ContextQMD
Back to Authentik

Release 2024.12

website/docs/releases/2024/v2024.12.md

latest54.1 KB
Original Source

Highlights

  • Redirect stage Conditionally redirect users to other flows and URLs.
  • Application entitlements :ak-preview Additional granular permission configuration on an application-level basis.
  • CloudFormation :ak-preview One-click deploy on AWS.
  • Policies in the application wizard Configure access restriction while creating an application.

Breaking changes

  • Impersonation now requires providing a reason

    You can disable this behavior in the Admin interface under System > Settings.

  • Deprecated PostgreSQL USE_PGBOUNCER and USE_PGPOOL settings

    With this release, the AUTHENTIK_POSTGRESQL__USE_PGBOUNCER and AUTHENTIK_POSTGRESQL__USE_PGPOOL settings have been deprecated in favor of exposing the underlying database settings: AUTHENTIK_POSTGRESQL__CONN_MAX_AGE and AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS.

    If you are using PgBouncer or PgPool as connection poolers and wish to maintain the same behavior as previous versions, AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS must be set to true. Moreover, if you are using PgBouncer AUTHENTIK_POSTGRESQL__CONN_MAX_AGE must be set to null.

    The newly exposed settings allow supporting a wider set of connection pooler configurations. For details on how these settings interact with different configurations of connection poolers, please refer to the PostgreSQL documentation.

    These settings will be removed in a future version.

New features

  • Redirect stage

    This new stage allows redirecting a user to another flow or external URL. This allows for dynamically choosing which flow runs depending on user attributes or other factors, or redirection to another URL.

  • Application entitlements :ak-preview

    Centrally configure permissions by granting entitlements to groups and users on an application-level basis.

  • Policies in the application wizard

    In the application creation wizard, administrators can now configure policies bindings along with the other application settings.

  • CloudFormation :ak-preview

    Deploy authentik in your own AWS environment with one click using our new AWS CloudFormation template.

  • OAuth2 provider federation

    Configure OAuth2 provider federation to allow exchanging authentication tokens between multiple providers.

  • Silent authorization flow

    When authorization flows don't require user interaction, authentik redirects the user directly back to the application, improving user experience.

Upgrading

This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our Upgrade documentation.

:::warning When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. :::

Docker Compose

To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:

shell
wget -O docker-compose.yml https://goauthentik.io/version/2024.12/docker-compose.yml
docker compose up -d

The -O flag retains the downloaded file's name, overwriting any existing local file with the same name.

Kubernetes

Upgrade the Helm Chart to the new version, using the following commands:

