Release 2023.2 - Signout and Avatar improvements
New features
-
Proxy provider logout improvements
In previous versions, logging out of a single proxied application would only invalidate that application's session. Starting with this release, when logging out of a proxied application (via the /outpost.goauthentik.io/sign_out URL), all the users session within the outpost are terminated. Sessions in other outposts and with other protocols are unaffected.
Additionally, different providers now have different cookies, instead of all using the same "authentik_proxy" token.
-
UX Improvements
As with the previous improvements, we've made a lot of minor improvements to the general authentik UX to make your life easier.
-
OAuth2 Provider improvements
The OAuth2 provider has been reworked to be closer to OAuth specifications and better support refresh tokens and offline access. Additionally the expiry for access tokens and refresh tokens can be adjusted separately now.
-
Generated avatars, multiple avatar modes
authentik now supports multiple avatar modes, and will use the next configured mode when a mode doesn't have an avatar. For example, the new default configuration attempts to use gravatar, but if the user's email does not have a gravatar setup, it will instead use the new generated avatars. See Configuration
Upgrading
This release does not introduce any new requirements.
docker-compose
Download the docker-compose file for 2023.2 from here. Afterwards, simply run docker-compose up -d
.
Kubernetes
Update your values to use the new images:
image:
repository: ghcr.io/goauthentik/server
tag: 2023.2.0
Minor changes/fixes
- */saml: disable pretty_print, add signature tests
- blueprints: don't update default tenant
- blueprints: handle error when blueprint entry identifier field does not exist
- core: Add support for auto generating unique avatars based on the user's initials (#4663)
- core: delete session when user is set to inactive
- core: fix inconsistent branding in end_session view
- core: fix missing uniqueness validator on user api
- core: fix token's set_key accessing data incorrectly
- events: dont log oauth temporary model creation
- events: improve sanitising for tuples and sets
- events: prevent error when request fails without response
- internal: better error message when outpost API controller couldn't fetch outposts
- internal: fix cache-control header
- policies/event_matcher: fix empty app label not being allowed, require at least 1 criteria
- providers/ldap: add unbind flow execution (#4484)
- providers/ldap: fix error not being checked correctly when fetching users
- providers/oauth2: add user id as "sub" mode
- providers/oauth2: don't use policy cache for token requests
- providers/oauth2: only set auth_time in ID token when a login event is stored in the session
- providers/oauth2: optimise client credentials JWT database lookup (#4606)
- providers/oauth2: rework OAuth2 Provider (#4652)
- providers/proxy: add token support for basic auth
- providers/proxy: different cookie name based on hashed client id (#4666)
- providers/proxy: outpost wide logout implementation (#4605)
- providers/saml: fix invalid SAML provider metadata, add schema tests
- providers/saml: fix mismatched SAML SLO Urls (#4655)
- stages/authenticator_validate: fix error with passwordless webauthn login
- stages/prompt: field name (#4497)
- stages/user_write: fix migration setting wrong value, fix form
- web: fix token delete form not showing token identifiers
- web/admin: add notice for user_login stage session cookie behaviour
- web/admin: clarify access code expiration
- web/admin: default to disable policy execution logging
- web/admin: fix certificate filtering for SAML verification certificate
- web/admin: rework event info page to show all event infos
- web/elements: add dropdown css to DOM directly instead of including
- web/elements: fix ak-expand not using correct font
- web/elements: fix clashing page url param
- web/elements: improve codemirror contrast in dark theme
- web/elements: make table rows clickable to select items
- web/elements: persist table page in URL parameters
- web/flows: fix flow background overlay on firefox
- web/user: filter tokens by username
- web/user: refactor loading of data in userinterface
Fixed in 2023.2.1
- internal: fix scheme not being forwarded correctly for host intercepted requests
- sources/ldap: add LDAP Debug endpoint
- web/admin: improve action button spinner on ldap source page
- web/admin: remove groups and users from users and group form to prevent accidental removal when updating
- web/admin: use full page size for modals
Fixed in 2023.2.2
- flows: include flow authentication requirement in diagram
- lib: don't try to cache generated avatar with full user, only cache with name
- providers/ldap: check MFA password on password stage
- providers/proxy: fix client credential flows not using http interceptor
- providers/proxy: fix value is too long with filesystem sessions
- root: use channel send workaround for sync sending of websocket messages
- web/admin: fix error when creating new users
- web/user: revert truncate behaviour for application description
Fixed in 2023.2.3
- *: fix CVE-2023-26481.md, Reported by @fuomag9
API Changes
What's New
POST
/admin/system/
What's Changed
POST
/core/tokens/{identifier}/set_key/
GET
/providers/oauth2/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
sub_mode
(string)Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Added enum value:
user_id
-
PUT
/providers/oauth2/{id}/
Request:
Changed content type : application/json
-
Changed property
sub_mode
(string)Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Added enum value:
user_id
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
sub_mode
(string)Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Added enum value:
user_id
-
PATCH
/providers/oauth2/{id}/
Request:
Changed content type : application/json
-
Changed property
sub_mode
(string)Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Added enum value:
user_id
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
sub_mode
(string)Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Added enum value:
user_id
-
POST
/providers/oauth2/
Request:
Changed content type : application/json
-
Changed property
sub_mode
(string)Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Added enum value:
user_id