Release 2021.10
Headline Changes
Flow Inspector
To better understand how a flow works, and why things might not be working as intended, you can now launch Flows with an inspector enabled. This is simply triggered by adding a
?inspector
to the URL. Currently, only superuser have the permission to access the Inspector.The inspector shows the current stage, previous stages, next planned stages, and the current flow context.
SMS Authenticator
You can now use SMS-based TOTP authenticators. This new Stage supports both Twilio, and a generic API endpoint, if using another provider. This stage does not have to be used for authentication, it can simply be used during enrollment to verify your users phone numbers.
Sign in with Apple
It is now possible to add an Apple OAuth Source, to allow your users to authenticate with their Apple ID.
A huge shoutout to all the people that contributed, helped test and also translated authentik. This is the first release that has as full French translation!
Minor changes
- *: Squash Migrations (#1593)
- admin: clear update notification when notification's version matches current version
- cmd: prevent outposts from panicking when failing to get their config
- core: add default for user's settings attribute
- core: add settings serializer to user/me and update_self endpoints, saved in a key in attributes
- core: improve detection for s3 settings to trigger backup
- core: include group uuids in self serializer
- core: make user's name field fully optional
- flows: inspector (#1469)
- internal: add internal healthchecking to prevent websocket errors
- internal/proxyv2: improve error handling when configuring app
- lifecycle: bump celery healthcheck to 5s timeout
- lifecycle: only lock database when system migrations need to be applied, and during django migrations, and don't double unlock
- lifecycle: only set prometheus_multiproc_dir in ak wrapper to prevent full disk on worker
- managed: don't run managed reconciler in foreground on startup
- outpost/proxy: fix missing negation for internal host ssl verification
- outposts: add additional error checking for docker controller
- outposts: Adding more flexibility to outposts in Kubernetes. (#1617)
- outposts: allow disabling of docker controller port mapping
- outposts: check ports of deployment in kubernetes outpost controller
- outposts: don't always build permissions on outpost.user access, only in signals and tasks
- outposts: fallback to known-good outpost image if configured image cannot be pulled
- outposts: fix error when comparing ports in docker controller when port mapping is disabled
- outposts: handle k8s 422 response code by recreating objects
- outposts: rename docker_image_base to container_image_base, since its not docker specific
- outposts/ldap: Support hard coded
uidNumber
andgidNumber
. (#1582) - outposts/proxy: add new headers with unified naming
- outposts/proxy: fix duplicate protocol in domain auth mode
- outposts/proxy: show full error message when user is authenticated
- policies: add additional filters to create flow charts on frontend
- policies/password: add extra sub_text field in tests
- providers/ldap: use RDN when using posixGroup's memberUid attribute (#1514)
- providers/proxy: always check ingress secret in kubernetes controller
- providers/proxy: update ingress controller to work with k8s 1.22
- recovery: handle error when user doesn't exist
- root: add docker-native healthcheck for web and celery
- root: add translation for backend strings
- root: coverage with toml support
- root: fix error with sentry proxy
- root: migrate docker images to netlify proxy (#1603)
- root: remove redundant internal network from compose
- root: remove structlog.processors.format_exc_info for new structlog version
- root: Use fully qualified names for docker bases base images. (#1490)
- sources/ldap: add support for Active Directory
userAccountControl
attribute - sources/ldap: don't sync ldap source when no property mappings are set
- sources/ldap: fix logic error in Active Directory account disabled status
- sources/oauth: add Sign in with Apple (#1635)
- stages/authenticator_sms: add generic provider (#1595)
- stages/authenticator_sms: Add SMS Authenticator Stage (#1577)
- stages/authenticator_validate: create a default authenticator validate stage with sensible defaults
- stages/email: add activate_user_on_success flag, add for all example flows
- stages/prompt: add sub_text field to add HTML below prompt fields
- stages/prompt: fix sub_text not allowing blank
- stages/prompt: fix wrong field type of field_key
- stages/user_login: add check for user.is_active and tests
- stages/user_write: allow recursive writing to user.attributes
- web: add locale detection
- web: ensure fallback locale is loaded
- web: fix rendering of token copy button in dark mode
- web: fix strings not being translated at all when matching browser locale not found
- web: make table pagination size user-configurable
- web: new default flow background
- web: Translate /web/src/locales/en.po in fr_FR (#1506)
- web/admin: add fallback font for doughnut charts
- web/admin: default to warning state for backup task
- web/admin: don't require username nor name for activate/deactivate toggles
- web/admin: fix description for flow import
- web/admin: fix LDAP Source form not exposing syncParentGroup
- web/admin: fix search group label
- web/admin: fix SMS Authenticator stage not loading state correctly
- web/admin: improve visibility of oauth rsa key
- web/admin: only show outpost deployment info when not embedded
- web/admin: truncate prompt label when too long
- web/elements: fix initialLoad not being done when viewportCheck was disabled
- web/elements: fix model form always loading when viewport check is disabled
- web/elements: use dedicated button for search clear instead of webkit exclusive one
- web/flows: adjust message for email stage
- web/user: don't show managed tokens in user interface
- web/user: initial optimisation for smaller screens
