dc1359a763
* providers/saml: initial SLO implementation Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/saml: add logout request tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/saml: add tests for POST SLO Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * matrix e2e tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix import Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * set e2e matrix name Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix imports Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * separate oidc and oauth tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add basic saml slo e2e tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add better metadata download url Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * kinda prepare release notes Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * sort releases into folders Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add slo urls to website Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix linking Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add api tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * update docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
239 lines
12 KiB
Markdown
239 lines
12 KiB
Markdown
---
|
|
title: Release 2021.10
|
|
slug: "/releases/2021.10"
|
|
---
|
|
|
|
## Headline Changes
|
|
|
|
- Flow Inspector
|
|
|
|
To better understand how a flow works, and why things might not be working as intended, you can now launch Flows with an inspector enabled. This is simply triggered by adding a `?inspector` to the URL. Currently, only superuser have the permission to access the Inspector.
|
|
|
|
The inspector shows the current stage, previous stages, next planned stages, and the current flow context.
|
|
|
|
- SMS Authenticator
|
|
|
|
You can now use SMS-based TOTP authenticators. This new Stage supports both Twilio, and a generic API endpoint, if using another provider. This stage does not have to be used for authentication, it can simply be used during enrollment to verify your users phone numbers.
|
|
|
|
- Sign in with Apple
|
|
|
|
It is now possible to add an Apple OAuth Source, to allow your users to authenticate with their Apple ID.
|
|
|
|
A huge shoutout to all the people that contributed, helped test and also translated authentik. This is the first release that has as full French translation!
|
|
|
|
## Minor changes
|
|
|
|
- \*: Squash Migrations (#1593)
|
|
- admin: clear update notification when notification's version matches current version
|
|
- cmd: prevent outposts from panicking when failing to get their config
|
|
- core: add default for user's settings attribute
|
|
- core: add settings serializer to user/me and update_self endpoints, saved in a key in attributes
|
|
- core: improve detection for s3 settings to trigger backup
|
|
- core: include group uuids in self serializer
|
|
- core: make user's name field fully optional
|
|
- flows: inspector (#1469)
|
|
- internal: add internal healthchecking to prevent websocket errors
|
|
- internal/proxyv2: improve error handling when configuring app
|
|
- lifecycle: bump celery healthcheck to 5s timeout
|
|
- lifecycle: only lock database when system migrations need to be applied, and during django migrations, and don't double unlock
|
|
- lifecycle: only set prometheus_multiproc_dir in ak wrapper to prevent full disk on worker
|
|
- managed: don't run managed reconciler in foreground on startup
|
|
- outpost/proxy: fix missing negation for internal host ssl verification
|
|
- outposts: add additional error checking for docker controller
|
|
- outposts: Adding more flexibility to outposts in Kubernetes. (#1617)
|
|
- outposts: allow disabling of docker controller port mapping
|
|
- outposts: check ports of deployment in kubernetes outpost controller
|
|
- outposts: don't always build permissions on outpost.user access, only in signals and tasks
|
|
- outposts: fallback to known-good outpost image if configured image cannot be pulled
|
|
- outposts: fix error when comparing ports in docker controller when port mapping is disabled
|
|
- outposts: handle k8s 422 response code by recreating objects
|
|
- outposts: rename docker_image_base to container_image_base, since its not docker specific
|
|
- outposts/ldap: Support hard coded `uidNumber` and `gidNumber`. (#1582)
|
|
- outposts/proxy: add new headers with unified naming
|
|
- outposts/proxy: fix duplicate protocol in domain auth mode
|
|
- outposts/proxy: show full error message when user is authenticated
|
|
- policies: add additional filters to create flow charts on frontend
|
|
- policies/password: add extra sub_text field in tests
|
|
- providers/ldap: use RDN when using posixGroup's memberUid attribute (#1514)
|
|
- providers/proxy: always check ingress secret in kubernetes controller
