authentik/website/docs/releases/v2021.12.md

10 KiB

title slug
Release 2021.12 2021.12

Headline changes

This release does not have any headline features, and mostly fixes bugs.

Breaking changes

  • stages/prompt: Before 2021.12, any policy was required to pass for the result to be considered valid. This has been changed, and now all policies are required to be valid.

Minor changes

  • core: make defaults for _change_email and _change_username configurable
  • core: remove dump_config, handle directly in config loader without booting django, don't check database
  • events: add gdpr_compliance option
  • internal: fix integrated docs not working
  • internal: use runserver when debug for code reload
  • lib: add cli option for lib.config
  • lib: add improved log to sentry events being sent
  • lib: fix custom URL schemes being overwritten
  • lib: load json strings in config env variables
  • lib: log error for file:// in config
  • lifecycle: allow custom worker count in k8s
  • lifecycle: improve backup restore by dropping database before
  • lifecycle: improve redis connection debug py printing full URL
  • outpost: configure error reporting based off of main instance config
  • outposts: don't panic when listening for metrics fails
  • outposts: reload on signal USR1, fix display of reload offset
  • outposts/ldap: copy boundUsers map when running refresh instead of using blank map
  • outposts/ldap: fix panic when attempting to update without locked users mutex
  • outposts/proxy: continue compiling additional regexes even when one fails
  • outposts/proxy: show better error when hostname isn't configured
  • outposts/proxy: use disableIndex for static files
  • policies/expression: fix ak_user_has_authenticator evaluation when not specifying optional device_type (#1849)
  • providers/saml: fix SessionNotOnOrAfter not being included
  • root: add lifespan shim to prevent errors
  • root: fix settings for managed not loaded
  • root: make sentry sample rate configurable
  • stages/authenticator_validate: catch error when attempting to configure user without flow
  • stages/email: fix missing component in response when retrying email send
  • stages/email: minify email css template
  • stages/email: prevent error with duplicate token
  • web: improve dark theme for vertical tabs
  • web: only show applications with http link
  • web/admin: allow flow edit on flow view page
  • web/admin: fix actions column on ip reputation page
  • web/admin: fix Forms with file uploads not handling errors correctly
  • web/admin: make object view pages more consistent
  • web/admin: make user clickable for bound policies list
  • web/admin: redesign provider pages to provide more info
  • web/admin: show changelog on user info page
  • web/admin: unify rendering and sorting of user lists
  • web/elements: add new API to store attributes in URL, use for table and tabs
  • web/elements: allow app.model names for ak-object-changelog
  • web/elements: allow multiple tabs with different state
  • web/flows: fix spinner during webauthn not centred
  • web/flows: update default background
  • web/user: fix filtering for applications based on launchURL
  • web/user: fix height issues on user interface

Fixed in 2021.12.1-rc2

  • *: don't use go embed to make using custom files easier
  • crypto: add certificate discovery to automatically import certificates from lets encrypt
  • crypto: fix default API not having an ordering
  • outposts: always trigger outpost reconcile on startup
  • outposts/ldap: Rework/improve LDAP search logic. (#1687)
  • outposts/proxy: make logging fields more consistent
  • outposts/proxy: re-add rs256 support
  • providers/proxy: fix defaults for traefik integration
  • providers/proxy: use wildcard for traefik headers copy
  • providers/saml: fix error when using post bindings and user freshly logged in
  • providers/saml: fix IndexError in signature check
  • sources/ldap: add optional tls verification certificate
  • sources/ldap: allow multiple server URIs for loadbalancing and failover
  • sources/ldap: don't cache LDAP Connection, use random server
  • sources/ldap: handle typeerror during creation of objects when using wrong keyword params
  • sources/plex: fix plex token being included in event log
  • stages/prompt: fix error when both default and required are set
  • web/admin: add spinner to table refresh button to show progress
  • web/admin: don't show disabled http basic as red
  • web/admin: fix wrong description for reputation policy
  • web/flows: fix linting errors
  • web/flows: Revise duo authenticator login prompt text (#1872)

Fixed in 2021.12.1-rc3

  • core: add FlowToken which saves the pickled flow plan, replace standard token in email stage to allow finishing flows in different sessions
  • core: fix missing permission check for group creating when creating service account
  • outposts/ldap: Fix search case sensitivity. (#1897)
  • policies/expression: add ak_call_policy
  • providers/saml: add ?force_binding to limit bindings for metadata endpoint
  • root: add request_id to celery tasks, prefixed with "task-"
  • sources/*: Allow creation of source connections via API
  • stages/prompt: use policyenginemode all
  • tests/e2e: add post binding test
  • web: fix duplicate classes, make generic icon clickable
  • web: fix text colour for bad request on light mode
  • web/admin: show outpost warning on application page too
  • web/elements: close dropdown when refresh event is dispatched
  • web/user: allow custom font-awesome icons for applications

