716584bbae
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
772 lines
18 KiB
Markdown
772 lines
18 KiB
Markdown
---
|
|
title: Release 2022.11
|
|
slug: "2022.11"
|
|
---
|
|
|
|
## Breaking changes
|
|
|
|
- Have I Been Pwned policy is deprecated
|
|
|
|
The policy has been merged with the password policy which provides the same functionality. Existing Have I Been Pwned policies will automatically be migrated.
|
|
|
|
- Instead of using multiple redis databases, authentik now uses a single redis database
|
|
|
|
This will temporarily loose some cached information after the upgrade, like cached system tasks and policy results. This data will be re-cached in the background.
|
|
|
|
## New features
|
|
|
|
- authentik now runs on Python 3.11
|
|
- Expanded password policy
|
|
|
|
The "Have I been Pwned" policy has been merged into the password policy, and additionally passwords can be checked using [zxcvbn](https://github.com/dropbox/zxcvbn) to provider concise feedback.
|
|
|
|
## Upgrading
|
|
|
|
This release does not introduce any new requirements.
|
|
|
|
### docker-compose
|
|
|
|
Download the docker-compose file for 2022.11 from [here](https://goauthentik.io/version/2022.11/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
|
|
|
|
### Kubernetes
|
|
|
|
Update your values to use the new images:
|
|
|
|
```yaml
|
|
image:
|
|
repository: ghcr.io/goauthentik/server
|
|
tag: 2022.11.1
|
|
```
|
|
|
|
## Minor changes/fixes
|
|
|
|
- api: fix missing scheme in securitySchemes
|
|
- blueprints: Fixed bug causing blueprint instance context be discarded (#3990)
|
|
- core: fix error when propertymappings return complex value
|
|
- core: simplify group serializer for user API endpoint (#3899)
|
|
- events: deepcopy event kwargs to prevent objects being removed, remove workaround
|
|
- events: sanitize generator for json safety
|
|
- lib: fix complex objects being included in event context for ak_create_event
|
|
- lifecycle: fix incorrect messages looped
|
|
- outposts/kubernetes: ingress class (#4002)
|
|
- policies: only cache policies for authenticated users
|
|
- policies/password: merge hibp add zxcvbn (#4001)
|
|
- providers/oauth2: fix inconsistent expiry encoded in JWT
|
|
- root: make sentry DSN configurable (#4016)
|
|
- root: relicense and launch blog post
|
|
- root: use single redis db (#4009)
|
|
- sources: add custom icon support (#4022)
|
|
- stages/authenticator\_\*: cleanup
|
|
- stages/authenticator_validate: add flag to configure user_verification for webauthn devices
|
|
- stages/invitation: directly delete invitation now that flow plan is saved in email token
|
|
- web: fix twitter icon
|
|
- web/flows: always hide static user info when its not set in the flow
|
|
|
|
## Fixed in 2022.11.1
|
|
|
|
- blueprints: add desired state attribute to objects (#4061)
|
|
- core: fix tab-complete in shell
|
|
- root: fix build on arm64
|
|
- stages/email: add test for email translation
|
|
- web/admin: fix error when importing duo devices
|
|
- web/admin: reset cookie_domain when setting non-domain forward auth
|
|
|
|
## Fixed in 2022.11.2
|
|
|
|
- \*: fix CVE-2022-46145
|
|
|
|
## Fixed in 2022.11.3
|
|
|
|
- web: fix Flow Form failing to load due to outdated API client
|
|
|
|
## Fixed in 2022.11.4
|
|
|
|
- \*: fix CVE-2022-46172
|
|
- \*: fix CVE-2022-23555
|
|
|
|
## API Changes
|
|
|
|
#### What's Changed
|
|
|
|
---
|
|
|
|
##### `GET` /policies/password/{policy_uuid}/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Added property `check_static_rules` (boolean)
|
|
|
|
- Added property `check_have_i_been_pwned` (boolean)
|
|
|
|
- Added property `check_zxcvbn` (boolean)
|
|
|
|
- Added property `hibp_allowed_count` (integer)
|
|
|
|
> How many times the password hash is allowed to be on haveibeenpwned
|
|
|
|
- Added property `zxcvbn_score_threshold` (integer)
|
|
> If the zxcvbn score is equal or less than this value, the policy will fail.
