This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/website/docs/releases/2023/v2023.3.md

1308 lines
29 KiB
Markdown

---
title: Release 2023.3 - SCIM support
slug: "/releases/2023.3"
---
## New features
- SCIM support
:::info
This feature is still in technical preview, so please report any Bugs you run into on [GitHub](https://github.com/goauthentik/authentik/issues).
:::
authentik can now provision users from other IT systems via the SCIM (System for Cross-domain Identity Management) protocol. The provider synchronizes Users, Groups and the user membership. Objects are synced both when they are saved and based on a pre-defined schedule in the background.
- Theming improvements
- The custom.css file is now loaded in ShadowDOMs, allowing for much greater customization, as previously it was only possible to style elements outside of the ShadowDOM. See docs for [Flow](../../interfaces/flow/customization.mdx), [User](../../interfaces/user/customization.mdx) and [Admin](../../interfaces/admin/customization.mdx) interfaces.
- Previously, authentik would automatically switch between dark and light theme based on the users' browsers' settings. This can now be overridden to either force the light or dark theme, per user/group/tenant. See docs for [Flow](../../interfaces/flow/customization.mdx), [User](../../interfaces/user/customization.mdx) and [Admin](../../interfaces/admin/customization.mdx) interfaces.
## Upgrading
This release does not introduce any new requirements.
### docker-compose
Download the `docker-compose.yml` file for 2023.3 from [here](https://goauthentik.io/version/2023.3/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
### Kubernetes
Update your values to use the new images:
```yaml
image:
repository: ghcr.io/goauthentik/server
tag: 2023.3.0
```
## Minor changes/fixes included in release 2023.3
- \*: add additional Prometheus metrics, remove unusable high entropy metrics
- blueprints: improve error handling in example flow
- core: Add `resolve_dns` and `reverse_dns` functions to evaluator (#4769)
- core: bootstrap email (#4788)
- core: enforce unique on names where it makes sense (#4866)
- core: fix bug causing whitespace-only names to raise exception when generating avatars (#4746)
- core: fix error when creating token without request in context
- core: improve service account creation (#4751)
- events: fix m2m_change events not being logged
- flows: change default flow stage binding settings (#4784)
- flows: planner error handling (#4812)
- internal: fix crash when port 9000 is in use (#4863)
- providers: SCIM (#4835)
- providers/ldap: improve compatibility with LDAP clients (#4750)
- providers/ldap: making LDAP compatible with Synology (#4694)
- providers/oauth2: fix missing information for revoked token access events
- providers/oauth2: OpenID conformance (#4758)
- providers/proxy: ensure issuer is correct when browser URL override is set
- providers/proxy: strip scheme when comparing redirect URL
- providers/scim: add option to filter out service accounts, parent group (#4862)
- providers/scim: customizable externalId, document behavior (#4868)
- sources/ldap: improve error handling for password complexity (#4780)
- sources/oauth: fix not all token errors being logged with response
- sources/plex: fix check_token error unusable if token is empty (#4834)
- stages/authenticator_sms: fix twilio sending (#4829)
- stages/user_login: add option to terminate other sessions (#4754)
- tests/e2e: use example blueprints for testing (#4805)
- web: fetch custom.css via fetch and add stylesheet (#4804)
- web: toggle dark/light theme manually (#4876)
- web/admin: fix chart display with no sources (#4782)
- web/admin: fix issue with wizard's Next button incorrectly disabled when radio button is already selected (#4821)
- web/admin: workaround for tenant certificate selection being cut off (#4820)
- web/elements: add loading spinner for charts, render middle text with CSS
- web/elements: fix center text not scrolling with container (#4853)
- web/flows: fix fa:// icons in sources not shown correctly
- web/user: fix source connections not being filtered (#4778)
## API Changes
#### What's New
---
##### `GET` /propertymappings/scim/
##### `POST` /propertymappings/scim/
##### `GET` /propertymappings/scim/{pm_uuid}/
##### `PUT` /propertymappings/scim/{pm_uuid}/
##### `DELETE` /propertymappings/scim/{pm_uuid}/
##### `PATCH` /propertymappings/scim/{pm_uuid}/
##### `GET` /propertymappings/scim/{pm_uuid}/used_by/
##### `GET` /providers/scim/
##### `POST` /providers/scim/
##### `GET` /providers/scim/{id}/
##### `PUT` /providers/scim/{id}/
##### `DELETE` /providers/scim/{id}/
##### `PATCH` /providers/scim/{id}/
##### `GET` /providers/scim/{id}/sync_status/
##### `GET` /providers/scim/{id}/used_by/
#### What's Changed
---
##### `POST` /core/users/service_account/
###### Request:
Changed content type : `application/json`
- Added property `expiring` (boolean)
- Added property `expires` (string)
> If not provided, valid for 360 days
##### `GET` /policies/event_matcher/{policy_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Added enum value:
- `authentik.providers.scim`
##### `PUT` /policies/event_matcher/{policy_uuid}/
###### Request:
Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Added enum value:
- `authentik.providers.scim`
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Added enum value:
- `authentik.providers.scim`
##### `PATCH` /policies/event_matcher/{policy_uuid}/
###### Request:
Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Added enum value:
- `authentik.providers.scim`
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Added enum value:
- `authentik.providers.scim`
##### `GET` /providers/oauth2/{id}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `authorization_flow`
##### `PUT` /providers/oauth2/{id}/
###### Request:
Changed content type : `application/json`
New optional properties:
- `authorization_flow`
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `authorization_flow`
##### `PATCH` /providers/oauth2/{id}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `authorization_flow`
##### `GET` /providers/proxy/{id}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `authorization_flow`
##### `PUT` /providers/proxy/{id}/
###### Request:
Changed content type : `application/json`
New optional properties:
- `authorization_flow`
