ContextQMD
Back to Authentik

Release 2025.2

website/docs/releases/2025/v2025.2.md

latest55.4 KB
Original Source

Highlights

  • SSF Provider :ak-enterprise :ak-preview Add support for Shared Signals Framework.
  • RAC moved open source Remote access is now available to everyone!
  • GeoIP distance and impossible travel checks Add the ability to check for the distance a user has moved compared to a previous login, and if the user could have travelled the distance.
  • Email OTP Stage Allow users to use their email accounts as a one-time-password during authentication.
  • Fine-grained permission for superuser toggle on groups Setting the Is superuser toggle on a group now requires a separate permission.

Breaking changes

  • Fixed behaviour in Source stage :ak-enterprise

    In previous versions, the Source stage would incorrectly continue with the initial flow after returning from the source, which didn't match the documented behaviour.

    With this release this behaviour has been corrected and the source stage will now correctly run the selected enrollment/authentication flow before returning to the flow from which the source stage was executed.

  • Deprecated and frozen :latest container image tag after 2025.2

    Using the :latest tag with container images is not recommended as it can lead to unintentional updates and potentially broken setups.

    The tag will not be removed, however it will also not be updated past 2025.2.

    We strongly recommended the use of a specific version tag for authentik instances' container images like :2025.2.

New features

  • SSF Provider :ak-enterprise :ak-preview

    Shared Signals Framework allows applications to register a stream with authentik within which they can received events from authentik such as when a session was revoked or a credential was add/changed/deleted and execute actions based on these events.

    Using a SSF provider as a backchannel provider allows admins to integrate authentik with Apple Business School Manager for federated Apple IDs.

  • RAC moved to open source

    Remote access (RDP, VNC and SSH) has moved from enterprise to our free, open source code. We try our best to limit enterprise-specific functionality to features that would be non-essential to homelab users and far more valuable to enterprise use cases. We've had a variety of homelab users reach out with excellent use cases for RAC functionality, so while this will mean giving up some potential revenue, we think that opening up RAC to the community is the right thing to do!

  • GeoIP distance and impossible travel checks

    Add the ability to check for the distance a user has moved compared to a previous login, and add the option to check impossible travel distances based on client IP.

    These options can be used to detect and prevent access from potentially stolen authentik sessions or stolen devices. Refer to our documentation.

  • Email OTP Authenticator Setup Stage

    Admins now have the ability to configure the option for users to use their email address as an authenticator. Users that already have an email address set on their account will be able to use that address to receive one-time-passwords. It is also possible to configure authentik to allow users to add additional email addresses as authenticators.

    See Email Authenticator Setup Stage.

  • Application Wizard is the default way to create applications

    The default way of creating an application now allows admins to configure the application and provider at the same time, and also add any kind of bindings without having to navigate through different sections of the UI. The previous way of creating a standalone application is and will stay available alongside the new and streamlined method.

  • Fine-grained permission for superuser toggle on groups

    Setting the Is superuser toggle on a group now requires a separate permission, making it much easier to allow for delegated management of groups without risking the ability for users to self-elevate permissions. For details, refer to our documentation.

  • Improved debugging experience

    For people developing authentik or building very complex, custom integrations, how to configure debugging in authentik is documented here.

Upgrading

This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our Upgrade documentation.

:::warning When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. :::

Docker Compose

To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:

shell
wget -O docker-compose.yml https://goauthentik.io/version/2025.2/docker-compose.yml
docker compose up -d

The -O flag retains the downloaded file's name, overwriting any existing local file with the same name.

