Release 2022.11

Breaking changes

Have I Been Pwned policy is deprecated

The policy has been merged with the password policy which provides the same functionality. Existing Have I Been Pwned policies will automatically be migrated.
Instead of using multiple redis databases, authentik now uses a single redis database

This will temporarily loose some cached information after the upgrade, like cached system tasks and policy results. This data will be re-cached in the background.

New features

authentik now runs on Python 3.11
Expanded password policy

The "Have I been Pwned" policy has been merged into the password policy, and additionally passwords can be checked using zxcvbn to provider concise feedback.

Upgrading

This release does not introduce any new requirements.

docker-compose

Download the docker-compose file for 2022.11 from here. Afterwards, simply run docker-compose up -d.

Kubernetes

Update your values to use the new images:

yaml

image:
    repository: ghcr.io/goauthentik/server
    tag: 2022.11.1

Minor changes/fixes

api: fix missing scheme in securitySchemes
blueprints: Fixed bug causing blueprint instance context be discarded (#3990)
core: fix error when propertymappings return complex value
core: simplify group serializer for user API endpoint (#3899)
events: deepcopy event kwargs to prevent objects being removed, remove workaround
events: sanitize generator for json safety
lib: fix complex objects being included in event context for ak_create_event
lifecycle: fix incorrect messages looped
outposts/kubernetes: ingress class (#4002)
policies: only cache policies for authenticated users
policies/password: merge hibp add zxcvbn (#4001)
providers/oauth2: fix inconsistent expiry encoded in JWT
root: make sentry DSN configurable (#4016)
root: relicense and launch blog post
root: use single redis db (#4009)
sources: add custom icon support (#4022)
stages/authenticator_*: cleanup
stages/authenticator_validate: add flag to configure user_verification for webauthn devices
stages/invitation: directly delete invitation now that flow plan is saved in email token
web: fix twitter icon
web/flows: always hide static user info when its not set in the flow

Fixed in 2022.11.1

blueprints: add desired state attribute to objects (#4061)
core: fix tab-complete in shell
root: fix build on arm64
stages/email: add test for email translation
web/admin: fix error when importing duo devices
web/admin: reset cookie_domain when setting non-domain forward auth

Fixed in 2022.11.2

*: fix CVE-2022-46145, Reported by @sdimovv

Fixed in 2022.11.3

web: fix Flow Form failing to load due to outdated API client

Fixed in 2022.11.4

*: fix CVE-2022-46172, Reported by @DreamingRaven
*: fix CVE-2022-23555, Reported by @fuomag9

API Changes

What's Changed

`GET` /policies/password/{policy_uuid}/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Added property check_static_rules (boolean)
- Added property check_have_i_been_pwned (boolean)
- Added property check_zxcvbn (boolean)
- Added property hibp_allowed_count (integer)
  
  How many times the password hash is allowed to be on haveibeenpwned
- Added property zxcvbn_score_threshold (integer)
  
  If the zxcvbn score is equal or less than this value, the policy will fail.

`PUT` /policies/password/{policy_uuid}/

Request:

Changed content type : application/json

Added property check_static_rules (boolean)
Added property check_have_i_been_pwned (boolean)
Added property check_zxcvbn (boolean)
Added property hibp_allowed_count (integer)

How many times the password hash is allowed to be on haveibeenpwned
Added property zxcvbn_score_threshold (integer)

If the zxcvbn score is equal or less than this value, the policy will fail.

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Added property check_static_rules (boolean)
- Added property check_have_i_been_pwned (boolean)
- Added property check_zxcvbn (boolean)
- Added property hibp_allowed_count (integer)
  
  How many times the password hash is allowed to be on haveibeenpwned
- Added property zxcvbn_score_threshold (integer)
  
  If the zxcvbn score is equal or less than this value, the policy will fail.

