habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website/docs: 2024.2 release notes (#8468)

Browse Source 
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Jens L. <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Marc 'risson' Schmitt
2024-02-14 20:52:56 +01:00
committed by GitHub
parent 2c1df6702c
commit a3bfb3d25c
13 changed files with 10235 additions and 129 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile
View File

@ -125,7 +125,7 @@ gen-diff: ## (Release) generate the changelog diff between the current schema a
docker run \
--rm -v ${PWD}:/local \
--user ${UID}:${GID} \
docker.io/openapitools/openapi-diff:2.1.0-beta.6 \
docker.io/openapitools/openapi-diff:2.1.0-beta.8 \
--markdown /local/diff.md \
/local/old_schema.yml /local/schema.yml
rm old_schema.yml

10
website/docs/advanced/tenancy.md
View File

@ -2,17 +2,23 @@
title: Tenancy
---
<span class="badge badge--primary">Enterprise</span>
---
::::warning
This feature is in alpha. Use at your own risk.
::::
::::info
This feature is available from 2024.1.1 and is not to be confused with brands, which used to be called tenants.
This feature is available from 2024.2 and is not to be confused with brands, which used to be called tenants.
::::
## Preparations
Starting with 2024.1.1, authentik allows for multiple tenants to be created. This allows an operator to manage several authentik installations without having to deploy additional instances.
Starting with 2024.2, authentik allows an administrator or operator to create multiple tenants. This means that an operator can manage several authentik installations without having to deploy additional instances.
Note that creating and managing tenants is handled using authentik APIs, not in the Admin interface.
authentik manages tenants by storing data for each tenant in a separate PostgreSQL schema.

2
website/docs/events/index.md
View File

@ -306,7 +306,7 @@ A configuration error occurs, for example during the authorization of an applica
Logged when any model is created/updated/deleted, including the user that sent the request.
:::info
Starting with authentik Enterprise 2024.1, `model_*` events also include which fields have been changed and their previous and new values.
Starting with authentik 2024.2, when a valid enterprise license is installed, these entries will contain additional audit data, including which fields were changed with this event, their previous values and their new values.
:::
### `email_sent`

2
website/docs/flow/stages/email/index.mdx
View File

@ -26,7 +26,7 @@ return True
You can also use custom email templates, to use your own design or layout.
:::info
Starting with authentik 2024.1, it is possible to create `.txt` files with the same name as the `.html` template. If a matching `.txt` file exists, the email sent will be a multipart email with both the text and HTML template.
Starting with authentik 2024.2, it is possible to create `.txt` files with the same name as the `.html` template. If a matching `.txt` file exists, the email sent will be a multipart email with both the text and HTML template.
:::
import Tabs from "@theme/Tabs";

2
website/docs/flow/stages/identification/index.md
View File

@ -25,7 +25,7 @@ These fields specify if and which flows are linked on the form. The enrollment f
## Pretend user exists
:::info
Requires authentik 2024.1
Requires authentik 2024.2
:::
When enabled, any user identifier will be accepted as valid (as long as they match the correct format, i.e. when [User fields](#user-fields) is set to only allow Emails, then the identifier still needs to be an Email). The stage will succeed and the flow will continue to the next stage. Stages like the [Password stage](../password/index.md) and [Email stage](../email/index.mdx) are aware of this "pretend" user and will behave the same as if the user would exist.

4
website/docs/flow/stages/user_login/index.md
View File

@ -39,8 +39,6 @@ When configured, all sessions authenticated by this stage will be bound to the s
Sessions which break this binding will be terminated on use. The created [`logout`](../../../events/index.md#logout) event will contain additional data related to what caused the binding to be broken:
```json
Context
{
"asn": {
"asn": 6805,
@ -65,7 +63,7 @@ Context
},
"ip": {
"previous": "1.2.3.4",
"new": "5.6.7.8",
"new": "5.6.7.8"
},
"http_request": {
"args": {},

2
website/docs/installation/configuration.mdx
View File

@ -426,7 +426,7 @@ Defaults to 2.
## System settings
:::info
Requires authentik 2024.1.0
Requires authentik 2024.2
:::
Additional settings are configurable using the Admin interface, under **System** -> **Settings** or using the API.

6
website/docs/policies/expression.mdx
View File

@ -59,6 +59,12 @@ import Objects from "../expressions/_objects.md";
return context["geoip"].country.iso_code == "US"
```
- `asn`: ASN object, see [GeoIP](https://geoip2.readthedocs.io/en/latest/#geoip2.models.ASN)
```python
return context["asn"].autonomous_system_number == 64496
```
- `ak_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider.
- `ak_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](#comparing-ip-addresses), for example

4
website/docs/providers/oauth2/index.md
View File

@ -38,7 +38,7 @@ To access the user's email address, a scope of `user:email` is required. To acce
This grant is used to convert an authorization code to an access token (and optionally refresh token). The authorization code is retrieved through the Authorization flow, and can only be used once, and expires quickly.
:::info
Starting with authentik 2024.1, applications only receive an access token. To receive a refresh token, applications must be allowed to request the `offline_access` scope in authentik and also be configured to request the scope.
Starting with authentik 2024.2, applications only receive an access token. To receive a refresh token, both applications and authentik must be configured to request the `offline_access` scope. In authentik this can be done by selecting the `offline_access` Scope mapping in the provider settings.
:::
### `refresh_token`:
@ -46,7 +46,7 @@ Starting with authentik 2024.1, applications only receive an access token. To re
Refresh tokens can be used as long-lived tokens to access user data, and further renew the refresh token down the road.
:::info
Starting with authentik 2024.1, this grant requires the `offline_access` scope.
Starting with authentik 2024.2, this grant requires the `offline_access` scope.
:::
### `client_credentials`:

