cfad472e1b
* flows: optimise flow queries Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * index source on slug and name Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * binding index Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add policy parent index Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix migrations Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * cleanup old migrations Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add release note to upgrade Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
626 lines
15 KiB
Markdown
626 lines
15 KiB
Markdown
---
|
|
title: Release 2022.10
|
|
slug: "2022.10"
|
|
---
|
|
|
|
## Breaking changes
|
|
|
|
- This version removes old migrations that have been replaced by squashed versions in previous versions. As such it is only possible to upgrade to this version from **2022.1** or later.
|
|
- Several challenge components have been renamed to better match the rest of the challenges
|
|
- The SAML Source has been updated to use connection objects instead of directly creating users.
|
|
|
|
## New features
|
|
|
|
- Support for OAuth2 Device flow
|
|
|
|
See more in the OAuth2 provider docs [here](../providers/oauth2/device_code). This flow allows users to authenticate on devices that have limited input possibilities and or no browser access.
|
|
|
|
- Customizable payload for SMS Authenticator stage when using Generic provider.
|
|
- Revamped SAML Source
|
|
|
|
The SAML source uses connection objects and the same Flow manager as the OAuth and Plex source. Additionally error-handling has been improved.
|
|
|
|
This also allows for mapping fields from SAML Source to users.
|
|
|
|
## API Changes
|
|
|
|
#### What's New
|
|
|
|
---
|
|
|
|
##### `POST` /flows/instances/import/
|
|
|
|
##### `GET` /sources/user_connections/saml/
|
|
|
|
##### `POST` /sources/user_connections/saml/
|
|
|
|
##### `GET` /sources/user_connections/saml/{id}/
|
|
|
|
##### `PUT` /sources/user_connections/saml/{id}/
|
|
|
|
##### `DELETE` /sources/user_connections/saml/{id}/
|
|
|
|
##### `PATCH` /sources/user_connections/saml/{id}/
|
|
|
|
##### `GET` /sources/user_connections/saml/{id}/used_by/
|
|
|
|
#### What's Deleted
|
|
|
|
---
|
|
|
|
##### `POST` /flows/instances/import_flow/
|
|
|
|
#### What's Changed
|
|
|
|
---
|
|
|
|
##### `GET` /core/tenants/{tenant_uuid}/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Added property `flow_device_code` (string)
|
|
|
|
##### `PUT` /core/tenants/{tenant_uuid}/
|
|
|
|
###### Request:
|
|
|
|
Changed content type : `application/json`
|
|
|
|
- Added property `flow_device_code` (string)
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Added property `flow_device_code` (string)
|
|
|
|
##### `PATCH` /core/tenants/{tenant_uuid}/
|
|
|
|
###### Request:
|
|
|
|
Changed content type : `application/json`
|
|
|
|
- Added property `flow_device_code` (string)
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Added property `flow_device_code` (string)
|
|
|
|
##### `GET` /propertymappings/notification/{pm_uuid}/
|
|
|
|
###### Parameters:
|
|
|
|
Changed: `pm_uuid` in `path`
|
|
|
|
> A UUID string identifying this Webhook Mapping.
|
|
|
|
##### `PUT` /propertymappings/notification/{pm_uuid}/
|
|
|
|
###### Parameters:
|
|
|
|
Changed: `pm_uuid` in `path`
|
|
|
|
> A UUID string identifying this Webhook Mapping.
|
|
|
|
##### `DELETE` /propertymappings/notification/{pm_uuid}/
|
|
|
|
###### Parameters:
|
|
|
|
Changed: `pm_uuid` in `path`
|
|
|
|
> A UUID string identifying this Webhook Mapping.
|
|
|
|
##### `PATCH` /propertymappings/notification/{pm_uuid}/
|
|
|
|
###### Parameters:
|
|
|
|
Changed: `pm_uuid` in `path`
|
|
|
|
> A UUID string identifying this Webhook Mapping.
