Release 2022.11
Breaking changes
Have I Been Pwned policy is deprecated
The policy has been merged with the password policy which provides the same functionality. Existing Have I Been Pwned policies will automatically be migrated.
Instead of using multiple redis databases, authentik now uses a single redis database
This will temporarily loose some cached information after the upgrade, like cached system tasks and policy results. This data will be re-cached in the background.
New features
authentik now runs on Python 3.11
Expanded password policy
The "Have I been Pwned" policy has been merged into the password policy, and additionally passwords can be checked using zxcvbn to provider concise feedback.
Upgrading
This release does not introduce any new requirements.
docker-compose
Download the docker-compose file for 2022.11 from here. Afterwards, simply run docker-compose up -d
.
Kubernetes
Update your values to use the new images:
image:
repository: ghcr.io/goauthentik/server
tag: 2022.11.1
Minor changes/fixes
- api: fix missing scheme in securitySchemes
- blueprints: Fixed bug causing blueprint instance context be discarded (#3990)
- core: fix error when propertymappings return complex value
- core: simplify group serializer for user API endpoint (#3899)
- events: deepcopy event kwargs to prevent objects being removed, remove workaround
- events: sanitize generator for json safety
- lib: fix complex objects being included in event context for ak_create_event
- lifecycle: fix incorrect messages looped
- outposts/kubernetes: ingress class (#4002)
- policies: only cache policies for authenticated users
- policies/password: merge hibp add zxcvbn (#4001)
- providers/oauth2: fix inconsistent expiry encoded in JWT
- root: make sentry DSN configurable (#4016)
- root: relicense and launch blog post
- root: use single redis db (#4009)
- sources: add custom icon support (#4022)
- stages/authenticator_*: cleanup
- stages/authenticator_validate: add flag to configure user_verification for webauthn devices
- stages/invitation: directly delete invitation now that flow plan is saved in email token
- web: fix twitter icon
- web/flows: always hide static user info when its not set in the flow
Fixed in 2022.11.1
- blueprints: add desired state attribute to objects (#4061)
- core: fix tab-complete in shell
- root: fix build on arm64
- stages/email: add test for email translation
- web/admin: fix error when importing duo devices
- web/admin: reset cookie_domain when setting non-domain forward auth
Fixed in 2022.11.2
- *: fix CVE-2022-46145, Reported by @sdimovv
Fixed in 2022.11.3
- web: fix Flow Form failing to load due to outdated API client
Fixed in 2022.11.4
- *: fix CVE-2022-46172, Reported by @DreamingRaven
- *: fix CVE-2022-23555, Reported by @fuomag9
API Changes
What's Changed
GET
/policies/password/{policy_uuid}/
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Added property
check_static_rules
(boolean)Added property
check_have_i_been_pwned
(boolean)Added property
check_zxcvbn
(boolean)Added property
hibp_allowed_count
(integer)How many times the password hash is allowed to be on haveibeenpwned
Added property
zxcvbn_score_threshold
(integer)If the zxcvbn score is equal or less than this value, the policy will fail.
PUT
/policies/password/{policy_uuid}/
Request:
Changed content type : application/json
Added property
check_static_rules
(boolean)Added property
check_have_i_been_pwned
(boolean)Added property
check_zxcvbn
(boolean)Added property
hibp_allowed_count
(integer)How many times the password hash is allowed to be on haveibeenpwned
Added property
zxcvbn_score_threshold
(integer)If the zxcvbn score is equal or less than this value, the policy will fail.
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Added property
check_static_rules
(boolean)Added property
check_have_i_been_pwned
(boolean)Added property
check_zxcvbn
(boolean)Added property
hibp_allowed_count
(integer)How many times the password hash is allowed to be on haveibeenpwned
Added property
zxcvbn_score_threshold
(integer)If the zxcvbn score is equal or less than this value, the policy will fail.
PATCH
/policies/password/{policy_uuid}/
Request:
Changed content type : application/json
Added property
check_static_rules
(boolean)Added property
check_have_i_been_pwned
(boolean)Added property
check_zxcvbn
(boolean)Added property
hibp_allowed_count
(integer)How many times the password hash is allowed to be on haveibeenpwned
Added property
zxcvbn_score_threshold
(integer)If the zxcvbn score is equal or less than this value, the policy will fail.