Kubernetes

Upgrade the Helm Chart to the new version, using the following commands:

shell
helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.2

Minor changes/fixes

  • admin: monitor worker version (#12463)
  • api: cleanup owner permissions (#12598)
  • blueprints: add REPL for blueprint YAML tags (#9223)
  • blueprints: fix schema for meta models (#12421)
  • core: add indexes on ExpiringModel (#12658)
  • core: fix application entitlements not creatable with blueprints (#12673)
  • core: fix error when creating new user with default path (#12609)
  • core: fix generic sources not being fetchable by pk (#12896)
  • core: fix permissions for admin device listing (#12787)
  • core: search users' attributes (#12740)
  • core: show last password change date (#12958)
  • enterprise/providers: SSF (#12327)
  • enterprise/providers/SSF: fix a couple of bugs after real world testing (#12987)
  • enterprise/rac: Improve client connection status & bugfixes (#12684)
  • events: make sure password set event has the correct IP (#12585)
  • events: notification_cleanup: avoid unnecessary loop (#12417)
  • flows: clear flow state before redirecting to final URL (#12788)
  • flows: fix history containing other plans (#12655)
  • flows: fix inspector permission check (#12907)
  • flows: more tests (#11587)
  • flows: show policy messages in reevaluate marker (#12855)
  • flows/inspector: add button to open flow inspector (#12656)
  • internal: fix missing trailing slash in outpost websocket (#12470)
  • internal: fix URL generation for websocket connection (#12439)
  • lifecycle: update python to 3.12.8 (#12783)
  • lifecycle/migrate: don't migrate tenants if not enabled (#12850)
  • outposts: fix version label (#12486)
  • providers/oauth2: include scope in token response (#12921)
  • providers/oauth2: support token revocation for public clients (#12704)
  • providers/saml: fix handle Accept: application/xml for SAML Metadata endpoint (#12483) (#12518)
  • providers/saml: fix invalid SAML Response when assertion and response are signed (#12611)
  • providers/saml: provide generic metadata url when possible (#12413)
  • rbac: exclude permissions for internal models (#12803)
  • rbac: permissions endpoint: allow authenticated users (#12608)
  • root: backport version bump (#12426)
  • root: docker: ensure apt packages are up-to-date (#12683)
  • root: expose CONN_MAX_AGE, CONN_HEALTH_CHECKS and DISABLE_SERVER_SIDE_CURSORS for PostgreSQL config (#10159)
  • root: fix dev build version being invalid semver (#12472)
  • root: redis, make sure tlscacert isn't an empty string (#12407)
  • sources: allow uuid or slug to be used for retrieving a source (#12780)
  • sources: allow uuid or slug to be used for retrieving a source (2024.12 fix) (#12772)
  • sources/kerberos: authenticate with the user's username instead of the first username in authentik (#12497)
  • sources/kerberos: handle principal expire time (#12748)
  • sources/oauth: fix authentication only being sent in form body (#12713)
  • sources/scim: fix user creation (duplicate userName) (#12547)
  • stages/authenticator: add user field to devices (#12636)
  • stages/prompt: always show policy messages (#12765)
  • stages/redirect: fix query parameter when redirecting to flow (#12750)
  • web, core: fix grammatical issue in stage bindings (#10799)
  • web: fix build dev build (#12473)
  • web: fix error handling bug in ApplicationWizard.RACProviderForm (#12640)
  • web: Fix issue where Codemirror partially applies OneDark theme. (#12811)
  • web: fix mobile scrolling bug (#12601)
  • web: fix source selection and outpost integration health (#12530)
  • web: fix source selection and outpost integration health (#12530)
  • web: fixes broken docLinks - url missing s (#12789)
  • web: housekeeping, optimizations and small fixes (#12450)
  • web: improve notification and API drawers (#12659)
  • web: misc fixes for admin and flow inspector (#12461)
  • web: only load version context when authenticated (#12482)
  • web: update gen-client-ts to OpenAPI 7.11.0 (#12756)
  • web/admin: fix role changelog missing primary key filter (#12671)
  • web/admin: improve user display view (#12988)
  • web/admin: more cleanup and consistency (#12657)
  • web/admin: Refine navigation (#12441)
  • web/components: ak-number-input: add support for min (#12703)
  • web/flows: fix login / log in inconsistency (#12526)

Fixed in 2025.2.1

  • core: add pre-hydrated relative URL (cherry-pick #13243) (#13246)
  • stages/authenticator_email: Email Authenticator Stage Documentation (cherry-pick #12853) (#13218)
  • stages/authenticator_email: fix session cleanup test b (cherry-pick #13264) (#13276)
  • stages/email: Fix email stage serialization (cherry-pick #13256) (#13273)