shell
helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.12

Minor changes/fixes

  • blueprints: add AtIndex tag (#12386)
  • blueprints: add default Password policy (#11793)
  • core: add None check to a device's extra_description (#11904)
  • core: add ability to provide reason for impersonation (#11951)
  • core: add support to set policy bindings in transactional endpoint (#10399)
  • core: app entitlements (#12090)
  • core: fix source_flow_manager throwing error when authenticated user attempts to re-authenticate with existing link (#12080)
  • core: use versioned_script for path only (#12003)
  • crypto: validate that generated certificate's name is unique (#12015)
  • enterprise/rac: fix API Schema for invalidation_flow (#11907)
  • enterprise/stages/authenticator_endpoint_gdtc: don't set frame options globally (#12311)
  • enterprise: allow deletion/modification of users when in read-only mode (#12289)
  • events: notification_cleanup: avoid unnecessary loop (cherry-pick #12417) (#12418)
  • flows: better test stage's challenge responses (#12316)
  • flows: silent authz flow (#12213)
  • internal: add CSP header to files in /media (#12092)
  • lifecycle: fix ak exit status not being passed (#12024)
  • lifecycle: fix kdc5-config missing (#11826)
  • lifecycle: fix missing krb5 deps for full testing in image (#11815)
  • providers/ldap: fix global search_full_directory permission not being sufficient (#12028)
  • providers/oauth2: Add provider federation between OAuth2 Providers (#12083)
  • providers/oauth2: allow m2m for JWKS without alg in keys (#12196)
  • providers/oauth2: fix manual device code entry (#12017)
  • providers/oauth2: fix migration (#12138)
  • providers/oauth2: fix migration dependencies (#12123)
  • providers/oauth2: fix redirect uri input (#12122)
  • providers/oauth2: fix size limited index for tokens (#11879)
  • providers/oauth2: make session deletion cascade to tokens (#12343)
  • providers/proxy: fix Issuer when AUTHENTIK_HOST_BROWSER is set (#11968)
  • providers/proxy: fix redirect_uri (#12121)
  • providers/scim: accept string and int for SCIM IDs (#12093)
  • rbac: fix incorrect object_description for object-level permissions (#12029)
  • root: check remote IP for proxy protocol same as HTTP/etc (#12094)
  • root: expose CONN_MAX_AGE, CONN_HEALTH_CHECKS and DISABLE_SERVER_SIDE_CURSORS for PostgreSQL config (cherry-pick #10159) (#12419)
  • root: fix activation of locale not being scoped (#12091)
  • root: fix database ssl options not set correctly (#12180)
  • root: fix health status code (#12255)
  • root: fix missing entries in codeowners (#12369)
  • root: fix override locale only if it is not empty (#12283)
  • root: fix ssl settings for read replicas not being applied (#12341)
  • root: lock setuptools to prevent docker install issue
  • root: support running authentik in subpath (#8675)
  • root: use healthcheck in depends_on for postgres and redis (#12301)
  • security: fix CVE 2024 52287 (#12114)
  • security: fix CVE 2024 52289 (#12113)
  • security: fix CVE 2024 52307 (#12115)
  • sources/kerberos: add kadmin type setting, provide additional context to property mappings (#12286)
  • sources/kerberos: add kiprop to ignored system principals (#11852)
  • sources/kerberos: use new python-kadmin implementation (#11932)
  • sources/oauth: allow creation of user connection objects with parameters (#12195)
  • sources/saml: fix redirect not kept through SAML Source (#12372)
  • stages/captcha: Run interactive captcha in Frame (#11857)
  • stages/identification: fix invalid challenge warning when no captcha stage is set (#12312)
  • stages/password: use recovery flow from brand (#11953)
  • stages/redirect: create redirect stage (#12275)
  • web/admin: add application bindings to the application wizard (#11462)
  • web/admin: auto-prefill user path for new users based on selected path (#12070)
  • web/admin: better footer links (#12004)
  • web/admin: bugfix: dual select initialization revision (#12051)
  • web/admin: fix brand title not respected in application list (#12068)
  • web/admin: fix code-based MFA toggle not working in wizard (#11854)
  • web/admin: fix prompt stage wording (#12384)
  • web/admin: provide default invalidation flows for LDAP and Radius (#11861)
  • web/flows: fix invisible captcha call (#12048)
  • web/flows: resize captcha iframes (#12260)
  • web/flows: update flow background (#12339)
  • web: add italian locale (#11958)
  • web: backport fix impersonate api (#12184)
  • web: fix bug that prevented error reporting in current wizard. (#12033)
  • web: fix missing status code on failed build (#11903)
  • web: simplify ?inline handler for Storybook (#12246)
  • web: update tests for Chromedriver 131 (#12199)

Fixed in 2024.12.1

  • internal: fix URL generation for websocket connection (cherry-pick #12439) (#12440)
  • website/docs: add content about bindings (cherry-pick #11787) (#12428)
  • website/docs: add new section about impersonation (cherry-pick #12328) (#12424)

Fixed in 2024.12.2

  • core: fix error when creating new user with default path (cherry-pick #12609) (#12612)
  • internal: fix missing trailing slash in outpost websocket (cherry-pick #12470) (#12471)
  • providers/saml: fix invalid SAML Response when assertion and response are signed (cherry-pick #12611) (#12613)
  • rbac: permissions endpoint: allow authenticated users (cherry-pick #12608) (#12610)
  • sources/kerberos: authenticate with the user's username instead of the first username in authentik (cherry-pick #12497) (#12579)
  • web: fix source selection and outpost integration health (#12530)

