Release 2022.12
Breaking changes
- 
Blueprints fetched via OCI require oci:// schema To better detect if a blueprint should be fetched locally or via OCI, all OCI sourced blueprints require an oci://protocol.
New features
- 
Bundled GeoIP City database authentik now comes with a bundled MaxMind GeoLite2 City database. This allows everyone to take advantage of the extra data provided by GeoIP. The default docker-compose file removes the GeoIP update container as it is no longer needed. See more here. 
- 
Improved UX for user & group management and stage/policy binding Users can now more easily be added to and removed from groups, both when viewing a single user and viewing a group. When creating new stages or policies, authentik will now automatically offer an option to bind them to the object in whose context they were created in. Select inputs were previously limited to showing a single page of items (default size of 100 items). These inputs have been replaced by dynamically loading inputs which support searching and better show the properties of the item. 
- 
Preview for OAuth2 and SAML providers OAuth2 and SAML providers can now preview what the currently selected property/scope mappings's outcome will look like. This helps with seeing what data is sent to the client and implementing and testing custom mappings. 
- 
Customisable Captcha stage The captcha stage now supports alternate compatible providers, like hCaptcha and Turnstile. 
Upgrading
This release does not introduce any new requirements.
docker-compose
Download the docker-compose file for 2022.12 from here. Afterwards, simply run docker-compose up -d.
Kubernetes
Update your values to use the new images:
image:
    repository: ghcr.io/goauthentik/server
    tag: 2022.12.0
Minor changes/fixes
- blueprints: add !Env tag
- blueprints: add !Iftag (#4264)
- blueprints: add conditions to blueprint schema
- blueprints: Added conditional entry application (#4167)
- blueprints: better OCI support in UI (#4263)
- blueprints: fixed bug causing filtering with an empty query (#4106)
- blueprints: Support nested custom tags in !Findand!Formattags (#4127)
- core: add endpoints to add/remove users from group atomically
- core: bundle geoip (#4250)
- events: fix incorrect EventAction being used
- events: improve handling creation of events with non-pickleable objects
- events: remove legacy logger declaration
- events: save login event in session after login
- flows: fix redirect from plan context "redirect" not being wrapped in flow response
- flows: set stage name and verbose_name for in_memory stages
- internal: dont error if environment config isn't found
- internal: remove sentry proxy
- internal: reuse http transport to prevent leaking connections (#3996)
- lib: enable sentry profiles_sample_rate
- lib: fix uploaded files not being saved correctly, add tests
- lifecycle: don't set user/group in gunicorn
- lifecycle: improve explanation for user: root and docket socket mount
- policies: don't log context when policy returns None
- policies: log correct cache state
- policies: make name required
- policies/password: Always add generic message to failing zxcvbn check (#4100)
- providers: add preview for mappings (#4254)
- providers/ldap: improve mapping of LDAP filters to authentik queries
- providers/oauth2: optimise and cache signing key, prevent key being loaded multiple times
- providers/oauth2: set amr values based on login event
- providers/proxy: correctly set id_token_hint if possible
- providers/saml: set AuthnContextClassRef based on login event
- root: allow custom settings via python module
- root: migrate to hosted sentry with rate-limited DSN
- security: fix CVE 2022 23555 (#4274)
- security: fix CVE 2022 46145 (#4140)
- security: fix CVE 2022 46172 (#4275)
- stages/authenticator_duo: fix imported duo devices not being confirmed
- stages/authenticator_validate: fix validation to ensure configuration stage is set
- stages/authenticator_validate: improve validation for not_configured_action
- stages/authenticator_validate: log duo error
- stages/authenticator_validate: save used mfa devices in login event
- stages/captcha: customisable URLs (#3832)
- stages/invitation: fix incorrect pk check for invitation's flow
- stages/user_login: prevent double success message when logging in via source
- stages/user_write: always ignore componentfield and prevent warning
- web: fix authentication with Plex on iOS (#4095)
- web: ignore d3 circular deps warning, treat unresolved import as error
- web: use version family subdomain for in-app doc links
- web/admin: better show metadata download for saml provider
- web/admin: break all in code blocks in event info
- web/admin: clarify phrasing that user ID is required
- web/admin: fix action button order for blueprints
- web/admin: fix alignment in tables with multiple elements in cell
- web/admin: fix empty request being sent due to multiple forms in duo import modal
- web/admin: improve i18n for documentation link in outpost form
- web/admin: improve UI for removing users from groups and groups from users
- web/admin: improve user/group UX for adding/removing users to and from groups
- web/admin: more consistent label usage, use compact labels
- web/admin: rework markdown, correctly render Admonitions, fix links
- web/admin: show bound policies order first to match stages
- web/admin: show policy binding form when creating policy in bound list
- web/admin: show stage binding form when creating stage in bound list
- web/elements: fix alignment for checkboxes in table
- web/elements: fix alignment with checkbox in table
- web/elements: fix log level for diagram
- web/elements: fix table select-all checkbox being checked with no elements
- web/elements: fix wizard form page changing state before being active
- web/elements: unselect top checkbox in table when not all elements are selected
- web/flows: fix display for long redirect URLs
- web/flows: improve error messages for failed duo push
- web/flows: update flow background
- web/user: fix styling for clear all button in notification drawer
Fixed in 2022.12.1
- api: add filter backend for secret key to allow access to tenants and certificates
- blueprints: fix error when entry with state absent doesn't exist
- blueprints: Resolve yamltags in state and model attributes (#4299)
- outposts: include hostname in outpost heartbeat
- outposts/ldap: only use common cert if cert is configured
- outposts/ldap: use configured certificate for LDAPS when all providers' certificates are identical
- web/admin: migrate selection to ak-search-select
- web/admin: rework outpost health
- web/elements: add grouping and descriptions to search select
- web/elements: make ak-search-select limited in height and scroll
- web/elements: render ak-seach-select dropdown correctly in modals
- web/user: fix user settings stuck loading
Fixed in 2022.12.2
- admin: use matching environment for system API
- crypto: fix type for has_key
- providers/oauth2: fix null amr value not being removed from id_token
- providers/saml: don't error if no request in API serializer context
- stages/captcha: fix captcha not loading correctly, add tests
- stages/dummy: add toggle to throw error for debugging
- stages/email: make template tests less flaky
- stages/email: use pending user correctly
- stages/prompt: use stage.get_pending_user() to fallback to the correct user
- web: add check compile test to prevent compile errors/warnings
- web: ensure locales are built for tsc check
- web: update tsconfig strictness
- web/admin: add Radio control, search-select fixes (#4333)
- web/admin: fix error in outpost form dropdown
- web/admin: fix error when creating SAML Provider from metadata
- web/elements: correctly display selected empty option when blankable is enabled
- web/elements: fix dropdown menu closing before selecting item sometimes
- web/elements: fix selection of blank elements in search-select, fix issue when re-opening dropdown
- web/elements: tabs: only find pages for directly related slots
- web/elements: trigger search select data update on connected callback
- web/flows: add close button to flow inspector
- web/flows: fix alternate captchas not loading
- web/flows: rework error display, always use ak-stage-flow-error instead of shell
Fixed in 2022.12.3
- *: fix CVE-2023-26481, Reported by @fuomag9
API Changes
What's Changed
GET /stages/captcha/{stage_uuid}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Added property js_url(string)
- 
Added property api_url(string)
- 
Changed property public_key(string)Public key, acquired your captcha Provider. 
 