Fixed in 2025.2.2

  • *: fix stage incorrectly being inserted instead of appended (cherry-pick #13304) (#13327)
  • enterprise/stages/source: fix dispatch method signature (cherry-pick #13321) (#13326)
  • lib/config: fix conn_max_age parsing (cherry-pick #13370) (#13415)
  • providers/SCIM: fix object exists error for users, attempt to look up user ID in remote system (#13437)
  • providers/proxy: kubernetes outpost: fix reconcile when only annotations changed (cherry-pick #13372) (#13384)
  • providers/rac: fix signals and Endpoint caching (cherry-pick #13529) (#13531)
  • sources/oauth: fix duplicate authentication (cherry-pick #13322) (#13535)
  • sources/oauth: ignore missing well-known keys (cherry-pick #13468) (#13470)
  • stages/authenticator_email: Fix Enroll dropdown in the MFA Devices page (cherry-pick #13404) (#13414)
  • stages/identification: check captcha after checking authentication (cherry-pick #13533) (#13551)
  • web/admin: fix display bug for assigned users in application bindings in the wizard (cherry-pick #13435) (#13452)
  • web/flows: fix missing padding on authenticator_validate card (cherry-pick #13420) (#13519)
  • web/user: ensure modal container on user-settings page is min-height: 100% (cherry-pick #13402) (#13413)
  • web/user: show admin interface button on mobile (cherry-pick #13421) (#13518)

Fixed in 2025.2.3

  • admin: fix system API when using bearer token (cherry-pick #13651) (#13654)
  • core: fix core/user is_superuser filter (cherry-pick #13693) (#13694)
  • core: fix non-exploitable open redirect, reported by @dominic-r (cherry-pick #13696) (#13698)
  • outposts/ldap: fix paginator going into infinite loop (cherry-pick #13677) (#13679)
  • security: fix CVE-2025-29928 (cherry-pick #13695) (#13700)
  • stages/email: Clean newline characters in TemplateEmailMessage (cherry-pick #13666) (#13667)
  • stages/identification: refresh captcha on failure (cherry-pick #13697) (#13699)
  • web/admin: reworked sync status card (cherry-pick #13625) (#13692)

Fixed in 2025.2.4

  • Revert "core: fix non-exploitable open redirect (#13696)" (cherry-pick #13824) (#13826)
  • providers/scim: fix group membership check failing (cherry-pick #13644) (#13825)
  • stages/email: fix for newlines in emails (#13712)

API Changes

What's New

GET /authenticators/admin/email/
POST /authenticators/admin/email/
GET /authenticators/admin/email/{id}/
PUT /authenticators/admin/email/{id}/
DELETE /authenticators/admin/email/{id}/
PATCH /authenticators/admin/email/{id}/
GET /authenticators/email/
GET /authenticators/email/{id}/
PUT /authenticators/email/{id}/
DELETE /authenticators/email/{id}/
PATCH /authenticators/email/{id}/
GET /authenticators/email/{id}/used_by/
GET /providers/ssf/
POST /providers/ssf/
GET /providers/ssf/{id}/
PUT /providers/ssf/{id}/
DELETE /providers/ssf/{id}/
PATCH /providers/ssf/{id}/
GET /providers/ssf/{id}/used_by/
GET /ssf/streams/
GET /ssf/streams/{uuid}/
GET /stages/authenticator/email/
POST /stages/authenticator/email/
GET /stages/authenticator/email/{stage_uuid}/
PUT /stages/authenticator/email/{stage_uuid}/
DELETE /stages/authenticator/email/{stage_uuid}/
PATCH /stages/authenticator/email/{stage_uuid}/
GET /stages/authenticator/email/{stage_uuid}/used_by/

What's Changed

GET /admin/workers/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json
GET /authenticators/admin/duo/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)

      • Property pk (integer)

      • Property username (string)

        Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.