Fixed in 2024.12.3

  • core: fix application entitlements not creatable with blueprints (cherry-pick #12673) (#12784)
  • core: fix permissions for admin device listing (cherry-pick #12787) (#12791)
  • enterprise/rac: Improve client connection status & bugfixes (cherry-pick #12684) (#12727)
  • flows: clear flow state before redirecting to final URL (cherry-pick #12788) (#12801)
  • lifecycle: better pre release test (cherry-pick #12806) (#12808)
  • lifecycle: build binary dependencies which link against SSL directly (#12724)
  • lifecycle: fix cryptography's OpenSSL path (cherry-pick #12753) (#12759)
  • lifecycle: update python to 3.12.8 (cherry-pick #12783) (#12786)
  • rbac: exclude permissions for internal models (cherry-pick #12803) (#12807)
  • sources: allow uuid or slug to be used for retrieving a source (#12772)
  • stages/redirect: fix query parameter when redirecting to flow (cherry-pick #12750) (#12752)

Fixed in 2024.12.4

  • core: fix generic sources not being fetchable by pk (#12896)
  • core: fix non-exploitable open redirect (#13696)
  • flows: fix inspector permission check (#12907)
  • security: fix CVE-2025-29928 (cherry-pick #13695) (#13701)

Fixed in 2024.12.5

  • Revert "core: fix non-exploitable open redirect (#13696)" (#13827)

API Changes

What's New

GET /core/application_entitlements/
POST /core/application_entitlements/
GET /core/application_entitlements/{pbm_uuid}/
PUT /core/application_entitlements/{pbm_uuid}/
DELETE /core/application_entitlements/{pbm_uuid}/
PATCH /core/application_entitlements/{pbm_uuid}/
GET /core/application_entitlements/{pbm_uuid}/used_by/
GET /stages/redirect/
POST /stages/redirect/
GET /stages/redirect/{stage_uuid}/
PUT /stages/redirect/{stage_uuid}/
DELETE /stages/redirect/{stage_uuid}/
PATCH /stages/redirect/{stage_uuid}/
GET /stages/redirect/{stage_uuid}/used_by/

What's Changed

GET /admin/settings/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json
    • Added property impersonation_require_reason (boolean)

      Require administrators to provide a reason for impersonating a user.

PUT /admin/settings/
Request:

Changed content type : application/json

  • Added property impersonation_require_reason (boolean)

    Require administrators to provide a reason for impersonating a user.

Return Type:

Changed response : 200 OK

  • Changed content type : application/json
    • Added property impersonation_require_reason (boolean)

      Require administrators to provide a reason for impersonating a user.

PATCH /admin/settings/
Request:

Changed content type : application/json

  • Added property impersonation_require_reason (boolean)

    Require administrators to provide a reason for impersonating a user.

Return Type:

Changed response : 200 OK

  • Changed content type : application/json
    • Added property impersonation_require_reason (boolean)

      Require administrators to provide a reason for impersonating a user.

POST /core/users/{id}/impersonate/
Request:

New content type : application/json

GET /policies/event_matcher/{policy_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property app (string)

      Match events created by selected application. When left empty, all applications are matched.

      Added enum value:

      • authentik.stages.redirect

    • Changed property model (string)

      Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

      Added enum values:

      • authentik_stages_redirect.redirectstage
      • authentik_core.applicationentitlement
PUT /policies/event_matcher/{policy_uuid}/
Request:

Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Added enum value:

    • authentik.stages.redirect

  • Changed property model (string)

    Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

    Added enum values:

    • authentik_stages_redirect.redirectstage
    • authentik_core.applicationentitlement
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property app (string)

      Match events created by selected application. When left empty, all applications are matched.

      Added enum value:

      • authentik.stages.redirect

    • Changed property model (string)

      Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

      Added enum values:

      • authentik_stages_redirect.redirectstage
      • authentik_core.applicationentitlement
PATCH /policies/event_matcher/{policy_uuid}/
Request:

Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Added enum value:

    • authentik.stages.redirect

  • Changed property model (string)

    Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

    Added enum values:

    • authentik_stages_redirect.redirectstage
    • authentik_core.applicationentitlement
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property app (string)

      Match events created by selected application. When left empty, all applications are matched.

