Release 2023.3 - SCIM support
New features
- 
SCIM support infoThis feature is still in technical preview, so please report any Bugs you run into on GitHub. authentik can now provision users into other IT systems via the SCIM (System for Cross-domain Identity Management) protocol. The provider synchronizes Users, Groups and the user membership. Objects are synced both when they are saved and based on a pre-defined schedule in the background. Documentation: SCIM Provider 
- 
Theming improvements - The custom.css file is now loaded in ShadowDOMs, allowing for much greater customization, as previously it was only possible to style elements outside of the ShadowDOM. See docs for Flow, User and Admin interfaces.
- Previously, authentik would automatically switch between dark and light theme based on the users' browsers' settings. This can now be overridden to either force the light or dark theme, per user/group/tenant. See docs for Flow, User and Admin interfaces.
 
Upgrading
This release does not introduce any new requirements.
docker-compose
Download the docker-compose.yml file for 2023.3 from here. Afterwards, simply run docker-compose up -d.
Kubernetes
Update your values to use the new images:
image:
    repository: ghcr.io/goauthentik/server
    tag: 2023.3.0
Minor changes/fixes included in release 2023.3
- *: add additional Prometheus metrics, remove unusable high entropy metrics
- blueprints: improve error handling in example flow
- core: Add resolve_dnsandreverse_dnsfunctions to evaluator (#4769)
- core: bootstrap email (#4788)
- core: enforce unique on names where it makes sense (#4866)
- core: fix bug causing whitespace-only names to raise exception when generating avatars (#4746)
- core: fix error when creating token without request in context
- core: improve service account creation (#4751)
- events: fix m2m_change events not being logged
- events: set task start time before start, not on time of init (#4908)
- flows: change default flow stage binding settings (#4784)
- flows: planner error handling (#4812)
- internal: fix crash when port 9000 is in use (#4863)
- providers: SCIM (#4835)
- providers/ldap: improve compatibility with LDAP clients (#4750)
- providers/ldap: making LDAP compatible with Synology (#4694)
- providers/oauth2: fix missing information for revoked token access events
- providers/oauth2: OpenID conformance (#4758)
- providers/proxy: ensure issuer is correct when browser URL override is set
- providers/proxy: strip scheme when comparing redirect URL
- providers/scim: add option to filter out service accounts, parent group (#4862)
- providers/scim: customizable externalId, document behavior (#4868)
- providers/scim: handle ServiceProviderConfig 404 (#4915)
- root: fix session middleware for websocket connections (#4909)
- sources/ldap: improve error handling for password complexity (#4780)
- sources/oauth: fix not all token errors being logged with response
- sources/plex: fix check_token error unusable if token is empty (#4834)
- stages/authenticator_sms: fix twilio sending (#4829)
- stages/user_login: add option to terminate other sessions (#4754)
- stages/user_login: set session expiry before login (#4920)
- tests/e2e: use example blueprints for testing (#4805)
- web: fetch custom.css via fetch and add stylesheet (#4804)
- web: toggle dark/light theme manually (#4876)
- web/admin: fix chart display with no sources (#4782)
- web/admin: fix issue with wizard's Next button incorrectly disabled when radio button is already selected (#4821)
- web/admin: fix SCIM provider layout (#4919)
- web/admin: workaround for tenant certificate selection being cut off (#4820)
- web/elements: add loading spinner for charts, render middle text with CSS
- web/elements: fix center text not scrolling with container (#4853)
- web/elements: fix copy on insecure origins (#4917)
- web/elements: fix flipped theme in codemirror (#4901)
- web/flows: fix compatibility mode (#4910)
- web/flows: fix fa:// icons in sources not shown correctly
- web/user: fix source connections not being filtered (#4778)
Fixed in 2023.3.1
- *: fix mismatched task names for discovery, make output service connection task monitored (#4956)
- core: fix application launch url validator (#4957)
- providers: fix authorization_flow not required in API (#4932)
- providers/ldap: fix duplicate attributes (#4972)
- providers/oauth2: fix response for response_type code and response_mode fragment (#4975)
- stages/authenticator_webauthn: remove credential_id size limit (#4931)
- web/admin: fix wizards with radio selects not working correctly after use (#4933)
- web/common: fix tab label color on dark theme (#4959)
- web/flows: fix authenticator selector in dark mode (#4974)
- web/user: fix custom user interface background with dark theme (#4960)
API Changes
What's New
GET /propertymappings/scim/
POST /propertymappings/scim/
GET /propertymappings/scim/{pm_uuid}/
PUT /propertymappings/scim/{pm_uuid}/
DELETE /propertymappings/scim/{pm_uuid}/
PATCH /propertymappings/scim/{pm_uuid}/
GET /propertymappings/scim/{pm_uuid}/used_by/
GET /providers/scim/
POST /providers/scim/
GET /providers/scim/{id}/
PUT /providers/scim/{id}/
DELETE /providers/scim/{id}/
PATCH /providers/scim/{id}/
GET /providers/scim/{id}/sync_status/
GET /providers/scim/{id}/used_by/
What's Changed
POST /core/users/service_account/
Request:
Changed content type : application/json
- 
Added property expiring(boolean)
- 
Added property expires(string)If not provided, valid for 360 days 
GET /policies/event_matcher/{policy_uuid}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property app(string)Match events created by selected application. When left empty, all applications are matched. Added enum value: - authentik.providers.scim
 
