Release 2024.2
Highlights
- Remote Access Control (Enterprise): access machines over RDP, SSH, and VNC from authentik
- Audit logging (Enterprise): see which fields were changed when objects are updated
- Session location and network binding: limit the damage of a stolen session by terminating it when it is used from another location or network
- Wizard to simplify creating applications and providers
Breaking changes
Manual action is required
- Tenants have been renamed to brands
  Tenants, which were previously used to change branding configuration, default flows, and several other settings, have been renamed to brands. The term "brands" more accurately reflects their usage: configuring branding, logos, colors, and overall login flow behavior.
  Existing tenant objects will automatically be renamed to brand objects. The API endpoints associated with brands have also been renamed.
  Blueprints using authentik_tenants.tenant will need to be changed to use authentik_brands.brand. For more information, refer to the documentation for brands.
  Also, the event retention setting configured in brands (previously tenants, see above) has been removed and is now a system setting, managed in the Admin interface or via the API (see below).
  There is no built-in migration path for this change. If you set something other than the default (days=365), you will need to update the setting in the Admin interface.
- Helm chart breaking changes
  The Helm Chart has a number of breaking changes. Find out more in the chart release notes.
Manual action may be required
- Required offline_access scope for refresh tokens
  The OAuth2 provider ships with a new default scope called offline_access, which must be requested by applications that need a refresh token. Previously, authentik would always issue a refresh token for the Authorization Code and Device Code OAuth grants. Applications that require a refresh token will need their configuration updated to request the offline_access scope, and the provider must have the offline_access scope mapping assigned; otherwise the token response will no longer contain a refresh_token.
- Database requirement changes
  authentik now uses PostgreSQL schemas other than public. If you have a custom PostgreSQL deployment, ensure that the authentik database user is allowed to create schemas (the CREATE privilege on the database). If the authentik user owns the database, it usually already can.
- Redis and cache configuration options have been improved
  Thank you @PKizzle for this contribution!
  Cache settings have been moved from the redis top-level config key to their own cache top-level config key. Settings have also been added to configure the Redis instance/database used for tasks and websockets separately from the cache. See here.
  Typically, no changes to the configuration are required.
- Configuration options migrated to the Admin interface
  The following config options have been moved from the config file and can now be set using the Admin interface (under System -> Settings) or the API:
  AUTHENTIK_AVATARS
  AUTHENTIK_DEFAULT_USER_CHANGE_NAME
  AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL
  AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME
  AUTHENTIK_GDPR_COMPLIANCE
  AUTHENTIK_IMPERSONATION
  AUTHENTIK_FOOTER_LINKS
  AUTHENTIK_REPUTATION__EXPIRY
  When upgrading to 2024.2, the currently configured options will be automatically migrated to the database, and can be removed from the .env or Helm values file afterwards. Values left in the config file after the upgrade are no longer read.
- Icons are now in a public/ subfolder
  If your media folder is /media, icons are now stored in /media/public. authentik will automatically migrate the icons upon upgrading. Note that even though the folder is named public, the files stored there are not automatically public: the name follows the default PostgreSQL schema name (public), not the access level of the files.
- User sessions will be invalidated after this upgrade
  As such, users will need to log back in. Immediately after the upgrade completes, users are logged out automatically and are then prompted to log in again. This only occurs once.
- Removal of deprecated metrics
  These metrics were renamed because they did not adhere to Prometheus best practices. The old metrics were kept for backwards compatibility and have now been removed; dashboards and alerting rules that still reference the old names will stop returning data after the upgrade.
  authentik_outpost_flow_timing_get -> authentik_outpost_flow_timing_get_seconds
  authentik_outpost_flow_timing_post -> authentik_outpost_flow_timing_post_seconds
  authentik_outpost_ldap_requests -> authentik_outpost_ldap_request_duration_seconds
  authentik_outpost_ldap_requests_rejected -> authentik_outpost_ldap_requests_rejected_total
  authentik_outpost_proxy_requests -> authentik_outpost_proxy_request_duration_seconds
  authentik_outpost_proxy_upstream_time -> authentik_outpost_proxy_upstream_response_duration_seconds
  authentik_outpost_radius_requests -> authentik_outpost_radius_request_duration_seconds
  authentik_outpost_radius_requests_rejected -> authentik_outpost_radius_requests_rejected_total
  authentik_main_requests -> authentik_main_request_duration_seconds
- The shorthand parameter for --stage, -s, for the ak test_email command has been changed to -S
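Several of the items above (the blueprint model rename, the config keys migrated into the database, and the removed metric names) are easy to miss before an upgrade. The following pre-upgrade audit is an added example, not authentik's own tooling: it scans blueprint YAML, .env or Helm values content, and Prometheus rule files for the leftovers listed in these notes. The scanners take file contents as strings so they can run offline; the `audit_files` wrapper and the command-line entry point are assumptions about how you would wire it into your own upgrade checklist.

```python
"""Pre-upgrade audit for the 2024.2 manual-action items (added example; this is not
authentik's own tooling). The scanners work on file contents passed in as strings so
they run offline; audit_files() wraps them for real files. Covered:
  * blueprints that still use the model name authentik_tenants.tenant
  * .env / Helm values that still set the AUTHENTIK_* keys migrated into the database
  * Prometheus rules or dashboards that still use the removed outpost metric names
"""
import re
from pathlib import Path
from typing import Iterable

OLD_MODEL = "authentik_tenants.tenant"
NEW_MODEL = "authentik_brands.brand"

# Config keys that 2024.2 migrates into the database (list taken from the release notes).
MIGRATED_ENV_KEYS = {
    "AUTHENTIK_AVATARS",
    "AUTHENTIK_DEFAULT_USER_CHANGE_NAME",
    "AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL",
    "AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME",
    "AUTHENTIK_GDPR_COMPLIANCE",
    "AUTHENTIK_IMPERSONATION",
    "AUTHENTIK_FOOTER_LINKS",
    "AUTHENTIK_REPUTATION__EXPIRY",
}

# Removed metric -> replacement (list taken from the release notes).
RENAMED_METRICS = {
    "authentik_outpost_flow_timing_get": "authentik_outpost_flow_timing_get_seconds",
    "authentik_outpost_flow_timing_post": "authentik_outpost_flow_timing_post_seconds",
    "authentik_outpost_ldap_requests": "authentik_outpost_ldap_request_duration_seconds",
    "authentik_outpost_ldap_requests_rejected": "authentik_outpost_ldap_requests_rejected_total",
    "authentik_outpost_proxy_requests": "authentik_outpost_proxy_request_duration_seconds",
    "authentik_outpost_proxy_upstream_time": "authentik_outpost_proxy_upstream_response_duration_seconds",
    "authentik_outpost_radius_requests": "authentik_outpost_radius_request_duration_seconds",
    "authentik_outpost_radius_requests_rejected": "authentik_outpost_radius_requests_rejected_total",
    "authentik_main_requests": "authentik_main_request_duration_seconds",
}

_MODEL_LINE = re.compile(r"^\s*-?\s*model:\s*" + re.escape(OLD_MODEL) + r"\s*$")
# dotenv "KEY=value", YAML "KEY: value" and the Kubernetes "- name: KEY" list form.
_ENV_KEY = re.compile(r"""^\s*(?:-\s*)?(?:name:\s*)?["']?(AUTHENTIK_[A-Z0-9_]+)["']?\s*(?:[=:]|$)""")


def scan_blueprint(text: str) -> list[str]:
    """One finding per line whose model key still names the old tenant model."""
    return [
        f"line {n}: replace {OLD_MODEL} with {NEW_MODEL}"
        for n, line in enumerate(text.splitlines(), 1)
        if _MODEL_LINE.match(line)
    ]


def migrate_blueprint(text: str) -> str:
    """Rewrite the model key only; identifiers and attrs are left as they are."""
    return re.sub(r"(model:\s*)" + re.escape(OLD_MODEL) + r"\b", r"\g<1>" + NEW_MODEL, text)


def scan_env(text: str) -> list[str]:
    """Flag migrated keys in dotenv or YAML content; commented-out lines are ignored."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = _ENV_KEY.match(line)
        if m and m.group(1) in MIGRATED_ENV_KEYS:
            findings.append(f"line {n}: {m.group(1)} is now an Admin interface setting; remove it after upgrading")
    return findings


def scan_prom_rules(text: str) -> list[str]:
    """Flag removed metric names in PromQL. Some old names are prefixes of other names
    (authentik_outpost_ldap_requests vs authentik_outpost_ldap_requests_rejected_total),
    so the name must end right there, apart from the histogram series suffixes."""
    findings = []
    for old, new in RENAMED_METRICS.items():
        pattern = re.compile(re.escape(old) + r"(?:_bucket|_sum|_count)?(?![A-Za-z0-9_:])")
        for n, line in enumerate(text.splitlines(), 1):
            if pattern.search(line):
                findings.append((n, f"line {n}: {old} was removed; use {new}"))
    return [msg for _, msg in sorted(findings)]


def audit_files(paths: Iterable[Path]) -> dict[str, list[str]]:
    """Run all three scanners over each file and collect non-empty results per path."""
    report = {}
    for path in paths:
        text = Path(path).read_text(encoding="utf-8")
        found = scan_blueprint(text) + scan_env(text) + scan_prom_rules(text)
        if found:
            report[str(path)] = found
    return report


if __name__ == "__main__":
    import sys
    for name, items in audit_files(map(Path, sys.argv[1:])).items():
        print(name)
        for item in items:
            print("  " + item)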
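The offline_access change is the one most likely to break a client silently: the Authorization Code flow still succeeds, but the token response no longer carries a refresh_token, and the client only notices when the access token expires. The following client-side snippet is an added example, not authentik's code: it builds the authorization request with offline_access added when a refresh token is wanted, checks the token response against what was requested, and prepares the refresh request. The endpoint paths follow authentik's /application/o/... layout; the issuer, client ID and redirect URI are placeholders.

```python
"""Requesting and checking refresh tokens with offline_access (added example; not
authentik's code). Endpoint paths follow authentik's /application/o/... layout; the
issuer, client ID and redirect URI below are placeholders."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://authentik.example.com"            # assumption: your authentik URL
CLIENT_ID = "example-client-id"                     # assumption
REDIRECT_URI = "https://app.example.com/callback"   # assumption


def build_authorize_url(scopes, *, want_refresh_token, state=None, nonce=None):
    """Authorization Code request. From 2024.2 authentik issues a refresh token only if
    offline_access is among the requested scopes; earlier versions always issued one."""
    scopes = list(dict.fromkeys(scopes))          # de-duplicate, keep order
    if want_refresh_token and "offline_access" not in scopes:
        scopes.append("offline_access")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state or secrets.token_urlsafe(16),  # ties the callback to this request
        "nonce": nonce or secrets.token_urlsafe(16),  # must come back inside the id_token
    }
    return f"{ISSUER}/application/o/authorize/?{urlencode(params)}"


def requested_scopes(authorize_url):
    """Scopes as the provider will see them in the request."""
    return parse_qs(urlparse(authorize_url).query)["scope"][0].split()


def check_token_response(requested, token_response):
    """Compare the token endpoint's JSON body with what was requested.
    Returns (refresh_token_or_None, problems)."""
    problems = []
    refresh = token_response.get("refresh_token")
    if "offline_access" in requested and refresh is None:
        problems.append("offline_access requested but no refresh_token issued: "
                        "assign the offline_access scope mapping to the provider")
    if "offline_access" not in requested and refresh is not None:
        problems.append("refresh_token issued without offline_access: provider still "
                        "on pre-2024.2 behaviour, add the scope before upgrading")
    return refresh, problems


def build_refresh_request(refresh_token, client_secret):
    """Form body for POST {ISSUER}/application/o/token/ to obtain a new access token."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    }
```

The second check in `check_token_response` is useful before the upgrade: a client that receives refresh tokens without asking for offline_access is relying on the old behaviour and should add the scope now. Note from the 2024.2.2 fixes below that offline_access requests whose prompt parameter does not include consent were corrected in that patch release; test against 2024.2.2 or later.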
New features
- New provider: Remote Access Control (Enterprise)
  The Remote Access Control provider allows you to connect to remote machines over RDP, SSH, and VNC through authentik. As such, you can use the same policy engine and customization options that are possible with other providers, using the same user and admin interface.
- Audit logging (Enterprise)
  authentik instances that have a valid enterprise license installed will log any changes made to models, including which fields were changed, with the previous and new values of the fields. Sensitive values (for example a password hash) are censored, but a hash of the changed value is still logged so that the change itself remains visible.
- Session location and network binding
  Sessions for any user can now be bound to a specific geolocation (continent, country, city) or network (autonomous system, subnet, IP address). If the session is used from a location/network different from the one it was created from, the session is terminated.
  Configuration steps are available here.
- S3 file storage
  Media files can now be stored on S3. Follow the setup guide to get started.
- Pretend user exists option for Identification stage
  Previously the Identification stage would only continue if a user matching the user identifier existed. While this was the intended functionality, this release adds an option to continue to the next stage even if no matching user was found, so the stage no longer reveals whether an account exists. "Pretend" users cannot authenticate or receive emails, and don't exist in the database.
  This feature is enabled by default.
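How the binding decision works, as an added illustration rather than authentik's implementation: the login records where the session was created, and every later request compares its own lookup result against that record at the configured strictness. The geolocation levels are hierarchical (city implies country and continent), and the network levels likewise (exact IP implies prefix and ASN). The `Context` values are constructed lookup results, and treating the prefix reported by the ASN database as the "subnet" is an assumption of this example.

```python
"""Session location/network binding, illustrated (added example; not authentik's code).

A login records the client's GeoIP/ASN lookup result; each later request is checked
against it at the configured strictness, and a mismatch ends the session. The Context
values are constructed lookup results, not output of a real GeoIP database."""
from dataclasses import dataclass
from enum import Enum
import ipaddress


class GeoBinding(Enum):
    NONE = 0
    CONTINENT = 1
    COUNTRY = 2      # implies continent
    CITY = 3         # implies country and continent


class NetBinding(Enum):
    NONE = 0
    ASN = 1
    NETWORK = 2      # ASN plus the prefix the ASN database reports (assumption)
    IP = 3           # ASN, prefix and the exact client address


@dataclass(frozen=True)
class Context:
    """What a GeoIP/ASN lookup of the client address yields."""
    ip: str
    asn: int
    network: str     # prefix the ASN database attributes the address to
    continent: str
    country: str
    city: str


def geo_mismatch(level, origin, current):
    """Name of the first geo attribute that differs within the bound level, else None."""
    for field in ("continent", "country", "city")[: level.value]:
        if getattr(origin, field) != getattr(current, field):
            return field
    return None


def net_mismatch(level, origin, current):
    """Name of the first network attribute that differs within the bound level, else None."""
    if level is NetBinding.NONE:
        return None
    if origin.asn != current.asn:
        return "asn"
    if level.value >= NetBinding.NETWORK.value:
        prefix = ipaddress.ip_network(origin.network, strict=False)
        if ipaddress.ip_address(current.ip) not in prefix:
            return "network"
    if level is NetBinding.IP and origin.ip != current.ip:
        return "ip"
    return None


def session_still_valid(geo_level, net_level, origin, current):
    """(True, "") when the request may continue, else (False, "<kind>:<attribute>")."""
    geo = geo_mismatch(geo_level, origin, current)
    if geo:
        return False, f"geo:{geo}"
    net = net_mismatch(net_level, origin, current)
    if net:
        return False, f"net:{net}"
    return True, ""


if __name__ == "__main__":
    # Constructed scenario: a session created in Berlin, then replayed from elsewhere.
    home = Context("203.0.113.10", 64496, "203.0.113.0/24", "EU", "DE", "Berlin")
    stolen = Context("198.51.100.5", 64497, "198.51.100.0/24", "NA", "US", "Ashburn")
    print(session_still_valid(GeoBinding.COUNTRY, NetBinding.ASN, home, stolen))
```

Two practical points follow from the model. Binding to the exact IP is the strongest setting but will log out users whose address changes legitimately (mobile networks, roaming between NAT pools), so country plus ASN is usually the workable default for a workforce; and the check only works where the lookup returns data, so decide explicitly what to do for private addresses or a missing GeoIP database rather than letting empty values compare equal.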
UX features
- Simplified workflow for creating applications and providers
  Applications and providers can now be created at the same time using the Application Wizard, found on the Applications -> Applications page of the Admin interface. The new wizard removes the previous requirement of first creating the provider, then the application, and then manually linking the two together.
- Ability to select more than 20 providers in an outpost
  We have introduced a new way of selecting providers in the outpost configuration form, which allows more than 20 providers to be selected for a single outpost.
  This dual-list multiselect prompt is only available for outposts for now, but we plan on extending it to other forms.
- Attribute preview per user
  You can now preview the attributes transmitted to SAML and OAuth applications for a specific user.
- Display applications a user has access to
  An administrator can now see all applications a user has access to on the user's page in the Admin interface.
Other noteworthy features
- New graph for event volume
  In the Events -> Log page in the Admin interface, you can see a graph of the event volume matching the search query over the last 7 days.
- Flows can now be restricted to outposts
  You can now restrict a flow to be used only by an outpost using the Require Outpost setting on the flow. This would mainly be used for LDAP flows.
- System tasks improvements
  You can now search through system tasks. We have also improved the task duration calculation and display.
- LDAP provider: allow overriding gidNumber
  Previously, the gidNumber attribute on a user was set to the same value as uidNumber. You can now override this behaviour.
- LDAP source: new command to check connectivity
  Examples on how to use it are available here.
Upgrading
This release contains breaking changes (see above); apart from the PostgreSQL schema-creation privilege noted there, it introduces no new requirements.
docker-compose
To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:
wget -O docker-compose.yml https://goauthentik.io/version/2024.2/docker-compose.yml
docker compose up -d
The -O flag writes the download to the given file name (docker-compose.yml), overwriting any existing local file with that name.
Kubernetes
Upgrade the Helm Chart to the new version, using the following commands:
helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.2
Minor changes/fixes
- blueprints: improve file change handler (#7813)
- blueprints: only watch for fs events we're interested in (#7810)
- core: fix PropertyMapping context not being available in request context
- core: fix pagination in applications list being ignored (#8512)
- core: fix worker beat toggle inverted (#7508)
- core: optimise user list endpoint (#8353)
- core: show all applications a user can access in admin interface (#8343)
- core: use correct .evaluate implementation for testing PropertyMappings (#8459)
- enterprise/providers/rac: add alert that enterprise is required for RAC (#8057)
- enterprise/providers/rac: add option to limit concurrent connections to endpoint (#8053)
- enterprise/providers/rac: connection token management (#8467)
- enterprise/providers/rac: create authorize_application event when creating token (#8050)
- enterprise/providers/rac: fix maximum_connections set to -1 not being effective (#8456)
- enterprise/providers: Add RAC (#7291)
- enterprise: add full audit log (#8177)
- enterprise: fix system task missing set_status (#8455)
- enterprise: rework license summary caching (#8501)
- enterprise: exclude inactive users from license (#8294)
- events: add ASN Database reader (#7793)
- events: add better fallback for sanitize_item to ensure everything can be saved as JSON (#7694)
- events: add graph for event volume (#7639)
- events: fix SystemTask timestamps and scheduling (#8435)
- events: include user agent in events (#7693)
- events: migrate SystemTasks to DB (#8159)
- flows: add "require outpost" authentication_requirement (#7921)
- internal: remove deprecated metrics (#7540)
- internal: remove special route for /outpost.goauthentik.io (#7539)
- outposts/ldap: allow overriding gidNumber for a user (#8003)
- outposts/ldap: avoid nil ptr deref in MemorySearcher (#7767)
- outposts/proxy: better Redis error message (#8044)
- outposts: disable deployment and secret reconciler for embedded outpost in code instead of in config (#8021)(#8024)
- outposts: fix Outpost reconcile not re-assigning managed attribute (#8014)
- providers/oauth2: fix CVE-2024-21637 (#8104)
- providers/oauth2: fix missing nonce in id_token (#8072)
- providers/oauth2: fix missing nonce in token endpoint not being saved (#8073)
- providers/oauth2: offline access (#8026)
- providers/oauth2: remember session_id from initial token (#7976)
- providers/oauth2: set auth_via for token and other endpoints (#7417)
- providers/proxy: Fix duplicate cookies when using file system store. (#7541)
- providers/proxy: fix closed redis client (#7385)
- providers/proxy: use access token (#8022)
- providers/rac: fix property mapping without enterprise (#8144)
- providers/scim: change familyName default (#7904)
- providers/scim: fix missing schemas attribute for User and Group (#7477)
- providers/scim: set timeout based on page and page count (#7941)
- providers/scim: use lock for sync (#7948)
- providers: allow previewing mappings for other users (#8297)
- rbac: fix error when looking up permissions for now uninstalled apps (#8068)
- rbac: fix invitations listing with restricted permissions (#8227)
- root: Multi-tenancy (#7590)
- root: Restructure broker / cache / channel / result configuration (#7097)
- root: bump python deps (django 5) (#7862)
- root: fix listen trusted_proxy_cidrs config loading from environment (#8075)
- root: fix redis config not being updated to match previous change
- root: fix system check warnings (#8277)
- root: include ca-certificates in container (#7763)
- root: make test database name configurable (#7591)
- root: simplify task signal imports (#8454)
- security: fix CVE-2023-48228 (#7666)
- security: fix CVE-2024-23647 (#8345)
- sources/ldap: add check command to verify ldap connectivity (#7263)
- sources/ldap: clean-up certs written from db (#7617)
- sources/ldap: fix Issue with changing passwords with eDirectory (#7997)
- sources/oauth: fix OAuth source type serializer (#8140)
- sources/oauth: fix URLs being overwritten by OIDC urls (#8147)
- sources/oauth: fix azure_ad user_id and add test and fallback (#8146)
- sources/oauth: fix missing get_user_id for OIDC-like sources (Azure AD) (#7970)
- sources/oauth: fix patreon (#7454)
- sources/oauth: revert azure_ad profile URL change (#8139)
- stages/authenticator_totp: fix API validation error due to choices (#7608)
- stages/authenticator_validate: fix error when using pretend_user (#8447)
- stages/authenticator_validate: use friendly_name for stage selector when enrolling (#8255)
- stages/email: fix duplicate querystring encoding (#7386)
- stages/email: improve error handling for incorrect template syntax (#7758)
- stages/email: prevent authentik emails from being marked as spam (also add text template support) (#7949)
- stages/email: use uuid for email confirmation token instead of username (#7581)
- stages/identification: add option to pretend user exists (#7610)
- stages/user_login: only set last_ip in session if a binding is given (#8074)
- stages/user_login: session binding (#7881)
- web/admin: add RAC Provider to the list of providers understood by the wizard (#8149)
- web/admin: always show oidc well-known URL fields when they're set (#7560)
- web/admin: contextually add user to group when creating user from group page (#7586)
- web/admin: fix admins not able to delete MFA devices (#7660)
- web/admin: fix chart label on dashboard user page (#7434)
- web/admin: fix footer links not being parsed on settings page (#8289)
- web/admin: fix html error on oauth2 provider page (#7384)
- web/admin: fix incorrectly encoded chars in translation (#7580)
- web/admin: hide expiry time if item is set to not expire (#8457)
- web/admin: revamped rbac and user settings tabs (#8299)
- web/admin: revise wizard form handling (#7331)
- web/admin: show connected services on user view page, fix styling (#8416)
- web/components: improve error handling in ak-search-select (#8228)
- web/elements: keep selected elements in table when fetching (#7519)
- web/flows: attempt to fix Bitwarden Android compatibility (#7455)
- web/flows: don't auto-redirect to first source when passwordless is configured (#7579)
- web/flows: fix device picker incorrect foreground color (#8067)
- web/flows: fix icon for generic oauth source with dark theme (#8148)
- web/flows: fix logo height (#7834)
- web/flows: show logo in card (#7824)
- web/flows: use aria-invalid attribute to better show invalid input fields (#7661)
- web/user: fix search not updating selected app in user interface (#7825)
- web: clear "blanked" placeholder when present (#15) (#5948)
- web: clear out selecteds list after an API event to ensure a fresh copy of the policies-to-delete list (#8125)
- web: dark/light theme fixes (#7872)
- web: fix broken backchannel selector (#7480)
- web: fix labels on group view page (#7677)
- web: fix overflow glitch on ak-page-header (#7883)
- web: provide dual-list multiselect with pagination (#8004)
Fixed in 2024.2.1
- brands: fix context processor when request doesn't have a tenant (cherry-pick #8643) (#8646)
- ci: fix missing tags from release (cherry-pick #8645) (#8647)
- core: bump cbor2 from 5.5.1 to 5.6.2 (#8607)
- core: bump cryptography from 42.0.0 to 42.0.2 (#8553)
- core: bump cryptography from 42.0.2 to 42.0.4 (#8629)
- events: sanitize args and kwargs saved in system tasks (cherry-pick #8644) (#8648)
- stages/authenticator_validate: fix error with get_webauthn_challenge_without_user (cherry-pick #8625) (#8626)
Fixed in 2024.2.2
- core: fix blueprint export (cherry-pick #8695) (#8696)
- enterprise: fix read_only activating when no license is installed (cherry-pick #8697) (#8698)
- enterprise: force license usage update after change to license (cherry-pick #8723) (#8725)
- flows: fix mismatched redirect behaviour for invalid and valid flows (cherry-pick #8794) (#8796)
- providers/oauth2: fix inconsistent sub value when setting via mapping (cherry-pick #8677) (#8682)
- providers/oauth2: fix offline_access requests when prompt doesn't include consent (cherry-pick #8731) (#8732)
- providers/oauth2: fix validation ordering (cherry-pick #8793) (#8795)
- root: ensure consistent install_id (cherry-pick #8775) (#8776)
- root: fix container build (cherry-pick #8727) (#8728)
- stages/authenticator_webauthn: fix error when enrolling new device (cherry-pick #8738) (#8740)
- web/admin: don't mark property mappings as required anywhere (cherry-pick #8752) (#8755)
- web/admin: don't mark remaining property mappings as required (cherry-pick #8772) (#8773)
Fixed in 2024.2.3
- api: capabilities: properly set can_save_media when s3 is enabled (cherry-pick #8896) (#8897)
- enterprise: only check for valid license existing for creating Enterprise objects (cherry-pick #8813) (#8822)
- enterprise/rac: fix connection token management (cherry-pick #8909) (#8912)
- events: discard notification if user has empty email (cherry-pick #8938) (#8951)
- events: fix incorrect user logged when using API token authentication (#9302)
- lifecycle: migrate: ensure template schema exists before migrating (cherry-pick #8952) (#9022)
- stages/email: Disable autoescape for text templates (cherry-pick #8812) (#8824)
- stages/email: fix issue when sending emails to users with same display as email (cherry-pick #8850) (#8852)
- stages/user_write: ensure user data is json-serializable (cherry-pick #8926) (#8928)
- tenants: really ensure default tenant cannot be deleted (cherry-pick #8875) (#8876)
Fixed in 2024.2.4
- security: fix CVE-2024-37905, reported by @m2a2 (cherry-pick #10230) (#10238)
- security: fix CVE-2024-38371, reported by Stefan Zwanenburg (cherry-pick #10229) (#10235)