      Added enum value:

      • authentik.stages.redirect

    • Changed property model (string)

      Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

      Added enum values:

      • authentik_stages_redirect.redirectstage
      • authentik_core.applicationentitlement
GET /sources/group_connections/kerberos/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

      • Property pk (string)

      • Property name (string)

        Source's display Name.

      • Property slug (string)

        Internal source name, used in URLs.

      • Property enabled (boolean)

      • Property authentication_flow (string)

        Flow to use when authenticating existing users.

      • Property enrollment_flow (string)

        Flow to use when enrolling new users.

      • Property user_property_mappings (array)

        Items (string):

      • Property group_property_mappings (array)

      • Property component (string)

        Get object component so that we know how to edit the object

      • Property verbose_name (string)

        Return object's verbose_name

      • Property verbose_name_plural (string)

        Return object's plural verbose_name

      • Property meta_model_name (string)

        Return internal model name

      • Property policy_engine_mode (string)

        Enum values:

        • all
        • any

      • Property user_matching_mode (string)

        How the source determines if an existing user should be authenticated or a new user enrolled.

        Enum values:

        • identifier
        • email_link
        • email_deny
        • username_link
        • username_deny

      • Property managed (string)

        Objects that are managed by authentik. These objects are created and updated automatically. This flag only indicates that an object can be overwritten by migrations. You can still modify the objects via the API, but expect changes to be overwritten in a later update.

      • Property user_path_template (string)

      • Property icon (string)

        Get the URL to the Icon. If the name is /static or starts with http it is returned as-is

    • Changed property group (string)

    • Changed property source (object -> string)

    • Changed property identifier (string)

PUT /sources/group_connections/kerberos/{id}/
Request:

New content type : application/json

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property group (string)

    • Changed property source (object -> string)

    • Changed property identifier (string)

PATCH /sources/group_connections/kerberos/{id}/
Request:

New content type : application/json

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property group (string)

    • Changed property source (object -> string)

    • Changed property identifier (string)

GET /sources/group_connections/oauth/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property group (string)

    • Changed property source (object -> string)

    • Changed property identifier (string)

PUT /sources/group_connections/oauth/{id}/
Request:

New content type : application/json

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property group (string)

    • Changed property source (object -> string)

    • Changed property identifier (string)

PATCH /sources/group_connections/oauth/{id}/
Request:

New content type : application/json

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property group (string)

    • Changed property source (object -> string)

    • Changed property identifier (string)

GET /sources/group_connections/plex/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property group (string)

    • Changed property source (object -> string)

    • Changed property identifier (string)

PUT /sources/group_connections/plex/{id}/
Request:

New content type : application/json

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property group (string)

    • Changed property source (object -> string)

    • Changed property identifier (string)

PATCH /sources/group_connections/plex/{id}/
Request:

New content type : application/json

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property group (string)

    • Changed property source (object -> string)

    • Changed property identifier (string)

GET /sources/group_connections/saml/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property group (string)

    • Changed property source (object -> string)

    • Changed property identifier (string)

PUT /sources/group_connections/saml/{id}/
Request:

New content type : application/json

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property group (string)

    • Changed property source (object -> string)

    • Changed property identifier (string)

PATCH /sources/group_connections/saml/{id}/
Request:

New content type : application/json

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property group (string)

    • Changed property source (object -> string)

    • Changed property identifier (string)

GET /sources/user_connections/all/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property user (integer)

    • Changed property source (object -> string)

PUT /sources/user_connections/all/{id}/
Request:

New content type : application/json

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property user (integer)

    • Changed property source (object -> string)

PATCH /sources/user_connections/all/{id}/
Request:

New content type : application/json

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property user (integer)

    • Changed property source (object -> string)

GET /sources/user_connections/kerberos/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property source (object -> string)