 
- 
PUT /policies/event_matcher/{policy_uuid}/
Request:
Changed content type : application/json
- 
Changed property app(string)Match events created by selected application. When left empty, all applications are matched. Added enum value: - authentik.providers.scim
 
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property app(string)Match events created by selected application. When left empty, all applications are matched. Added enum value: - authentik.providers.scim
 
 
- 
PATCH /policies/event_matcher/{policy_uuid}/
Request:
Changed content type : application/json
- 
Changed property app(string)Match events created by selected application. When left empty, all applications are matched. Added enum value: - authentik.providers.scim
 
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property app(string)Match events created by selected application. When left empty, all applications are matched. Added enum value: - authentik.providers.scim
 
 
- 
GET /providers/oauth2/{id}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/jsonNew optional properties: - authorization_flow
 
PUT /providers/oauth2/{id}/
Request:
Changed content type : application/json
New optional properties:
- authorization_flow
Return Type:
Changed response : 200 OK
- 
Changed content type : application/jsonNew optional properties: - authorization_flow
 
PATCH /providers/oauth2/{id}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/jsonNew optional properties: - authorization_flow
 
GET /providers/proxy/{id}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/jsonNew optional properties: - authorization_flow
 
PUT /providers/proxy/{id}/
Request:
Changed content type : application/json
New optional properties:
- authorization_flow
Return Type:
Changed response : 200 OK
- 
Changed content type : application/jsonNew optional properties: - authorization_flow
 
PATCH /providers/proxy/{id}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/jsonNew optional properties: - authorization_flow
 
GET /core/groups/{group_uuid}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property users_obj(array)Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
PUT /core/groups/{group_uuid}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property users_obj(array)Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
PATCH /core/groups/{group_uuid}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property users_obj(array)Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
GET /core/tenants/current/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/jsonNew required properties: - 
ui_theme
 - 
Added property ui_theme(object)Enum values: - automatic
- light
- dark
 
 
- 
GET /events/rules/{pbm_uuid}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property group_obj(object)Group Serializer - 
Changed property users_obj(array)Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
 
- 
PUT /events/rules/{pbm_uuid}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property group_obj(object)Group Serializer - 
Changed property users_obj(array)Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
 
- 
PATCH /events/rules/{pbm_uuid}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property group_obj(object)Group Serializer - 
Changed property users_obj(array)Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
 
- 
GET /policies/bindings/{policy_binding_uuid}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property group_obj(object)Group Serializer - 
Changed property users_obj(array)Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
 
- 
PUT /policies/bindings/{policy_binding_uuid}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property group_obj(object)Group Serializer - 
Changed property users_obj(array)Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
 
- 
PATCH /policies/bindings/{policy_binding_uuid}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property group_obj(object)Group Serializer - 
Changed property users_obj(array)Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
 
- 
POST /policies/event_matcher/
Request:
Changed content type : application/json
- 
Changed property app(string)Match events created by selected application. When left empty, all applications are matched. Added enum value: - authentik.providers.scim
 
Return Type:
Changed response : 201 Created
- 
Changed content type : application/json- 
Changed property app(string)Match events created by selected application. When left empty, all applications are matched. Added enum value: - authentik.providers.scim
 