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `authorization_flow`
##### `PATCH` /providers/proxy/{id}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `authorization_flow`
##### `GET` /core/groups/{group_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `users_obj` (array)
Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `PUT` /core/groups/{group_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `users_obj` (array)
Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `PATCH` /core/groups/{group_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `users_obj` (array)
Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `GET` /core/tenants/current/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New required properties:
- `ui_theme`
* Added property `ui_theme` (object)
Enum values:
- `automatic`
- `light`
- `dark`
##### `GET` /events/rules/{pbm_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `group_obj` (object)
> Group Serializer
- Changed property `users_obj` (array)
Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `PUT` /events/rules/{pbm_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `group_obj` (object)
> Group Serializer
- Changed property `users_obj` (array)
Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `PATCH` /events/rules/{pbm_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `group_obj` (object)
> Group Serializer
- Changed property `users_obj` (array)
Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `GET` /policies/bindings/{policy_binding_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `group_obj` (object)
> Group Serializer
- Changed property `users_obj` (array)
Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `PUT` /policies/bindings/{policy_binding_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `group_obj` (object)
> Group Serializer
- Changed property `users_obj` (array)
Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `PATCH` /policies/bindings/{policy_binding_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `group_obj` (object)
> Group Serializer
- Changed property `users_obj` (array)
Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `POST` /policies/event_matcher/
###### Request:
Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Added enum value:
- `authentik.providers.scim`
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Added enum value:
- `authentik.providers.scim`
##### `GET` /policies/event_matcher/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > Event Matcher Policy Serializer
- Changed property `app` (string)
> Match events created by selected application. When left empty, all applications are matched.
Added enum value:
- `authentik.providers.scim`
##### `GET` /providers/ldap/{id}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `authorization_flow`
##### `PUT` /providers/ldap/{id}/
###### Request:
Changed content type : `application/json`
New optional properties:
- `authorization_flow`
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `authorization_flow`
##### `PATCH` /providers/ldap/{id}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `authorization_flow`
##### `POST` /providers/oauth2/
###### Request:
Changed content type : `application/json`
New optional properties:
- `authorization_flow`
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
New optional properties:
- `authorization_flow`
##### `GET` /providers/oauth2/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > OAuth2Provider Serializer
New optional properties:
- `authorization_flow`
##### `POST` /providers/proxy/
###### Request:
Changed content type : `application/json`
New optional properties:
- `authorization_flow`
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
New optional properties:
- `authorization_flow`
##### `GET` /providers/proxy/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > ProxyProvider Serializer
New optional properties:
- `authorization_flow`
##### `GET` /providers/saml/{id}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `authorization_flow`
##### `PUT` /providers/saml/{id}/
###### Request:
Changed content type : `application/json`
New optional properties:
- `authorization_flow`
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `authorization_flow`
##### `PATCH` /providers/saml/{id}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
New optional properties:
- `authorization_flow`
##### `GET` /stages/invitation/invitations/{invite_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `created_by` (object)
> Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `PUT` /stages/invitation/invitations/{invite_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `created_by` (object)
> Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `PATCH` /stages/invitation/invitations/{invite_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `created_by` (object)
> Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `POST` /core/groups/
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
- Changed property `users_obj` (array)
Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `GET` /core/groups/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > Group Serializer
- Changed property `users_obj` (array)
Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `POST` /events/rules/
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
- Changed property `group_obj` (object)
> Group Serializer
- Changed property `users_obj` (array)
Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `GET` /events/rules/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > NotificationRule Serializer
- Changed property `group_obj` (object)
> Group Serializer
- Changed property `users_obj` (array)
Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `GET` /flows/bindings/{fsb_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `evaluate_on_plan` (boolean)
> Evaluate policies during the Flow planning process.
##### `PUT` /flows/bindings/{fsb_uuid}/
###### Request:
Changed content type : `application/json`
- Changed property `evaluate_on_plan` (boolean)
> Evaluate policies during the Flow planning process.
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `evaluate_on_plan` (boolean)
> Evaluate policies during the Flow planning process.
##### `PATCH` /flows/bindings/{fsb_uuid}/
###### Request:
Changed content type : `application/json`
- Changed property `evaluate_on_plan` (boolean)
> Evaluate policies during the Flow planning process.