PUT /sources/user_connections/kerberos/{id}/
Request:

Changed content type : application/json

New required properties:

  • source
  • Added property source (string)
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property source (object -> string)

PATCH /sources/user_connections/kerberos/{id}/
Request:

Changed content type : application/json

  • Added property source (string)
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property source (object -> string)

GET /sources/user_connections/oauth/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property user (integer)

    • Changed property source (object -> string)

PUT /sources/user_connections/oauth/{id}/
Request:

Changed content type : application/json

New required properties:

  • source
  • user

  • Added property user (integer)

  • Added property source (string)

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property user (integer)

    • Changed property source (object -> string)

PATCH /sources/user_connections/oauth/{id}/
Request:

Changed content type : application/json

  • Added property user (integer)

  • Added property source (string)

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property user (integer)

    • Changed property source (object -> string)

GET /sources/user_connections/plex/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property user (integer)

    • Changed property source (object -> string)

PUT /sources/user_connections/plex/{id}/
Request:

Changed content type : application/json

New required properties:

  • source
  • user

  • Added property user (integer)

  • Added property source (string)

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property user (integer)

    • Changed property source (object -> string)

PATCH /sources/user_connections/plex/{id}/
Request:

Changed content type : application/json

  • Added property user (integer)

  • Added property source (string)

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property user (integer)

    • Changed property source (object -> string)

GET /sources/user_connections/saml/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property user (integer)

    • Changed property source (object -> string)

PUT /sources/user_connections/saml/{id}/
Request:

Changed content type : application/json

New required properties:

  • source
  • user

  • Added property user (integer)

  • Added property source (string)

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property user (integer)

    • Changed property source (object -> string)

PATCH /sources/user_connections/saml/{id}/
Request:

Changed content type : application/json

  • Added property user (integer)

  • Added property source (string)

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property user (integer)

    • Changed property source (object -> string)

GET /flows/instances/{slug}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property authentication (string)

      Required level of authentication and authorization to access a flow.

      Added enum value:

      • require_redirect
PUT /flows/instances/{slug}/
Request:

Changed content type : application/json

  • Changed property authentication (string)

    Required level of authentication and authorization to access a flow.

    Added enum value:

    • require_redirect
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property authentication (string)

      Required level of authentication and authorization to access a flow.

      Added enum value:

      • require_redirect
PATCH /flows/instances/{slug}/
Request:

Changed content type : application/json

  • Changed property authentication (string)

    Required level of authentication and authorization to access a flow.

    Added enum value:

    • require_redirect
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property authentication (string)

      Required level of authentication and authorization to access a flow.

      Added enum value:

      • require_redirect
POST /policies/event_matcher/
Request:

Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Added enum value:

    • authentik.stages.redirect

  • Changed property model (string)

    Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

    Added enum values:

    • authentik_stages_redirect.redirectstage
    • authentik_core.applicationentitlement
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Changed property app (string)

      Match events created by selected application. When left empty, all applications are matched.

      Added enum value:

      • authentik.stages.redirect

    • Changed property model (string)

      Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

      Added enum values:

      • authentik_stages_redirect.redirectstage
      • authentik_core.applicationentitlement
GET /policies/event_matcher/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Event Matcher Policy Serializer

      • Changed property app (string)

        Match events created by selected application. When left empty, all applications are matched.

        Added enum value:

        • authentik.stages.redirect

      • Changed property model (string)

        Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

        Added enum values:

        • authentik_stages_redirect.redirectstage
        • authentik_core.applicationentitlement
POST /rbac/permissions/assigned_by_roles/{uuid}/assign/
Request:

Changed content type : application/json

  • Changed property model (string)

    Added enum values:

    • authentik_stages_redirect.redirectstage
    • authentik_core.applicationentitlement
PATCH /rbac/permissions/assigned_by_roles/{uuid}/unassign/
Request:

Changed content type : application/json

  • Changed property model (string)

    Added enum values:

    • authentik_stages_redirect.redirectstage
    • authentik_core.applicationentitlement
POST /rbac/permissions/assigned_by_users/{id}/assign/
Request:

