This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/website/docs/releases/2023/v2023.2.md
Jens L af43330fd6
providers/oauth2: rework OAuth2 Provider (#4652)
* always treat flow as openid flow

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* improve issuer URL generation

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* more refactoring

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update introspection

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* more refinement

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* migrate more

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix more things, update api

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* regen migrations

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix a bunch of things

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start updating tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix implicit flow, auto set exp

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix timeozone not used correctly

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix revoke

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* more timezone shenanigans

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix userinfo tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update web

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix proxy outpost

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix api tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix missing at_hash for implicit flows

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* re-include at_hash in implicit auth flow

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* use folder context for outpost build

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-02-09 20:19:48 +01:00

9.7 KiB

title slug
Release 2023.2 /releases/2023.2

New features

  • Proxy provider logout improvements

    In previous versions, logging out of a single proxied application would only invalidate that application's session. Starting with this release, when logging out of a proxied application (via the /outpost.goauthentik.io/sign_out URL), all the users session within the outpost are terminated. Sessions in other outposts and with other protocols are unaffected.

  • UX Improvements

    As with the previous improvements, we've made a lot of minor improvements to the general authentik UX to make your life easier.

  • OAuth2 Provider improvements

    The OAuth2 provider has been reworked to be closer to OAuth specifications and better support refresh tokens and offline access. Additionally the expiry for access tokens and refresh tokens can be adjusted separately now.

Upgrading

This release does not introduce any new requirements.

docker-compose

Download the docker-compose file for 2023.2 from here. Afterwards, simply run docker-compose up -d.

Kubernetes

Update your values to use the new images:

image:
    repository: ghcr.io/goauthentik/server
    tag: 2023.2.0

Minor changes/fixes

  • */saml: disable pretty_print, add signature tests
  • blueprints: don't update default tenant
  • blueprints: handle error when blueprint entry identifier field does not exist
  • core: delete session when user is set to inactive
  • core: fix inconsistent branding in end_session view
  • core: fix token's set_key accessing data incorrectly
  • events: improve sanitising for tuples and sets
  • events: prevent error when request fails without response
  • internal: fix cache-control header
  • providers/ldap: add unbind flow execution (#4484)
  • providers/ldap: fix error not being checked correctly when fetching users
  • providers/oauth2: add user id as "sub" mode
  • providers/oauth2: only set auth_time in ID token when a login event is stored in the session
  • providers/oauth2: optimise client credentials JWT database lookup (#4606)
  • providers/proxy: outpost wide logout implementation (#4605)
  • stages/authenticator_validate: fix error with passwordless webauthn login
  • stages/prompt: field name (#4497)
  • stages/prompt: fix mismatched name field in migration
  • stages/user_write: fix migration setting wrong value, fix form
  • web/admin: fix certificate filtering for SAML verification certificate
  • web/admin: fix dark theme for hover on tables
  • web/admin: fix token edit button
  • web/admin: rework event info page to show all event infos
  • web/elements: add dropdown css to DOM directly instead of including
  • web/elements: fix ak-expand not using correct font
  • web/elements: fix clashing page url param
  • web/elements: fix click propagation from modal into table
  • web/elements: improve codemirror contrast in dark theme
  • web/elements: make table rows clickable to select items
  • web/elements: persist table page in URL parameters
  • web/flows: improve handling of flow info
  • web/user: filter tokens by username
  • web/user: refactor loading of data in userinterface

API Changes

What's New


POST /admin/system/

What's Changed


POST /core/tokens/{identifier}/set_key/
GET /providers/oauth2/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property sub_mode (string)

      Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

      Added enum value:

      • user_id
PUT /providers/oauth2/{id}/
Request:

Changed content type : application/json

  • Changed property sub_mode (string)

    Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

    Added enum value:

    • user_id
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property sub_mode (string)

      Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

      Added enum value:

      • user_id
PATCH /providers/oauth2/{id}/
Request:

Changed content type : application/json

  • Changed property sub_mode (string)

    Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

    Added enum value:

    • user_id
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property sub_mode (string)

      Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

      Added enum value:

      • user_id
POST /providers/oauth2/
Request:

Changed content type : application/json

  • Changed property sub_mode (string)

    Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

    Added enum value:

    • user_id
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Changed property sub_mode (string)

      Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

      Added enum value:

      • user_id
GET /providers/oauth2/
Parameters:

Changed: sub_mode in query

Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > OAuth2Provider Serializer

      • Changed property sub_mode (string)

        Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

        Added enum value:

        • user_id
GET /oauth2/authorization_codes/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property provider (object)

      OAuth2Provider Serializer

      • Changed property sub_mode (string)

        Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

        Added enum value:

        • user_id
GET /oauth2/refresh_tokens/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property provider (object)

      OAuth2Provider Serializer

      • Changed property sub_mode (string)

        Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

        Added enum value:

        • user_id
GET /oauth2/authorization_codes/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant

      • Changed property provider (object)

        OAuth2Provider Serializer

        • Changed property sub_mode (string)

          Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

          Added enum value:

          • user_id
GET /oauth2/refresh_tokens/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for BaseGrantModel and RefreshToken

      • Changed property provider (object)

        OAuth2Provider Serializer

        • Changed property sub_mode (string)

          Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

          Added enum value:

          • user_id
GET /stages/prompt/prompts/{prompt_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • name
    • Added property name (string)
PUT /stages/prompt/prompts/{prompt_uuid}/
Request:

Changed content type : application/json

New required properties:

  • name
  • Added property name (string)
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • name
    • Added property name (string)
PATCH /stages/prompt/prompts/{prompt_uuid}/
Request:

Changed content type : application/json

  • Added property name (string)
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • name
    • Added property name (string)
POST /stages/prompt/prompts/
Request:

Changed content type : application/json

New required properties:

  • name
  • Added property name (string)
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    New required properties:

    • name
    • Added property name (string)
GET /stages/prompt/prompts/
Parameters:

Added: name in query

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Prompt Serializer

      New required properties:

      • name
      • Added property name (string)