|
|
- providers/proxy: update ingress controller to work with k8s 1.22
|
|
- recovery: handle error when user doesn't exist
|
|
- root: add docker-native healthcheck for web and celery
|
|
- root: add translation for backend strings
|
|
- root: coverage with toml support
|
|
- root: fix error with sentry proxy
|
|
- root: migrate docker images to netlify proxy (#1603)
|
|
- root: remove redundant internal network from compose
|
|
- root: remove structlog.processors.format_exc_info for new structlog version
|
|
- root: Use fully qualified names for docker bases base images. (#1490)
|
|
- sources/ldap: add support for Active Directory `userAccountControl` attribute
|
|
- sources/ldap: don't sync ldap source when no property mappings are set
|
|
- sources/ldap: fix logic error in Active Directory account disabled status
|
|
- sources/oauth: add Sign in with Apple (#1635)
|
|
- stages/authenticator_sms: add generic provider (#1595)
|
|
- stages/authenticator_sms: Add SMS Authenticator Stage (#1577)
|
|
- stages/authenticator_validate: create a default authenticator validate stage with sensible defaults
|
|
- stages/email: add activate_user_on_success flag, add for all example flows
|
|
- stages/prompt: add sub_text field to add HTML below prompt fields
|
|
- stages/prompt: fix sub_text not allowing blank
|
|
- stages/prompt: fix wrong field type of field_key
|
|
- stages/user_login: add check for user.is_active and tests
|
|
- stages/user_write: allow recursive writing to user.attributes
|
|
- web: add locale detection
|
|
- web: ensure fallback locale is loaded
|
|
- web: fix rendering of token copy button in dark mode
|
|
- web: fix strings not being translated at all when matching browser locale not found
|
|
- web: make table pagination size user-configurable
|
|
- web: new default flow background
|
|
- web: Translate /web/src/locales/en.po in fr_FR (#1506)
|
|
- web/admin: add fallback font for doughnut charts
|
|
- web/admin: default to warning state for backup task
|
|
- web/admin: don't require username nor name for activate/deactivate toggles
|
|
- web/admin: fix description for flow import
|
|
- web/admin: fix LDAP Source form not exposing syncParentGroup
|
|
- web/admin: fix search group label
|
|
- web/admin: fix SMS Authenticator stage not loading state correctly
|
|
- web/admin: improve visibility of oauth rsa key
|
|
- web/admin: only show outpost deployment info when not embedded
|
|
- web/admin: truncate prompt label when too long
|
|
- web/elements: fix initialLoad not being done when viewportCheck was disabled
|
|
- web/elements: fix model form always loading when viewport check is disabled
|
|
- web/elements: use dedicated button for search clear instead of webkit exclusive one
|
|
- web/flows: adjust message for email stage
|
|
- web/user: don't show managed tokens in user interface
|
|
- web/user: initial optimisation for smaller screens
|
|
- web/user: load interface settings from user settings
|
|
|
|
## Fixed in 2021.10.1-rc2
|
|
|
|
- core: add user flag to prevent users from changing their usernames
|
|
- core: log user for http requests
|
|
- flows: clear cache when deleting bindings
|
|
- outpost/ldap: fix logging for mismatched provider
|
|
- root: add cookie domain setting
|
|
- sources/oauth: add choices to oauth provider_type
|
|
- web: disable Sentry.showReportDialog
|
|
- web/flows: showing of authentik logo in flow executor
|
|
- web/flows: fix authenticator device selection not updating
|
|
- web/flows: show cancel link when choosing authenticator challenge
|
|
|
|
## Fixed in 2021.10.1-rc3
|
|
|
|
- api: fix error when connection to websocket via secret_key
|
|
- core: add toggle to completely disable backup mechanism
|
|
- core: add USER_ATTRIBUTE_CHANGE_EMAIL
|
|
- events: fix error when notification transport doesn't exist anymore
|
|
- outposts: fix docker controller not using object_naming_template
|
|
- providers/oauth2: fallback to uid if UPN was selected but isn't available
|
|
- providers/oauth2: fix events being created from /application/o/authorize/
|
|
- sources/ldap: prevent key `users` from being set as this is an M2M relation
|
|
- sources/ldap: skip values which are of type bytes
|
|
|
|
## Fixed in 2021.10.1
|
|
|
|
- core: add API for all user-source connections
|
|
- core: add API to list all authenticator devices
|
|
- core: add created field to source connection
|
|
- flows: optimise stage user_settings API
|
|
- outposts: separate websocket re-connection logic to decrease requests on reconnect
|
|
- root: pin node images to v16
|
|
- root: update golang ldap server package
|
|
- web/user: fix wrong device being selected in user's mfa update form
|
|
- web/user: rework MFA Device UI to support multiple devices
|
|
- web/user: update form to update mfa devices