Changed content type : application/json

  • Changed property model (string)

    Added enum values:

    • authentik_stages_redirect.redirectstage
    • authentik_core.applicationentitlement
PATCH /rbac/permissions/assigned_by_users/{id}/unassign/
Request:

Changed content type : application/json

  • Changed property model (string)

    Added enum values:

    • authentik_stages_redirect.redirectstage
    • authentik_core.applicationentitlement
GET /sources/group_connections/kerberos/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > OAuth Group-Source connection Serializer

      New required properties:

      • source_obj

      • Added property source_obj (object)

      • Changed property group (string)

      • Changed property source (object -> string)

      • Changed property identifier (string)

POST /sources/group_connections/oauth/
Request:

New content type : application/json

Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property group (string)

    • Changed property source (object -> string)

    • Changed property identifier (string)

GET /sources/group_connections/oauth/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > OAuth Group-Source connection Serializer

      New required properties:

      • source_obj

      • Added property source_obj (object)

      • Changed property group (string)

      • Changed property source (object -> string)

      • Changed property identifier (string)

POST /sources/group_connections/plex/
Request:

New content type : application/json

Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property group (string)

    • Changed property source (object -> string)

    • Changed property identifier (string)

GET /sources/group_connections/plex/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Plex Group-Source connection Serializer

      New required properties:

      • source_obj

      • Added property source_obj (object)

      • Changed property group (string)

      • Changed property source (object -> string)

      • Changed property identifier (string)

GET /sources/group_connections/saml/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > OAuth Group-Source connection Serializer

      New required properties:

      • source_obj

      • Added property source_obj (object)

      • Changed property group (string)

      • Changed property source (object -> string)

      • Changed property identifier (string)

GET /sources/kerberos/{slug}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property kadmin_type (object)

      KAdmin server type

      Enum values:

      • MIT
      • Heimdal
      • other
PUT /sources/kerberos/{slug}/
Request:

Changed content type : application/json

  • Added property kadmin_type (object)

    KAdmin server type

Return Type:

Changed response : 200 OK

  • Changed content type : application/json
    • Added property kadmin_type (object)

      KAdmin server type

PATCH /sources/kerberos/{slug}/
Request:

Changed content type : application/json

  • Added property kadmin_type (object)

    KAdmin server type

Return Type:

Changed response : 200 OK

  • Changed content type : application/json
    • Added property kadmin_type (object)

      KAdmin server type

GET /sources/user_connections/all/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > User source connection

      New required properties:

      • source_obj

      • Added property source_obj (object)

      • Changed property user (integer)

      • Changed property source (object -> string)

POST /sources/user_connections/kerberos/
Request:

Changed content type : application/json

New required properties:

  • source
  • Added property source (string)
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property source (object -> string)

GET /sources/user_connections/kerberos/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Kerberos Source Serializer

      New required properties:

      • source_obj

      • Added property source_obj (object)

      • Changed property source (object -> string)

POST /sources/user_connections/oauth/
Request:

Changed content type : application/json

New required properties:

  • source
  • user

  • Added property user (integer)

  • Added property source (string)

Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property user (integer)

    • Changed property source (object -> string)

GET /sources/user_connections/oauth/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > OAuth Source Serializer

      New required properties:

      • source_obj

      • Added property source_obj (object)

      • Changed property user (integer)

      • Changed property source (object -> string)

POST /sources/user_connections/plex/
Request:

Changed content type : application/json

New required properties:

  • source
  • user

  • Added property user (integer)

  • Added property source (string)

Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property user (integer)

    • Changed property source (object -> string)

GET /sources/user_connections/plex/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Plex Source connection Serializer

      New required properties:

      • source_obj

      • Added property source_obj (object)

      • Changed property user (integer)

      • Changed property source (object -> string)

POST /sources/user_connections/saml/
Request:

Changed content type : application/json

New required properties:

  • source
  • user

  • Added property user (integer)

  • Added property source (string)

Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    New required properties:

    • source_obj

    • Added property source_obj (object)

    • Changed property user (integer)

    • Changed property source (object -> string)

GET /sources/user_connections/saml/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > SAML Source Serializer

      New required properties:

      • source_obj

      • Added property source_obj (object)

      • Changed property user (integer)

      • Changed property source (object -> string)

GET /stages/invitation/invitations/{invite_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property flow_obj (object)

      Flow Serializer

      • Changed property authentication (string)

        Required level of authentication and authorization to access a flow.