|
|
|
|
##### `GET` /admin/metrics/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
New required properties:
|
|
|
|
- `authorizations_per_1h`
|
|
|
|
* Added property `authorizations_per_1h` (array)
|
|
|
|
Items (object): > Coordinates for diagrams
|
|
|
|
- Property `x_cord` (integer)
|
|
|
|
- Property `y_cord` (integer)
|
|
|
|
##### `POST` /core/tenants/
|
|
|
|
###### Request:
|
|
|
|
Changed content type : `application/json`
|
|
|
|
- Added property `flow_device_code` (string)
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **201 Created**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Added property `flow_device_code` (string)
|
|
|
|
##### `GET` /core/tenants/
|
|
|
|
###### Parameters:
|
|
|
|
Added: `flow_device_code` in `query`
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `results` (array)
|
|
|
|
Changed items (object): > Tenant Serializer
|
|
|
|
- Added property `flow_device_code` (string)
|
|
|
|
##### `GET` /core/tenants/current/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Added property `flow_device_code` (string)
|
|
|
|
##### `GET` /crypto/certificatekeypairs/
|
|
|
|
###### Parameters:
|
|
|
|
Added: `include_details` in `query`
|
|
|
|
##### `GET` /propertymappings/notification/{pm_uuid}/used_by/
|
|
|
|
###### Parameters:
|
|
|
|
Changed: `pm_uuid` in `path`
|
|
|
|
> A UUID string identifying this Webhook Mapping.
|
|
|
|
##### `GET` /root/config/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `capabilities` (array)
|
|
|
|
Changed items (string):
|
|
|
|
Added enum value:
|
|
|
|
- `can_debug`
|
|
|
|
##### `GET` /sources/oauth/{slug}/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `provider_type` (string)
|
|
|
|
Added enum value:
|
|
|
|
- `twitch`
|
|
|
|
##### `PUT` /sources/oauth/{slug}/
|
|
|
|
###### Request:
|
|
|
|
Changed content type : `application/json`
|
|
|
|
- Changed property `provider_type` (string)
|
|
|
|
Added enum value:
|
|
|
|
- `twitch`
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `provider_type` (string)
|
|
|
|
Added enum value:
|
|
|
|
- `twitch`
|
|
|
|
##### `PATCH` /sources/oauth/{slug}/
|
|
|
|
###### Request:
|
|
|
|
Changed content type : `application/json`
|
|
|
|
- Changed property `provider_type` (string)
|
|
|
|
Added enum value:
|
|
|
|
- `twitch`
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `provider_type` (string)
|
|
|
|
Added enum value:
|
|
|
|
- `twitch`
|
|
|
|
##### `POST` /sources/oauth/
|
|
|
|
###### Request:
|
|
|
|
Changed content type : `application/json`
|
|
|
|
- Changed property `provider_type` (string)
|
|
|
|
Added enum value:
|
|
|
|
- `twitch`
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **201 Created**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `provider_type` (string)
|
|
|
|
Added enum value:
|
|
|
|
- `twitch`
|
|
|
|
##### `GET` /sources/oauth/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `results` (array)
|
|
|
|
Changed items (object): > OAuth Source Serializer
|
|
|
|
- Changed property `provider_type` (string)
|
|
|
|
Added enum value:
|
|
|
|
- `twitch`
|
|
|
|
##### `GET` /stages/authenticator/sms/{stage_uuid}/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Added property `mapping` (string)
|
|
> Optionally modify the payload being sent to custom providers.
|
|
|
|
##### `PUT` /stages/authenticator/sms/{stage_uuid}/
|
|
|
|
###### Request:
|
|
|
|
Changed content type : `application/json`
|
|
|
|
- Added property `mapping` (string)
|
|
> Optionally modify the payload being sent to custom providers.
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Added property `mapping` (string)
|
|
> Optionally modify the payload being sent to custom providers.
|
|
|
|
##### `PATCH` /stages/authenticator/sms/{stage_uuid}/
|
|
|
|
###### Request:
|
|
|
|
Changed content type : `application/json`
|
|
|
|
- Added property `mapping` (string)
|
|
> Optionally modify the payload being sent to custom providers.