`PATCH` /policies/password/{policy_uuid}/

Request:

Changed content type : application/json

Added property check_static_rules (boolean)
Added property check_have_i_been_pwned (boolean)
Added property check_zxcvbn (boolean)
Added property hibp_allowed_count (integer)

How many times the password hash is allowed to be on haveibeenpwned
Added property zxcvbn_score_threshold (integer)

If the zxcvbn score is equal or less than this value, the policy will fail.

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Added property check_static_rules (boolean)
- Added property check_have_i_been_pwned (boolean)
- Added property check_zxcvbn (boolean)
- Added property hibp_allowed_count (integer)
  
  How many times the password hash is allowed to be on haveibeenpwned
- Added property zxcvbn_score_threshold (integer)
  
  If the zxcvbn score is equal or less than this value, the policy will fail.

`GET` /core/tokens/{identifier}/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property user_obj (object)
  
  User Serializer
  - Changed property groups_obj (array)
    
    Changed items (object): > Simplified Group Serializer for user's groups
    
    New optional properties:
    - users_obj
    - Deleted property users (array)
    - Deleted property users_obj (array)

`PUT` /core/tokens/{identifier}/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property user_obj (object)
  
  User Serializer
  - Changed property groups_obj (array)
    
    Changed items (object): > Simplified Group Serializer for user's groups
    
    New optional properties:
    - users_obj
    - Deleted property users (array)
    - Deleted property users_obj (array)

`PATCH` /core/tokens/{identifier}/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property user_obj (object)
  
  User Serializer
  - Changed property groups_obj (array)
    
    Changed items (object): > Simplified Group Serializer for user's groups
    
    New optional properties:
    - users_obj
    - Deleted property users (array)
    - Deleted property users_obj (array)

`GET` /core/users/{id}/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property groups_obj (array)
  
  Changed items (object): > Simplified Group Serializer for user's groups
  
  New optional properties:
  - users_obj
  - Deleted property users (array)
  - Deleted property users_obj (array)

`PUT` /core/users/{id}/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property groups_obj (array)
  
  Changed items (object): > Simplified Group Serializer for user's groups
  
  New optional properties:
  - users_obj
  - Deleted property users (array)
  - Deleted property users_obj (array)

`PATCH` /core/users/{id}/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property groups_obj (array)
  
  Changed items (object): > Simplified Group Serializer for user's groups
  
  New optional properties:
  - users_obj
  - Deleted property users (array)
  - Deleted property users_obj (array)

`GET` /policies/bindings/{policy_binding_uuid}/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property user_obj (object)
  
  User Serializer
  - Changed property groups_obj (array)
    
    Changed items (object): > Simplified Group Serializer for user's groups
    
    New optional properties:
    - users_obj
    - Deleted property users (array)
    - Deleted property users_obj (array)

`PUT` /policies/bindings/{policy_binding_uuid}/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property user_obj (object)
  
  User Serializer
  - Changed property groups_obj (array)
    
    Changed items (object): > Simplified Group Serializer for user's groups
    
    New optional properties:
    - users_obj
    - Deleted property users (array)
    - Deleted property users_obj (array)

`PATCH` /policies/bindings/{policy_binding_uuid}/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property user_obj (object)
  
  User Serializer
  - Changed property groups_obj (array)
    
    Changed items (object): > Simplified Group Serializer for user's groups
    
    New optional properties:
    - users_obj
    - Deleted property users (array)
    - Deleted property users_obj (array)

`POST` /policies/password/

Request:

Changed content type : application/json

Added property check_static_rules (boolean)
Added property check_have_i_been_pwned (boolean)
Added property check_zxcvbn (boolean)
Added property hibp_allowed_count (integer)

How many times the password hash is allowed to be on haveibeenpwned
Added property zxcvbn_score_threshold (integer)

If the zxcvbn score is equal or less than this value, the policy will fail.

Return Type:

Changed response : 201 Created

Changed content type : application/json
- Added property check_static_rules (boolean)
- Added property check_have_i_been_pwned (boolean)
- Added property check_zxcvbn (boolean)
- Added property hibp_allowed_count (integer)
  
  How many times the password hash is allowed to be on haveibeenpwned
- Added property zxcvbn_score_threshold (integer)
  
  If the zxcvbn score is equal or less than this value, the policy will fail.