      • Property name (string)

        User's display name.

      • Property is_active (boolean)

        Designates whether this user should be treated as active. Unselect this instead of deleting accounts.

      • Property last_login (string)

      • Property email (string)

      • Property attributes (object)

      • Property uid (string)

PUT /authenticators/admin/duo/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
PATCH /authenticators/admin/duo/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
GET /authenticators/admin/sms/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
PUT /authenticators/admin/sms/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
PATCH /authenticators/admin/sms/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
GET /authenticators/admin/totp/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
PUT /authenticators/admin/totp/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
PATCH /authenticators/admin/totp/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
GET /authenticators/admin/webauthn/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
PUT /authenticators/admin/webauthn/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
PATCH /authenticators/admin/webauthn/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
GET /authenticators/duo/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
PUT /authenticators/duo/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
PATCH /authenticators/duo/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
GET /authenticators/sms/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
PUT /authenticators/sms/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
PATCH /authenticators/sms/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
GET /authenticators/totp/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
PUT /authenticators/totp/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
PATCH /authenticators/totp/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
GET /authenticators/webauthn/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
PUT /authenticators/webauthn/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
PATCH /authenticators/webauthn/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
GET /policies/event_matcher/{policy_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property app (string)

      Match events created by selected application. When left empty, all applications are matched.

      Added enum values:

      • authentik.providers.rac

      • authentik.stages.authenticator_email

      • authentik.enterprise.providers.ssf Removed enum value:

      • authentik.enterprise.providers.rac

    • Changed property model (string)

      Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

      Added enum values:

      • authentik_stages_authenticator_email.authenticatoremailstage
      • authentik_stages_authenticator_email.emaildevice
      • authentik_providers_ssf.ssfprovider
PUT /policies/event_matcher/{policy_uuid}/
Request:

Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Added enum values:

    • authentik.providers.rac

    • authentik.stages.authenticator_email

    • authentik.enterprise.providers.ssf Removed enum value:

    • authentik.enterprise.providers.rac

  • Changed property model (string)

    Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

    Added enum values:

    • authentik_stages_authenticator_email.authenticatoremailstage
    • authentik_stages_authenticator_email.emaildevice
    • authentik_providers_ssf.ssfprovider
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property app (string)

      Match events created by selected application. When left empty, all applications are matched.

      Added enum values:

      • authentik.providers.rac

      • authentik.stages.authenticator_email

      • authentik.enterprise.providers.ssf Removed enum value:

      • authentik.enterprise.providers.rac

    • Changed property model (string)

      Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

      Added enum values:

      • authentik_stages_authenticator_email.authenticatoremailstage
      • authentik_stages_authenticator_email.emaildevice
      • authentik_providers_ssf.ssfprovider
PATCH /policies/event_matcher/{policy_uuid}/
Request:

Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Added enum values:

    • authentik.providers.rac

    • authentik.stages.authenticator_email

    • authentik.enterprise.providers.ssf Removed enum value:

    • authentik.enterprise.providers.rac

  • Changed property model (string)

    Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

    Added enum values:

    • authentik_stages_authenticator_email.authenticatoremailstage
    • authentik_stages_authenticator_email.emaildevice
    • authentik_providers_ssf.ssfprovider
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property app (string)

      Match events created by selected application. When left empty, all applications are matched.

      Added enum values:

      • authentik.providers.rac

      • authentik.stages.authenticator_email

      • authentik.enterprise.providers.ssf Removed enum value:

      • authentik.enterprise.providers.rac

    • Changed property model (string)

      Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

      Added enum values:

      • authentik_stages_authenticator_email.authenticatoremailstage
      • authentik_stages_authenticator_email.emaildevice
      • authentik_providers_ssf.ssfprovider
GET /providers/saml/{id}/metadata/
Return Type:

Changed response : 200 OK

  • New content type : application/xml
POST /authenticators/admin/duo/
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
GET /authenticators/admin/duo/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for Duo authenticator devices

      New required properties:

      • user
      • Added property user (object)
POST /authenticators/admin/sms/
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
GET /authenticators/admin/sms/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for sms authenticator devices

