website/docs: use a more consistent version requirement notice (#11400)

* website/docs: use a more consistent version requirement notice

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* adjust colours

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix some anchors

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens L.
2024-09-23 17:42:17 +02:00
committed by GitHub
parent ab4a125613
commit 27380e9903
27 changed files with 68 additions and 240 deletions

View File

@ -29,11 +29,7 @@ user = list_flatten(["foo"])
# user = "foo"
```
### `ak_call_policy(name: str, **kwargs) -> PolicyResult`
:::info
Requires authentik 2021.12
:::
### `ak_call_policy(name: str, **kwargs) -> PolicyResult` <span class="badge badge--version">authentik 2021.12+</span>
Call another policy with the name _name_. Current request is passed to policy. Key-word arguments
can be used to modify the request's context.
@ -74,11 +70,7 @@ Example:
other_user = ak_user_by(username="other_user")
```
### `ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool` (2021.9+)
:::info
Only available in property mappings with authentik 2022.9 and newer
:::
### `ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool` <span class="badge badge--version">authentik 2022.9+</span>
Check if a user has any authenticator devices. Only fully validated devices are counted.
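Review bot: The badge added to the `ak_user_has_authenticator` heading drops the scoping that the removed lines carried. The old heading said `(2021.9+)` and the admonition limited 2022.9 to property mappings, so a bare `authentik 2022.9+` badge now reads as the minimum version for every use of the function. Policies use this helper to check for authenticator devices, so keep a sentence under the heading stating that 2022.9 applies to property mappings only, or confirm that the 2021.9 figure was wrong and say so in the commit message.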
@ -95,11 +87,7 @@ Example:
return ak_user_has_authenticator(request.user)
```
### `ak_create_event(action: str, **kwargs) -> None`
:::info
Requires authentik 2022.9
:::
### `ak_create_event(action: str, **kwargs) -> None` <span class="badge badge--version">authentik 2022.9+</span>
Create a new event with the action set to `action`. Any additional key-word parameters will be saved in the event context. Additionally, `context` will be set to the context in which this function is called.
@ -124,11 +112,7 @@ ip_address('192.0.2.1') in ip_network('192.0.2.0/24')
# evaluates to True
```
## DNS resolution and reverse DNS lookups
:::note
Requires authentik 2023.3 or higher
:::
## DNS resolution and reverse DNS lookups <span class="badge badge--version">authentik 2023.3+</span>
To resolve a hostname to a list of IP addresses, use the functions `resolve_dns(hostname)` and `resolve_dns(hostname, ip_version)`.

View File

@ -60,7 +60,7 @@ When an unauthenticated user attempts to access a secured resource, they are red
When a user authenticates/enrolls via an external source, this will be set to the source they are using.
#### `outpost` (dictionary) <span class="badge badge--info">authentik 2024.10+</span>
#### `outpost` (dictionary) <span class="badge badge--version">authentik 2024.10+</span>
When a flow is executed by an Outpost (for example the [LDAP](../../providers/ldap/index.md) or [RADIUS](../../providers/radius/index.mdx)), this will be set to a dictionary containing the Outpost instance under the key `"instance"`.
@ -92,11 +92,7 @@ URL that the form will be submitted to.
Key-value pairs of the data that is included in the form and will be submitted to `url`.
#### Captcha stage
:::info
Requires authentik 2024.6
:::
#### Captcha stage <span class="badge badge--version">authentik 2024.6+</span>
##### `captcha` (dictionary)
@ -116,11 +112,7 @@ An optional list of all permissions that will be given to the application by gra
#### Deny stage
##### `deny_message` (string)
:::info
Requires authentik 2023.10
:::
##### `deny_message` (string) <span class="badge badge--version">authentik 2023.10+</span>
Optionally overwrite the deny message shown, has a higher priority than the message configured in the stage.
@ -136,11 +128,7 @@ If set, this must be a list of group objects and not group names.
Path the `pending_user` will be written to. If not set in the flow, falls back to the value set in the user_write stage, and otherwise to the `users` path.
##### `user_type` (string)
:::info
Requires authentik 2023.10
:::
##### `user_type` (string) <span class="badge badge--version">authentik 2023.10+</span>
Type the `pending_user` will be created as. Must be one of `internal`, `external` or `service_account`.

View File

@ -2,11 +2,7 @@
title: Example policy snippets for flows
---
### Redirect current flow to another URL
:::info
Requires authentik 2022.7
:::
### Redirect current flow to another URL <span class="badge badge--version">authentik 2022.7+</span>
```python
plan = request.context.get("flow_plan")

View File

@ -2,7 +2,7 @@
title: Simplified flow executor
---
<span class="badge badge--info">authentik 2024.6.1+</span>
<span class="badge badge--version">authentik 2024.6.1+</span>
A simplified web-based flow executor that authentik automatically uses for older browsers that do not support modern web technologies.

View File

@ -2,9 +2,9 @@
title: User settings
---
:::info
Requires authentik 2022.3
:::
<span class="badge badge--version">authentik 2023.3+</span>
---
The user interface (/if/user/) uses a specialized flow executor to allow individual users to customize their profile. A user's profile consists of key/value fields, so this executor only supports Prompt or User Write stages. If the configured flow contains another stage, a button will be shown to open the default executor.
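Review bot: The version itself changes in this hunk, not only its presentation: the removed admonition says `Requires authentik 2022.3` and the new badge says `authentik 2023.3+`. The commit is described as a consistency change, so this looks like a typo; restore 2022.3 or give the reason for the change. Also check that the `---` line following the badge is separated from it by a blank line, otherwise Markdown can treat the badge line as a setext heading.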

View File

@ -10,25 +10,17 @@ Copy all of the integration key, secret key and API hostname, and paste them in
Devices created reference the stage they were created with, since the API credentials are needed to authenticate. This also means when the stage is deleted, all devices are removed.
## Importing users
## Importing users <span class="badge badge--version">authentik 2022.9+</span>
:::info
Due to the way the Duo API works, authentik can only automatically import existing Duo users when a Duo MFA or higher license is active.
:::
:::info
This requires authentik 2022.9
:::
To import a device, open the Stages list in the authentik Admin interface. On the right next to the import button you'll see an import button, with which you can import Duo devices to authentik users.
The Duo username can be found by navigating to your Duo Admin dashboard and selecting _Users_ in the sidebar. Optionally if you have multiple users with the same username, you can click on a User and copy their ID from the URL, and use that to import the device.
### Older versions
:::info
This API requires authentik 2021.9.1 or later
:::
### Older versions <span class="badge badge--version">authentik 2021.9.1+</span>
You can call the `/api/v3/stages/authenticator/duo/{stage_uuid}/import_devices/` endpoint ([see here](https://goauthentik.io/api/#post-/stages/authenticator/duo/-stage_uuid-/import_devices/)) using the following parameters:
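Review bot: The badge on `## Importing users` (2022.9+) now covers the whole section, but the `### Older versions` subsection inside it carries 2021.9.1+, so the section-level requirement contradicts its own child. The removed `This requires authentik 2022.9` note sat directly above the Admin interface instructions and read as applying to the import button only. Consider placing the 2022.9+ badge on a dedicated subheading for the Admin interface import, or keeping it as a sentence, so it stays clear that the API endpoint is available from 2021.9.1.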

View File

@ -46,11 +46,7 @@ return {
}
```
## Verify only
:::info
Requires authentik 2022.6
:::
## Verify only <span class="badge badge--version">authentik 2022.6+</span>
To only verify the validity of a users' phone number, without saving it in an easily accessible way, you can enable this option. Phone numbers from devices enrolled through this stage will only have their hashed phone number saved. These devices can also not be used with the [Authenticator validation](../authenticator_validate/) stage.

View File

@ -23,19 +23,11 @@ Keep in mind that when using Code-based devices (TOTP, Static and SMS), values l
### Options
#### Less-frequent validation
:::info
Requires authentik 2022.5.1
:::
#### Less-frequent validation <span class="badge badge--version">authentik 2022.5.1+</span>
You can configure this stage to only ask for MFA validation if the user hasn't authenticated themselves within a defined time period. To configure this, set _Last validation threshold_ to any non-zero value. Any of the users devices within the selected classes are checked.
#### Passwordless authentication
:::info
Requires authentik 2021.12.4
:::
#### Passwordless authentication <span class="badge badge--version">authentik 2021.12.4+</span>
:::caution
Firefox has some known issues regarding TouchID (see https://bugzilla.mozilla.org/show_bug.cgi?id=1536482)
@ -76,11 +68,7 @@ Logins which used Passwordless authentication have the _auth_method_ context var
}
```
#### WebAuthn Device type restrictions
:::info
Requires authentik 2024.4
:::
#### WebAuthn Device type restrictions <span class="badge badge--version">authentik 2024.4+</span>
Optionally restrict which WebAuthn device types can be used to authenticate.

View File

@ -18,11 +18,7 @@ Configure if the created authenticator is stored in the encrypted memory on the
Configure if authentik will require either a removable device (like a YubiKey, Google Titan, etc) or a non-removable device (like Windows Hello, TouchID or password managers), or not send a requirement.
#### Device type restrictions
:::info
Requires authentik 2024.4
:::
#### Device type restrictions <span class="badge badge--version">authentik 2024.4+</span>
Optionally restrict the types of devices allowed to be enrolled. This option can be used to ensure users are only able to enroll FIPS-compliant devices for example.

View File

@ -22,11 +22,7 @@ To prompt users for their password on the same step as identifying themselves, a
These fields specify if and which flows are linked on the form. The enrollment flow is linked as `Need an account? Sign up.`, and the recovery flow is linked as `Forgot username or password?`.
## Pretend user exists
:::info
Requires authentik 2024.2
:::
## Pretend user exists <span class="badge badge--version">authentik 2024.2+</span>
When enabled, any user identifier will be accepted as valid (as long as they match the correct format, i.e. when [User fields](#user-fields) is set to only allow Emails, then the identifier still needs to be an Email). The stage will succeed and the flow will continue to the next stage. Stages like the [Password stage](../password/index.md) and [Email stage](../email/index.mdx) are aware of this "pretend" user and will behave the same as if the user would exist.
@ -46,7 +42,7 @@ Starting with authentik 2023.5, when no user fields are selected and only one so
### Passwordless flow
See [Passwordless authentication](../authenticator_validate/index.md#passwordless-authentication).
See [Passwordless authentication](../authenticator_validate/index.md#passwordless-authentication-authentik-2021124).
### Enrollment flow
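Review bot: The new link target `#passwordless-authentication-authentik-2021124` shows that the badge text is now part of the generated heading slug, so every cross-reference breaks again whenever a version badge is edited or removed. Give badged headings an explicit ID (Docusaurus accepts `{#passwordless-authentication}` at the end of the heading line) so that existing links, including external bookmarks to the passwordless setup instructions, keep resolving and the link on this line does not need to change at all.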

View File

@ -6,7 +6,7 @@ This is a generic password prompt which authenticates the current `pending_user`
## Passwordless login
There are two different ways to configure passwordless authentication; you can follow the instructions [here](../authenticator_validate/index.md#passwordless-authentication) to allow users to directly authenticate with their authenticator (only supported for WebAuthn devices), or dynamically skip the password stage depending on the users device, which is documented here.
There are two different ways to configure passwordless authentication; you can follow the instructions [here](../authenticator_validate/index.md#passwordless-authentication-authentik-2021124) to allow users to directly authenticate with their authenticator (only supported for WebAuthn devices), or dynamically skip the password stage depending on the users device, which is documented here.
Depending on what kind of device you want to require the user to have:

View File

@ -3,7 +3,7 @@ title: Source stage
---
<span class="badge badge--primary">Enterprise</span>
<span class="badge badge--info">authentik 2024.4+</span>
<span class="badge badge--version">authentik 2024.4+</span>
---

View File

@ -8,19 +8,11 @@ To install authentik automatically (skipping the Out-of-box experience), you can
Configure the default password for the `akadmin` user. Only read on the first startup. Can be used for any flow executor.
### `AUTHENTIK_BOOTSTRAP_TOKEN`
:::note
Requires authentik 2021.8
:::
### `AUTHENTIK_BOOTSTRAP_TOKEN` <span class="badge badge--version">authentik 2021.8+</span>
Create a token for the default `akadmin` user. Only read on the first startup. The string you specify for this variable is the token key you can use to authenticate yourself to the API.
### `AUTHENTIK_BOOTSTRAP_EMAIL`
:::note
Requires authentik 2023.3
:::
### `AUTHENTIK_BOOTSTRAP_EMAIL` <span class="badge badge--version">authentik 2023.3+</span>
Set the email address for the default `akadmin` user.

View File

@ -123,7 +123,7 @@ Note that `USE_PGBOUNCER` and `USE_PGPOOL` are inherited from the main database
- `AUTHENTIK_CACHE__TIMEOUT_REPUTATION`: Timeout for cached reputation until they expire in seconds, defaults to 300
:::info
`AUTHENTIK_CACHE__TIMEOUT_REPUTATION` only applies to the cache expiry, see [`AUTHENTIK_REPUTATION__EXPIRY`](#authentik_reputation__expiry) to control how long reputation is persisted for.
`AUTHENTIK_CACHE__TIMEOUT_REPUTATION` only applies to the cache expiry, see [`AUTHENTIK_REPUTATION__EXPIRY`](#authentik_reputation__expiry-authentik-202382) to control how long reputation is persisted for.
:::
## Channel Layer Settings (inter-instance communication)
@ -136,7 +136,7 @@ Note that `USE_PGBOUNCER` and `USE_PGPOOL` are inherited from the main database
- `AUTHENTIK_BROKER__TRANSPORT_OPTIONS`: Base64-encoded broker transport options
:::info
`AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION` only applies to the cache expiry, see [`AUTHENTIK_REPUTATION__EXPIRY`](#authentik_reputation__expiry) to control how long reputation is persisted for.
`AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION` only applies to the cache expiry, see [`AUTHENTIK_REPUTATION__EXPIRY`](#authentik_reputation__expiry-authentik-202382) to control how long reputation is persisted for.
:::
## Listen Settings
@ -299,89 +299,53 @@ Disable the inbuilt update-checker. Defaults to `false`.
- Kubeconfig
- Existence of a docker socket
### `AUTHENTIK_LDAP__TASK_TIMEOUT_HOURS`
:::info
Requires authentik 2023.1
:::
### `AUTHENTIK_LDAP__TASK_TIMEOUT_HOURS` <span class="badge badge--version">authentik 2023.1+</span>
Timeout in hours for LDAP synchronization tasks.
Defaults to `2`.
### `AUTHENTIK_LDAP__PAGE_SIZE`
:::info
Requires authentik 2023.6.1
:::
### `AUTHENTIK_LDAP__PAGE_SIZE` <span class="badge badge--version">authentik 2023.6.1+</span>
Page size for LDAP synchronization. Controls the number of objects created in a single task.
Defaults to `50`.
### `AUTHENTIK_LDAP__TLS__CIPHERS`
:::info
Requires authentik 2022.7
:::
### `AUTHENTIK_LDAP__TLS__CIPHERS` <span class="badge badge--version">authentik 2022.7+</span>
Allows configuration of TLS Cliphers for LDAP connections used by LDAP sources. Setting applies to all sources.
Defaults to `null`.
### `AUTHENTIK_REPUTATION__EXPIRY`
:::info
Requires authentik 2023.8.2
:::
### `AUTHENTIK_REPUTATION__EXPIRY` <span class="badge badge--version">authentik 2023.8.2+</span>
Configure how long reputation scores should be saved for in seconds. Note that this is different than [`AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION`](#redis-settings), as reputation is saved to the database every 5 minutes.
Defaults to `86400`.
### `AUTHENTIK_SESSION_STORAGE`
:::info
Requires authentik 2024.4
:::
### `AUTHENTIK_SESSION_STORAGE` <span class="badge badge--version">authentik 2024.4+</span>
Configure if the sessions are stored in the cache or the database. Defaults to `cache`. Allowed values are `cache` and `db`. Note that changing this value will invalidate all previous sessions.
### `AUTHENTIK_WEB__WORKERS`
:::info
Requires authentik 2022.9
:::
### `AUTHENTIK_WEB__WORKERS` <span class="badge badge--version">authentik 2022.9+</span>
Configure how many gunicorn worker processes should be started (see https://docs.gunicorn.org/en/stable/design.html).
Defaults to 2. A value below 2 workers is not recommended. In environments where scaling with multiple replicas of the authentik server is not possible, this number can be increased to handle higher loads.
### `AUTHENTIK_WEB__THREADS`
:::info
Requires authentik 2022.9
:::
### `AUTHENTIK_WEB__THREADS` <span class="badge badge--version">authentik 2022.9+</span>
Configure how many gunicorn threads a worker processes should have (see https://docs.gunicorn.org/en/stable/design.html).
Defaults to 4.
### `AUTHENTIK_WORKER__CONCURRENCY`
:::info
Requires authentik 2023.9.0
:::
### `AUTHENTIK_WORKER__CONCURRENCY` <span class="badge badge--version">authentik 2023.9+</span>
Configure Celery worker concurrency for authentik worker (see https://docs.celeryq.dev/en/latest/userguide/configuration.html#worker-concurrency). This essentially defines the number of worker processes spawned for a single worker.
Defaults to 2.
## System settings
:::info
Requires authentik 2024.2
:::
## System settings <span class="badge badge--version">authentik 2024.2+</span>
Additional settings are configurable using the Admin interface, under **System** -> **Settings** or using the API.
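Review bot: In the `AUTHENTIK_REPUTATION__EXPIRY` entry the description still links to `#redis-settings` and names `AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION`, while the cache hunk earlier in this file documents the setting as `AUTHENTIK_CACHE__TIMEOUT_REPUTATION`. Since this commit already fixes anchors in this file, verify that `#redis-settings` still resolves and align the variable name. A smaller point in the same hunk: the context line under `AUTHENTIK_LDAP__TLS__CIPHERS` still reads "Cliphers", which is worth fixing while the heading above it is being touched.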

View File

@ -77,11 +77,7 @@ return True
- `goauthentik.io/api`: This scope grants the refresh token access to the authentik API on behalf of the user
## Default scopes
:::info
Requires authentik 2022.7
:::
## Default scopes <span class="badge badge--version">authentik 2022.7+</span>
When a client does not request any scopes, authentik will treat the request as if all configured scopes were requested. Depending on the configured authorization flow, consent still needs to be given, and all scopes are listed there.

View File

@ -25,11 +25,7 @@ By default, when _Intercept header authentication_ is enabled, authentik will in
If the proxied application requires usage of the "Authorization" header, the setting should be disabled. When this setting is disabled, authentik will still attempt to interpret the "Authorization" header, and fall back to the default behaviour if it can't.
### Receiving HTTP Basic authentication
:::info
Requires authentik 2023.1
:::
### Receiving HTTP Basic authentication <span class="badge badge--version">authentik 2023.1+</span>
Proxy providers can receive HTTP basic authentication credentials. The password is expected to be an _App password_, as the credentials are used internally with the [OAuth2 machine-to-machine authentication flow](../oauth2/client_credentials.md).
@ -43,11 +39,7 @@ It is **strongly** recommended that the client sending requests with HTTP-Basic
Starting with authentik 2023.2, logging in with the reserved username `goauthentik.io/token` will behave as if a bearer token was used. All the same options as below apply. This is to allow token-based authentication for applications which might only support basic authentication.
### Receiving HTTP Bearer authentication
:::info
Requires authentik 2023.1
:::
### Receiving HTTP Bearer authentication <span class="badge badge--version">authentik 2023.1+</span>
Proxy providers can receive HTTP bearer authentication credentials. The token is expected to be a JWT token issued for the proxy provider. This is described [here](../oauth2/client_credentials.md), using the _client_id_ value shown in the admin interface. Both static and JWT authentication methods are supported.

View File

@ -1,14 +1,10 @@
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
# Caddy
# Caddy <span class="badge badge--version">authentik 2022.8+</span>
The configuration template shown below apply to both single-application and domain-level forward auth.
:::info
Requires authentik 2022.8
:::
import Placeholders from "./__placeholders.md";
<Placeholders />

View File

@ -1,14 +1,10 @@
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
# Envoy
# Envoy <span class="badge badge--version">authentik 2022.6+</span>
The configuration template shown below apply to both single-application and domain-level forward auth.
:::info
Requires authentik 2022.6
:::
:::info
If you are using Istio and Kubernetes, use the port number that is exposed for your cluster.
:::

View File

@ -5,7 +5,7 @@ slug: "/releases/2022.9"
## Breaking changes
- `WORKERS` environment variable has been renamed to match other config options, see [Configuration](../installation/configuration#authentik_web__workers)
- `WORKERS` environment variable has been renamed to match other config options, see [Configuration](../../installation/configuration.mdx#authentik_web__workers-authentik-20229)
## New features
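Review bot: The link on the changed line differs in two ways, and only one is explained by the badge change. The anchor gains the `-authentik-20229` suffix, but the path also moves from `../installation/configuration` to `../../installation/configuration.mdx`. Confirm that the extra `../` is intended for this file's location and that the docs build reports no broken link here.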

View File

@ -50,11 +50,7 @@ Save, and you now have Github as a source.
For more details on how-to have the new source display on the Login Page see [here](../index.md#add-sources-to-default-login-page).
:::
### Checking for membership of a GitHub Organisation
:::info
Requires authentik 2021.12.5.
:::
### Checking for membership of a GitHub Organisation <span class="badge badge--version">authentik 2021.12.5.+</span>
To check if the user is member of an organisation, you can use the following policy on your flows:
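Review bot: The added badge reads `authentik 2021.12.5.+`; the sentence-ending period from the removed `Requires authentik 2021.12.5.` was carried into the version string. Change it to `authentik 2021.12.5+` so it matches the other badges in this commit.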

View File

@ -14,11 +14,7 @@ This source allows users to enroll themselves with an external OAuth-based Ident
Starting with authentik 2022.10, the default scopes can be replaced by prefix the value for scopes with `*`.
### OpenID Connect
:::info
Requires authentik 2022.6
:::
### OpenID Connect <span class="badge badge--version">authentik 2022.6+</span>
#### Well-known

View File

@ -43,11 +43,7 @@ To delete a group, follow these steps:
You can assign a role to a group, and then all users in the group inherit the permissions assigned to that role. For instructions and more information, see ["Assign a role to a group"](../roles/manage_roles.md#assign-a-role-to-a-group).
## Delegating group member management
:::info
Requires authentik 2024.4
:::
## Delegating group member management <span class="badge badge--version">authentik 2024.4+</span>
To give a specific Role or User the ability to manage group members, the following permissions need to be granted on the matching Group object:

View File

@ -14,7 +14,7 @@ The User object has the following properties:
- `is_active` Boolean field if user is active.
- `date_joined` Date user joined/was created.
- `password_change_date` Date password was last changed.
- `path` User's path, see [Path](#path)
- `path` User's path, see [Path](#path-authentik-20227)
- `attributes` Dynamic attributes, see [Attributes](#attributes)
- `group_attributes()` Merged attributes of all groups the user is member of and the user's own attributes.
- `ak_groups` This is a queryset of all the user's groups.
@ -42,11 +42,7 @@ for group in user.ak_groups.all():
yield group.name
```
## Path
:::info
Requires authentik 2022.7
:::
## Path <span class="badge badge--version">authentik 2022.7+</span>
Paths can be used to organize users into folders depending on which source created them or organizational structure. Paths may not start or end with a slash, but they can contain any other character as path segments. The paths are currently purely used for organization, it does not affect their permissions, group memberships, or anything else.