`GET` /policies/password/

Parameters:

Added: check_have_i_been_pwned in query

Added: check_static_rules in query

Added: check_zxcvbn in query

Added: hibp_allowed_count in query

Added: zxcvbn_score_threshold in query

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property results (array)
  
  Changed items (object): > Password Policy Serializer
  - Added property check_static_rules (boolean)
  - Added property check_have_i_been_pwned (boolean)
  - Added property check_zxcvbn (boolean)
  - Added property hibp_allowed_count (integer)
    
    How many times the password hash is allowed to be on haveibeenpwned
  - Added property zxcvbn_score_threshold (integer)
    
    If the zxcvbn score is equal or less than this value, the policy will fail.

`POST` /core/tokens/

Return Type:

Changed response : 201 Created

Changed content type : application/json
- Changed property user_obj (object)
  
  User Serializer
  - Changed property groups_obj (array)
    
    Changed items (object): > Simplified Group Serializer for user's groups
    
    New optional properties:
    - users_obj
    - Deleted property users (array)
    - Deleted property users_obj (array)

`GET` /core/tokens/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property results (array)
  
  Changed items (object): > Token Serializer
  - Changed property user_obj (object)
    
    User Serializer
    - Changed property groups_obj (array)
      
      Changed items (object): > Simplified Group Serializer for user's groups
      
      New optional properties:
      - users_obj
      - Deleted property users (array)
      - Deleted property users_obj (array)

`GET` /core/user_consent/{id}/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property user (object)
  
  User Serializer
  - Changed property groups_obj (array)
    
    Changed items (object): > Simplified Group Serializer for user's groups
    
    New optional properties:
    - users_obj
    - Deleted property users (array)
    - Deleted property users_obj (array)

`POST` /core/users/

Return Type:

Changed response : 201 Created

Changed content type : application/json
- Changed property groups_obj (array)
  
  Changed items (object): > Simplified Group Serializer for user's groups
  
  New optional properties:
  - users_obj
  - Deleted property users (array)
  - Deleted property users_obj (array)

`GET` /core/users/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property results (array)
  
  Changed items (object): > User Serializer
  - Changed property groups_obj (array)
    
    Changed items (object): > Simplified Group Serializer for user's groups
    
    New optional properties:
    - users_obj
    - Deleted property users (array)
    - Deleted property users_obj (array)

`GET` /oauth2/authorization_codes/{id}/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property user (object)
  
  User Serializer
  - Changed property groups_obj (array)
    
    Changed items (object): > Simplified Group Serializer for user's groups
    
    New optional properties:
    - users_obj
    - Deleted property users (array)
    - Deleted property users_obj (array)

`GET` /oauth2/refresh_tokens/{id}/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property user (object)
  
  User Serializer
  - Changed property groups_obj (array)
    
    Changed items (object): > Simplified Group Serializer for user's groups
    
    New optional properties:
    - users_obj
    - Deleted property users (array)
    - Deleted property users_obj (array)

`POST` /policies/bindings/

Return Type:

Changed response : 201 Created

Changed content type : application/json
- Changed property user_obj (object)
  
  User Serializer
  - Changed property groups_obj (array)
    
    Changed items (object): > Simplified Group Serializer for user's groups
    
    New optional properties:
    - users_obj
    - Deleted property users (array)
    - Deleted property users_obj (array)

`GET` /policies/bindings/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property results (array)
  
  Changed items (object): > PolicyBinding Serializer
  - Changed property user_obj (object)
    
    User Serializer
    - Changed property groups_obj (array)
      
      Changed items (object): > Simplified Group Serializer for user's groups
      
      New optional properties:
      - users_obj
      - Deleted property users (array)
      - Deleted property users_obj (array)

`GET` /core/user_consent/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property results (array)
  