      New required properties:

      • user
      • Added property user (object)
GET /authenticators/admin/static/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
PUT /authenticators/admin/static/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
PATCH /authenticators/admin/static/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
POST /authenticators/admin/totp/
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
GET /authenticators/admin/totp/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for totp authenticator devices

      New required properties:

      • user
      • Added property user (object)
POST /authenticators/admin/webauthn/
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
GET /authenticators/admin/webauthn/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for WebAuthn authenticator devices

      New required properties:

      • user
      • Added property user (object)
GET /authenticators/duo/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for Duo authenticator devices

      New required properties:

      • user
      • Added property user (object)
GET /authenticators/sms/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for sms authenticator devices

      New required properties:

      • user
      • Added property user (object)
GET /authenticators/static/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
PUT /authenticators/static/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
PATCH /authenticators/static/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
GET /authenticators/totp/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for totp authenticator devices

      New required properties:

      • user
      • Added property user (object)
GET /authenticators/webauthn/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for WebAuthn authenticator devices

      New required properties:

      • user
      • Added property user (object)
GET /core/tokens/{identifier}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      New required properties:

      • password_change_date
      • Added property password_change_date (string)
PUT /core/tokens/{identifier}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      New required properties:

      • password_change_date
      • Added property password_change_date (string)
PATCH /core/tokens/{identifier}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      New required properties:

      • password_change_date
      • Added property password_change_date (string)
GET /core/users/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • password_change_date
    • Added property password_change_date (string)
PUT /core/users/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • password_change_date
    • Added property password_change_date (string)
PATCH /core/users/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    New required properties:

    • password_change_date
    • Added property password_change_date (string)
GET /policies/bindings/{policy_binding_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      New required properties:

      • password_change_date
      • Added property password_change_date (string)
PUT /policies/bindings/{policy_binding_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      New required properties:

      • password_change_date
      • Added property password_change_date (string)
PATCH /policies/bindings/{policy_binding_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      New required properties:

      • password_change_date
      • Added property password_change_date (string)
POST /policies/event_matcher/
Request:

Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Added enum values:

    • authentik.providers.rac

    • authentik.stages.authenticator_email

    • authentik.enterprise.providers.ssf Removed enum value:

    • authentik.enterprise.providers.rac

  • Changed property model (string)

    Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

    Added enum values:

    • authentik_stages_authenticator_email.authenticatoremailstage
    • authentik_stages_authenticator_email.emaildevice
    • authentik_providers_ssf.ssfprovider
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Changed property app (string)

      Match events created by selected application. When left empty, all applications are matched.

      Added enum values:

      • authentik.providers.rac

      • authentik.stages.authenticator_email

      • authentik.enterprise.providers.ssf Removed enum value:

      • authentik.enterprise.providers.rac

    • Changed property model (string)

      Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

      Added enum values:

      • authentik_stages_authenticator_email.authenticatoremailstage
      • authentik_stages_authenticator_email.emaildevice
      • authentik_providers_ssf.ssfprovider
GET /policies/event_matcher/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Event Matcher Policy Serializer

      • Changed property app (string)

        Match events created by selected application. When left empty, all applications are matched.

        Added enum values:

        • authentik.providers.rac

        • authentik.stages.authenticator_email

        • authentik.enterprise.providers.ssf Removed enum value:

        • authentik.enterprise.providers.rac

      • Changed property model (string)

        Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

        Added enum values:

        • authentik_stages_authenticator_email.authenticatoremailstage
        • authentik_stages_authenticator_email.emaildevice
        • authentik_providers_ssf.ssfprovider
GET /policies/geoip/{policy_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property check_history_distance (boolean)

    • Added property history_max_distance_km (integer)

    • Added property distance_tolerance_km (integer)

    • Added property history_login_count (integer)

    • Added property check_impossible_travel (boolean)

    • Added property impossible_tolerance_km (integer)

PUT /policies/geoip/{policy_uuid}/
Request:

Changed content type : application/json

  • Added property check_history_distance (boolean)