Fixed in 2021.12.1-rc4

  • core: fix error when using invalid key-values in attributes query
  • flows: fix error in inspector view
  • flows: fix error when trying to print FlowToken objects
  • lib: correctly report "faked" IPs to sentry
  • outposts: add additional checks for websocket connection
  • outposts: cleanup logs for failed binds
  • outposts: don't try to create docker client for embedded outpost
  • outposts: fix docker controller not stopping containers
  • outposts: fix unlabeled transaction
  • outposts: handle RuntimeError during websocket connect
  • outposts: rewrite re-connect logic without recws
  • outposts: set display name for outpost service account
  • outposts/ldap: fix searches with mixed casing
  • outposts/proxy: use filesystem storage for non-embedded outposts
  • policies: don't always clear application cache on post_save
  • stagse/authenticator_webauthn: remove pydantic import
  • web: fix borders of sidebars in dark mode

Fixed in 2021.12.1-rc5

  • crypto: add additional validation before importing a certificate
  • events: add flow_execution event type
  • events: fix schema for top_per_user
  • flows: fix wrong exception being caught in flow inspector
  • outposts: reset backoff after successful connect
  • outposts/proxy: fix securecookie: the value is too long again, since it can happen even with filesystem storage
  • providers/oauth2: add additional logging to show with token path is taken
  • providers/oauth2: use generate_key instead of uuid4
  • sources/ldap: fix incorrect task names being referenced, use source native slug
  • sources/oauth: add initial okta type
  • sources/oauth: allow oauth types to override their login button challenge
  • sources/oauth: implement apple native sign-in using the apple JS SDK
  • sources/oauth: strip parts of custom apple client_id
  • stages/authenticator_webauthn: make user_verification configurable
  • stages/identification: fix miscalculated sleep
  • stages/invitation: use GroupMemberSerializer serializer to prevent all of the user's groups and their users from being returned
  • web: add link to open API Browser for API Drawer
  • web/admin: add dashboard with user creation/login statistics
  • web/admin: fix invalid display for LDAP Source sync status
  • web/admin: fix rendering for applications on view page
  • web/admin: fix rendering of applications with custom icon
  • web/admin: improve wording for froward_auth, don't show setup when using proxy mode
  • web/admin: show warning when deleting currently logged in user
  • web/admin: update overview page
  • web/flows: fix error when attempting to enroll new webauthn device

Fixed in 2021.12.1

  • core: fix error when attempting to provider from cached application
  • events: improve app lookup for event creation
  • internal: cleanup duplicate and redundant code, properly set sentry SDK scope settings
  • lifecycle: add -Ofair to celery
  • web/admin: add sidebar to applications
  • web/admin: fix notification unread colours not matching on user and admin interface
  • web/admin: fix stage related flows not being shown in a list
  • web/elements: add Markdown component to improve rendering
  • web/elements: add support for sidebar on table page
  • web/elements: close notification drawer when clearing all notifications

Fixed in 2021.12.2

  • core: don't rotate non-api tokens
  • crypto: fix private keys not being imported correctly
  • outposts: release binary outposts (#1954)
  • outposts/proxy: match skipPathRegex against full URL on domain auth
  • policies/password: add minimum digits
  • providers/oauth2: don't rely on expiry task for access codes and refresh tokens
  • sources/oauth: allow writing to user in SourceConnection
  • web: ignore instantSearchSDKJSBridgeClearHighlight error on edge on iOS
  • web/admin: fix background colour for application sidebar
  • web/elements: fix border between search buttons

Fixed in 2021.12.3

  • *: revert to using GHCR directly
  • core: fix error when getting launch URL for application with non-existent Provider
  • internal: fix sentry sample rate not applying to proxy
  • internal: rework global logging settings, embedded outpost no longer overwrites core
  • outpost: re-run globalSetup when updating config, allowing for live log level changes
  • outposts: handle/ignore http Abort handler
  • outposts/ldap: fix log formatter and level not being set correctly
  • outposts/proxy: add initial redirect-loop prevention
  • outposts/proxy: fix allowlist for forward_auth and traefik
  • outposts/proxy: fix ping URI not being routed
  • outposts/proxy: fix session not expiring correctly due to miscalculation
  • root: allow trace log level to work for core/embedded
  • root: don't set secure cross opener policy
  • root: drop redis cache sentry errors
  • root: fix inconsistent URL quoting of redis URLs
  • web/admin: add outpost type to list
  • web/admin: auto set the embedded outpost's authentik_host on first view
  • web/admin: don't auto-select certificate for LDAP source verification
  • web/admin: fix border for outpost health status

Upgrading

This release does not introduce any new requirements.

docker-compose

Download the docker-compose file for 2021.12 from here. Afterwards, simply run docker-compose up -d.

Kubernetes

Update your values to use the new images:

image:
  repository: ghcr.io/goauthentik/server
  tag: 2021.12.1-rc1