- web/user: load interface settings from user settings
Fixed in 2021.10.1-rc2
- core: add user flag to prevent users from changing their usernames
- core: log user for http requests
- flows: clear cache when deleting bindings
- outpost/ldap: fix logging for mismatched provider
- root: add cookie domain setting
- sources/oauth: add choices to oauth provider_type
- web: disable Sentry.showReportDialog
- web/flows: showing of authentik logo in flow executor
- web/flows: fix authenticator device selection not updating
- web/flows: show cancel link when choosing authenticator challenge
Fixed in 2021.10.1-rc3
- api: fix error when connection to websocket via secret_key
- core: add toggle to completely disable backup mechanism
- core: add USER_ATTRIBUTE_CHANGE_EMAIL
- events: fix error when notification transport doesn't exist anymore
- outposts: fix docker controller not using object_naming_template
- providers/oauth2: fallback to uid if UPN was selected but isn't available
- providers/oauth2: fix events being created from /application/o/authorize/
- sources/ldap: prevent key
users
from being set as this is an M2M relation - sources/ldap: skip values which are of type bytes
Fixed in 2021.10.1
- core: add API for all user-source connections
- core: add API to list all authenticator devices
- core: add created field to source connection
- flows: optimise stage user_settings API
- outposts: separate websocket re-connection logic to decrease requests on reconnect
- root: pin node images to v16
- root: update golang ldap server package
- web/user: fix wrong device being selected in user's mfa update form
- web/user: rework MFA Device UI to support multiple devices
- web/user: update form to update mfa devices
Fixed in 2021.10.2
- api: replace django sentry proxy with go proxy to prevent login issues
- providers/proxy: allow configuring of additional scope mappings for proxy
- providers/saml: fix error on missing AssertionConsumerServiceURL, fall back to default ACS
- root: fix Detection of S3 settings for backups
- root: fix postgres install on bullseye
- root: update base images for outposts
- root: update to buster
- stages/identification: add show_source_labels option, to show labels for sources
- stages/invitation: don't throw 404 error in stage
- stages/invitation: remove invitation from plan context after deletion
- stages/prompt: fix type in Prompt not having enum set
- web/flows: fix invalid validation for static tokens
- web/flows: fix sub_text not rendering for static fields
- web/user: fix configureUrl not being passed to
<ak-user-settings-password>
Fixed in 2021.10.3
- admin: improve check to remove version notifications
- cmd/server: improve cleanup on shutdown
- core: add command to output full config
- core: fix auth_method for tokens
- core: include parent group name
- core: make group membership lookup respect parent groups (upwards)
- events: ignore creation/deletion of AuthenticatedSession objects
- internal: start embedded outpost directly after backend is healthy instead of waiting
- lifecycle: revert to non-h11 worker
- outpost/ldap: don't cleanup user info as it is overwritten on bind
- providers/*: include list of outposts
- providers/ldap: add/squash migrations
- providers/ldap: memory Query (#1681)
- recovery: add create_admin_group management command
- root: fix defaults for EMAIL_USE_TLS
- root: improve compose detection, add anonymous stats
- root: keep last 30 backups
- sources/ldap: remove deprecated default
- sources/oauth: set prompt=none for Discord provider
- sources/plex: allow users to connect their plex account without login flow
- sources/plex: use exception_to_string in tasks
- stages/authenticator_*: add default name for authenticators
- stages/identification: only allow limited challenges for login sources
- stages/identification: use random sleep
- stages/prompt: add text_read_only field
- stages/prompt: default prompts to the current value of the context
- stages/prompt: only set placeholder when in context
- stages/prompt: set field placeholder based on plan context
- stages/prompt: use initial instead of default
- web: fix linting errors by adding a wrapper for next param
- web/admin: only show flows with an invitation stage configured instead of all enrollment flows
- web/admin: show warning on invitation list when no stage exists or is bound
- web/admin: show warning on provider when not used with outpost
- web/flows: fix authenticator_validate not allowing alphanumeric codes due to empty pattern
- web/flows: improve display of static tokens
- web/user: fix ak-user-settings-password getting wrong configureUrl
- web/user: fix device type for static tokens
- web/user: fix empty page when no sources to connect exist
- web/user: fix redirect after starting configuration flow from user interface
Fixed in 2021.10.4
- core: force lowercase emails for gravatar usage
- outposts: fix MFA Challenges not working with outpost
- outposts/ldap: fix logic error in cached ldap searcher
- outposts/proxy: fix static files not being served in proxy mode
- providers/proxy: return list of configured scope names so outpost requests custom scopes
- root: use python slim-bullseye as base
- sources/ldap: fix user/group sync overwriting attributes instead of merging them
- sources/ldap: set connect/receive timeout (default to 15s)
- stages/*: disable trim_whitespace on important fields
- stages/authenticator_duo: fix devices created with name
- stages/authenticator_validate: enable all device classes by default
- web: write interfaces to different folders and remove custom chunk names
- web/admin: fix display issues with flow execute buttons
- web/admin: show warnings above tab bar
- web/admin: use more natural default ordering for objects
Upgrading
This release does not introduce any new requirements.
docker-compose
Download the docker-compose file for 2021.10 from here. Afterwards, simply run docker-compose up -d
.
Kubernetes
Update your values to use the new images:
image:
repository: ghcr.io/goauthentik/server
tag: 2021.10.1