  • Added property history_max_distance_km (integer)

  • Added property distance_tolerance_km (integer)

  • Added property history_login_count (integer)

  • Added property check_impossible_travel (boolean)

  • Added property impossible_tolerance_km (integer)

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property check_history_distance (boolean)

    • Added property history_max_distance_km (integer)

    • Added property distance_tolerance_km (integer)

    • Added property history_login_count (integer)

    • Added property check_impossible_travel (boolean)

    • Added property impossible_tolerance_km (integer)

PATCH /policies/geoip/{policy_uuid}/
Request:

Changed content type : application/json

  • Added property check_history_distance (boolean)

  • Added property history_max_distance_km (integer)

  • Added property distance_tolerance_km (integer)

  • Added property history_login_count (integer)

  • Added property check_impossible_travel (boolean)

  • Added property impossible_tolerance_km (integer)

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property check_history_distance (boolean)

    • Added property history_max_distance_km (integer)

    • Added property distance_tolerance_km (integer)

    • Added property history_login_count (integer)

    • Added property check_impossible_travel (boolean)

    • Added property impossible_tolerance_km (integer)

POST /rbac/permissions/assigned_by_roles/{uuid}/assign/
Request:

Changed content type : application/json

  • Changed property model (string)

    Added enum values:

    • authentik_stages_authenticator_email.authenticatoremailstage
    • authentik_stages_authenticator_email.emaildevice
    • authentik_providers_ssf.ssfprovider
PATCH /rbac/permissions/assigned_by_roles/{uuid}/unassign/
Request:

Changed content type : application/json

  • Changed property model (string)

    Added enum values:

    • authentik_stages_authenticator_email.authenticatoremailstage
    • authentik_stages_authenticator_email.emaildevice
    • authentik_providers_ssf.ssfprovider
POST /rbac/permissions/assigned_by_users/{id}/assign/
Request:

Changed content type : application/json

  • Changed property model (string)

    Added enum values:

    • authentik_stages_authenticator_email.authenticatoremailstage
    • authentik_stages_authenticator_email.emaildevice
    • authentik_providers_ssf.ssfprovider
PATCH /rbac/permissions/assigned_by_users/{id}/unassign/
Request:

Changed content type : application/json

  • Changed property model (string)

    Added enum values:

    • authentik_stages_authenticator_email.authenticatoremailstage
    • authentik_stages_authenticator_email.emaildevice
    • authentik_providers_ssf.ssfprovider
GET /sources/scim/{slug}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property token_obj (object)

      Token Serializer

      • Changed property user_obj (object)

        User Serializer

        New required properties:

        • password_change_date
        • Added property password_change_date (string)
PUT /sources/scim/{slug}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property token_obj (object)

      Token Serializer

      • Changed property user_obj (object)

        User Serializer

        New required properties:

        • password_change_date
        • Added property password_change_date (string)
PATCH /sources/scim/{slug}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property token_obj (object)

      Token Serializer

      • Changed property user_obj (object)

        User Serializer

        New required properties:

        • password_change_date
        • Added property password_change_date (string)
POST /authenticators/admin/static/
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    New required properties:

    • user
    • Added property user (object)
GET /authenticators/admin/static/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for static authenticator devices

      New required properties:

      • user
      • Added property user (object)
GET /authenticators/static/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for static authenticator devices

      New required properties:

      • user
      • Added property user (object)
POST /core/tokens/
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      New required properties:

      • password_change_date
      • Added property password_change_date (string)
GET /core/tokens/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Token Serializer

      • Changed property user_obj (object)

        User Serializer

        New required properties:

        • password_change_date
        • Added property password_change_date (string)
GET /core/user_consent/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user (object)

      User Serializer

      New required properties:

      • password_change_date
      • Added property password_change_date (string)
POST /core/users/
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    New required properties:

    • password_change_date
    • Added property password_change_date (string)
GET /core/users/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > User Serializer

      New required properties:

      • password_change_date
      • Added property password_change_date (string)
GET /flows/bindings/{fsb_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json
    • Changed property re_evaluate_policies (boolean)

      Evaluate policies when the Stage is presented to the user.