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Added property `mapping` (string)
|
|
> Optionally modify the payload being sent to custom providers.
|
|
|
|
##### `GET` /flows/executor/{flow_slug}/
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
Deleted 'ak-flow-sources-plex' component
|
|
Deleted 'ak-flow-sources-oauth-apple' component
|
|
Added 'ak-provider-oauth2-device-code' component:
|
|
|
|
- Property `type` (string)
|
|
|
|
Enum values:
|
|
|
|
- `native`
|
|
- `shell`
|
|
- `redirect`
|
|
|
|
- Property `flow_info` (object)
|
|
|
|
> Contextual flow information for a challenge
|
|
|
|
- Property `title` (string)
|
|
|
|
- Property `background` (string)
|
|
|
|
- Property `cancel_url` (string)
|
|
|
|
- Property `layout` (string)
|
|
|
|
Enum values:
|
|
|
|
- `stacked`
|
|
- `content_left`
|
|
- `content_right`
|
|
- `sidebar_left`
|
|
- `sidebar_right`
|
|
|
|
- Property `component` (string)
|
|
|
|
- Property `response_errors` (object)
|
|
|
|
Added 'ak-source-oauth-apple' component:
|
|
|
|
- Property `type` (string)
|
|
|
|
- Property `flow_info` (object)
|
|
|
|
> Contextual flow information for a challenge
|
|
|
|
- Property `component` (string)
|
|
|
|
- Property `response_errors` (object)
|
|
|
|
- Property `client_id` (string)
|
|
|
|
- Property `scope` (string)
|
|
|
|
- Property `redirect_uri` (string)
|
|
|
|
- Property `state` (string)
|
|
|
|
Added 'ak-source-plex' component:
|
|
|
|
- Property `type` (string)
|
|
|
|
- Property `flow_info` (object)
|
|
|
|
> Contextual flow information for a challenge
|
|
|
|
- Property `component` (string)
|
|
|
|
- Property `response_errors` (object)
|
|
|
|
- Property `client_id` (string)
|
|
|
|
- Property `slug` (string)
|
|
|
|
Added 'ak-provider-oauth2-device-code-finish' component:
|
|
|
|
- Property `type` (string)
|
|
|
|
- Property `flow_info` (object)
|
|
|
|
> Contextual flow information for a challenge
|
|
|
|
- Property `component` (string)
|
|
|
|
- Property `response_errors` (object)
|
|
|
|
Updated `ak-stage-identification` component:
|
|
|
|
- Changed property `sources` (array)
|
|
|
|
Changed items (object): > Serializer for Login buttons of sources
|
|
|
|
- Changed property `challenge` (object)
|
|
|
|
Deleted 'ak-flow-sources-plex' component
|
|
Deleted 'ak-flow-sources-oauth-apple' component
|
|
Added 'ak-source-oauth-apple' component:
|
|
Added 'ak-source-plex' component:
|
|
|
|
##### `POST` /flows/executor/{flow_slug}/
|
|
|
|
###### Request:
|
|
|
|
Changed content type : `application/json`
|
|
|
|
Deleted 'ak-flow-sources-plex' component
|
|
Deleted 'ak-flow-sources-oauth-apple' component
|
|
Added 'ak-provider-oauth2-device-code' component:
|
|
|
|
- Property `component` (string)
|
|
|
|
- Property `code` (integer)
|
|
|
|
Added 'ak-source-oauth-apple' component:
|
|
|
|
- Property `component` (string)
|
|
|
|
Added 'ak-source-plex' component:
|
|
|
|
- Property `component` (string)
|
|
|
|
Added 'ak-provider-oauth2-device-code-finish' component:
|
|
|
|
- Property `component` (string)
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
Deleted 'ak-flow-sources-plex' component
|
|
Deleted 'ak-flow-sources-oauth-apple' component
|
|
Added 'ak-provider-oauth2-device-code' component:
|
|
Added 'ak-source-oauth-apple' component:
|
|
Added 'ak-source-plex' component:
|
|
Added 'ak-provider-oauth2-device-code-finish' component:
|
|
Updated `ak-stage-identification` component:
|
|
|
|
- Changed property `sources` (array)
|
|
|
|
Changed items (object): > Serializer for Login buttons of sources
|
|
|
|
- Changed property `challenge` (object)
|
|
|
|
Deleted 'ak-flow-sources-plex' component
|
|
Deleted 'ak-flow-sources-oauth-apple' component
|
|
Added 'ak-source-oauth-apple' component:
|
|
Added 'ak-source-plex' component:
|
|
|
|
##### `POST` /stages/authenticator/sms/
|
|
|
|
###### Request:
|
|
|
|
Changed content type : `application/json`
|
|
|
|
- Added property `mapping` (string)
|
|
> Optionally modify the payload being sent to custom providers.