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `evaluate_on_plan` (boolean)
> Evaluate policies during the Flow planning process.
##### `GET` /oauth2/access_tokens/{id}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `provider` (object)
> OAuth2Provider Serializer
New optional properties:
- `authorization_flow`
##### `GET` /oauth2/authorization_codes/{id}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `provider` (object)
> OAuth2Provider Serializer
New optional properties:
- `authorization_flow`
##### `GET` /oauth2/refresh_tokens/{id}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `provider` (object)
> OAuth2Provider Serializer
New optional properties:
- `authorization_flow`
##### `POST` /policies/bindings/
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
- Changed property `group_obj` (object)
> Group Serializer
- Changed property `users_obj` (array)
Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `GET` /policies/bindings/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > PolicyBinding Serializer
- Changed property `group_obj` (object)
> Group Serializer
- Changed property `users_obj` (array)
Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `POST` /providers/ldap/
###### Request:
Changed content type : `application/json`
New optional properties:
- `authorization_flow`
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
New optional properties:
- `authorization_flow`
##### `GET` /providers/ldap/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > LDAPProvider Serializer
New optional properties:
- `authorization_flow`
##### `POST` /providers/saml/
###### Request:
Changed content type : `application/json`
New optional properties:
- `authorization_flow`
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
New optional properties:
- `authorization_flow`
##### `GET` /providers/saml/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > SAMLProvider Serializer
New optional properties:
- `authorization_flow`
##### `GET` /sources/user_connections/all/
###### Parameters:
Added: `user` in `query`
##### `POST` /stages/invitation/invitations/
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
- Changed property `created_by` (object)
> Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `GET` /stages/invitation/invitations/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > Invitation Serializer
- Changed property `created_by` (object)
> Stripped down user serializer to show relevant users for groups
New optional properties:
- `avatar`
* Deleted property `avatar` (string)
##### `GET` /stages/user_login/{stage_uuid}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Added property `terminate_other_sessions` (boolean)
> Terminate all other sessions of the user logging in.
##### `PUT` /stages/user_login/{stage_uuid}/
###### Request:
Changed content type : `application/json`
- Added property `terminate_other_sessions` (boolean)
> Terminate all other sessions of the user logging in.
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Added property `terminate_other_sessions` (boolean)
> Terminate all other sessions of the user logging in.
##### `PATCH` /stages/user_login/{stage_uuid}/
###### Request:
Changed content type : `application/json`
- Added property `terminate_other_sessions` (boolean)
> Terminate all other sessions of the user logging in.
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Added property `terminate_other_sessions` (boolean)
> Terminate all other sessions of the user logging in.
##### `POST` /flows/bindings/
###### Request:
Changed content type : `application/json`
- Changed property `evaluate_on_plan` (boolean)
> Evaluate policies during the Flow planning process.
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
- Changed property `evaluate_on_plan` (boolean)
> Evaluate policies during the Flow planning process.
##### `GET` /flows/bindings/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > FlowStageBinding Serializer
- Changed property `evaluate_on_plan` (boolean)
> Evaluate policies during the Flow planning process.
##### `GET` /flows/inspector/{flow_slug}/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `plans` (array)
Changed items (object): > Serializer for an active FlowPlan
- Changed property `next_planned_stage` (object)
> FlowStageBinding Serializer
- Changed property `evaluate_on_plan` (boolean)
> Evaluate policies during the Flow planning process.
- Changed property `current_stage` (object)
> FlowStageBinding Serializer
- Changed property `evaluate_on_plan` (boolean)
> Evaluate policies during the Flow planning process.
##### `GET` /oauth2/access_tokens/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > Serializer for BaseGrantModel and RefreshToken
- Changed property `provider` (object)
> OAuth2Provider Serializer
New optional properties:
- `authorization_flow`
##### `GET` /oauth2/authorization_codes/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant
- Changed property `provider` (object)
> OAuth2Provider Serializer
New optional properties:
- `authorization_flow`
##### `GET` /oauth2/refresh_tokens/
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > Serializer for BaseGrantModel and RefreshToken
- Changed property `provider` (object)
> OAuth2Provider Serializer
New optional properties:
- `authorization_flow`
##### `POST` /stages/user_login/
###### Request:
Changed content type : `application/json`
- Added property `terminate_other_sessions` (boolean)
> Terminate all other sessions of the user logging in.
###### Return Type:
Changed response : **201 Created**
- Changed content type : `application/json`
- Added property `terminate_other_sessions` (boolean)
> Terminate all other sessions of the user logging in.
##### `GET` /stages/user_login/
###### Parameters:
Added: `terminate_other_sessions` in `query`
###### Return Type:
Changed response : **200 OK**
- Changed content type : `application/json`
- Changed property `results` (array)
Changed items (object): > UserLoginStage Serializer
- Added property `terminate_other_sessions` (boolean)
> Terminate all other sessions of the user logging in.