##### `GET` /admin/metrics/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New required properties: - `authorizations` - `logins` - `logins_failed` New optional properties: - `authorizations_per_1h` - `logins_failed_per_1h` - `logins_per_1h` * Added property `logins` (array) Items (object): > Coordinates for diagrams - Property `x_cord` (integer) - Property `y_cord` (integer) * Added property `logins_failed` (array) * Added property `authorizations` (array) * Deleted property `logins_per_1h` (array) * Deleted property `logins_failed_per_1h` (array) * Deleted property `authorizations_per_1h` (array) ##### `GET` /core/users/{id}/metrics/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New required properties: - `authorizations` - `logins` - `logins_failed` New optional properties: - `authorizations_per_1h` - `logins_failed_per_1h` - `logins_per_1h` * Added property `logins` (array) * Added property `logins_failed` (array) * Added property `authorizations` (array) * Deleted property `logins_per_1h` (array) * Deleted property `logins_failed_per_1h` (array) * Deleted property `authorizations_per_1h` (array) ##### `GET` /managed/blueprints/{instance_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New optional properties: - `path` * Added property `content` (string) ##### `PUT` /managed/blueprints/{instance_uuid}/ ###### Request: Changed content type : `application/json` New optional properties: - `path` * Added property `content` (string) ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New optional properties: - `path` * Added property `content` (string) ##### `PATCH` /managed/blueprints/{instance_uuid}/ ###### Request: Changed content type : `application/json` - Added property `content` (string) ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New optional properties: - `path` * Added property `content` (string) ##### `POST` /managed/blueprints/{instance_uuid}/apply/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New optional properties: - `path` * Added property `content` (string) ##### `GET` /outposts/proxy/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `intercept_header_auth` (boolean) > When enabled, this provider will intercept the authorization header and authenticate requests based on its value. ##### `GET` /policies/event_matcher/{policy_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Removed enum value: - `authentik.policies.hibp` ##### `PUT` /policies/event_matcher/{policy_uuid}/ ###### Request: Changed content type : `application/json` - Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Removed enum value: - `authentik.policies.hibp` ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Removed enum value: - `authentik.policies.hibp` ##### `PATCH` /policies/event_matcher/{policy_uuid}/ ###### Request: Changed content type : `application/json` - Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Removed enum value: - `authentik.policies.hibp` ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Removed enum value: - `authentik.policies.hibp` ##### `GET` /propertymappings/scope/{pm_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `scope_name` (string) > Scope name requested by the client ##### `PUT` /propertymappings/scope/{pm_uuid}/ ###### Request: Changed content type : `application/json` - Changed property `scope_name` (string) > Scope name requested by the client ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `scope_name` (string) > Scope name requested by the client ##### `PATCH` /propertymappings/scope/{pm_uuid}/ ###### Request: Changed content type : `application/json` - Changed property `scope_name` (string) > Scope name requested by the client ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `scope_name` (string) > Scope name requested by the client ##### `GET` /providers/proxy/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New required properties: - `client_id` * Added property `client_id` (string) * Added property `intercept_header_auth` (boolean) > When enabled, this provider will intercept the authorization header and authenticate requests based on its value. * Added property `jwks_sources` (array) Items (string): ##### `PUT` /providers/proxy/{id}/ ###### Request: Changed content type : `application/json` - Added property `intercept_header_auth` (boolean) > When enabled, this provider will intercept the authorization header and authenticate requests based on its value. - Added property `jwks_sources` (array) ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New required properties: - `client_id` * Added property `client_id` (string) * Added property `intercept_header_auth` (boolean) > When enabled, this provider will intercept the authorization header and authenticate requests based on its value. * Added property `jwks_sources` (array) ##### `PATCH` /providers/proxy/{id}/ ###### Request: Changed content type : `application/json` - Added property `intercept_header_auth` (boolean) > When enabled, this provider will intercept the authorization header and authenticate requests based on its value. - Added property `jwks_sources` (array) ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New required properties: - `client_id` * Added property `client_id` (string) * Added property `intercept_header_auth` (boolean) > When enabled, this provider will intercept the authorization header and authenticate requests based on its value. * Added property `jwks_sources` (array) ##### `GET` /admin/system_tasks/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` Changed items (object): > Serialize TaskInfo and TaskResult New required properties: - `task_duration` * Added property `task_duration` (integer) ##### `GET` /admin/system_tasks/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New required properties: - `task_duration` * Added property `task_duration` (integer) ##### `POST` /managed/blueprints/ ###### Request: Changed content type : `application/json` New optional properties: - `path` * Added property `content` (string) ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` New optional properties: - `path` * Added property `content` (string) ##### `GET` /managed/blueprints/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > Info about a single blueprint instance file New optional properties: - `path` * Added property `content` (string) ##### `GET` /outposts/proxy/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > Proxy