Release 2024.4
Highlights
- OAuth/SAML as authentication factor (Enterprise): Use an external provider as part of an MFA authentication flow, including custom implementations.
- SCIM Source (Preview): Provision users and groups in authentik using a SCIM API.
- Configurable WebAuthn device restrictions: Configure which types of WebAuthn devices can be used to enroll and validate for different authorization levels.
- Performance improvements: The API endpoints to list Users, Groups, and Events have been optimized by 94%, 41% and 53% respectively.
Breaking changes
Manual action may be required
- Configuration options migrated to the Admin interface
  The following config option has been moved from the config file and can now be set using the Admin interface (under System -> Settings) or the API:
  - AUTHENTIK_DEFAULT_TOKEN_LENGTH
  When upgrading to 2024.4, the currently configured value is automatically migrated to the database and can be removed from the .env or Helm values file afterwards.
New features
- Source stage (Enterprise)
  The source stage allows a source to be included as part of a flow. This can be used to link a user to a source as part of their authentication or enrollment, or as an external multi-factor step, for example to obtain device health attestation from the external provider.
  For details refer to Source stage
- SCIM Source (Preview)
  Provision users and groups in authentik using a SCIM API.
  For details refer to SCIM Source
- Configurable WebAuthn device restrictions
  Configure which types of WebAuthn devices can be used to enroll and validate for different authorization levels.
  For details refer to WebAuthn authenticator setup stage
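How the device type behind a WebAuthn enrollment is identified, as an added example that is not authentik's code: the authenticator's AAGUID sits in the attested credential data of the registration's authenticatorData, and it is that AAGUID which a device-type allowlist (such as the one the setup stage now offers, backed by the FIDO MDS data exposed under /stages/authenticator/webauthn_device_types/) matches on. The parser follows the authenticatorData layout from the WebAuthn specification; the allowlist, the AAGUID values and the sample bytes are constructed for this example. It also handles the case a practitioner should expect: when attestation conveyance is "none", the client may replace the AAGUID with sixteen zero bytes, and then no device-type restriction can be enforced.

```python
"""Identify the authenticator type behind a WebAuthn registration via its AAGUID.

Added example, not authentik's code. authenticatorData layout (WebAuthn spec):
  rpIdHash (32) | flags (1) | signCount (4, big-endian)
  [ if flags.AT: aaguid (16) | credentialIdLength (2) | credentialId | COSE key (CBOR) ]
The allowlist, AAGUID values and sample bytes below are constructed for this example.
"""
import hashlib
import struct
import uuid

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included (registration only)

# Clients replace the AAGUID with 16 zero bytes when attestation conveyance is
# "none", so a zeroed AAGUID means the device type cannot be determined.
ZERO_AAGUID = uuid.UUID(int=0)

# Constructed values standing in for entries from the FIDO MDS / device type list.
SAMPLE_ALLOWED_AAGUID = uuid.UUID("aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee")
SAMPLE_UNKNOWN_AAGUID = uuid.UUID("12345678-1234-4234-8234-123456789abc")
ALLOWED_DEVICE_TYPES = {SAMPLE_ALLOWED_AAGUID}


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed header and, when the AT flag is set, the attested credential data."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte header")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attested credential data is truncated")
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID is truncated")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        parsed["credential_id"] = cred_id
        # The COSE public key (CBOR) follows the credential ID; it is not needed here.
    return parsed


def check_device_allowed(auth_data: bytes, allowed: set, require_uv: bool = True) -> tuple:
    """Decide whether a registration may be enrolled; returns (allowed, reason)."""
    parsed = parse_authenticator_data(auth_data)
    aaguid = parsed["aaguid"]
    if aaguid is None:
        return False, "no attested credential data: not a registration response"
    if aaguid == ZERO_AAGUID:
        return False, "AAGUID is all zeros: request direct/indirect attestation to identify the device"
    if aaguid not in allowed:
        return False, f"device type {aaguid} is not in the allowlist"
    if require_uv and not parsed["user_verified"]:
        return False, "user verification flag not set"
    return True, f"device type {aaguid} allowed"


def build_sample_auth_data(aaguid: uuid.UUID, rp_id: str = "authentik.example",
                           flags: int = FLAG_UP | FLAG_UV | FLAG_AT) -> bytes:
    """Construct registration-style authenticatorData for testing (stub public key)."""
    cred_id = b"\x11" * 20
    cose_key_stub = b"\xa0"  # empty CBOR map in place of a real COSE_Key
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", 0)
            + aaguid.bytes
            + struct.pack(">H", len(cred_id))
            + cred_id
            + cose_key_stub)


if __name__ == "__main__":
    for label, aaguid in (("allowed", SAMPLE_ALLOWED_AAGUID),
                          ("unknown", SAMPLE_UNKNOWN_AAGUID),
                          ("zeroed", ZERO_AAGUID)):
        print(label, check_device_allowed(build_sample_auth_data(aaguid), ALLOWED_DEVICE_TYPES))
```

The zeroed-AAGUID branch is the practical caveat: a restriction on device types only has teeth when the enrollment requests an attestation conveyance that preserves the AAGUID, and the server should still verify the attestation statement before trusting the value.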
- Revamped UI for log messages
  Log messages from several API endpoints are now shown with much greater detail, which helps with implementing custom policies and property mappings.
- Python API Client
  There is now an official API client for Python: https://pypi.org/project/authentik-client/. It can be used to create, update and delete objects within authentik, and to authenticate through the flow executor.
- Configure LDAP sources to not store hashed passwords in authentik
  When authentik is configured to federate with an LDAP source, it hashes the password on each successful authentication and stores the hash in its own database, so that authentication keeps working when LDAP is unreachable. Admins can now disable this behaviour where it is not desirable; users of such a source then cannot authenticate while LDAP is unreachable.
  For details refer to LDAP Source
- Configurable app password token expiry
  Thanks @jmdilly for contributing this feature!
  Admins can now configure the default token duration (which defaults to minutes=30) in the admin interface, as described under Breaking changes above. This value can also be overridden per user with the goauthentik.io/user/token-maximum-lifetime attribute.
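A worked example of how a duration string such as minutes=30 and the per-user maximum-lifetime attribute combine, added here and not taken from authentik's code base. Assumed: durations use the key=value;key=value form seen in the default (minutes=30, hours=1;minutes=30); the settings default applies when the user requests nothing; a request above the user's goauthentik.io/user/token-maximum-lifetime is rejected rather than silently clamped, while the default itself is clamped to that maximum. Verify the exact precedence against the authentik documentation.

```python
"""Resolve the effective lifetime of an app-password token.

Added example, not authentik's code. Assumptions: durations use the
"key=value;key=value" form seen in the setting default ("minutes=30",
"hours=1;minutes=30"); the settings default applies when the user requests
nothing; a request above the user's goauthentik.io/user/token-maximum-lifetime
attribute is rejected, and the default is clamped to that maximum.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

DEFAULT_TOKEN_DURATION = "minutes=30"  # the 2024.4 default from the release notes
TOKEN_MAX_LIFETIME_ATTR = "goauthentik.io/user/token-maximum-lifetime"
_UNITS = ("weeks", "days", "hours", "minutes", "seconds")


def parse_duration(value: str) -> timedelta:
    """Parse 'minutes=30' or 'hours=1;minutes=30'; reject unknown units and non-positive results."""
    kwargs = {}
    for segment in value.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        unit, sep, amount = segment.partition("=")
        unit = unit.strip()
        if not sep or unit not in _UNITS:
            raise ValueError(f"unsupported duration segment {segment!r}")
        if unit in kwargs:
            raise ValueError(f"unit {unit!r} given twice in {value!r}")
        kwargs[unit] = float(amount.strip())  # ValueError on junk such as '30 hours'
    delta = timedelta(**kwargs)
    if delta <= timedelta(0):
        raise ValueError(f"duration must be positive, got {value!r}")
    return delta


def effective_token_lifetime(requested: Optional[str], user_attributes: dict,
                             default: str = DEFAULT_TOKEN_DURATION) -> timedelta:
    """Combine the tenant default, the user's request and the per-user maximum.

    user_attributes is the user's merged attribute dict (authentik also lets
    group attributes feed into this; merging is assumed done by the caller).
    """
    limit = user_attributes.get(TOKEN_MAX_LIFETIME_ATTR)
    maximum = parse_duration(limit) if limit else None
    if requested is None:
        lifetime = parse_duration(default)
        # The user asked for nothing specific: clamp the default to their maximum.
        if maximum is not None and lifetime > maximum:
            lifetime = maximum
        return lifetime
    lifetime = parse_duration(requested)
    if maximum is not None and lifetime > maximum:
        raise ValueError(
            f"requested lifetime {requested!r} exceeds the user's maximum {limit!r}")
    return lifetime


def expires_at(lifetime: timedelta, now: Optional[datetime] = None) -> datetime:
    """Absolute, timezone-aware expiry for a token issued now."""
    return (now or datetime.now(timezone.utc)) + lifetime


if __name__ == "__main__":
    # Constructed user records for the example.
    contractor = {TOKEN_MAX_LIFETIME_ATTR: "hours=1"}
    employee = {}
    print(effective_token_lifetime(None, employee))            # 0:30:00
    print(effective_token_lifetime("hours=8", employee))       # 8:00:00
    print(effective_token_lifetime("minutes=45", contractor))  # 0:45:00
    try:
        effective_token_lifetime("hours=8", contractor)
    except ValueError as err:
        print("rejected:", err)
```

Rejecting an over-limit request, rather than clamping it, keeps the cap visible to the user and to audit logs; the parser fails closed on unknown units and non-positive values so a typo in the setting cannot produce an unbounded token.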
Upgrading
This release does not introduce any new requirements.
docker-compose
To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:
wget -O docker-compose.yml https://goauthentik.io/version/2024.4/docker-compose.yml
docker compose up -d
The -O flag writes the download to docker-compose.yml, overwriting any existing local file with that name.
Kubernetes
Upgrade the Helm Chart to the new version, using the following commands:
helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.4
Minor changes/fixes
- admin: Handle latest version unknown in admin dashboard (#8858)
- api: capabilities: properly set can_save_media when s3 is enabled (#8896)
- api: fix authentication schema (#9238)
- blueprints: fix default username field in user-settings flow (#9136)
- blueprints: fix schema generation for PrimaryKeyRelated fields with non-int PK (#9140)
- blueprints: only create default brand if no other default brand exists (#9222)
- blueprints: use reconcile decorator instead of relying on function name prefix (#8483)
- brands: add indexes to brand domain and default (#9343)
- brands: fix context processor when request doesn't have a tenant (#8643)
- core: add user settable token durations (#7410)
- core: cache user application list under policies (#8895)
- core: delegated group member management (#9254)
- core: fix api schema for users and groups (#9298)
- core: fix blueprint export (#8695)
- core: optionally don't return groups' users and users' groups by default (#9179)
- core: replace authentik_signals_ignored_fields with audit_ignore (#9291)
- core: rework recovery API to return better error messages (#8655)
- enterprise/rac: fix connection token management (#8909)
- enterprise: fix audit middleware import (#9177)
- enterprise: fix read_only activating when no license is installed (#8697)
- enterprise: force license usage update after change to license (#8723)
- enterprise: only check for valid license existing for creating Enterprise objects (#8813)
- enterprise: use tenant uuid instead of install_id when tenants are enabled (#8823)
- events: add context manager to ignore/modify audit events being written (#9181)
- events: add indexes (#9272)
- events: discard notification if user has empty email (#8938)
- events: fix incorrect user logged when using API token authentication (#9302)
- events: fix log_capture (#9075)
- events: rework log messages returned from API and their rendering (#8770)
- events: sanitize args and kwargs saved in system tasks (#8644)
- flows: fix mismatched redirect behaviour for invalid and valid flows (#8794)
- internal: add tests to go flow executor (#9219)
- internal: cleanup static file serving setup code (#8965)
- lib: cache gravatar connection status (#9248)
- lifecycle: gunicorn: fix app preload (#9274)
- lifecycle: migrate: ensure template schema exists before migrating (#8952)
- outposts: improved set secret answers for flow execution (#8013)
- outposts/proxy: Fix invalid redirect on external hosts containing path components (#8915)
- outposts: Enhance config options for k8s outposts (#7363)
- providers/oauth2: fix inconsistent sub value when setting via mapping (#8677)
- providers/oauth2: fix interactive device flow (#9076)
- providers/oauth2: fix offline_access requests when prompt doesn't include consent (#8731)
- providers/oauth2: fix refresh_token grant returning incorrect id_token (#9275)
- providers/oauth2: fix validation ordering (#8793)
- providers/oauth2: improve conformance with client_credentials standard (#8471)
- providers/scim: allow custom user and group schemas (#9255)
- rbac: fix permission decorator for global permissions (#8591)
- root: cherry-pick version bump
- root: early spring clean for linting (#8498)
- root: ensure consistent install_id (#8775)
- root: expose session storage configuration (#9337)
- root: fix app settings load order (#8569)
- root: generate python client (#9107)
- root: make redis settings more consistent (#9335)
- root: move database calls from ready() to dedicated startup signal (#9081)
- root: support redis username (#8935)
- sources/ldap: add ability to disable password write on login (#8377)
- sources/ldap: fix default blueprint for mapping user DN to path (#9355)
- sources/oauth: add gitlab type [AUTH-323] (#8195)
- sources/oauth: make URLs not required, only check when no OIDC URLs are defined (#9182)
- sources/scim: cleanup service account when source is deleted (#9319)
- sources/scim: service account should be internal (#9321)
- sources: add SCIM source (#3051)
- stages/authenticator_validate: add ability to limit webauthn device types (#9180)
- stages/authenticator_validate: fix error with get_webauthn_challenge_without_user (#8625)
- stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#9268)
- stages/authenticator_webauthn: add MDS support (#9114)
- stages/authenticator_webauthn: fix attestation value (#9333)
- stages/authenticator_webauthn: fix error when enrolling new device (#8738)
- stages/email: Disable autoescape for text templates (#8812)
- stages/email: fix issue when sending emails to users with same display as email (#8850)
- stages/prompt: fix username field throwing error with existing user (#9342)
- stages/user_write: ensure user data is json-serializable (#8926)
- stages: source stage (#8330)
- tenants: really ensure default tenant cannot be deleted (#8875)
- web/admin: allow custom sorting for bound* tables (#9080)
- web/admin: don't mark LDAP group property mappings as required (#8772)
- web/admin: don't mark property mappings as required anywhere (#8752)
- web/admin: fix SAML Provider preview (#9192)
- web/admin: fix document title for admin interface (#9362)
- web/admin: fix error in admin interface due to un-hydrated context (#9336)
- web/admin: fix log viewer empty state (#9315)
- web/admin: fix markdown table rendering (#8908)
- web/admin: fix user_write stage's user type input (#9344)
- web/admin: group form dual select (#9354)
- web/admin: remove enterprise preview banner (#8991)
- web/admin: rework captcha stage (#9256)
- web/admin: small fixes (#9002)
- web/flows: fix form input rendering issue (#9297)
- web/flows: general ux improvements (#8558)
- web/flows: fix passwordless hidden without input (#9273)
- web/flows: fix webauthn retry (#8599)
- web/flows: improve authenticator styling (#8560)
- web/flows: update flow background (#9305)
- web: a few minor bugfixes and lintfixes (#9044)
- web: ak-checkbox-group for short, static, multi-select events (#9138)
- web: change "delete" verb to "remove" for one-to-many relationships (#8535)
- web: clean up UserInterface in prep for OAuth and Silo Projects (#8278)
- web: clean up and remove redundant alias '@goauthentik/app' (#8889)
- web: consistent style declarations internally (#9077)
- web: fix save & reset behavior on System ➲ Settings page. (#8528)
- web: improve build speeds even moar!!!!!! (#8954)
- web: maintenance: split tsconfig into “base” and “build” variants. (#9036)
- web: manage stacked modals with a stack (#9193)
- web: move context controllers into reactive controller plugins (#8996)
- web: preserve selected list when provider updates (#9200)
- web: provide InstallID on EnterpriseListPage (#8898)
- web: replace rollup with esbuild (#8699)
- web: restore sourcemaps (#9300)
- web: spell customization with a Z (#8596)
- web: upgrade to lit 3 (#8781)
Fixed in 2024.4.1
- core: fix logic for token expiration (cherry-pick #9426) (#9428)
- lifecycle: always try custom redis URL (cherry-pick #9441) (#9458)
- sources/oauth: ensure all UI sources return a valid source (cherry-pick #9401) (#9406)
- sources/scim: fix service account user path (cherry-pick #9463) (#9470)
- stages/identification: don't check source component (cherry-pick #9410) (#9420)
- web/admin: fix disabled button color with dark theme (cherry-pick #9465) (#9468)
- web/admin: show user internal service account as disabled (cherry-pick #9464) (#9467)
- web/common: fix locale detection for user-set locale (cherry-pick #9436) (#9439)
- web: Add resolved and integrity fields back to package-lock.json (cherry-pick #9419) (#9421)
- web: markdown: display markdown even when frontmatter is missing (cherry-pick #9404) (#9405)
Fixed in 2024.4.2
- core: fix source_flow_manager saving user-source connection too early (cherry-pick #9559) (#9578)
- core: fix task clean_expiring_models removing valid sessions with using database storage (cherry-pick #9598) (#9601)
- core: only prefetch related objects when required (cherry-pick #9476) (#9510)
- enterprise/audit: fix audit logging with m2m relations (cherry-pick #9571) (#9572)
- events: ensure all models' __str__ can be called without any further lookups (cherry-pick #9480) (#9485)
- flows: fix execute API endpoint (cherry-pick #9478) (#9481)
- lifecycle: close database connection after migrating (cherry-pick #9516) (#9531)
- providers/saml: fix ECDSA support (cherry-pick #9537) (#9544)
- providers/scim: fix SCIM ID incorrectly used as primary key (cherry-pick #9557) (#9579)
- providers/scim: fix Sync task's time_limit not set correctly (cherry-pick #9546) (#9553)
- sources/oauth: fix OAuth2 Client sending token request incorrectly (cherry-pick #9474) (#9475)
- sources/scim: fix duplicate groups and invalid schema (cherry-pick #9466) (#9606)
- tenants: fix scheduled tasks not running on default tenant (cherry-pick #9583) (#9586)
- web/flows: fix error when enrolling multiple WebAuthn devices consecutively (cherry-pick #9545) (#9547)
- web/flows: fix missing fallback for flow logo (cherry-pick #9487) (#9492)
- web: Add missing integrity hashes to package-lock.json (#9527)
Fixed in 2024.4.3
- core: fix source flow_manager not always appending save stage (cherry-pick #9659) (#9662)
- security: fix CVE-2024-37905, reported by @m2a2 (cherry-pick #10230) (#10236)
- security: fix CVE-2024-38371, reported by Stefan Zwanenburg (cherry-pick #10229) (#10233)
- sources/saml: fix FlowPlanner error due to pickle (cherry-pick #9708) (#9709)
- web: fix value handling inside controlled components (cherry-pick #9648) (#9685)
Fixed in 2024.4.4
- security: fix CVE-2024-42490, reported by @m2a2 (cherry-pick #11022) (#11024)
API Changes
What's New
- GET /sources/scim/
- POST /sources/scim/
- GET /sources/scim/{slug}/
- PUT /sources/scim/{slug}/
- DELETE /sources/scim/{slug}/
- PATCH /sources/scim/{slug}/
- GET /sources/scim/{slug}/used_by/
- GET /sources/scim_groups/
- POST /sources/scim_groups/
- GET /sources/scim_groups/{id}/
- PUT /sources/scim_groups/{id}/
- DELETE /sources/scim_groups/{id}/
- PATCH /sources/scim_groups/{id}/
- GET /sources/scim_groups/{id}/used_by/
- GET /sources/scim_users/
- POST /sources/scim_users/
- GET /sources/scim_users/{id}/
- PUT /sources/scim_users/{id}/
- DELETE /sources/scim_users/{id}/
- PATCH /sources/scim_users/{id}/
- GET /sources/scim_users/{id}/used_by/
- GET /stages/authenticator/webauthn_device_types/
- GET /stages/authenticator/webauthn_device_types/{aaguid}/
- GET /stages/source/
- POST /stages/source/
- GET /stages/source/{stage_uuid}/
- PUT /stages/source/{stage_uuid}/
- DELETE /stages/source/{stage_uuid}/
- PATCH /stages/source/{stage_uuid}/
- GET /stages/source/{stage_uuid}/used_by/
- POST /core/users/{id}/recovery/
- POST /core/users/{id}/recovery_email/
What's Deleted
- GET /core/users/{id}/recovery/
- GET /core/users/{id}/recovery_email/
The recovery endpoints now require POST; API clients that created recovery links or recovery emails with GET must be updated.
What's Changed
- GET /admin/apps/
- GET /admin/models/
- GET /admin/settings/
  Return type: changed response 200 OK (content type application/json)
  - Added property default_token_duration (string): Default token duration
  - Added property default_token_length (integer): Default token length
- PUT /admin/settings/
  Request: changed content type application/json
  - Added property default_token_duration (string): Default token duration
  - Added property default_token_length (integer): Default token length
  Return type: changed response 200 OK (content type application/json)
  - Added property default_token_duration (string): Default token duration
  - Added property default_token_length (integer): Default token length
- PATCH /admin/settings/
  Request: changed content type application/json
  - Added property default_token_duration (string): Default token duration
  - Added property default_token_length (integer): Default token length
  Return type: changed response 200 OK (content type application/json)
  - Added property default_token_duration (string): Default token duration
  - Added property default_token_length (integer): Default token length