        Added enum value:

        • require_redirect
PUT /stages/invitation/invitations/{invite_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property flow_obj (object)

      Flow Serializer

      • Changed property authentication (string)

        Required level of authentication and authorization to access a flow.

        Added enum value:

        • require_redirect
PATCH /stages/invitation/invitations/{invite_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property flow_obj (object)

      Flow Serializer

      • Changed property authentication (string)

        Required level of authentication and authorization to access a flow.

        Added enum value:

        • require_redirect
POST /flows/instances/
Request:

Changed content type : application/json

  • Changed property authentication (string)

    Required level of authentication and authorization to access a flow.

    Added enum value:

    • require_redirect
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Changed property authentication (string)

      Required level of authentication and authorization to access a flow.

      Added enum value:

      • require_redirect
GET /flows/instances/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Flow Serializer

      • Changed property authentication (string)

        Required level of authentication and authorization to access a flow.

        Added enum value:

        • require_redirect
GET /providers/oauth2/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property jwt_federation_sources (array)

      Items (string):

    • Added property jwt_federation_providers (array)

      Items (integer):

    • Deleted property jwks_sources (array)

PUT /providers/oauth2/{id}/
Request:

Changed content type : application/json

  • Added property jwt_federation_sources (array)

  • Added property jwt_federation_providers (array)

  • Deleted property jwks_sources (array)

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property jwt_federation_sources (array)

    • Added property jwt_federation_providers (array)

    • Deleted property jwks_sources (array)

PATCH /providers/oauth2/{id}/
Request:

Changed content type : application/json

  • Added property jwt_federation_sources (array)

  • Added property jwt_federation_providers (array)

  • Deleted property jwks_sources (array)

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property jwt_federation_sources (array)

    • Added property jwt_federation_providers (array)

    • Deleted property jwks_sources (array)

GET /providers/proxy/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property jwt_federation_sources (array)

    • Added property jwt_federation_providers (array)

    • Deleted property jwks_sources (array)

PUT /providers/proxy/{id}/
Request:

Changed content type : application/json

  • Added property jwt_federation_sources (array)

  • Added property jwt_federation_providers (array)

  • Deleted property jwks_sources (array)

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property jwt_federation_sources (array)

    • Added property jwt_federation_providers (array)

    • Deleted property jwks_sources (array)

PATCH /providers/proxy/{id}/
Request:

Changed content type : application/json

  • Added property jwt_federation_sources (array)

  • Added property jwt_federation_providers (array)

  • Deleted property jwks_sources (array)

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property jwt_federation_sources (array)

    • Added property jwt_federation_providers (array)

    • Deleted property jwks_sources (array)

GET /rbac/permissions/assigned_by_roles/
Parameters:

Changed: model in query

GET /rbac/permissions/assigned_by_users/
Parameters:

Changed: model in query

POST /sources/kerberos/
Request:

Changed content type : application/json

  • Added property kadmin_type (object)

    KAdmin server type

Return Type:

Changed response : 201 Created

  • Changed content type : application/json
    • Added property kadmin_type (object)

      KAdmin server type

GET /sources/kerberos/
Parameters:

Added: kadmin_type in query

KAdmin server type

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Kerberos Source Serializer

      • Added property kadmin_type (object)

        KAdmin server type

POST /stages/invitation/invitations/
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Changed property flow_obj (object)

      Flow Serializer

      • Changed property authentication (string)

        Required level of authentication and authorization to access a flow.

        Added enum value:

        • require_redirect
GET /stages/invitation/invitations/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Invitation Serializer

      • Changed property flow_obj (object)

        Flow Serializer

        • Changed property authentication (string)

          Required level of authentication and authorization to access a flow.