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Added property
check_static_rules
(boolean)Added property
check_have_i_been_pwned
(boolean)Added property
check_zxcvbn
(boolean)Added property
hibp_allowed_count
(integer)How many times the password hash is allowed to be on haveibeenpwned
Added property
zxcvbn_score_threshold
(integer)If the zxcvbn score is equal or less than this value, the policy will fail.
GET
/core/tokens/{identifier}/
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Changed property
user_obj
(object)User Serializer
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
PUT
/core/tokens/{identifier}/
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Changed property
user_obj
(object)User Serializer
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
PATCH
/core/tokens/{identifier}/
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Changed property
user_obj
(object)User Serializer
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
GET
/core/users/{id}/
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
PUT
/core/users/{id}/
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
PATCH
/core/users/{id}/
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
GET
/policies/bindings/{policy_binding_uuid}/
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Changed property
user_obj
(object)User Serializer
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
PUT
/policies/bindings/{policy_binding_uuid}/
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Changed property
user_obj
(object)User Serializer
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
PATCH
/policies/bindings/{policy_binding_uuid}/
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Changed property
user_obj
(object)User Serializer
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
POST
/policies/password/
Request:
Changed content type : application/json
Added property
check_static_rules
(boolean)Added property
check_have_i_been_pwned
(boolean)Added property
check_zxcvbn
(boolean)Added property
hibp_allowed_count
(integer)How many times the password hash is allowed to be on haveibeenpwned
Added property
zxcvbn_score_threshold
(integer)If the zxcvbn score is equal or less than this value, the policy will fail.
Return Type:
Changed response : 201 Created
Changed content type :
application/json
Added property
check_static_rules
(boolean)Added property
check_have_i_been_pwned
(boolean)Added property
check_zxcvbn
(boolean)Added property
hibp_allowed_count
(integer)How many times the password hash is allowed to be on haveibeenpwned
Added property
zxcvbn_score_threshold
(integer)If the zxcvbn score is equal or less than this value, the policy will fail.
GET
/policies/password/
Parameters:
Added: check_have_i_been_pwned
in query
Added: check_static_rules
in query
Added: check_zxcvbn
in query
Added: hibp_allowed_count
in query
Added: zxcvbn_score_threshold
in query
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Changed property
results
(array)Changed items (object): > Password Policy Serializer
Added property
check_static_rules
(boolean)Added property
check_have_i_been_pwned
(boolean)Added property
check_zxcvbn
(boolean)Added property
hibp_allowed_count
(integer)How many times the password hash is allowed to be on haveibeenpwned
Added property
zxcvbn_score_threshold
(integer)If the zxcvbn score is equal or less than this value, the policy will fail.
POST
/core/tokens/
Return Type:
Changed response : 201 Created
Changed content type :
application/json
Changed property
user_obj
(object)User Serializer
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
GET
/core/tokens/
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Changed property
results
(array)Changed items (object): > Token Serializer
Changed property
user_obj
(object)User Serializer
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
GET
/core/user_consent/{id}/
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Changed property
user
(object)User Serializer
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
POST
/core/users/
Return Type:
Changed response : 201 Created
Changed content type :
application/json
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
GET
/core/users/
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Changed property
results
(array)Changed items (object): > User Serializer
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
GET
/oauth2/authorization_codes/{id}/
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Changed property
user
(object)User Serializer
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
GET
/oauth2/refresh_tokens/{id}/
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Changed property
user
(object)User Serializer
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
POST
/policies/bindings/
Return Type:
Changed response : 201 Created
Changed content type :
application/json
Changed property
user_obj
(object)User Serializer
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
GET
/policies/bindings/
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Changed property
results
(array)Changed items (object): > PolicyBinding Serializer
Changed property
user_obj
(object)User Serializer
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
GET
/core/user_consent/
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Changed property
results
(array)Changed items (object): > UserConsent Serializer
Changed property
user
(object)User Serializer
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
GET
/oauth2/authorization_codes/
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Changed property
results
(array)Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant
Changed property
user
(object)User Serializer
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)
GET
/oauth2/refresh_tokens/
Return Type:
Changed response : 200 OK
Changed content type :
application/json
Changed property
results
(array)Changed items (object): > Serializer for BaseGrantModel and RefreshToken
Changed property
user
(object)User Serializer
Changed property
groups_obj
(array)Changed items (object): > Simplified Group Serializer for user's groups
New optional properties:
users_obj
Deleted property
users
(array)Deleted property
users_obj
(array)