provider serializer for outposts - Added property `intercept_header_auth` (boolean) > When enabled, this provider will intercept the authorization header and authenticate requests based on its value. ##### `POST` /policies/event_matcher/ ###### Request: Changed content type : `application/json` - Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Removed enum value: - `authentik.policies.hibp` ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` - Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Removed enum value: - `authentik.policies.hibp` ##### `GET` /policies/event_matcher/ ###### Parameters: Changed: `app` in `query` ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > Event Matcher Policy Serializer - Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Removed enum value: - `authentik.policies.hibp` ##### `POST` /propertymappings/scope/ ###### Request: Changed content type : `application/json` - Changed property `scope_name` (string) > Scope name requested by the client ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` - Changed property `scope_name` (string) > Scope name requested by the client ##### `GET` /propertymappings/scope/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > ScopeMapping Serializer - Changed property `scope_name` (string) > Scope name requested by the client ##### `POST` /providers/proxy/ ###### Request: Changed content type : `application/json` - Added property `intercept_header_auth` (boolean) > When enabled, this provider will intercept the authorization header and authenticate requests based on its value. - Added property `jwks_sources` (array) ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` New required properties: - `client_id` * Added property `client_id` (string) * Added property `intercept_header_auth` (boolean) > When enabled, this provider will intercept the authorization header and authenticate requests based on its value. * Added property `jwks_sources` (array) ##### `GET` /providers/proxy/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > ProxyProvider Serializer New required properties: - `client_id` * Added property `client_id` (string) * Added property `intercept_header_auth` (boolean) > When enabled, this provider will intercept the authorization header and authenticate requests based on its value. * Added property `jwks_sources` (array) ##### `GET` /providers/saml/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New required properties: - `url_slo_post` - `url_slo_redirect` * Added property `url_slo_post` (string) * Added property `url_slo_redirect` (string) ##### `PUT` /providers/saml/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New required properties: - `url_slo_post` - `url_slo_redirect` * Added property `url_slo_post` (string) * Added property `url_slo_redirect` (string) ##### `PATCH` /providers/saml/{id}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` New required properties: - `url_slo_post` - `url_slo_redirect` * Added property `url_slo_post` (string) * Added property `url_slo_redirect` (string) ##### `GET` /sources/ldap/{slug}/sync_status/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` Changed items (object): > Serialize TaskInfo and TaskResult New required properties: - `task_duration` * Added property `task_duration` (integer) ##### `POST` /providers/saml/ ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` New required properties: - `url_slo_post` - `url_slo_redirect` * Added property `url_slo_post` (string) * Added property `url_slo_redirect` (string) ##### `GET` /providers/saml/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > SAMLProvider Serializer New required properties: - `url_slo_post` - `url_slo_redirect` * Added property `url_slo_post` (string) * Added property `url_slo_redirect` (string) ##### `GET` /sources/oauth/ ###### Parameters: Added: `has_jwks` in `query` > Only return sources with JWKS data ##### `GET` /stages/user_write/{stage_uuid}/ ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `user_creation_mode` (string) Enum values: - `never_create` - `create_when_required` - `always_create` - Deleted property `can_create_users` (boolean) > When set, this stage can create users. If not enabled and no user is available, stage will fail. ##### `PUT` /stages/user_write/{stage_uuid}/ ###### Request: Changed content type : `application/json` - Added property `user_creation_mode` (string) - Deleted property `can_create_users` (boolean) > When set, this stage can create users. If not enabled and no user is available, stage will fail. ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `user_creation_mode` (string) - Deleted property `can_create_users` (boolean) > When set, this stage can create users. If not enabled and no user is available, stage will fail. ##### `PATCH` /stages/user_write/{stage_uuid}/ ###### Request: Changed content type : `application/json` - Added property `user_creation_mode` (string) - Deleted property `can_create_users` (boolean) > When set, this stage can create users. If not enabled and no user is available, stage will fail. ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Added property `user_creation_mode` (string) - Deleted property `can_create_users` (boolean) > When set, this stage can create users. If not enabled and no user is available, stage will fail. ##### `POST` /stages/user_write/ ###### Request: Changed content type : `application/json` - Added property `user_creation_mode` (string) - Deleted property `can_create_users` (boolean) > When set, this stage can create users. If not enabled and no user is available, stage will fail. ###### Return Type: Changed response : **201 Created** - Changed content type : `application/json` - Added property `user_creation_mode` (string) - Deleted property `can_create_users` (boolean) > When set, this stage can create users. If not enabled and no user is available, stage will fail. ##### `GET` /stages/user_write/ ###### Parameters: Added: `user_creation_mode` in `query` Deleted: `can_create_users` in `query` ###### Return Type: Changed response : **200 OK** - Changed content type : `application/json` - Changed property `results` (array) Changed items (object): > UserWriteStage Serializer - Added property `user_creation_mode` (string) - Deleted property `can_create_users` (boolean) > When set, this stage can create users. If not enabled and no user is available, stage will fail.