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **201 Created**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Added property `mapping` (string)
|
|
> Optionally modify the payload being sent to custom providers.
|
|
|
|
##### `GET` /stages/authenticator/sms/
|
|
|
|
###### Parameters:
|
|
|
|
Added: `mapping` in `query`
|
|
|
|
###### Return Type:
|
|
|
|
Changed response : **200 OK**
|
|
|
|
- Changed content type : `application/json`
|
|
|
|
- Changed property `results` (array)
|
|
|
|
Changed items (object): > AuthenticatorSMSStage Serializer
|
|
|
|
- Added property `mapping` (string)
|
|
> Optionally modify the payload being sent to custom providers.
|
|
|
|
## Minor changes/fixes
|
|
|
|
- \*: improve error handling in ldap outpost, ignore additional errors
|
|
- admin: add authorisations metric (#3811)
|
|
- blueprints: fix error when exporting objects with lazily translated strings
|
|
- core: fallback to empty user object for PropertyMappingEvaluator
|
|
- core: fix messages not being shown when no client is connected
|
|
- core: fix title in generic error template
|
|
- crypto: fix cert_expiry not having the correct format
|
|
- crypto: fix import_certificate checking private key as certificate
|
|
- crypto: make certificate parsing optional for crypto api (#3711)
|
|
- flows: always show flow inspector in debug mode, don't require admin in debug (#3786)
|
|
- flows: improved import (show logs, improve UI) (#3807)
|
|
- flows: optimise queries for flow and stage API endpoints
|
|
- internal: limit body size
|
|
- outposts/ldap: increase compatibility with different types in user and group attributes
|
|
- providers/oauth2: add all hardcoded claims to claims_supported list
|
|
- providers/oauth2: add device flow (#3334)
|
|
- providers/oauth2: exclude at_hash claim if not set instead of being null
|
|
- providers/oauth2: fix issues with es256 and add tests (#3808)
|
|
- providers/saml: don't attempt verification of SAML request when no verification certificate is configured
|
|
- root: add global fallback throttle
|
|
- root: Add setting to adjust database config for pgbouncer (#3769)
|
|
- root: decrease default token size to 60 chars for compatibility (#3710)
|
|
- root: save email template directory in config
|
|
- sources/oauth: add Twitch OAuth source (#3746)
|
|
- sources/oauth: allow overriding of all scopes
|
|
- sources/saml: improve error handling for missing assertion and missing subject
|
|
- sources/saml: revamp SAML Source (#3785)
|
|
- stages/authenticator_sms: make sms stage payload customisable (#3780)
|
|
- stages/email: don't check that email templates exist on startup
|
|
- web: use drawSelection to workaround cursor bug when using CodeMirror with ShadowDOM in firefox
|
|
- web/\*: fix blank api drawer
|
|
- web/admin: allow web-based sources to have empty enrollment/authentication flow
|
|
- web/admin: rework scrolling in modals, ensure overlay covers everything
|
|
- web/admin: set card headers and icons in card class
|
|
- web/flows: improve display for action-showing stages
|
|
- web/flows: update flow background
|
|
- website/docs: add warning to trace log level
|
|
|
|
## Upgrading
|
|
|
|
This release does not introduce any new requirements.
|
|
|
|
### docker-compose
|
|
|
|
Download the docker-compose file for 2022.10 from [here](https://goauthentik.io/version/2022.10/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.
|
|
|
|
### Kubernetes
|
|
|
|
Update your values to use the new images:
|
|
|
|
```yaml
|
|
image:
|
|
repository: ghcr.io/goauthentik/server
|
|
tag: 2022.10.1
|
|
```
|