|
|
|
|
##### `PUT` /policies/password/{policy_uuid}/
|
|
|
|
###### Request:
|
|
|
|
Changed content type : `application/json`
|
|
|
|
- Added property `check_static_rules` (boolean)
|
|
|
|
- Added property `check_have_i_been_pwned` (boolean)
|
|
|
|
- Added property `check_zxcvbn` (boolean)
|
|
|
|
- Added property `hibp_allowed_count` (integer)
|
|
|
|
> How many times the password hash is allowed to be on haveibeenpwned
|
|
|
|
- Added property `zxcvbn_score_threshold` (integer)
|
|
> If the zxcvbn score is equal or less than this value, the policy will fail.
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Added property `check_static_rules` (boolean)
|
|
|
|
- Added property `check_have_i_been_pwned` (boolean)
|
|
|
|
- Added property `check_zxcvbn` (boolean)
|
|
|
|
- Added property `hibp_allowed_count` (integer)
|
|
|
|
> How many times the password hash is allowed to be on haveibeenpwned
|
|
|
|
- Added property `zxcvbn_score_threshold` (integer)
|
|
> If the zxcvbn score is equal or less than this value, the policy will fail.
|
|
|
|
##### `PATCH` /policies/password/{policy_uuid}/
|
|
|
|
###### Request:
|
|
|
|
Changed content type : `application/json`
|
|
|
|
- Added property `check_static_rules` (boolean)
|
|
|
|
- Added property `check_have_i_been_pwned` (boolean)
|
|
|
|
- Added property `check_zxcvbn` (boolean)
|
|
|
|
- Added property `hibp_allowed_count` (integer)
|
|
|
|
> How many times the password hash is allowed to be on haveibeenpwned
|
|
|
|
- Added property `zxcvbn_score_threshold` (integer)
|
|
> If the zxcvbn score is equal or less than this value, the policy will fail.
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Added property `check_static_rules` (boolean)
|
|
|
|
- Added property `check_have_i_been_pwned` (boolean)
|
|
|
|
- Added property `check_zxcvbn` (boolean)
|
|
|
|
- Added property `hibp_allowed_count` (integer)
|
|
|
|
> How many times the password hash is allowed to be on haveibeenpwned
|
|
|
|
- Added property `zxcvbn_score_threshold` (integer)
|
|
> If the zxcvbn score is equal or less than this value, the policy will fail.
|
|
|
|
##### `GET` /core/tokens/{identifier}/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `user_obj` (object)
|
|
|
|
> User Serializer
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `PUT` /core/tokens/{identifier}/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `user_obj` (object)
|
|
|
|
> User Serializer
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `PATCH` /core/tokens/{identifier}/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `user_obj` (object)
|
|
|
|
> User Serializer
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `GET` /core/users/{id}/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `PUT` /core/users/{id}/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `PATCH` /core/users/{id}/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `GET` /policies/bindings/{policy_binding_uuid}/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `user_obj` (object)
|
|
|
|
> User Serializer
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `PUT` /policies/bindings/{policy_binding_uuid}/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `user_obj` (object)
|
|
|
|
> User Serializer
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `PATCH` /policies/bindings/{policy_binding_uuid}/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `user_obj` (object)
|
|
|
|
> User Serializer
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `POST` /policies/password/
|
|
|
|
###### Request:
|
|
|
|
Changed content type : `application/json`
|
|
|
|
- Added property `check_static_rules` (boolean)
|
|
|
|
- Added property `check_have_i_been_pwned` (boolean)
|
|
|
|
- Added property `check_zxcvbn` (boolean)
|
|
|
|
- Added property `hibp_allowed_count` (integer)
|
|
|
|
> How many times the password hash is allowed to be on haveibeenpwned
|
|
|
|
- Added property `zxcvbn_score_threshold` (integer)
|
|
> If the zxcvbn score is equal or less than this value, the policy will fail.