|
|
|
|
## Fixed in 2021.10.2
|
|
|
|
- api: replace django sentry proxy with go proxy to prevent login issues
|
|
- providers/proxy: allow configuring of additional scope mappings for proxy
|
|
- providers/saml: fix error on missing AssertionConsumerServiceURL, fall back to default ACS
|
|
- root: fix Detection of S3 settings for backups
|
|
- root: fix postgres install on bullseye
|
|
- root: update base images for outposts
|
|
- root: update to buster
|
|
- stages/identification: add show_source_labels option, to show labels for sources
|
|
- stages/invitation: don't throw 404 error in stage
|
|
- stages/invitation: remove invitation from plan context after deletion
|
|
- stages/prompt: fix type in Prompt not having enum set
|
|
- web/flows: fix invalid validation for static tokens
|
|
- web/flows: fix sub_text not rendering for static fields
|
|
- web/user: fix configureUrl not being passed to `<ak-user-settings-password>`
|
|
|
|
## Fixed in 2021.10.3
|
|
|
|
- admin: improve check to remove version notifications
|
|
- cmd/server: improve cleanup on shutdown
|
|
- core: add command to output full config
|
|
- core: fix auth_method for tokens
|
|
- core: include parent group name
|
|
- core: make group membership lookup respect parent groups (upwards)
|
|
- events: ignore creation/deletion of AuthenticatedSession objects
|
|
- internal: start embedded outpost directly after backend is healthy instead of waiting
|
|
- lifecycle: revert to non-h11 worker
|
|
- outpost/ldap: don't cleanup user info as it is overwritten on bind
|
|
- providers/\*: include list of outposts
|
|
- providers/ldap: add/squash migrations
|
|
- providers/ldap: memory Query (#1681)
|
|
- recovery: add create_admin_group management command
|
|
- root: fix defaults for EMAIL_USE_TLS
|
|
- root: improve compose detection, add anonymous stats
|
|
- root: keep last 30 backups
|
|
- sources/ldap: remove deprecated default
|
|
- sources/oauth: set prompt=none for Discord provider
|
|
- sources/plex: allow users to connect their plex account without login flow
|
|
- sources/plex: use exception_to_string in tasks
|
|
- stages/authenticator\_\*: add default name for authenticators
|
|
- stages/identification: only allow limited challenges for login sources
|
|
- stages/identification: use random sleep
|
|
- stages/prompt: add text_read_only field
|
|
- stages/prompt: default prompts to the current value of the context
|
|
- stages/prompt: only set placeholder when in context
|
|
- stages/prompt: set field placeholder based on plan context
|
|
- stages/prompt: use initial instead of default
|
|
- web: fix linting errors by adding a wrapper for next param
|
|
- web/admin: only show flows with an invitation stage configured instead of all enrollment flows
|
|
- web/admin: show warning on invitation list when no stage exists or is bound
|
|
- web/admin: show warning on provider when not used with outpost
|
|
- web/flows: fix authenticator_validate not allowing alphanumeric codes due to empty pattern
|
|
- web/flows: improve display of static tokens
|
|
- web/user: fix ak-user-settings-password getting wrong configureUrl
|
|
- web/user: fix device type for static tokens
|
|
- web/user: fix empty page when no sources to connect exist
|
|
- web/user: fix redirect after starting configuration flow from user interface
|
|
|
|
## Fixed in 2021.10.4
|
|
|
|
- core: force lowercase emails for gravatar usage
|
|
- outposts: fix MFA Challenges not working with outpost
|
|
- outposts/ldap: fix logic error in cached ldap searcher
|
|
- outposts/proxy: fix static files not being served in proxy mode
|
|
- providers/proxy: return list of configured scope names so outpost requests custom scopes
|
|
- root: use python slim-bullseye as base
|
|
- sources/ldap: fix user/group sync overwriting attributes instead of merging them
|
|
- sources/ldap: set connect/receive timeout (default to 15s)
|
|
- stages/\*: disable trim_whitespace on important fields
|
|
- stages/authenticator_duo: fix devices created with name
|
|
- stages/authenticator_validate: enable all device classes by default
|
|
- web: write interfaces to different folders and remove custom chunk names
|
|
- web/admin: fix display issues with flow execute buttons
|
|
- web/admin: show warnings above tab bar
|
|
- web/admin: use more natural default ordering for objects
|
|
|
|
## Upgrading
|
|
|
|
This release does not introduce any new requirements.
|
|
|
|
### docker-compose
|
|
|
|
Download the docker-compose file for 2021.10 from [here](https://goauthentik.io/version/2021.10/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
|
|
|
|
### Kubernetes
|
|
|
|
Update your values to use the new images:
|
|
|
|
```yaml
|
|
image:
|
|
repository: ghcr.io/goauthentik/server
|
|
tag: 2021.10.1
|
|
```
|