115
website/docs/releases/2024/v2024.1.md
View File

@ -1,115 +0,0 @@
---
title: Release 2024.1
slug: /releases/2024.1
---
## Breaking changes
- Tenants have been renamed to brands
The API endpoints associated with brands have also been renamed.
Blueprints using `authentik_tenants.tenant` will need to be changed to use `authentik_brands.brand`.
- The following config options have been moved from the config file and can now be set using the admin interface (under **System** -> **Settings**) or the API:
- `AUTHENTIK_AVATARS`
- `AUTHENTIK_DEFAULT_USER_CHANGE_NAME`
- `AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL`
- `AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME`
- `AUTHENTIK_GDPR_COMPLIANCE`
- `AUTHENTIK_IMPERSONATION`
- `AUTHENTIK_FOOTER_LINKS`
- `AUTHENTIK_REPUTATION__EXPIRY`
When upgrading to 2024.1, the currently configured options will be automatically migrated to the database, and can be removed from the `.env` or helm values file afterwards.
- Required `offline_access` scope for Refresh tokens
The OAuth2 provider ships with a new default scope called `offline_access`, which must be requested by applications that need a refresh token. Previously, authentik would always issue a refresh token for the _Authorization code_ and _Device code_ OAuth grants.
Applications which require will need their configuration update to include the `offline_access` scope mapping.
- The event retention settings configured in brands (previously tenants, see above) has been removed and is now a system settings, managed in the admin interface or via the API (see above).
There is no built-in migration path for this change. If you set something other than the default (`days=365`), you will need to update the setting in the admin interface.
- authentik now uses PostgreSQL schemas other than `public`.
If you have a custom PostgreSQL deployment, please ensure that the authentik user is allowed to create schemas. Usually, if the authentik user is owner of the database, it already can.
- Removal of deprecated metrics
- `authentik_outpost_flow_timing_get` -> `authentik_outpost_flow_timing_get_seconds`
- `authentik_outpost_flow_timing_post` -> `authentik_outpost_flow_timing_post_seconds`
- `authentik_outpost_ldap_requests` -> `authentik_outpost_ldap_request_duration_seconds`
- `authentik_outpost_ldap_requests_rejected` -> `authentik_outpost_ldap_requests_rejected_total`
- `authentik_outpost_proxy_requests` -> `authentik_outpost_proxy_request_duration_seconds`
- `authentik_outpost_proxy_upstream_time` -> `authentik_outpost_proxy_upstream_response_duration_seconds`
- `authentik_outpost_radius_requests` -> `authentik_outpost_radius_request_duration_seconds`
- `authentik_outpost_radius_requests_rejected` -> `authentik_outpost_radius_requests_rejected_total`
- `authentik_main_requests` -> `authentik_main_request_duration_seconds`
- Icons are now in a `public/` subfolder
If your media folder is `/media`, icons are now stored in `/media/public`. authentik will automatically migrate the icons upon upgrading.
- The shorthand parameter for `--stage`, `-s` for the `ak test_email` command has been changed to `-S`
- User sessions will be invalidated after this upgrade. As such, users will need to log back in.
- The Helm Chart has a number of breaking changes. Find out more in the [chart release notes](https://github.com/goauthentik/helm/releases/tag/authentik-2024.1.0).
## New features
- Tenancy <span class="badge badge--primary">Enterprise</span>
:::warning
This feature is in early preview. Use at your own risk.
:::
It allows for authentik operators to manage several authentik installations without having to deploy additional instances.
- Audit log <span class="badge badge--primary">Enterprise</span>
authentik instances which have a valid enterprise license installed will log changes made to models including which fields were changed with previous and new values of the fields. The values are censored if they are sensitive (for example a password hash), however a hash of the changed value will still be logged.
- "Pretend user exists" option for Identification stage
Previously the identification stage would only continue if a user matching the user identifier exists. While this was the intended functionality, this release adds an option to continue to the next stage even if no matching user was found. "Pretend" users cannot authenticate nor receive emails, and don't exist in the database. **This feature is enabled by default.**
- S3 file storage
Media files can now be stored on S3. Follow the [setup guide](../../installation/storage-s3.md) to get started.
## Upgrading
This release does not introduce any new requirements.
### docker-compose
To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:
```
wget -O docker-compose.yml https://goauthentik.io/version/2024.1/docker-compose.yml
docker compose up -d
```
The `-O` flag retains the downloaded file's name, overwriting any existing local file with the same name.
### Kubernetes
Upgrade the Helm Chart to the new version, using the following commands:
```shell
helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.1
```
## Minor changes/fixes
<!-- _Insert the output of `make gen-changelog` here_ -->
## API Changes
<!-- _Insert output of `make gen-diff` here_ -->

10209
website/docs/releases/2024/v2024.2.md Normal file
View File

File diff suppressed because it is too large Load Diff

3
website/docusaurus.config.ts
View File

@ -156,7 +156,8 @@ module.exports = async function (): Promise<Config> {
repository: "goauthentik/authentik",
// Only replace issues and PR links
buildUrl: function (values) {
return values.type === "issue"
return values.type === "issue" ||
values.type === "mention"
? defaultBuildUrl(values)
: false;
},

3
website/sidebars.js
View File

@ -318,13 +318,14 @@ const docsSidebar = {
description: "Release notes for recent authentik versions",
},
items: [
"releases/2024/v2024.2",
"releases/2023/v2023.10",
"releases/2023/v2023.8",
"releases/2023/v2023.6",
{
type: "category",
label: "Previous versions",
items: [
"releases/2023/v2023.6",
"releases/2023/v2023.5",
"releases/2023/v2023.4",
"releases/2023/v2023.3",