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **201 Created**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Added property `check_static_rules` (boolean)
|
|
|
|
- Added property `check_have_i_been_pwned` (boolean)
|
|
|
|
- Added property `check_zxcvbn` (boolean)
|
|
|
|
- Added property `hibp_allowed_count` (integer)
|
|
|
|
> How many times the password hash is allowed to be on haveibeenpwned
|
|
|
|
- Added property `zxcvbn_score_threshold` (integer)
|
|
> If the zxcvbn score is equal or less than this value, the policy will fail.
|
|
|
|
##### `GET` /policies/password/
|
|
|
|
###### Parameters:
|
|
|
|
Added: `check_have_i_been_pwned` in `query`
|
|
|
|
Added: `check_static_rules` in `query`
|
|
|
|
Added: `check_zxcvbn` in `query`
|
|
|
|
Added: `hibp_allowed_count` in `query`
|
|
|
|
Added: `zxcvbn_score_threshold` in `query`
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `results` (array)
|
|
|
|
Changed items (object): > Password Policy Serializer
|
|
|
|
- Added property `check_static_rules` (boolean)
|
|
|
|
- Added property `check_have_i_been_pwned` (boolean)
|
|
|
|
- Added property `check_zxcvbn` (boolean)
|
|
|
|
- Added property `hibp_allowed_count` (integer)
|
|
|
|
> How many times the password hash is allowed to be on haveibeenpwned
|
|
|
|
- Added property `zxcvbn_score_threshold` (integer)
|
|
> If the zxcvbn score is equal or less than this value, the policy will fail.
|
|
|
|
##### `POST` /core/tokens/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **201 Created**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `user_obj` (object)
|
|
|
|
> User Serializer
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `GET` /core/tokens/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `results` (array)
|
|
|
|
Changed items (object): > Token Serializer
|
|
|
|
- Changed property `user_obj` (object)
|
|
|
|
> User Serializer
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `GET` /core/user_consent/{id}/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `user` (object)
|
|
|
|
> User Serializer
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `POST` /core/users/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **201 Created**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `GET` /core/users/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `results` (array)
|
|
|
|
Changed items (object): > User Serializer
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `GET` /oauth2/authorization_codes/{id}/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `user` (object)
|
|
|
|
> User Serializer
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `GET` /oauth2/refresh_tokens/{id}/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `user` (object)
|
|
|
|
> User Serializer
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `POST` /policies/bindings/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **201 Created**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `user_obj` (object)
|
|
|
|
> User Serializer
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `GET` /policies/bindings/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `results` (array)
|
|
|
|
Changed items (object): > PolicyBinding Serializer
|
|
|
|
- Changed property `user_obj` (object)
|
|
|
|
> User Serializer
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `GET` /core/user_consent/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `results` (array)
|
|
|
|
Changed items (object): > UserConsent Serializer
|
|
|
|
- Changed property `user` (object)
|
|
|
|
> User Serializer
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `GET` /oauth2/authorization_codes/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `results` (array)
|
|
|
|
Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant
|
|
|
|
- Changed property `user` (object)
|
|
|
|
> User Serializer
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|
|
|
|
##### `GET` /oauth2/refresh_tokens/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `results` (array)
|
|
|
|
Changed items (object): > Serializer for BaseGrantModel and RefreshToken
|
|
|
|
- Changed property `user` (object)
|
|
|
|
> User Serializer
|
|
|
|
- Changed property `groups_obj` (array)
|
|
|
|
Changed items (object): > Simplified Group Serializer for user's groups
|
|
|
|
New optional properties:
|
|
|
|
- `users_obj`
|
|
|
|
* Deleted property `users` (array)
|
|
|
|
* Deleted property `users_obj` (array)
|