  Changed items (object): > UserConsent Serializer
  - Changed property user (object)
    
    User Serializer
    - Changed property groups_obj (array)
      
      Changed items (object): > Simplified Group Serializer for user's groups
      
      New optional properties:
      - users_obj
      - Deleted property users (array)
      - Deleted property users_obj (array)

`GET` /oauth2/authorization_codes/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property results (array)
  
  Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant
  - Changed property user (object)
    
    User Serializer
    - Changed property groups_obj (array)
      
      Changed items (object): > Simplified Group Serializer for user's groups
      
      New optional properties:
      - users_obj
      - Deleted property users (array)
      - Deleted property users_obj (array)

`GET` /oauth2/refresh_tokens/

Return Type:

Changed response : 200 OK

Changed content type : application/json
- Changed property results (array)
  
  Changed items (object): > Serializer for BaseGrantModel and RefreshToken
  - Changed property user (object)
    
    User Serializer
    - Changed property groups_obj (array)
      
      Changed items (object): > Simplified Group Serializer for user's groups
      
      New optional properties:
      - users_obj
      - Deleted property users (array)
      - Deleted property users_obj (array)

Breaking changes

New features

Upgrading

docker-compose

Kubernetes

Minor changes/fixes

Fixed in 2022.11.1

Fixed in 2022.11.2

Fixed in 2022.11.3

Fixed in 2022.11.4

API Changes

What's Changed

GET /policies/password/{policy_uuid}/

Return Type:

PUT /policies/password/{policy_uuid}/

Request:

Return Type:

PATCH /policies/password/{policy_uuid}/

Request:

Return Type:

GET /core/tokens/{identifier}/

Return Type:

PUT /core/tokens/{identifier}/

Return Type:

PATCH /core/tokens/{identifier}/

Return Type:

GET /core/users/{id}/

Return Type:

PUT /core/users/{id}/

Return Type:

PATCH /core/users/{id}/

Return Type:

GET /policies/bindings/{policy_binding_uuid}/

Return Type:

PUT /policies/bindings/{policy_binding_uuid}/

Return Type:

PATCH /policies/bindings/{policy_binding_uuid}/

Return Type:

POST /policies/password/

Request:

Return Type:

GET /policies/password/

Parameters:

Return Type:

POST /core/tokens/

Return Type:

GET /core/tokens/

Return Type:

GET /core/user_consent/{id}/

Return Type:

POST /core/users/

Return Type:

GET /core/users/

Return Type:

GET /oauth2/authorization_codes/{id}/

Return Type:

GET /oauth2/refresh_tokens/{id}/

Return Type:

POST /policies/bindings/

Return Type:

GET /policies/bindings/

Return Type:

GET /core/user_consent/

Return Type:

GET /oauth2/authorization_codes/

Return Type:

GET /oauth2/refresh_tokens/

Return Type:

`GET` /policies/password/{policy_uuid}/

`PUT` /policies/password/{policy_uuid}/

`PATCH` /policies/password/{policy_uuid}/

`GET` /core/tokens/{identifier}/

`PUT` /core/tokens/{identifier}/

`PATCH` /core/tokens/{identifier}/

`GET` /core/users/{id}/

`PUT` /core/users/{id}/

`PATCH` /core/users/{id}/

`GET` /policies/bindings/{policy_binding_uuid}/

`PUT` /policies/bindings/{policy_binding_uuid}/

`PATCH` /policies/bindings/{policy_binding_uuid}/

`POST` /policies/password/

`GET` /policies/password/

`POST` /core/tokens/

`GET` /core/tokens/

`GET` /core/user_consent/{id}/

`POST` /core/users/

`GET` /core/users/

`GET` /oauth2/authorization_codes/{id}/

`GET` /oauth2/refresh_tokens/{id}/

`POST` /policies/bindings/

`GET` /policies/bindings/

`GET` /core/user_consent/

`GET` /oauth2/authorization_codes/

`GET` /oauth2/refresh_tokens/