PUT /flows/bindings/{fsb_uuid}/
Request:

Changed content type : application/json

  • Changed property re_evaluate_policies (boolean)

    Evaluate policies when the Stage is presented to the user.

Return Type:

Changed response : 200 OK

  • Changed content type : application/json
    • Changed property re_evaluate_policies (boolean)

      Evaluate policies when the Stage is presented to the user.

PATCH /flows/bindings/{fsb_uuid}/
Request:

Changed content type : application/json

  • Changed property re_evaluate_policies (boolean)

    Evaluate policies when the Stage is presented to the user.

Return Type:

Changed response : 200 OK

  • Changed content type : application/json
    • Changed property re_evaluate_policies (boolean)

      Evaluate policies when the Stage is presented to the user.

POST /policies/bindings/
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Changed property user_obj (object)

      User Serializer

      New required properties:

      • password_change_date
      • Added property password_change_date (string)
GET /policies/bindings/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > PolicyBinding Serializer

      • Changed property user_obj (object)

        User Serializer

        New required properties:

        • password_change_date
        • Added property password_change_date (string)
POST /policies/geoip/
Request:

Changed content type : application/json

  • Added property check_history_distance (boolean)

  • Added property history_max_distance_km (integer)

  • Added property distance_tolerance_km (integer)

  • Added property history_login_count (integer)

  • Added property check_impossible_travel (boolean)

  • Added property impossible_tolerance_km (integer)

Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Added property check_history_distance (boolean)

    • Added property history_max_distance_km (integer)

    • Added property distance_tolerance_km (integer)

    • Added property history_login_count (integer)

    • Added property check_impossible_travel (boolean)

    • Added property impossible_tolerance_km (integer)

GET /policies/geoip/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > GeoIP Policy Serializer

      • Added property check_history_distance (boolean)

      • Added property history_max_distance_km (integer)

      • Added property distance_tolerance_km (integer)

      • Added property history_login_count (integer)

      • Added property check_impossible_travel (boolean)

      • Added property impossible_tolerance_km (integer)

GET /rbac/permissions/assigned_by_roles/
Parameters:

Changed: model in query

GET /rbac/permissions/assigned_by_users/
Parameters:

Changed: model in query

GET /sources/all/
Parameters:

Added: pbm_uuid in query

GET /sources/kerberos/
Parameters:

Added: pbm_uuid in query

GET /sources/ldap/
Parameters:

Added: pbm_uuid in query

GET /sources/oauth/
Parameters:

Added: pbm_uuid in query

GET /sources/plex/
Parameters:

Added: pbm_uuid in query

GET /sources/saml/
Parameters:

Added: pbm_uuid in query

POST /sources/scim/
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Changed property token_obj (object)

      Token Serializer

      • Changed property user_obj (object)

        User Serializer

        New required properties:

        • password_change_date
        • Added property password_change_date (string)
GET /sources/scim/
Parameters:

Added: pbm_uuid in query

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > SCIMSource Serializer

      • Changed property token_obj (object)

        Token Serializer

        • Changed property user_obj (object)

          User Serializer

          New required properties:

          • password_change_date
          • Added property password_change_date (string)
GET /stages/authenticator/validate/{stage_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property device_classes (array)

      Device classes which can be used to authenticate

      Changed items (string):

      Added enum value:

      • email
PUT /stages/authenticator/validate/{stage_uuid}/
Request:

Changed content type : application/json

  • Changed property device_classes (array)

    Device classes which can be used to authenticate

    Changed items (string):

    Added enum value:

    • email
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property device_classes (array)

      Device classes which can be used to authenticate

      Changed items (string):

      Added enum value:

      • email
PATCH /stages/authenticator/validate/{stage_uuid}/
Request:

Changed content type : application/json

  • Changed property device_classes (array)

    Device classes which can be used to authenticate

    Changed items (string):

    Added enum value:

    • email
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property device_classes (array)

      Device classes which can be used to authenticate

      Changed items (string):

      Added enum value:

      • email
GET /core/user_consent/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > UserConsent Serializer

      • Changed property user (object)

        User Serializer

        New required properties:

        • password_change_date
        • Added property password_change_date (string)
POST /flows/bindings/
Request:

Changed content type : application/json

  • Changed property re_evaluate_policies (boolean)

    Evaluate policies when the Stage is presented to the user.