 
- 
GET /policies/event_matcher/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property results(array)Changed items (object): > Event Matcher Policy Serializer - 
Changed property app(string)Match events created by selected application. When left empty, all applications are matched. Added enum value: - authentik.providers.scim
 
 
- 
 
- 
GET /providers/ldap/{id}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/jsonNew optional properties: - authorization_flow
 
PUT /providers/ldap/{id}/
Request:
Changed content type : application/json
New optional properties:
- authorization_flow
Return Type:
Changed response : 200 OK
- 
Changed content type : application/jsonNew optional properties: - authorization_flow
 
PATCH /providers/ldap/{id}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/jsonNew optional properties: - authorization_flow
 
POST /providers/oauth2/
Request:
Changed content type : application/json
New optional properties:
- authorization_flow
Return Type:
Changed response : 201 Created
- 
Changed content type : application/jsonNew optional properties: - authorization_flow
 
GET /providers/oauth2/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property results(array)Changed items (object): > OAuth2Provider Serializer New optional properties: - authorization_flow
 
 
- 
POST /providers/proxy/
Request:
Changed content type : application/json
New optional properties:
- authorization_flow
Return Type:
Changed response : 201 Created
- 
Changed content type : application/jsonNew optional properties: - authorization_flow
 
GET /providers/proxy/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property results(array)Changed items (object): > ProxyProvider Serializer New optional properties: - authorization_flow
 
 
- 
GET /providers/saml/{id}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/jsonNew optional properties: - authorization_flow
 
PUT /providers/saml/{id}/
Request:
Changed content type : application/json
New optional properties:
- authorization_flow
Return Type:
Changed response : 200 OK
- 
Changed content type : application/jsonNew optional properties: - authorization_flow
 
PATCH /providers/saml/{id}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/jsonNew optional properties: - authorization_flow
 
GET /stages/invitation/invitations/{invite_uuid}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property created_by(object)Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
PUT /stages/invitation/invitations/{invite_uuid}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property created_by(object)Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
PATCH /stages/invitation/invitations/{invite_uuid}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property created_by(object)Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
POST /core/groups/
Return Type:
Changed response : 201 Created
- 
Changed content type : application/json- 
Changed property users_obj(array)Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
GET /core/groups/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property results(array)Changed items (object): > Group Serializer - 
Changed property users_obj(array)Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
 
- 
POST /events/rules/
Return Type:
Changed response : 201 Created
- 
Changed content type : application/json- 
Changed property group_obj(object)Group Serializer - 
Changed property users_obj(array)Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
 
- 
GET /events/rules/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property results(array)Changed items (object): > NotificationRule Serializer - 
Changed property group_obj(object)Group Serializer - 
Changed property users_obj(array)Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
 
- 
 
- 
GET /flows/bindings/{fsb_uuid}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- Changed property evaluate_on_plan(boolean)Evaluate policies during the Flow planning process. 
 
- Changed property 
PUT /flows/bindings/{fsb_uuid}/
Request:
Changed content type : application/json
- Changed property evaluate_on_plan(boolean)Evaluate policies during the Flow planning process. 
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- Changed property evaluate_on_plan(boolean)Evaluate policies during the Flow planning process. 
 
- Changed property 
PATCH /flows/bindings/{fsb_uuid}/
Request:
Changed content type : application/json
- Changed property evaluate_on_plan(boolean)Evaluate policies during the Flow planning process. 
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- Changed property evaluate_on_plan(boolean)Evaluate policies during the Flow planning process. 
 
- Changed property 
GET /oauth2/access_tokens/{id}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property provider(object)OAuth2Provider Serializer New optional properties: - authorization_flow
 
 
- 
GET /oauth2/authorization_codes/{id}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property provider(object)OAuth2Provider Serializer New optional properties: - authorization_flow
 
 
- 
GET /oauth2/refresh_tokens/{id}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property provider(object)OAuth2Provider Serializer New optional properties: - authorization_flow
 
 
- 
POST /policies/bindings/
Return Type:
Changed response : 201 Created
- 
Changed content type : application/json- 
Changed property group_obj(object)Group Serializer - 
Changed property users_obj(array)Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
 
- 
GET /policies/bindings/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property results(array)Changed items (object): > PolicyBinding Serializer - 
Changed property group_obj(object)Group Serializer - 
Changed property users_obj(array)Changed items (object): > Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
 
