Revert "website: latest migration to new structure" (#11634)
Revert "website: latest migration to new structure (#11522)"
This reverts commit 9a89a5f94b.
@ -8,13 +8,13 @@ slug: "/releases/2021.1"
- New versioning schema (year.month.release)
- Add global email settings

In previous versions, you had to configure email connection details per [Email Stage](../../add-secure-apps/flows-stages/stages/email/index.mdx). Now, you can (and should) configure global settings.
In previous versions, you had to configure email connection details per [Email Stage](../../flow/stages/email/index.mdx). Now, you can (and should) configure global settings.

This is documented under the [docker-compose](../../install-config/install/docker-compose.mdx) and [Kubernetes](../../install-config/install/kubernetes.md) sections.
This is documented under the [docker-compose](../../installation/docker-compose.mdx) and [Kubernetes](../../installation/kubernetes.md) sections.

- New notification system

More info can be found under [Notifications](../../sys-mgmt/events/notifications.md) and [Transports](../../sys-mgmt/events/transports.md).
More info can be found under [Notifications](../../events/notifications.md) and [Transports](../../events/transports.md).

During the update, some default rules will be created. These rules notify you about policy exceptions, configuration errors and updates.


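Review bot: the restored relative targets (`../../flow/stages/email/index.mdx`, `../../installation/docker-compose.mdx`, `../../events/notifications.md`) only resolve if the directories they point at come back with the same revert; this diff shows the link edits but nothing about the moved files, so the docs build's broken-link check should be run against the revert before merging rather than assuming the old paths still exist.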
@ -20,7 +20,7 @@ This feature is still in technical preview, so please report any Bugs you run in
- Compatibility with forwardAuth/auth_request

The authentik proxy is now compatible with forwardAuth (traefik) / auth_request (nginx). All that is required is the latest version of the outpost,
and the correct config from [here](../../add-secure-apps/providers/proxy/forward_auth.mdx).
and the correct config from [here](../../providers/proxy/forward_auth.mdx).

- Docker images for ARM


@ -25,7 +25,7 @@ This release mostly removes legacy fields and features that have been deprecated

The proxy now also sets the host header based on what is configured as upstream in the proxy provider. The original Host is forwarded as `X-Forwarded-Host`.

Additionally, the header requirements for nginx have changed. Either a `X-Original-URL` or `X-Original-URI` header are now required. See the [_Proxy provider_](../../add-secure-apps/providers/proxy/forward_auth.mdx) documentation for updated snippets.
Additionally, the header requirements for nginx have changed. Either a `X-Original-URL` or `X-Original-URI` header are now required. See the [_Proxy provider_](../providers/proxy/forward_auth) documentation for updated snippets.

- API:


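Review bot: the restored link `../providers/proxy/forward_auth` is one directory shallower and extension-less compared with `../../providers/proxy/forward_auth.mdx` restored in the hunk above; unless the two release notes sit at different depths, one of these forms cannot resolve the same way, so this is a pre-existing inconsistency the revert brings back and a link check should confirm which form is correct.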
@ -13,7 +13,7 @@ slug: "/releases/2022.10"

- Support for OAuth2 Device flow

See more in the OAuth2 provider docs [here](../../add-secure-apps/providers/oauth2/device_code.md). This flow allows users to authenticate on devices that have limited input possibilities and or no browser access.
See more in the OAuth2 provider docs [here](../providers/oauth2/device_code). This flow allows users to authenticate on devices that have limited input possibilities and or no browser access.

- Customizable payload for SMS Authenticator stage when using Generic provider.
- Revamped SAML Source
@ -3804,7 +3804,7 @@ Changed response : **200 OK**

## Fixed in 2022.10.2

- \*: fix [CVE-2022-46145](../../security/cves/CVE-2022-46145.md), Reported by [@sdimovv](https://github.com/sdimovv)
- \*: fix [CVE-2022-46145](../security/CVE-2022-46145), Reported by [@sdimovv](https://github.com/sdimovv)

## Fixed in 2022.10.3

@ -3812,8 +3812,8 @@ Changed response : **200 OK**

## Fixed in 2022.10.4

- \*: fix [CVE-2022-46172](../../security/cves/CVE-2022-46172.md), Reported by [@DreamingRaven](https://github.com/DreamingRaven)
- \*: fix [CVE-2022-23555](../../security/cves/CVE-2022-23555.md), Reported by [@fuomag9](https://github.com/fuomag9)
- \*: fix [CVE-2022-46172](../security/CVE-2022-46172), Reported by [@DreamingRaven](https://github.com/DreamingRaven)
- \*: fix [CVE-2022-23555](../security/CVE-2022-23555), Reported by [@fuomag9](https://github.com/fuomag9)

## Upgrading


@ -73,7 +73,7 @@ image:

## Fixed in 2022.11.2

- \*: fix [CVE-2022-46145](../../security/cves/CVE-2022-46145.md), Reported by [@sdimovv](https://github.com/sdimovv)
- \*: fix [CVE-2022-46145](../security/CVE-2022-46145), Reported by [@sdimovv](https://github.com/sdimovv)

## Fixed in 2022.11.3

@ -81,8 +81,8 @@ image:

## Fixed in 2022.11.4

- \*: fix [CVE-2022-46172](../../security/cves/CVE-2022-46172.md), Reported by [@DreamingRaven](https://github.com/DreamingRaven)
- \*: fix [CVE-2022-23555](../../security/cves/CVE-2022-23555.md), Reported by [@fuomag9](https://github.com/fuomag9)
- \*: fix [CVE-2022-46172](../security/CVE-2022-46172), Reported by [@DreamingRaven](https://github.com/DreamingRaven)
- \*: fix [CVE-2022-23555](../security/CVE-2022-23555), Reported by [@fuomag9](https://github.com/fuomag9)

## API Changes


@ -13,7 +13,7 @@ slug: "/releases/2022.12"

- Bundled GeoIP City database

authentik now comes with a bundled MaxMind GeoLite2 City database. This allows everyone to take advantage of the extra data provided by GeoIP. The default docker-compose file removes the GeoIP update container as it is no longer needed. See more [here](../../install-config/geoip.mdx).
authentik now comes with a bundled MaxMind GeoLite2 City database. This allows everyone to take advantage of the extra data provided by GeoIP. The default docker-compose file removes the GeoIP update container as it is no longer needed. See more [here](../core/geoip)

- Improved UX for user & group management and stage/policy binding

@ -168,7 +168,7 @@ image:

## Fixed in 2022.12.3

- \*: fix [CVE-2023-26481](../../security/cves/CVE-2023-26481.md), Reported by [@fuomag9](https://github.com/fuomag9)
- \*: fix [CVE-2023-26481](../security/CVE-2023-26481), Reported by [@fuomag9](https://github.com/fuomag9)

## API Changes


@ -11,7 +11,7 @@ User settings are now configured using flows and stages, allowing administrators

### `client_credentials` support

authentik now supports the OAuth `client_credentials` grant for machine-to-machine authentication. See [OAuth2 Provider](../../add-secure-apps/providers/oauth2/index.md)
authentik now supports the OAuth `client_credentials` grant for machine-to-machine authentication. See [OAuth2 Provider](../providers/oauth2)

## Deprecations


@ -7,7 +7,7 @@ slug: "/releases/2022.5"

- Twitter Source has been migrated to OAuth2

This requires some reconfiguration on both Twitter's and authentik's side. Check out the new Twitter integration docs [here](../../users-sources/sources/social-logins/twitter/index.md).
This requires some reconfiguration on both Twitter's and authentik's side. Check out the new Twitter integration docs [here](../../docs/sources/twitter/)

- OAuth Provider: Redirect URIs are now checked using regular expressions

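Review bot: the restored `../../docs/sources/twitter/` routes through a `docs/` path segment, while the next hunk of the same file restores `../../providers/ldap/index.md#cached-bind` without one; the two forms depend on different resolution rules (URL-relative for the trailing-slash link, file-relative for the `.md` link), so the Twitter link should be verified to resolve after the revert rather than assumed to.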
@ -19,12 +19,12 @@ slug: "/releases/2022.5"

Instead of always executing the configured flow when a new Bind request is received, the provider can now be configured to cache the session from the initial flow execution, and directly validate credentials in the outpost. This drastically improves the bind performance.

See [LDAP provider](../../add-secure-apps/providers/ldap/index.md#cached-bind)
See [LDAP provider](../../providers/ldap/index.md#cached-bind)

- OAuth2: Add support for `form_post` response mode
- Don't prompt users for MFA when they've authenticated themselves within a time period

You can now configure any [Authenticator Validation Stage](../../add-secure-apps/flows-stages/stages/authenticator_validate/index.md) stage to not ask for MFA validation if the user has previously authenticated themselves with an MFA device (of any of the selected classes) in the `Last validation threshold`.
You can now configure any [Authenticator Validation Stage](../../flow/stages/authenticator_validate/index.md) stage to not ask for MFA validation if the user has previously authenticated themselves with an MFA device (of any of the selected classes) in the `Last validation threshold`.

- Optimise bundling of web assets


@ -13,7 +13,7 @@ slug: "/releases/2022.8"

- Blueprints

Blueprints allow for the configuration, automation and templating of authentik objects and configurations. They can be used to bootstrap new instances, configure them automatically without external tools, and to template configurations for sharing. See more [here](../../customize/blueprints/index.md).
Blueprints allow for the configuration, automation and templating of authentik objects and configurations. They can be used to bootstrap new instances, configure them automatically without external tools, and to template configurations for sharing. See more [here](../../developer-docs/blueprints/)

For installations upgrading to 2022.8, if a single flow exists, then the default blueprints will not be activated, to not overwrite user modifications.

@ -23,7 +23,7 @@ slug: "/releases/2022.8"

- Support for Caddy forward auth

Based on the traefik support, there is now dedicated support for Caddy with configuration examples, see [here](../../add-secure-apps/providers/proxy/forward_auth.mdx).
Based on the traefik support, there is now dedicated support for Caddy with configuration examples, see [here](../providers/proxy/forward_auth)

## Minor changes/fixes


@ -5,7 +5,7 @@ slug: "/releases/2022.9"

## Breaking changes

- `WORKERS` environment variable has been renamed to match other config options, see [Configuration](../../install-config/configuration/configuration.mdx#authentik_web__workers-authentik-20229)
- `WORKERS` environment variable has been renamed to match other config options, see [Configuration](../../installation/configuration.mdx#authentik_web__workers-authentik-20229)

## New features

@ -15,7 +15,7 @@ slug: "/releases/2022.9"

- Duo Admin API integration

When using a Duo MFA, Duo Access or Duo Beyond plan, authentik can now automatically import devices from Duo into authentik. More info [here](../../add-secure-apps/flows-stages/stages/authenticator_duo/index.md).
When using a Duo MFA, Duo Access or Duo Beyond plan, authentik can now automatically import devices from Duo into authentik. More info [here](../flow/stages/authenticator_duo/).

## API Changes


@ -17,7 +17,7 @@ slug: "/releases/2023.1"

- Proxy provider now accepts HTTP Basic and Bearer authentication

See [Header authentication](../../add-secure-apps/providers/proxy/header_authentication.md).
See [Header authentication](../../providers/proxy/header_authentication.md).

- LDAP provider now works with Code-based MFA stages

@ -121,7 +121,7 @@ image:

## Fixed in 2023.1.3

- \*: fix [CVE-2023-26481](../../security/cves/CVE-2023-26481.md), Reported by [@fuomag9](https://github.com/fuomag9)
- \*: fix [CVE-2023-26481](../security/CVE-2023-26481), Reported by [@fuomag9](https://github.com/fuomag9)

## API Changes


@ -17,7 +17,7 @@ slug: "/releases/2023.10"

- RBAC (preview)

With this release we're introducing the ability to finely configure permissions within authentik. These permissions can be used to delegate different tasks, such as user management, application creation and more to users without granting them full superuser permissions. With this system, a least-privilege system can also be implemented much more easily. See more info [here](../../users-sources/access-control/index.mdx)
With this release we're introducing the ability to finely configure permissions within authentik. These permissions can be used to delegate different tasks, such as user management, application creation and more to users without granting them full superuser permissions. With this system, a least-privilege system can also be implemented much more easily. See more info [here](../../user-group-role/access-control/index.mdx)

- LDAP Provider improvements

@ -127,7 +127,7 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2023.10

## Fixed in 2023.10.2

- \*: fix [GHSA-rjvp-29xq-f62w.md](../../security/cves/GHSA-rjvp-29xq-f62w.md), reported by [@devSparkle](https://github.com/devSparkle)
- \*: fix [GHSA-rjvp-29xq-f62w](../security/GHSA-rjvp-29xq-f62w), Reported by [@devSparkle](https://github.com/devSparkle)
- blueprints: fix entries with state: absent not being deleted if their serializer has errors (#7345)
- crypto: fix race conditions when creating self-signed certificates on startup (#7344)
- lifecycle: rework otp_merge migration (#7359)
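Review bot: the line being removed here carries the `.md` extension inside the visible link text (`[GHSA-rjvp-29xq-f62w.md](...)`), which the revert incidentally drops; the same leaked extension appears in the 2023.2.3 (`[CVE-2023-26481.md]`) and 2023.8.4 hunks further down, so when the path migration is re-applied the display text should stay free of the extension as in the restored lines.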
@ -161,7 +161,7 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2023.10
- providers/proxy: Fix duplicate cookies when using file system store. (cherry-pick #7541) (#7544)
- providers/scim: fix missing schemas attribute for User and Group (cherry-pick #7477) (#7596)
- root: specify node and python versions in respective config files, deduplicate in CI (#7620)
- security: fix [CVE-2023-48228](../../security/cves/CVE-2023-48228.md), Reported by [@Sapd](https://github.com/Sapd) (#7666)
- security: fix [CVE-2023-48228](../../security/CVE-2023-48228.md), Reported by [@Sapd](https://github.com/Sapd) (#7666)
- stages/email: use uuid for email confirmation token instead of username (cherry-pick #7581) (#7584)
- web/admin: fix admins not able to delete MFA devices (#7660)

@ -186,7 +186,7 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2023.10
- core: fix PropertyMapping context not being available in request context
- outposts: disable deployment and secret reconciler for embedded outpost in code instead of in config (cherry-pick #8021) (#8024)
- outposts: fix Outpost reconcile not re-assigning managed attribute (cherry-pick #8014) (#8020)
- providers/oauth2: fix [CVE-2024-21637](../../security/cves/CVE-2024-21637.md), Reported by [@lauritzh](https://github.com/lauritzh) (#8104)
- providers/oauth2: fix [CVE-2024-21637](../../security/CVE-2024-21637.md), Reported by [@lauritzh](https://github.com/lauritzh) (#8104)
- providers/oauth2: remember session_id from initial token (cherry-pick #7976) (#7977)
- providers/proxy: use access token (cherry-pick #8022) (#8023)
- rbac: fix error when looking up permissions for now uninstalled apps (cherry-pick #8068) (#8070)
@ -195,7 +195,7 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2023.10

## Fixed in 2023.10.7

- providers/oauth2: fix fix [CVE-2024-23647](../../security/cves/CVE-2024-23647.md) (cherry-pick #8345) (#8347)
- providers/oauth2: fix fix [CVE-2024-23647](../../security/CVE-2024-23647.md) (cherry-pick #8345) (#8347)
- rbac: fix invitations listing with restricted permissions (cherry-pick #8227) (#8229)
- root: fix listen trusted_proxy_cidrs config loading from environment (#8075)
- root: fix redis config not being updated to match previous change

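Review bot: the duplicated verb in "fix fix [CVE-2024-23647]" is present on both sides of this hunk (and again in the 2023.8.7 hunk below), so the revert neither introduces nor removes it; it is out of scope here, but a follow-up should drop the extra "fix" in both release notes.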
@ -21,7 +21,7 @@ slug: "/releases/2023.2"

- Generated avatars, multiple avatar modes

authentik now supports multiple avatar modes, and will use the next configured mode when a mode doesn't have an avatar. For example, the new default configuration attempts to use gravatar, but if the user's email does not have a gravatar setup, it will instead use the new generated avatars. See [Configuration](../../sys-mgmt/settings.md#avatars)
authentik now supports multiple avatar modes, and will use the next configured mode when a mode doesn't have an avatar. For example, the new default configuration attempts to use gravatar, but if the user's email does not have a gravatar setup, it will instead use the new generated avatars. See [Configuration](../../core/settings.md#avatars)

## Upgrading

@ -109,7 +109,7 @@ image:

## Fixed in 2023.2.3

- \*: fix [CVE-2023-26481.md](../../security/cves/CVE-2023-26481.md), Reported by [@fuomag9](https://github.com/fuomag9)
- \*: fix [CVE-2023-26481](../security/CVE-2023-26481), Reported by [@fuomag9](https://github.com/fuomag9)

## API Changes


@ -13,12 +13,12 @@ slug: "/releases/2023.3"

authentik can now provision users into other IT systems via the SCIM (System for Cross-domain Identity Management) protocol. The provider synchronizes Users, Groups and the user membership. Objects are synced both when they are saved and based on a pre-defined schedule in the background.

Documentation: [SCIM Provider](../../add-secure-apps/providers/scim/index.md)
Documentation: [SCIM Provider](../../../docs/providers/scim/index.md)

- Theming improvements

- The custom.css file is now loaded in ShadowDOMs, allowing for much greater customization, as previously it was only possible to style elements outside of the ShadowDOM. See docs for [Flow](../../customize/interfaces/flow/customization.mdx), [User](../../customize/interfaces/user/customization.mdx) and [Admin](../../customize/interfaces/admin/customization.mdx) interfaces.
- Previously, authentik would automatically switch between dark and light theme based on the users' browsers' settings. This can now be overridden to either force the light or dark theme, per user/group/tenant. See docs for [Flow](../../customize/interfaces/flow/customization.mdx), [User](../../customize/interfaces/user/customization.mdx) and [Admin](../../customize/interfaces/admin/customization.mdx) interfaces.
- The custom.css file is now loaded in ShadowDOMs, allowing for much greater customization, as previously it was only possible to style elements outside of the ShadowDOM. See docs for [Flow](../../interfaces/flow/customization.mdx), [User](../../interfaces/user/customization.mdx) and [Admin](../../interfaces/admin/customization.mdx) interfaces.
- Previously, authentik would automatically switch between dark and light theme based on the users' browsers' settings. This can now be overridden to either force the light or dark theme, per user/group/tenant. See docs for [Flow](../../interfaces/flow/customization.mdx), [User](../../interfaces/user/customization.mdx) and [Admin](../../interfaces/admin/customization.mdx) interfaces.

## Upgrading


@ -21,9 +21,9 @@ slug: "/releases/2023.4"

authentik now supports the [RADIUS protocol](https://en.wikipedia.org/wiki/RADIUS) for authentication, allowing for the integration of a wider variety of systems such as VPN software, network switches/routers, and others.

The RADIUS provider also uses a flow to authenticate users, and supports the same stages as the [LDAP Provider](../../add-secure-apps/providers/ldap/index.md).
The RADIUS provider also uses a flow to authenticate users, and supports the same stages as the [LDAP Provider](../../../docs/providers/ldap/index.md).

Documentation: [RADIUS Provider](../../add-secure-apps/providers/radius/index.mdx)
Documentation: [RADIUS Provider](../../../docs/providers/radius/index.mdx)

- Decreased CPU usage for workers

@ -35,11 +35,11 @@ slug: "/releases/2023.4"

- "Stay logged in" prompt

In the [User login stage](../../add-secure-apps/flows-stages/stages/user_login/index.md), an admin can use the new "Stay Logged In" option to add additional minutes or hours to the defined `session duration` value. When this "Stay Logged In" offset time is configured, the user logging in is presented with a prompt asking if they want to extend their session.
In the [User login stage](../../../docs/flow/stages/user_login/index.md), an admin can use the new "Stay Logged In" option to add additional minutes or hours to the defined `session duration` value. When this "Stay Logged In" offset time is configured, the user logging in is presented with a prompt asking if they want to extend their session.

- Prompt preview

When creating a single prompt for use with a [Prompt stage](../../add-secure-apps/flows-stages/stages/prompt/index.md), a live preview of the prompt is now shown. This makes it easier to test how a prompt will behave, and also shows what data it will send, and how it will be available in the flow context.
When creating a single prompt for use with a [Prompt stage](../../../docs/flow/stages/prompt/index.md), a live preview of the prompt is now shown. This makes it easier to test how a prompt will behave, and also shows what data it will send, and how it will be available in the flow context.

## Upgrading

@ -109,11 +109,11 @@ image:

## Fixed in 2023.4.2

- security: Address pen-test findings from the [2023-06 Cure53 Code audit](../../security/audits-and-certs/2023-06-cure53.md)
- security: Address pen-test findings from the [2023-06 Cure53 Code audit](../../security/2023-06-cure53.md)

## Fixed in 2023.4.3

- \*: fix [CVE-2023-36456](../../security/cves/CVE-2023-36456.md), Reported by [@thijsa](https://github.com/thijsa)
- \*: fix [CVE-2023-36456](../security/CVE-2023-36456), Reported by [@thijsa](https://github.com/thijsa)

## API Changes


@ -23,7 +23,7 @@ slug: "/releases/2023.5"

- Backchannel providers

Backchannel providers can augment the functionality of applications by using additional protocols. The main provider of an application provides the SSO protocol that is used for logging into the application. Then, additional backchannel providers can be used for protocols such as [SCIM](../../add-secure-apps/providers/scim/index.md) and [LDAP](../../add-secure-apps/providers/ldap/index.md) to provide directory syncing.
Backchannel providers can augment the functionality of applications by using additional protocols. The main provider of an application provides the SSO protocol that is used for logging into the application. Then, additional backchannel providers can be used for protocols such as [SCIM](../../providers/scim/index.md) and [LDAP](../../providers/ldap/index.md) to provide directory syncing.

Access restrictions that are configured on an application apply to all of its backchannel providers.

@ -146,15 +146,15 @@ image:

## Fixed in 2023.5.4

- security: Address pen-test findings from the [2023-06 Cure53 Code audit](../../security/audits-and-certs/2023-06-cure53.md)
- security: Address pen-test findings from the [2023-06 Cure53 Code audit](../../security/2023-06-cure53.md)

## Fixed in 2023.5.5

- \*: fix [CVE-2023-36456](../../security/cves/CVE-2023-36456.md), Reported by [@thijsa](https://github.com/thijsa)
- \*: fix [CVE-2023-36456](../security/CVE-2023-36456), Reported by [@thijsa](https://github.com/thijsa)

## Fixed in 2023.5.6

- \*: fix [CVE-2023-39522](../../security/cves/CVE-2023-39522.md), Reported by [@markrassamni](https://github.com/markrassamni)
- \*: fix [CVE-2023-39522](../security/CVE-2023-39522), Reported by [@markrassamni](https://github.com/markrassamni)

## API Changes


@ -9,7 +9,7 @@ slug: "/releases/2023.6"

- LDAP StartTLS support

authentik's [LDAP Provider](../../add-secure-apps/providers/ldap/index.md) now supports StartTLS in addition to supporting SSL. The StartTLS is a more modern method of encrypting LDAP traffic. With this added support, the LDAP [Outpost](../../add-secure-apps/outposts/index.mdx) can now support multiple certificates.
authentik's [LDAP Provider](../../providers/ldap/index.md) now supports StartTLS in addition to supporting SSL. The StartTLS is a more modern method of encrypting LDAP traffic. With this added support, the LDAP [Outpost](../../outposts/index.mdx) can now support multiple certificates.

- LDAP Schema improvements

@ -90,7 +90,7 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2023.6

## Fixed in 2023.6.2

- \*: fix [CVE-2023-39522](../security/cves/CVE-2023-39522), Reported by [@markrassamni](https://github.com/markrassamni)
- \*: fix [CVE-2023-39522](../security/CVE-2023-39522), Reported by [@markrassamni](https://github.com/markrassamni)

## API Changes


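Review bot: the line being removed here, `../security/cves/CVE-2023-39522`, does not match the form the migration used for the same advisory elsewhere (`../../security/cves/CVE-2023-39522.md` in the 2023.5.6 hunk above), so the migration being reverted was itself inconsistent for this entry; when it is re-applied, this link should be normalized to the same depth and extension as the others.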
@ -157,19 +157,19 @@ image:

## Fixed in 2023.8.4

- security: fix [GHSA-rjvp-29xq-f62w.md](../../security/cves/GHSA-rjvp-29xq-f62w.md), Reported by [@devSparkle](https://github.com/devSparkle)
- security: fix [GHSA-rjvp-29xq-f62w](../security/GHSA-rjvp-29xq-f62w), Reported by [@devSparkle](https://github.com/devSparkle)

## Fixed in 2023.8.5

- security: fix [CVE-2023-48228](../../security/cves/CVE-2023-48228.md), Reported by [@Sapd](https://github.com/Sapd) (#7666)
- security: fix [CVE-2023-48228](../../security/CVE-2023-48228.md), Reported by [@Sapd](https://github.com/Sapd) (#7666)

## Fixed in 2023.8.6

- providers/oauth2: fix [CVE-2024-21637](../../security/cves/CVE-2024-21637.md), Reported by [@lauritzh](https://github.com/lauritzh) (#8104)
- providers/oauth2: fix [CVE-2024-21637](../../security/CVE-2024-21637.md), Reported by [@lauritzh](https://github.com/lauritzh) (#8104)

## Fixed in 2023.8.7

- providers/oauth2: fix fix [CVE-2024-23647](../../security/cves/CVE-2024-23647.md) (cherry-pick #8345) (#8347)
- providers/oauth2: fix fix [CVE-2024-23647](../../security/CVE-2024-23647.md) (cherry-pick #8345) (#8347)

## API Changes


@ -25,7 +25,7 @@ slug: /releases/2024.2

Blueprints using `authentik_tenants.tenant` will need to be changed to use `authentik_brands.brand`.

For more information, refer to the [documentation for _brands_](../../customize/brands.md).
For more information, refer to the [documentation for _brands_](../../core/brands.md).

Also, **the event retention settings configured in brands (previously tenants, see above) has been removed and is now a system setting**, managed in the Admin interface or via the API (see below).

@ -55,7 +55,7 @@ slug: /releases/2024.2

Cache settings have been moved from the `redis` top-level config key to their own `cache` top-level config key.

Settings have also been added to configure the Redis instance/database used for tasks and websockets separately from cache. See [here](../../install-config/configuration/configuration.mdx#redis-settings).
Settings have also been added to configure the Redis instance/database used for tasks and websockets separately from cache. See [here](../../installation/configuration.mdx#redis-settings).

Typically, _no changes to the configuration are required_.

@ -114,11 +114,11 @@ slug: /releases/2024.2

Sessions for any users can now be bound to a specific geolocation (Continent, Country, City) or network (Autonomous System, subnet, IP address). If the session is accessed from a location/network that is different than that from which it was initially created, the session will be terminated.

Configuration steps are available [here](../../add-secure-apps/flows-stages/stages/user_login/index.md#user-login-stage-configuration-options).
Configuration steps are available [here](../../flow/stages/user_login/index.md#user-login-stage-configuration-options).

- **S3 file storage**

Media files can now be stored on S3. Follow the [setup guide](../../install-config/storage-s3.md) to get started.
Media files can now be stored on S3. Follow the [setup guide](../../installation/storage-s3.md) to get started.

- **_Pretend user exists_ option for Identification stage**

@ -166,7 +166,7 @@ slug: /releases/2024.2

- **LDAP source: new command to check connectivity**

Examples on how to use are available [here](../../troubleshooting/ldap_source.md).
Examples on how to use are available [here](../..//troubleshooting/ldap_source.md).

---

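Review bot: the restored link `../..//troubleshooting/ldap_source.md` contains a double slash that the line being removed did not have; this is the pre-migration text coming back verbatim, so it is faithful to the revert, but the stray slash should be dropped in a follow-up so the link reads `../../troubleshooting/ldap_source.md`.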
@ -349,8 +349,8 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.2

## Fixed in 2024.2.4

- security: fix [CVE-2024-37905](../../security/cves/CVE-2024-37905.md), reported by [@m2a2](https://github.com/m2a2) (cherry-pick #10230) (#10238)
- security: fix [CVE-2024-38371](../../security/cves/CVE-2024-38371.md), reported by Stefan Zwanenburg (cherry-pick #10229) (#10235)
- security: fix [CVE-2024-37905](../../security/CVE-2024-37905.md), reported by [@m2a2](https://github.com/m2a2) (cherry-pick #10230) (#10238)
- security: fix [CVE-2024-38371](../../security/CVE-2024-38371.md), reported by Stefan Zwanenburg (cherry-pick #10229) (#10235)

## API Changes


@ -31,19 +31,19 @@ slug: /releases/2024.4

The source stage allows for an inclusion of a source as part of a flow. This can be used to link a user to a source as part of their authentication/enrollment, or it can be used as an external multi-factor to provide device health attestation for example.

For details refer to [Source stage](../../add-secure-apps/flows-stages/stages/source/index.md)
For details refer to [Source stage](../../flow/stages/source/index.md)

- **SCIM Source** <span class="badge badge--info">Preview</span>

Provision users and groups in authentik using an SCIM API.

For details refer to [SCIM Source](../../users-sources/sources/protocols/scim/index.md)
For details refer to [SCIM Source](../../../docs/sources/scim/)

- **Configurable WebAuthn device restrictions**

Configure which types of WebAuthn devices can be used to enroll and validate for different authorization levels.

For details refer to [WebAuthn authenticator setup stage](../../add-secure-apps/flows-stages/stages/authenticator_webauthn/index.md)
For details refer to [WebAuthn authenticator setup stage](../../flow/stages/authenticator_webauthn/index.md)

- **Revamped UI for log messages**

@ -57,7 +57,7 @@ slug: /releases/2024.4

When authentik is configured to federate with an LDAP source, upon authentication, authentik hashed the password and stored it in its own database. This allows authentication to function when LDAP is unreachable. Admins can now configure this behavior for when this is not desirable.

For details refer to [LDAP Source](../../users-sources/sources/protocols/ldap/index.md)
For details refer to [LDAP Source](../../../docs/sources/ldap/)

- **Configurable app password token expiring**

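Review bot: the LDAP source link has the same shape problem as the SCIM one in the previous hunk: `../../../docs/sources/ldap/` is a directory-style path reaching outside the current tree, whereas every other reverted link in this file uses `../../<dir>/index.md`. Worth aligning, or at least running the docs link checker on it before merging.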
@ -238,14 +238,14 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.4
## Fixed in 2024.4.3

- core: fix source flow_manager not always appending save stage (cherry-pick #9659) (#9662)
- security: fix [CVE-2024-37905](../../security/cves/CVE-2024-37905.md), reported by [@m2a2](https://github.com/m2a2) (cherry-pick #10230) (#10236)
- security: fix [CVE-2024-38371](../../security/cves/CVE-2024-38371.md), reported by Stefan Zwanenburg (cherry-pick #10229) (#10233)
- security: fix [CVE-2024-37905](../../security/CVE-2024-37905.md), reported by [@m2a2](https://github.com/m2a2) (cherry-pick #10230) (#10236)
- security: fix [CVE-2024-38371](../../security/CVE-2024-38371.md), reported by Stefan Zwanenburg (cherry-pick #10229) (#10233)
- sources/saml: fix FlowPlanner error due to pickle (cherry-pick #9708) (#9709)
- web: fix value handling inside controlled components (cherry-pick #9648) (#9685)

## Fixed in 2024.4.4

- security: fix [CVE-2024-42490](../../security/cves/CVE-2024-42490.md), reported by [@m2a2](https://github.com/m2a2) (cherry-pick #11022) #11024
- security: fix [CVE-2024-42490](../../security/CVE-2024-42490.md), reported by [@m2a2](https://github.com/m2a2) (cherry-pick #11022) #11024

## API Changes

@ -25,7 +25,7 @@ With this release, authentik now enforces unique group names. Existing groups wi

### GeoIP and ASN context object

The `context["geoip"]` and `context["asn"]` objects available in expression policies are now dictionaries. Attributes must now be accessed via dictionary accessors. See [our policy examples](../../customize/policies/expression.mdx) for the updated syntax.
The `context["geoip"]` and `context["asn"]` objects available in expression policies are now dictionaries. Attributes must now be accessed via dictionary accessors. See [our policy examples](../../policies/expression.mdx) for the updated syntax.

## New features

@ -33,25 +33,25 @@ The `context["geoip"]` and `context["asn"]` objects available in expression poli

With the Google Workspace provider, authentik serves as the single source of truth for all users and groups, when using Google products like Gmail.

For details refer to the [Google Workspace Provider documentation](../../add-secure-apps/providers/gws/index.md)
For details refer to the [Google Workspace Provider documentation](../../providers/gws/index.md)

- **Microsoft Entra ID Provider** <span class="badge badge--primary">Enterprise</span> <span class="badge badge--info">Preview</span>

With the Microsoft Entra ID provider, authentik serves as the single source of truth for all users and groups. Configuring Entra ID as a provider allows for auto-discovery of user and group accounts, on-going synchronization of user data such as email address, name, and status, and integrated data mapping of field names and values.

For details refer to the [Microsoft Entra ID documentation](../../add-secure-apps/providers/entra/index.md)
For details refer to the [Microsoft Entra ID documentation](../../providers/entra/index.md)

- **Read-replica DB support**

Multiple read-only databases can be configured to route read-only requests to the non-primary database instance so that the main database can be reserved to write requests.

For details refer to the [PostgreSQL configuration](../../install-config/configuration/configuration.mdx#postgresql-settings)
For details refer to the [PostgreSQL configuration](../../installation/configuration.mdx#postgresql-settings)

- **Improved CAPTCHA stage**

Thresholds can now be configured on the CAPTCHA stage to customize its result. Additionally, the stage can be configured to continue the flow if the CAPTCHA score is outside of those thresholds for further decision making via expression policies.

For details refer to the [CAPTCHA stage](../../add-secure-apps/flows-stages/stages/captcha/index.md)
For details refer to the [CAPTCHA stage](../../flow/stages/captcha/index.md)

- **Optimize sync and property mapping execution**

@ -65,7 +65,7 @@ The `context["geoip"]` and `context["asn"]` objects available in expression poli

- **Reworked proxy provider redirect**

Following-up on a [highly requested issue](https://github.com/goauthentik/authentik/issues/6886), we've reworked our [Proxy provider](../../add-secure-apps/providers/proxy/index.md) to avoid invalid user-facing redirects.
Following-up on a [highly requested issue](https://github.com/goauthentik/authentik/issues/6886), we've reworked our [Proxy provider](../../providers/proxy/index.md) to avoid invalid user-facing redirects.

## Upgrading

@ -151,8 +151,8 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.6
- root: handle asgi exception (#10085)
- root: include task_id in events and logs (#9749)
- root: use custom model serializer that saves m2m without bulk (cherry-pick #10139) (#10151)
- security: fix [CVE-2024-37905](../../security/cves/CVE-2024-37905.md), reported by [@m2a2](https://github.com/m2a2) (cherry-pick #10230) (#10237)
- security: fix [CVE-2024-38371](../../security/cves/CVE-2024-38371.md), reported by Stefan Zwanenburg (cherry-pick #10229) (#10234)
- security: fix [CVE-2024-37905](../../security/CVE-2024-37905.md), reported by [@m2a2](https://github.com/m2a2) (cherry-pick #10230) (#10237)
- security: fix [CVE-2024-38371](../../security/CVE-2024-38371.md), reported by Stefan Zwanenburg (cherry-pick #10229) (#10234)
- sources/oauth: ensure all UI sources return a valid source (#9401)
- sources/oauth: fix OAuth Client sending token request incorrectly (#9474)
- sources/oauth: modernizes discord icon (#9817)
@ -233,12 +233,12 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.6

## Fixed in 2024.6.4

- security: fix [CVE-2024-42490](../../security/cves/CVE-2024-42490.md), reported by [@m2a2](https://github.com/m2a2) (cherry-pick #11022) #11025
- security: fix [CVE-2024-42490](../../security/CVE-2024-42490.md), reported by [@m2a2](https://github.com/m2a2) (cherry-pick #11022) #11025

## Fixed in 2024.6.5

- security: fix [CVE-2024-47070](../../security/cves/CVE-2024-47070.md), reported by [@efpi-bot](https://github.com/efpi-bot) from [LogicalTrust](https://logicaltrust.net/en/) (cherry-pick #11536) (#11540)
- security: fix [CVE-2024-47077](../../security/cves/CVE-2024-47077.md), reported by [@quentinmit](https://github.com/quentinmit) (cherry-pick #11535) (#11538)
- security: fix [CVE-2024-47070](../../security/CVE-2024-47070.md), reported by [@efpi-bot](https://github.com/efpi-bot) from [LogicalTrust](https://logicaltrust.net/en/) (cherry-pick #11536) (#11540)
- security: fix [CVE-2024-47077](../../security/CVE-2024-47077.md), reported by [@quentinmit](https://github.com/quentinmit) (cherry-pick #11535) (#11538)

## API Changes

@ -81,19 +81,19 @@ slug: "/releases/2024.8"

- **Source property mappings for SCIM, OAuth, SAML and Plex sources**

All source types now support property mappings to customize how authentik should interpret the data the source provides. In addition to that, it is also now possible to sync groups and group membership from sources that provide group information. See [Property Mappings](../../users-sources/sources/property-mappings/index.md).
All source types now support property mappings to customize how authentik should interpret the data the source provides. In addition to that, it is also now possible to sync groups and group membership from sources that provide group information. See [Property Mappings](../../sources/property-mappings/index.md).

- **RADIUS provider custom attribute support**

With 2024.8 it is possible to define custom attributes for the RADIUS provider, for example vendor-specific attributes like Cisco's `AV-Pair` attribute. These attributes are defined in property mappings which means they can be dynamically defined based on the user authenticating. See [RADIUS Provider](../../add-secure-apps/providers/radius/index.mdx#radius-attributes)
With 2024.8 it is possible to define custom attributes for the RADIUS provider, for example vendor-specific attributes like Cisco's `AV-Pair` attribute. These attributes are defined in property mappings which means they can be dynamically defined based on the user authenticating. See [RADIUS Provider](../../providers/radius/index.mdx#radius-attributes)

- **SAML encryption support**

It is now possible to configure SAML sources and providers to decrypt and validate encrypted assertions. This can be configured by creating a [Certificate-keypair](../../sys-mgmt/certificates.md) and selecting it in the SAML source or provider.
It is now possible to configure SAML sources and providers to decrypt and validate encrypted assertions. This can be configured by creating a [Certificate-keypair](../../core/certificates.md) and selecting it in the SAML source or provider.

- **GeoIP Policy**

With the new [GeoIP Policy](../../customize/policies/index.md#geoip-policy) it is possible to grant/deny access based on Country and ASN, without having to write an expression policy.
With the new [GeoIP Policy](../../policies/index.md#geoip-policy) it is possible to grant/deny access based on Country and ASN, without having to write an expression policy.

- **Simplification of LDAP Provider permissions**

@ -109,11 +109,11 @@ slug: "/releases/2024.8"

- **WebFinger support**

With the addition of the [default application](../../customize/brands.md#external-user-settings) setting, when the default application uses an OIDC provider, a WebFinger endpoint is available now.
With the addition of the [default application](../../core/brands.md#external-user-settings) setting, when the default application uses an OIDC provider, a WebFinger endpoint is available now.

## Upgrading

This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx).
This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../installation/upgrade.mdx).

:::warning
When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance.
@ -279,8 +279,8 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.8

- events: always use expiry from current tenant for events, not only when creating from HTTP request (cherry-pick #11415) (#11416)
- providers/proxy: fix traefik label generation (cherry-pick #11460) (#11480)
- security: [CVE-2024-47070](../../security/cves/CVE-2024-47070.md), reported by [@efpi-bot](https://github.com/efpi-bot) from [LogicalTrust](https://logicaltrust.net/en/) (cherry-pick #11536) (#11539)
- security: [CVE-2024-47077](../../security/cves/CVE-2024-47077.md), reported by [@quentinmit](https://github.com/quentinmit) (cherry-pick #11535) (#11537)
- security: [CVE-2024-47070](../../security/CVE-2024-47070.md), reported by [@efpi-bot](https://github.com/efpi-bot) from [LogicalTrust](https://logicaltrust.net/en/) (cherry-pick #11536) (#11539)
- security: [CVE-2024-47077](../../security/CVE-2024-47077.md), reported by [@quentinmit](https://github.com/quentinmit) (cherry-pick #11535) (#11537)
- sources/ldap: fix mapping check, fix debug endpoint (cherry-pick #11442) (#11498)
- sources/ldap: fix ms_ad userAccountControl not checking for lockout (cherry-pick #11532) (#11534)
- web: Fix missing integrity fields in package-lock.json (#11509)

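Review bot: the two security entries in this hunk read `security: [CVE-2024-47070]...` and `security: [CVE-2024-47077]...` without the `fix` verb that every other security entry in this diff uses (`security: fix [CVE-...]`), including the same two CVEs in the 2024.6.5 list. Since the revert rewrites these lines anyway, it is a cheap moment to make them `security: fix [CVE-2024-47070]...` and `security: fix [CVE-2024-47077]...` for consistency.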
@ -15,7 +15,7 @@ To try out the release candidate, replace your Docker image tag with the latest

## Upgrading

This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../install-config/upgrade.mdx).
This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../installation/upgrade.mdx).

:::warning
When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance.

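Review bot: this upgrade link is reverted to `../installation/upgrade.mdx` with a single `../`, while the equivalent line in the 2024.8 release notes is `../../installation/upgrade.mdx`. That is only correct if this release-candidate file lives one directory level higher than the versioned release notes; confirm the depth rather than assuming the pre-migration value resolved.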
@ -13,13 +13,13 @@ This update brings a lot of big features, such as:

Due to this new OAuth2 Provider, the Application Gateway Provider, now simply called "Proxy Provider" has been revamped as well. The new authentik Proxy integrates more tightly with authentik via the new Outposts system. The new proxy also supports multiple applications per proxy instance, can configure TLS based on authentik Keypairs, and more.

See [Proxy](../../add-secure-apps/providers/proxy/index.md)
See [Proxy](../../providers/proxy/index.md)

- Outpost System

This is a new Object type, currently used only by the Proxy Provider. It manages the creation and permissions of service accounts, which are used by the outposts to communicate with authentik.

See [Outposts](../../add-secure-apps/outposts/index.mdx)
See [Outposts](../../outposts/index.mdx)

- Flow Import/Export

@ -73,4 +73,4 @@ This upgrade only applies if you are upgrading from a running 0.9 instance. auth

Because this upgrade brings the new OAuth2 Provider, the old providers will be lost in the process. Make sure to take note of the providers you want to bring over.

Another side-effect of this upgrade is the change of OAuth2 URLs, see [here](../../add-secure-apps/providers/oauth2/index.md).
Another side-effect of this upgrade is the change of OAuth2 URLs, see [here](../providers/oauth2).

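Review bot: the OAuth2 link is reverted to `../providers/oauth2` (a single `../`, no `index.md`) while the Proxy and Outposts links in the earlier hunk of this same file are `../../providers/proxy/index.md` and `../../outposts/index.mdx`. A relative path one level shallower than its siblings in the same document almost certainly does not resolve; suggest `../../providers/oauth2/index.md` to match the rest of the file, and let the docs link checker confirm.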