          Added enum value:

          • require_redirect
GET /flows/executor/{flow_slug}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    Updated ak-stage-identification component:

    • Changed property captcha_stage (object -> object)

      Site public key

POST /flows/executor/{flow_slug}/
Request:

Changed content type : application/json

Added 'xak-flow-redirect' component:

  • Property component (string)

  • Property to (string)

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    Updated ak-stage-identification component:

    • Changed property captcha_stage (object -> object)

      Site public key

GET /oauth2/access_tokens/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property provider (object)

      OAuth2Provider Serializer

      • Added property jwt_federation_sources (array)

      • Added property jwt_federation_providers (array)

      • Deleted property jwks_sources (array)

GET /oauth2/authorization_codes/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property provider (object)

      OAuth2Provider Serializer

      • Added property jwt_federation_sources (array)

      • Added property jwt_federation_providers (array)

      • Deleted property jwks_sources (array)

GET /oauth2/refresh_tokens/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property provider (object)

      OAuth2Provider Serializer

      • Added property jwt_federation_sources (array)

      • Added property jwt_federation_providers (array)

      • Deleted property jwks_sources (array)

POST /providers/oauth2/
Request:

Changed content type : application/json

  • Added property jwt_federation_sources (array)

  • Added property jwt_federation_providers (array)

  • Deleted property jwks_sources (array)

Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Added property jwt_federation_sources (array)

    • Added property jwt_federation_providers (array)

    • Deleted property jwks_sources (array)

GET /providers/oauth2/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > OAuth2Provider Serializer

      • Added property jwt_federation_sources (array)

      • Added property jwt_federation_providers (array)

      • Deleted property jwks_sources (array)

POST /providers/proxy/
Request:

Changed content type : application/json

  • Added property jwt_federation_sources (array)

  • Added property jwt_federation_providers (array)

  • Deleted property jwks_sources (array)

Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Added property jwt_federation_sources (array)

    • Added property jwt_federation_providers (array)

    • Deleted property jwks_sources (array)

GET /providers/proxy/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > ProxyProvider Serializer

      • Added property jwt_federation_sources (array)

      • Added property jwt_federation_providers (array)

      • Deleted property jwks_sources (array)

PUT /core/transactional/applications/
Request:

Changed content type : application/json

  • Added property policy_bindings (array)

    Items (object): > PolicyBindingSerializer which does not require target as target is set implicitly

    • Property policy (string)

    • Property group (string)

    • Property user (integer)

    • Property negate (boolean)

      Negates the outcome of the policy. Messages are unaffected.

    • Property enabled (boolean)

    • Property order (integer)

    • Property timeout (integer)

      Timeout after which Policy execution is terminated.

    • Property failure_result (boolean)

      Result if the Policy execution fails.

  • Changed property provider (object)

    Updated authentik_providers_proxy.proxyprovider provider_model:

    • Added property jwt_federation_sources (array)

    • Added property jwt_federation_providers (array)

    • Deleted property jwks_sources (array)

    Updated authentik_providers_oauth2.oauth2provider provider_model:

    • Added property jwt_federation_sources (array)

    • Added property jwt_federation_providers (array)

    • Deleted property jwks_sources (array)

GET /oauth2/access_tokens/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for BaseGrantModel and RefreshToken

      • Changed property provider (object)

        OAuth2Provider Serializer

        • Added property jwt_federation_sources (array)

        • Added property jwt_federation_providers (array)

        • Deleted property jwks_sources (array)

GET /oauth2/authorization_codes/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant

      • Changed property provider (object)

        OAuth2Provider Serializer

        • Added property jwt_federation_sources (array)

        • Added property jwt_federation_providers (array)

        • Deleted property jwks_sources (array)

GET /oauth2/refresh_tokens/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for BaseGrantModel and RefreshToken

      • Changed property provider (object)

        OAuth2Provider Serializer

        • Added property jwt_federation_sources (array)

        • Added property jwt_federation_providers (array)

        • Deleted property jwks_sources (array)