Return Type:

Changed response : 201 Created

  • Changed content type : application/json
    • Changed property re_evaluate_policies (boolean)

      Evaluate policies when the Stage is presented to the user.

GET /flows/bindings/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > FlowStageBinding Serializer

      • Changed property re_evaluate_policies (boolean)

        Evaluate policies when the Stage is presented to the user.

GET /flows/executor/{flow_slug}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    Added 'ak-stage-authenticator-email' component:

    • Property flow_info (object)

      Contextual flow information for a challenge

      • Property title (string)

      • Property background (string)

      • Property cancel_url (string)

      • Property layout (string)

        Enum values:

        • stacked
        • content_left
        • content_right
        • sidebar_left
        • sidebar_right

    • Property component (string)

    • Property response_errors (object)

    • Property pending_user (string)

    • Property pending_user_avatar (string)

    • Property email (string)

    • Property email_required (boolean)

POST /flows/executor/{flow_slug}/
Request:

Changed content type : application/json

Added 'ak-stage-authenticator-email' component:

  • Property component (string)

  • Property code (integer)

  • Property email (string)

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    Added 'ak-stage-authenticator-email' component:

GET /flows/inspector/{flow_slug}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property plans (array)

      Changed items (object): > Serializer for an active FlowPlan

      • Changed property next_planned_stage (object)

        FlowStageBinding Serializer

        • Changed property re_evaluate_policies (boolean)

          Evaluate policies when the Stage is presented to the user.

      • Changed property current_stage (object)

        FlowStageBinding Serializer

        • Changed property re_evaluate_policies (boolean)

          Evaluate policies when the Stage is presented to the user.

GET /oauth2/access_tokens/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user (object)

      User Serializer

      New required properties:

      • password_change_date
      • Added property password_change_date (string)
GET /oauth2/authorization_codes/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user (object)

      User Serializer

      New required properties:

      • password_change_date
      • Added property password_change_date (string)
GET /oauth2/refresh_tokens/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property user (object)

      User Serializer

      New required properties:

      • password_change_date
      • Added property password_change_date (string)
POST /stages/authenticator/validate/
Request:

Changed content type : application/json

  • Changed property device_classes (array)

    Device classes which can be used to authenticate

    Changed items (string):

    Added enum value:

    • email
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Changed property device_classes (array)

      Device classes which can be used to authenticate

      Changed items (string):

      Added enum value:

      • email
GET /stages/authenticator/validate/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > AuthenticatorValidateStage Serializer

      • Changed property device_classes (array)

        Device classes which can be used to authenticate

        Changed items (string):

        Added enum value:

        • email
PUT /core/transactional/applications/
Request:

Changed content type : application/json

  • Changed property provider_model (string)

    Added enum value:

    • authentik_providers_ssf.ssfprovider

  • Changed property provider (object)

    Added 'authentik_providers_ssf.ssfprovider' provider_model:

    • Property name (string)

    • Property signing_key (string)

      Key used to sign the SSF Events.

    • Property oidc_auth_providers (array)

      Items (integer):

    • Property event_retention (string)

GET /oauth2/access_tokens/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for BaseGrantModel and RefreshToken

      • Changed property user (object)

        User Serializer

        New required properties:

        • password_change_date
        • Added property password_change_date (string)
GET /oauth2/authorization_codes/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant

      • Changed property user (object)

        User Serializer

        New required properties:

        • password_change_date
        • Added property password_change_date (string)
GET /oauth2/refresh_tokens/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Serializer for BaseGrantModel and RefreshToken

      • Changed property user (object)

        User Serializer

        New required properties:

        • password_change_date
        • Added property password_change_date (string)