authentik/website/docs/releases/v2021.10.md

7.5 KiB

title slug
Release 2021.10 2021.10

Headline Changes

  • Flow Inspector

    To better understand how a flow works, and why things might not be working as intended, you can now launch Flows with an inspector enabled. This is simply triggered by adding a ?inspector to the URL. Currently, only superuser have the permission to access the Inspector.

    The inspector shows the current stage, previous stages, next planned stages, and the current flow context.

  • SMS Authenticator

    You can now use SMS-based TOTP authenticators. This new Stage supports both Twilio, and a generic API endpoint, if using another provider. This stage does not have to be used for authentication, it can simply be used during enrollment to verify your users phone numbers.

  • Sign in with Apple

    It is now possible to add an Apple OAuth Source, to allow your users to authenticate with their Apple ID.

A huge shoutout to all the people that contributed, helped test and also translated authentik. This is the first release that has as full French translation!

Minor changes

  • *: Squash Migrations (#1593)
  • admin: clear update notification when notification's version matches current version
  • cmd: prevent outposts from panicking when failing to get their config
  • core: add default for user's settings attribute
  • core: add settings serializer to user/me and update_self endpoints, saved in a key in attributes
  • core: improve detection for s3 settings to trigger backup
  • core: include group uuids in self serializer
  • core: make user's name field fully optional
  • flows: inspector (#1469)
  • internal: add internal healthchecking to prevent websocket errors
  • internal/proxyv2: improve error handling when configuring app
  • lifecycle: bump celery healthcheck to 5s timeout
  • lifecycle: only lock database when system migrations need to be applied, and during django migrations, and don't double unlock
  • lifecycle: only set prometheus_multiproc_dir in ak wrapper to prevent full disk on worker
  • managed: don't run managed reconciler in foreground on startup
  • outpost/proxy: fix missing negation for internal host ssl verification
  • outposts: add additional error checking for docker controller
  • outposts: Adding more flexibility to outposts in Kubernetes. (#1617)
  • outposts: allow disabling of docker controller port mapping
  • outposts: check ports of deployment in kubernetes outpost controller
  • outposts: don't always build permissions on outpost.user access, only in signals and tasks
  • outposts: fallback to known-good outpost image if configured image cannot be pulled
  • outposts: fix error when comparing ports in docker controller when port mapping is disabled
  • outposts: handle k8s 422 response code by recreating objects
  • outposts: rename docker_image_base to container_image_base, since its not docker specific
  • outposts/ldap: Support hard coded uidNumber and gidNumber. (#1582)
  • outposts/proxy: add new headers with unified naming
  • outposts/proxy: fix duplicate protocol in domain auth mode
  • outposts/proxy: show full error message when user is authenticated
  • policies: add additional filters to create flow charts on frontend
  • policies/password: add extra sub_text field in tests
  • providers/ldap: use RDN when using posixGroup's memberUid attribute (#1514)
  • providers/proxy: always check ingress secret in kubernetes controller
  • providers/proxy: update ingress controller to work with k8s 1.22
  • recovery: handle error when user doesn't exist
  • root: add docker-native healthcheck for web and celery
  • root: add translation for backend strings
  • root: coverage with toml support
  • root: fix error with sentry proxy
  • root: migrate docker images to netlify proxy (#1603)
  • root: remove redundant internal network from compose
  • root: remove structlog.processors.format_exc_info for new structlog version
  • root: Use fully qualified names for docker bases base images. (#1490)
  • sources/ldap: add support for Active Directory userAccountControl attribute
  • sources/ldap: don't sync ldap source when no property mappings are set
  • sources/ldap: fix logic error in Active Directory account disabled status
  • sources/oauth: add Sign in with Apple (#1635)
  • stages/authenticator_sms: add generic provider (#1595)
  • stages/authenticator_sms: Add SMS Authenticator Stage (#1577)
  • stages/authenticator_validate: create a default authenticator validate stage with sensible defaults
  • stages/email: add activate_user_on_success flag, add for all example flows
  • stages/prompt: add sub_text field to add HTML below prompt fields
  • stages/prompt: fix sub_text not allowing blank
  • stages/prompt: fix wrong field type of field_key
  • stages/user_login: add check for user.is_active and tests
  • stages/user_write: allow recursive writing to user.attributes
  • web: add locale detection
  • web: ensure fallback locale is loaded
  • web: fix rendering of token copy button in dark mode
  • web: fix strings not being translated at all when matching browser locale not found
  • web: make table pagination size user-configurable
  • web: new default flow background
  • web: Translate /web/src/locales/en.po in fr_FR (#1506)
  • web/admin: add fallback font for doughnut charts
  • web/admin: default to warning state for backup task
  • web/admin: don't require username nor name for activate/deactivate toggles
  • web/admin: fix description for flow import
  • web/admin: fix LDAP Source form not exposing syncParentGroup
  • web/admin: fix search group label
  • web/admin: fix SMS Authenticator stage not loading state correctly
  • web/admin: improve visibility of oauth rsa key
  • web/admin: only show outpost deployment info when not embedded
  • web/admin: truncate prompt label when too long
  • web/elements: fix initialLoad not being done when viewportCheck was disabled
  • web/elements: fix model form always loading when viewport check is disabled
  • web/elements: use dedicated button for search clear instead of webkit exclusive one
  • web/flows: adjust message for email stage
  • web/user: don't show managed tokens in user interface
  • web/user: initial optimisation for smaller screens
  • web/user: load interface settings from user settings

Fixed in 2021.10.1-rc2

  • core: add user flag to prevent users from changing their usernames
  • core: log user for http requests
  • flows: clear cache when deleting bindings
  • outpost/ldap: fix logging for mismatched provider
  • root: add cookie domain setting
  • sources/oauth: add choices to oauth provider_type
  • web: disable Sentry.showReportDialog
  • web/flows: showing of authentik logo in flow executor
  • web/flows: fix authenticator device selection not updating
  • web/flows: show cancel link when choosing authenticator challenge

Fixed in 2021.10.1-rc3

  • api: fix error when connection to websocket via secret_key
  • core: add toggle to completely disable backup mechanism
  • core: add USER_ATTRIBUTE_CHANGE_EMAIL
  • events: fix error when notification transport doesn't exist anymore
  • outposts: fix docker controller not using object_naming_template
  • providers/oauth2: fallback to uid if UPN was selected but isn't available
  • providers/oauth2: fix events being created from /application/o/authorize/
  • sources/ldap: prevent key users from being set as this is an M2M relation
  • sources/ldap: skip values which are of type bytes

Upgrading

This release does not introduce any new requirements.

docker-compose

Download the docker-compose file for 2021.10 from here. Afterwards, simply run docker-compose up -d.

Kubernetes

Update your values to use the new images:

image:
  repository: goauthentik.io/server
  tag: 2021.10.1