- 
 
- 
POST /providers/ldap/
Request:
Changed content type : application/json
New optional properties:
- authorization_flow
Return Type:
Changed response : 201 Created
- 
Changed content type : application/jsonNew optional properties: - authorization_flow
 
GET /providers/ldap/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property results(array)Changed items (object): > LDAPProvider Serializer New optional properties: - authorization_flow
 
 
- 
POST /providers/saml/
Request:
Changed content type : application/json
New optional properties:
- authorization_flow
Return Type:
Changed response : 201 Created
- 
Changed content type : application/jsonNew optional properties: - authorization_flow
 
GET /providers/saml/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property results(array)Changed items (object): > SAMLProvider Serializer New optional properties: - authorization_flow
 
 
- 
GET /sources/user_connections/all/
Parameters:
Added: user in query
POST /stages/invitation/invitations/
Return Type:
Changed response : 201 Created
- 
Changed content type : application/json- 
Changed property created_by(object)Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
GET /stages/invitation/invitations/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property results(array)Changed items (object): > Invitation Serializer - 
Changed property created_by(object)Stripped down user serializer to show relevant users for groups New optional properties: - 
avatar
 - Deleted property avatar(string)
 
- 
 
- 
 
- 
GET /stages/user_login/{stage_uuid}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- Added property terminate_other_sessions(boolean)Terminate all other sessions of the user logging in. 
 
- Added property 
PUT /stages/user_login/{stage_uuid}/
Request:
Changed content type : application/json
- Added property terminate_other_sessions(boolean)Terminate all other sessions of the user logging in. 
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- Added property terminate_other_sessions(boolean)Terminate all other sessions of the user logging in. 
 
- Added property 
PATCH /stages/user_login/{stage_uuid}/
Request:
Changed content type : application/json
- Added property terminate_other_sessions(boolean)Terminate all other sessions of the user logging in. 
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- Added property terminate_other_sessions(boolean)Terminate all other sessions of the user logging in. 
 
- Added property 
POST /flows/bindings/
Request:
Changed content type : application/json
- Changed property evaluate_on_plan(boolean)Evaluate policies during the Flow planning process. 
Return Type:
Changed response : 201 Created
- 
Changed content type : application/json- Changed property evaluate_on_plan(boolean)Evaluate policies during the Flow planning process. 
 
- Changed property 
GET /flows/bindings/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property results(array)Changed items (object): > FlowStageBinding Serializer - Changed property evaluate_on_plan(boolean)Evaluate policies during the Flow planning process. 
 
- Changed property 
 
- 
GET /flows/inspector/{flow_slug}/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property plans(array)Changed items (object): > Serializer for an active FlowPlan - 
Changed property next_planned_stage(object)FlowStageBinding Serializer - Changed property evaluate_on_plan(boolean)Evaluate policies during the Flow planning process. 
 
- Changed property 
- 
Changed property current_stage(object)FlowStageBinding Serializer - Changed property evaluate_on_plan(boolean)Evaluate policies during the Flow planning process. 
 
- Changed property 
 
- 
 
- 
GET /oauth2/access_tokens/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property results(array)Changed items (object): > Serializer for BaseGrantModel and RefreshToken - 
Changed property provider(object)OAuth2Provider Serializer New optional properties: - authorization_flow
 
 
- 
 
- 
GET /oauth2/authorization_codes/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property results(array)Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant - 
Changed property provider(object)OAuth2Provider Serializer New optional properties: - authorization_flow
 
 
- 
 
- 
GET /oauth2/refresh_tokens/
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property results(array)Changed items (object): > Serializer for BaseGrantModel and RefreshToken - 
Changed property provider(object)OAuth2Provider Serializer New optional properties: - authorization_flow
 
 
- 
 
- 
POST /stages/user_login/
Request:
Changed content type : application/json
- Added property terminate_other_sessions(boolean)Terminate all other sessions of the user logging in. 
Return Type:
Changed response : 201 Created
- 
Changed content type : application/json- Added property terminate_other_sessions(boolean)Terminate all other sessions of the user logging in. 
 
- Added property 
GET /stages/user_login/
Parameters:
Added: terminate_other_sessions in query
Return Type:
Changed response : 200 OK
- 
Changed content type : application/json- 
Changed property results(array)Changed items (object): > UserLoginStage Serializer - Added property terminate_other_sessions(boolean)Terminate all other sessions of the user logging in. 
 
- Added property 
 
-