- 
PUT /stages/captcha/{stage_uuid}/
Request:
Changed content type : application/json
- 
Added property js_url(string)
- 
Added property api_url(string)
- 
Changed property public_key(string)Public key, acquired your captcha Provider. 
- 
Changed property private_key(string)Private key, acquired your captcha Provider. 
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Added property js_url(string)
- 
Added property api_url(string)
- 
Changed property public_key(string)Public key, acquired your captcha Provider. 
 
- 
PATCH /stages/captcha/{stage_uuid}/
Request:
Changed content type : application/json
- 
Added property js_url(string)
- 
Added property api_url(string)
- 
Changed property public_key(string)Public key, acquired your captcha Provider. 
- 
Changed property private_key(string)Private key, acquired your captcha Provider. 
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Added property js_url(string)
- 
Added property api_url(string)
- 
Changed property public_key(string)Public key, acquired your captcha Provider. 
 
- 
GET /flows/executor/{flow_slug}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/jsonUpdated ak-stage-captchacomponent: New required properties:- 
js_url
 - Added property js_url(string)
 
- 
POST /flows/executor/{flow_slug}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/jsonUpdated ak-stage-captchacomponent: New required properties:- 
js_url
 - Added property js_url(string)
 
- 
POST /stages/captcha/
Request:
Changed content type : application/json
- 
Added property js_url(string)
- 
Added property api_url(string)
- 
Changed property public_key(string)Public key, acquired your captcha Provider. 
- 
Changed property private_key(string)Private key, acquired your captcha Provider. 
Return Type:
Changed response : 201 Created
- 
Changed content type : application/json- 
Added property js_url(string)
- 
Added property api_url(string)
- 
Changed property public_key(string)Public key, acquired your captcha Provider. 
 
- 
GET /stages/captcha/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property results(array)Changed items (object): > CaptchaStage Serializer - 
Added property js_url(string)
- 
Added property api_url(string)
- 
Changed property public_key(string)Public key, acquired your captcha Provider. 
 
- 
 
-