Merge branch 'add_mappings_to_azure_ad_documentation' of github.com:tograss/authentik into add_mappings_to_azure_ad_documentation

This commit is contained in:
Tom Grassmann
2024-02-15 15:54:30 +01:00
170 changed files with 18582 additions and 6513 deletions

View File

@ -0,0 +1,201 @@
---
title: Open source developers are the original content creators
slug: 2024-02-07-open-source-devs-are-the-original-content-creators
authors:
- name: Jens Langhammer
title: CTO at Authentik Security Inc
url: https://github.com/BeryJu
image_url: https://github.com/BeryJu.png
- name: Nick Moore
title: Contributing Writer
url: https://nickmoore.me/
image_url: https://nickmoore.me/assets/images/image01.jpg?v=128b1f3c
tags:
- authentik
- access management
- open source
- content creators
- software
- GNU
- identity provider
- authentication
- Authentik Security
hide_table_of_contents: false
image: content-creator.png
---
> **_authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and auth0. Authentik Security is a [public benefit company](https://github.com/OpenCoreVentures/ocv-public-benefit-company/blob/main/ocv-public-benefit-company-charter.md) building on top of the open source project._**
---
In 2024, Tom Scott and Jynn Nelson, otherwise different people in different worlds, faced very similar problems.
- Tom Scott is a YouTuber who, as of this writing, has gotten nearly 2 billion views across over 700 videos. Nearly 6.5 million people subscribe to Tom Scotts [YouTube channel](https://www.youtube.com/@TomScottGo/videos).
- Jynn Nelson, a senior engineer, is a major maintainer of Rust, an open-source project that 2023 StackOverflow research showed was the [most admired language](https://survey.stackoverflow.co/2023/#productivity-impacts-knowledge-ic) among developers. About [2.2 million people](https://yalantis.com/blog/rust-market-overview/) are Rust developers.
In a [goodbye video](https://youtu.be/7DKv5H5Frt0?feature=shared), Scott announced an extended break from his channel, saying, "I am so tired. There's nothing in my life right now except work.”
In a post called [the rust project has a burnout problem](https://jyn.dev/the-rust-project-has-a-burnout-problem/), Nelson wrote, articulating sentiments across the Rust community, “you want a break, but you have a voice in the back of your head: _the project would be worse without you_.’”
Its unfortunate that this comparison makes the best opening to the point of this post: open source developers are much more like content creators than most people tend to assume.
> If anything, when you look at the history of the Internet and the history of distributing content online, open source developers might be the _original_ content creators.
By looking at the paths they have both paved and recontextualizing their work within a broader view of the creator economy, we can come to a better understanding of the shared futures of content creators and open source developers.
![<a href="https://www.freepik.com/free-photo/content-concept-laptop-screen_2755663.htm#query=content%20creation&position=0&from_view=keyword&track=ais&uuid=875faa67-ef14-4b81-8b12-bcb69973d094">Image by rawpixel.com</a> on Freepik](./content-creator.png)
<!--truncate-->
## Open-source maintainers were creating content before it was cool
In the past decade, a series of similar “economies” have risen and fallen, including the creator economy, the passion economy, and much of web3.
Evan Armstrong captured these collapses well, writing about the [crash of the creator economy](https://every.to/napkin-math/what-happened-to-the-creator-economy) in 2023. “Dollars invested are down 86% to $123M,” he wrote. “Next came the layoffs. The giants of the space have had issues: Patreon laid off 17% of staff, Linktree first sacked 17% of staff, then a few months later another 27%, Cameo has laid off 160 (probably 33%+ of staff).”
But unlike other economies, say, [the paper industry in Maine](https://www.jstor.org/stable/10.7591/j.ctvxkn85v), the factories havent left: influencers are still posting on Instagram, newsletter writers are still growing subscriber numbers on Substack, and TikTok creators are still going viral.
> Its a contradiction with a simple answer: typical conceptualizations of the creator economy are too limited, and the history of content creation is much longer and broader than most thought leaders and investors realize.
### A very brief history of open source
In 1974, software became copyrightable and it quickly shifted from free-by-default to paid. Once companies could control it, closed-source software took off.
Companies enforced copyrights and trademarks and leased the right to use their software. In 1976, Bill Gates wrote an [open letter to hobbyists](https://archive.nytimes.com/www.nytimes.com/library/cyber/surf/072397mind-letter.html), arguing that “most of you steal your software,” and in 1983, IBM stopped distributing source code to people who purchased IBM software.
In reaction to developments like these, Richard Stallman founded the GNU Project in 1983 and the Free Software Foundation in 1985.
He wrote in [The GNU Manifesto](https://www.gnu.org/gnu/manifesto.html) that “Many programmers are unhappy about the commercialization of system software. It may enable them to make more money, but it requires them to feel in conflict with other programmers in general rather than feel as comrades.”
Here, Stallman laid out one of the visions thats continued driving open source to this day: “Once GNU is written, everyone will be able to obtain good system software free, just like air.”
Over the following decades, open-source developers and maintainers used the nascent and eventually mature Internet to build software projects that were hobbies, industry-supporting keystones, and everything in between.
[![cartoon of abstract machine, with unsteady building blocks supporting it.](./image1.png)](https://xkcd.com/2347/)
Amongst this growth, another economy surfaced, too: a huge crop of companies that built tooling and platforms for open source as well as a variety of business models, such as open core, to support open source. Open source, once primarily adversarial to private industry, has become integral to it.
### Is software content?
Open-source developers were creating content and distributing it on the Internet long before everyone else. The pioneering work of what we might now call the creator economy often goes unrecognized for three major reasons:
- Software isnt always seen as content in the same way video content and text content are.
- The original philosophy of open source emphasized community and collaboration emphasizing a movement that extended beyond any individual developer.
- Early open-source developers emphasized a “[gift culture](http://www.catb.org/~esr/writings/cathedral-bazaar/homesteading/index.html),” with people like Eric Raymond arguing that software should be “freely shared.” Content creators, however, have long depended on centralized platforms like YouTube that often offer built-in monetization tools.
These distinctions, as significant as they might seem at first glance, are collapsing. Two decades after Raymonds _The Cathedral and the Bazaar_, Nadia Eghbal wrote _Working in Public,_ and in it, she notes: “Like any other creator, these developers create work that is intertwined with, and influenced by, their users, but its not collaborative in the way that we typically think of online communities. Rather than the users of forums or Facebook groups, GitHubs open source developers have more in common with solo creators on Twitter, Instagram, YouTube, or Twitch.”
Of all people, considering the open letter cited earlier, Bill Gates might have been the first to realize this, [writing in 1996](https://medium.com/@HeathEvans/content-is-king-essay-by-bill-gates-1996-df74552f80d9) that “When it comes to an interactive network such as the Internet, the definition of content becomes very wide. For example, computer software is a form of contentan extremely important one, and the one that for Microsoft will remain by far the most important.”
Open source led the way, but now, this pioneering work is curling back on itself and the future of open source requires recognizing its connection to the creator economy as a whole.
## 5 ways open source paved the way for content creators
Open source developers pioneered new ways of creating and distributing content on the Internet lessons that are worth re-contextualizing and re-learning for the sake of open source and for a new, larger understanding of the creator economy.
### 1. Misleading margins abound
One of the major reasons the creator economy took off as a target for venture capital is because content creation has zero margin in theory. Like software, these venture capitalists proposed, you could create once and reproduce freely forever.
Theoretically, a YouTube creator should be able to make a library of great videos and make ad money for as long as the videos remain online. Unless its covering breaking news, a great video should still be great in six months, two years, and five years. Create once. Profit forever.
This isnt how it works. On YouTube, views can plummet if you dont stay in peoples minds and if you dont keep on trend. YouTube creators are building a brand and benefit from uploading regularly even if it leads to creators like Tom Scott uploading a video every week for ten years without break.
Of course, investors could have learned this lesson sooner by looking at open source. A similar mistaken assumption applies: build the software once and distribute it forever. But, again, this isnt how it works.
As Eghbal writes, open source maintainers are “expected to maintain the code they published for as long as people use it. In some cases, this could be literally decades, unless the maintainer formally steps away from the project.”
![screenshot of Apache website's download page.](./image2.png)
[Apache](https://httpd.apache.org/), for example, launched in 1995, celebrated its 25th anniversary in 2020, and released its most recent version in 2023.
Software degrades over time (think of tech debt, integration issues, changing standards, etc.) in much the same way a YouTubers brand degrades over time. Both need maintenance just to persist, much less grow.
### 2. Firewalls require vigilance
In traditional journalism, the “firewall” (sometimes referred to as a separation between church and state) is a conceptual and logistical distinction between the editorial department and the advertising department. If the two were to mix, advertising needs would bias editorial goals and subscribers wouldnt trust the publisher that mixed them.
The same distinction extends to content creation and open source.
In content creation, the trust a creator has built with their audience is paramount, and maintaining the firewall between their content and their sponsors is essential.
On Instagram, for example, an influencer needs to be very clear about whether a given post is an ad or not. There are legal standards around this issue the [SEC charged Kim Kardashian](https://www.sec.gov/news/press-release/2022-183) a fine in 2022, for example, for not disclosing that the crypto company she was promoting had paid her but the bigger issue is maintaining audience trust.
Without trust, you cant influence.
These kinds of controversies are not novel for open source developers. Similar discussions arise when vendors offer to support or acquire an open source project and when an open source maintainer starts taking sponsorships.
Charity Majors, CEO and cofounder of Honeycomb, came up through open source and when she founded a for-profit company, the firewall singed her. “I came from open source,” she writes in a [2023 post](https://charity.wtf/2023/03/29/questionable-advice-people-used-to-take-me-seriously-then-i-became-a-software-vendor/), “where contempt for software vendors was apparently _de rigueur_.”
Back then, she writes, she and others assumed vendors were “liars” that would “say anything to get you to buy.” Majors eventually learned that vendors werent all bad, but her experience exemplifies how the separation between open source and vendors (as well as content creators and advertisers) can be fraught.
She now recommends vendors “lead with [their] bias” and says that she “discloses [her] own vested interest up front.” The boundaries can be crossed, either by projects seeking sponsorships or by developers seeking employment, but the boundary requires respect.
### 3. Audiences are a source of survival and stress
Influencers require a significant level of fame to achieve success: enough viewers to earn brand deals, enough fans to clamor outside makeup stores, enough listeners to sell out live shows.
But even though creators depend on their audiences, those same audiences can be a huge source of stress. A big audience can mean pressure and it can also sometimes mean a [public pillorying](https://www.distractify.com/p/influencers-canceled-quickly).
Open source developers rarely have fans in the same way but they frequently run into a similar dynamic. As an open source project becomes popular, more people want to contribute but because contributions are rarely perfect, PR review can become a job unto itself.
Nolan Lawson, for example, a major contributor to PouchDB told Eghbal that open source popularity can create “a perverse effect where, the more successful you are, the more you get punished with GitHub notifications.”
[![screenshot showing number of notifications at 2,495, from blog page of Anthony Fu writing about how he manages GitHub notifications.](./image3.png)](https://antfu.me/posts/manage-github-notifcations-2023)
As [Alex Danco writes](https://danco.substack.com/p/making-is-show-business-now), “Success brings attention, interaction, and maintenance - both of the code itself, and of the creators reputation. This all takes work, and its often not the kind of work the creators like doing.”
Success can then breed disillusionment and sometimes burnout. Many early open source proponents imagined free-flowing collaboration sustaining the movement, but many maintainers arent finding as much collaboration as theyd like or need. As Eghbal writes, “Its not the excessive consumption of code but the excessive participation from users vying for a maintainers attention that has made the work untenable for maintainers today.”
Both open source developers and content creators can suffer from success.
### 4. Sustainability vs. selling out
Open-source maintainers faced the issue of “selling out” long before content creators faced it. And yet, ironically, even current open source developers struggle with monetization more than content creators do.
The modern, if limited, definition of the creator economy arose after numerous important creator platforms were established (YouTube, Instagram, etc.). With YouTube, especially, monetization was eventually built in. The highest-earning creators tend to seek partnerships but advertising money flows through the platform itself.
In open source, the original culture has proven much more resistant to monetization. Raymond emphasized an abundance mindset and a gift culture, fostering a perspective that sometimes prioritizes the movement above any individual maintainers sustainability.
But things might be changing. When Majors worked at Facebook, for example, she realized that “Open source successes like Apache, Haproxy, Nginx, etc. are exceptions, not the norm; that this model is only viable for certain types of general-purpose infrastructure software… If steady progress is being made, at the end of the day, somewhere somebody is probably paying those developers.”
On the other side of these success stories are open source developers working for little recompense. Alex Clark, for example, maintains Pillow, an open source project that has been downloaded millions of times and has even been used by NASA in its Mars Ingenuity helicopter.
But the income didnt [keep up with the influence](https://www.techtarget.com/searchitoperations/feature/Who-profits-from-open-source-maintainers-work). “Our income is disproportionate if this thing is everywhere across the entire globe, used by Fortune-whatever companies,” Clark said. “It's disproportionate. And there's no easy way to fix that."
This isnt an isolated feeling. According to [2023 Tidelift research](https://4008838.fs1.hubspotusercontent-na1.net/hubfs/4008838/Tidelift-2023-open-source-maintainer-survey.pdf), 77% of the maintainers who are not paid would prefer to get paid, 22% have quit open source, and 36% have considered quitting.
[![graphic depicted poll showing that 77% of unpaid maintainers of open source projects would prefer to be paid.](./image4.png)](https://4008838.fs1.hubspotusercontent-na1.net/hubfs/4008838/Tidelift-2023-open-source-maintainer-survey.pdf)
Open source developers learned the hard way that monetization is hard even if influence is indisputable.
### 5. Building despite the bus factor
Mr. Beast, the YouTube channel, has gotten over 42 billion views across nearly 800 videos and [employs about 250 people](https://www.businessinsider.com/whats-it-like-to-work-for-mrbeast-biggest-youtuber-world-2023-11#:~:text=MrBeast%20is%20likely%20the%20most,June%202023%2C%20according%20to%20Forbes.).
But if Mr. Beast, the person, were hit by a bus tomorrow, a channel that routinely earns hundreds of millions of views per video would likely plummet in popularity. Its a grim example of the [bus factor](https://en.wikipedia.org/wiki/Bus_factor) the idea that companies with employees who have centralized knowledge or power create immense risk for the companies as a whole.
Few open source maintainers have anything nearing the celebrity status of Mr. Beast and few open source projects could even really be considered personality-driven. And yet, many open source projects would suffer a similar fate from a similar bus factor.
Tidelift research shows that nearly half of all open source maintainers work alone; [Synopsis research](https://thenewstack.io/open-source-needs-maintainers-but-how-can-they-get-paid/) shows that 91% of codebases contained open source software that had had no developer activity in the past two years; and [Linux Foundation research](https://thenewstack.io/open-source-needs-maintainers-but-how-can-they-get-paid/) found that only 35% of projects had a strong new contributor pipeline.
In other words, the bus factor is alive and well in open source. If anything, the differences between open source and content creation make the result of this dynamic relatively worse for open source.
If Mr. Beast retires, every one of his fans will know; if a key open source maintainer retires, their project could continue on, zombie-like, until a security issue reveals everyone was depending on a project with no one at the helm.
## The bazaar will outlast the creator economy
Open source developers are frequently undervalued but between Raymond and Eghbal, as well as some lessons from traditional content creators, we can see a path toward greater recognition.
Raymond writes that in open source, “the only available measure of competitive success is reputation among one's peers,” but reputation is not automatically granted upon merging code.
Eghbal clarifies, writing that “Open source developers are chronically undervalued because, unlike other creators, theyre tied to a platform that doesnt enable them to realize the value of their work. Instead of operating quietly in the background, open source developers ought to come to the forefront again.”
More and more open source developers are coming to the foreground, including [Cassidy Williams](https://cassidoo.co/), who has a strong Twitter and TikTok presence, and Shawn Wang (popularly known as @swyx) who runs an influential blog and advocates for devs [learning in public](https://www.swyx.io/learn-in-public).
As Danco writes, “Making technology seems like a world apart from entertainment and show business. But in this new world, making _is_ show business.”
The more that open source developers and the content creators that came up after them can learn from each other, the more sustainable the whole creator economy will be.
As always, we want to hear your thoughts. Reach out to us via email at [hello@goauthentik.io](mailto:hello@goauthentik.io) or on [Discord](https://discord.com/channels/809154715984199690/809154716507963434)!
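Review bot: the image line beginning `![<a href="https://www.freepik.com/free-photo/content-concept-laptop-screen_2755663.htm` embeds a raw HTML anchor inside the Markdown alt attribute, which either renders as literal text or fails to parse in MDX; move the Freepik attribution into a caption line under the image and keep the alt text to a plain description. Separately, apostrophes have been dropped throughout the post (`Tom Scotts`, `Its unfortunate`, `havent`, `dont`, `isnt`, `doesnt`), the report cited in the bus-factor section is from Synopsys, not `Synopsis`, and the channel is written `Mr. Beast` where its name is MrBeast; these should be fixed before the post is published.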

View File

@ -2,17 +2,23 @@
title: Tenancy
---
<span class="badge badge--primary">Enterprise</span>
---
::::warning
This feature is in alpha. Use at your own risk.
::::
::::info
This feature is available from 2024.1.1 and is not to be confused with brands, which used to be called tenants.
This feature is available from 2024.2 and is not to be confused with brands, which used to be called tenants.
::::
## Preparations
Starting with 2024.1.1, authentik allows for multiple tenants to be created. This allows an operator to manage several authentik installations without having to deploy additional instances.
Starting with 2024.2, authentik allows an administrator or operator to create multiple tenants. This means that an operator can manage several authentik installations without having to deploy additional instances.
Note that creating and managing tenants is handled using authentik APIs, not in the Admin interface.
authentik manages tenants by storing data for each tenant in a separate PostgreSQL schema.
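Review bot: the isolation boundary goes undocumented. `authentik manages tenants by storing data for each tenant in a separate PostgreSQL schema`, but the 2024.1 release notes in this same change require that "the authentik user is allowed to create schemas", i.e. one database role creates and owns every tenant schema, so separation between tenants is enforced by authentik selecting the schema per request rather than by PostgreSQL privileges. Given the alpha warning above, state this explicitly so operators do not treat schema-per-tenant as a hard security boundary comparable to separate databases or roles.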

View File

@ -33,7 +33,7 @@ The following aspects can be configured:
If the authentik server does not have a volume mounted under `/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`.
If there is a mount under `/media`, you'll instead see a field to upload a file.
If there is a mount under `/media` or if [S3 storage](../installation/storage-s3.md) is configured, you'll instead see a field to upload a file.
- _Publisher_: Text shown below the application
- _Description_: Subtext shown on the application card below the publisher
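Review bot: the first sentence of the hunk is now inconsistent with the change. `If the authentik server does not have a volume mounted under /media, you'll get a text input` no longer holds once S3 storage counts as a mount for the upload field; with S3 configured and no `/media` volume the user sees the upload field, not the text input. Reword the condition to "If neither a volume under `/media` nor S3 storage is configured, you'll get a text input" so both sentences describe the same two cases.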

View File

@ -306,7 +306,7 @@ A configuration error occurs, for example during the authorization of an applica
Logged when any model is created/updated/deleted, including the user that sent the request.
:::info
Starting with authentik Enterprise 2024.1, `model_*` events also include which fields have been changed and their previous and new values.
Starting with authentik 2024.2, when a valid enterprise license is installed, these entries will contain additional audit data, including which fields were changed with this event, their previous values and their new values.
:::
### `email_sent`
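Review bot: the rewritten note drops the censoring caveat that the deleted 2024.1 release notes carried for the same feature (`The values are censored if they are sensitive (for example a password hash), however a hash of the changed value will still be logged`). Readers of the events reference need that here: without it, `their previous values and their new values` reads as if secrets land in the audit log in the clear, and operators deciding where to forward `model_*` events need to know that a hash of a changed secret is still recorded.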

View File

@ -26,7 +26,7 @@ return True
You can also use custom email templates, to use your own design or layout.
:::info
Starting with authentik 2024.1, it is possible to create `.txt` files with the same name as the `.html` template. If a matching `.txt` file exists, the email sent will be a multipart email with both the text and HTML template.
Starting with authentik 2024.2, it is possible to create `.txt` files with the same name as the `.html` template. If a matching `.txt` file exists, the email sent will be a multipart email with both the text and HTML template.
:::
import Tabs from "@theme/Tabs";

View File

@ -25,7 +25,7 @@ These fields specify if and which flows are linked on the form. The enrollment f
## Pretend user exists
:::info
Requires authentik 2024.1
Requires authentik 2024.2
:::
When enabled, any user identifier will be accepted as valid (as long as they match the correct format, i.e. when [User fields](#user-fields) is set to only allow Emails, then the identifier still needs to be an Email). The stage will succeed and the flow will continue to the next stage. Stages like the [Password stage](../password/index.md) and [Email stage](../email/index.mdx) are aware of this "pretend" user and will behave the same as if the user would exist.
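Review bot: the section explains the mechanics but not the purpose or the default. Add that the option exists to prevent user enumeration through the identification stage (an unknown identifier produces exactly the same flow as a known one, down to the Password and Email stages) and, as the 2024.1 release notes stated, that `This feature is enabled by default`, so administrators who disable it understand what they give up.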

View File

@ -39,8 +39,6 @@ When configured, all sessions authenticated by this stage will be bound to the s
Sessions which break this binding will be terminated on use. The created [`logout`](../../../events/index.md#logout) event will contain additional data related to what caused the binding to be broken:
```json
Context
{
"asn": {
"asn": 6805,
@ -65,7 +63,7 @@ Context
},
"ip": {
"previous": "1.2.3.4",
"new": "5.6.7.8",
"new": "5.6.7.8"
},
"http_request": {
"args": {},

View File

@ -426,7 +426,7 @@ Defaults to 2.
## System settings
:::info
Requires authentik 2024.1.0
Requires authentik 2024.2
:::
Additional settings are configurable using the Admin interface, under **System** -> **Settings** or using the API.

View File

@ -59,6 +59,12 @@ import Objects from "../expressions/_objects.md";
return context["geoip"].country.iso_code == "US"
```
- `asn`: ASN object, see [GeoIP](https://geoip2.readthedocs.io/en/latest/#geoip2.models.ASN)
```python
return context["asn"].autonomous_system_number == 64496
```
- `ak_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider.
- `ak_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](#comparing-ip-addresses), for example
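Review bot: the new `asn` example, like the `geoip` example above it, dereferences the object unconditionally; if no ASN database is loaded or the client IP has no record, there is no `autonomous_system_number` to read and the policy expression raises instead of returning a decision. Suggest guarding in the example, e.g. `return context["asn"] is not None and context["asn"].autonomous_system_number == 64496`, and adding one sentence stating what `asn` holds when the lookup fails. Using 64496, an ASN reserved for documentation, is the right choice for the sample.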

View File

@ -38,7 +38,7 @@ To access the user's email address, a scope of `user:email` is required. To acce
This grant is used to convert an authorization code to an access token (and optionally refresh token). The authorization code is retrieved through the Authorization flow, and can only be used once, and expires quickly.
:::info
Starting with authentik 2024.1, applications only receive an access token. To receive a refresh token, applications must be allowed to request the `offline_access` scope in authentik and also be configured to request the scope.
Starting with authentik 2024.2, applications only receive an access token. To receive a refresh token, both applications and authentik must be configured to request the `offline_access` scope. In authentik this can be done by selecting the `offline_access` Scope mapping in the provider settings.
:::
### `refresh_token`:
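Review bot: `both applications and authentik must be configured to request the offline_access scope` is misleading, because authentik does not request scopes, it permits them. Suggest: the provider must have the `offline_access` Scope mapping selected, and the application must include `offline_access` in the scopes it requests; if the mapping is not selected the scope is not granted and no refresh token is issued. Since a refresh token is a long-lived credential, it is also worth one sentence advising to select the mapping only for applications that actually need offline access.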
@ -46,7 +46,7 @@ Starting with authentik 2024.1, applications only receive an access token. To re
Refresh tokens can be used as long-lived tokens to access user data, and further renew the refresh token down the road.
:::info
Starting with authentik 2024.1, this grant requires the `offline_access` scope.
Starting with authentik 2024.2, this grant requires the `offline_access` scope.
:::
### `client_credentials`:

View File

@ -1,115 +0,0 @@
---
title: Release 2024.1
slug: /releases/2024.1
---
## Breaking changes
- Tenants have been renamed to brands
The API endpoints associated with brands have also been renamed.
Blueprints using `authentik_tenants.tenant` will need to be changed to use `authentik_brands.brand`.
- The following config options have been moved from the config file and can now be set using the admin interface (under **System** -> **Settings**) or the API:
- `AUTHENTIK_AVATARS`
- `AUTHENTIK_DEFAULT_USER_CHANGE_NAME`
- `AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL`
- `AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME`
- `AUTHENTIK_GDPR_COMPLIANCE`
- `AUTHENTIK_IMPERSONATION`
- `AUTHENTIK_FOOTER_LINKS`
- `AUTHENTIK_REPUTATION__EXPIRY`
When upgrading to 2024.1, the currently configured options will be automatically migrated to the database, and can be removed from the `.env` or helm values file afterwards.
- Required `offline_access` scope for Refresh tokens
The OAuth2 provider ships with a new default scope called `offline_access`, which must be requested by applications that need a refresh token. Previously, authentik would always issue a refresh token for the _Authorization code_ and _Device code_ OAuth grants.
Applications which require will need their configuration update to include the `offline_access` scope mapping.
- The event retention settings configured in brands (previously tenants, see above) has been removed and is now a system settings, managed in the admin interface or via the API (see above).
There is no built-in migration path for this change. If you set something other than the default (`days=365`), you will need to update the setting in the admin interface.
- authentik now uses PostgreSQL schemas other than `public`.
If you have a custom PostgreSQL deployment, please ensure that the authentik user is allowed to create schemas. Usually, if the authentik user is owner of the database, it already can.
- Removal of deprecated metrics
- `authentik_outpost_flow_timing_get` -> `authentik_outpost_flow_timing_get_seconds`
- `authentik_outpost_flow_timing_post` -> `authentik_outpost_flow_timing_post_seconds`
- `authentik_outpost_ldap_requests` -> `authentik_outpost_ldap_request_duration_seconds`
- `authentik_outpost_ldap_requests_rejected` -> `authentik_outpost_ldap_requests_rejected_total`
- `authentik_outpost_proxy_requests` -> `authentik_outpost_proxy_request_duration_seconds`
- `authentik_outpost_proxy_upstream_time` -> `authentik_outpost_proxy_upstream_response_duration_seconds`
- `authentik_outpost_radius_requests` -> `authentik_outpost_radius_request_duration_seconds`
- `authentik_outpost_radius_requests_rejected` -> `authentik_outpost_radius_requests_rejected_total`
- `authentik_main_requests` -> `authentik_main_request_duration_seconds`
- Icons are now in a `public/` subfolder
If your media folder is `/media`, icons are now stored in `/media/public`. authentik will automatically migrate the icons upon upgrading.
- The shorthand parameter for `--stage`, `-s` for the `ak test_email` command has been changed to `-S`
- User sessions will be invalidated after this upgrade. As such, users will need to log back in.
- The Helm Chart has a number of breaking changes. Find out more in the [chart release notes](https://github.com/goauthentik/helm/releases/tag/authentik-2024.1.0).
## New features
- Tenancy <span class="badge badge--primary">Enterprise</span>
:::warning
This feature is in early preview. Use at your own risk.
:::
It allows for authentik operators to manage several authentik installations without having to deploy additional instances.
- Audit log <span class="badge badge--primary">Enterprise</span>
authentik instances which have a valid enterprise license installed will log changes made to models including which fields were changed with previous and new values of the fields. The values are censored if they are sensitive (for example a password hash), however a hash of the changed value will still be logged.
- "Pretend user exists" option for Identification stage
Previously the identification stage would only continue if a user matching the user identifier exists. While this was the intended functionality, this release adds an option to continue to the next stage even if no matching user was found. "Pretend" users cannot authenticate nor receive emails, and don't exist in the database. **This feature is enabled by default.**
- S3 file storage
Media files can now be stored on S3. Follow the [setup guide](../../installation/storage-s3.md) to get started.
## Upgrading
This release does not introduce any new requirements.
### docker-compose
To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:
```
wget -O docker-compose.yml https://goauthentik.io/version/2024.1/docker-compose.yml
docker compose up -d
```
The `-O` flag retains the downloaded file's name, overwriting any existing local file with the same name.
### Kubernetes
Upgrade the Helm Chart to the new version, using the following commands:
```shell
helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.1
```
## Minor changes/fixes
<!-- _Insert the output of `make gen-changelog` here_ -->
## API Changes
<!-- _Insert output of `make gen-diff` here_ -->
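Review bot: the upgrade commands on this new release-notes page still point at the previous release (`wget -O docker-compose.yml https://goauthentik.io/version/2024.1/docker-compose.yml`, `helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.1`, and the Helm breaking-changes link to `authentik-2024.1.0`); if this is the v2024.2 page that the sidebar change in this commit adds, bump these before publishing, otherwise readers following the page will install the older version. The "Minor changes/fixes" and "API Changes" sections still contain only the `make gen-changelog` / `make gen-diff` placeholder comments and need the generated output. For the "Pretend user exists" entry, which is enabled by default, one sentence on why it exists (the stage now continues the same way whether or not the identifier matches a user, so the response no longer reveals which accounts exist) would help admins judge the change. Style: the docker-compose block uses a bare fence while the Kubernetes block is tagged ```shell; tag both.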



View File

@ -32,9 +32,9 @@ To view _object_ permissions for a specific user or role:
\_These instructions apply to all objects that **do not** have a detail page.\_\_
1. Go to the Admin interface and navigate to **Flows and Stages -> Stagess**.
2. On the row for the specific stage whose permissions you want to view, click the lock icon.
3. On the **Update Permissions** tab, you can view the assigned permissions using the **User Object Permissions** and the **Role Object Permissions** tabs.
1. Go to the Admin interface and navigate to **Flows and Stages -> Stages**.
2. On the row for the specific stage whose permissions you want to view, click the **lock icon**.
3. On the **Update Permissions** window, you can view the assigned permissions using the **User Object Permissions** and the **Role Object Permissions** tabs.
## Manage permissions
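Review bot: the context line `\_These instructions apply to all objects that **do not** have a detail page.\_\_` opens italics with one escaped underscore and closes with two, so a stray underscore renders after the sentence; since the surrounding steps are being reworded anyway, fix it to a matching pair (and check whether the escaping is needed at all in MDX). The rewritten step 3 calls **Update Permissions** a "window", while the last hunk of this file calls the same dialog a "modal window"; use one term.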
@ -48,21 +48,25 @@ To assign or remove _object_ permissions for a specific user:
2. Select a specific user by clicking on the user's name.
3. Click the **Permissions** tab at the top of the page.
4. To assign or remove permissions that another _user_ has on this specific user:
1. Click the **User Object Permissions** tab, click **Assign to new user**.
1. Click the **User Object Permissions** tab, and then click **Assign to new user**.
2. In the **User** drop-down, select the user object.
3. Use the toggles to set which permissions on that selected user object you want to grant to (or remove from) the specific user.
4. Click **Assign** to save your settings and close the modal.
5. To assign or remove permissions that another _role_ has on this specific user:
Click the **Role Object Permissions** tab, click **Assign to new role**. 2. In the **User** drop-down, select the user object. 3. Use the toggles to set which permissions you want to grant to (or remove from) the selected role. 4. Click **Assign** to save your settings and close the modal.
1. Click the **Role Object Permissions** tab, and then click **Assign to new role**.
2. In the **User** drop-down, select the user object.
3. Use the toggles to set which permissions you want to grant to (or remove from) the selected role.
4. Click **Assign** to save your settings and close the modal.
To assign or remove _global_ permissions for a user:
1. Go to the Admin interface and navigate to **Directory -> Users**.
2. Select a specific user the clicking on the user's name.
3. Click the **Assigned Permissions** tab at the top of the page (to the right of the **Permissions** tab).
4. In the **Assigned Global Permissions** area, click **Assign Permission**.
5. In the **Assign permissions to user** modal, click the plus sign (**+**) and then click the checkbox beside each permission that you want to assign to the user. To remove permissions, deselect the checkbox.
6. Click **Add**, and then click **Assign** to save your changes and close the modal.
3. Click the **Permissions** tab at the top of the page.
4. Click **Assigned Global Permissions** to the left.
5. In the **Assign permissions** area, click **Assign Permission**.
6. In the **Assign permission to user** modal box, click the plus sign (**+**) and then click the checkbox beside each permission that you want to assign to the user. To remove permissions, deselect the checkbox.
7. Click **Add**, and then click **Assign** to save your changes and close the modal.
### Assign or remove permissions on a specific group
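Review bot: step 2 of the global-permissions procedure, `Select a specific user the clicking on the user's name.`, is an unchanged context line with a typo ("the clicking" should be "by clicking"); the equivalent sentence is corrected for groups two hunks below (`by clicking the group's name`) but not here or in the roles section. The new step 6 names the dialog **Assign permission to user** while the roles hunk names its counterpart **Assign permissions to role**; confirm which matches the UI so both procedures use the same label.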
@ -74,15 +78,18 @@ Also there are no global permissions for groups.
To assign or remove _object_ permissions on a specific group by users and roles:
1. Go to the Admin interface and navigate to **Directory -> Groups**.
2. Select a specific group by clicking the the group's name.
2. Select a specific group by clicking the group's name.
3. Click the **Permissions** tab at the top of the page.
To assign or remove permissions that another _user_ has on this specific group:
1. Click the **User Object Permissions** tab, click **Assign to new user**.
1. Click **User Object Permissions** to the left, and then click **Assign to new user**.
2. In the **User** drop-down, select the user object.
3. Use the toggles to set which permissions on that selected group you want to grant to (or remove from) the specific user.
4. Click **Assign** to save your settings and close the modal.
4. To assign or remove permissions that another _role_ has on this specific group:
Click the **Role Object Permissions** tab, click **Assign to new role**. 2. In the **Role** drop-down, select the role. 3. Use the toggles to set which permissions you want to grant to (or remove from ) the selected role. 4. Click **Assign** to save your settings and close the modal.
1. Click **Role Object Permissions** to the left, and then click **Assign to new role**.
2. In the **Role** drop-down, select the role.
3. Use the toggles to set which permissions you want to grant to (or remove from ) the selected role.
4. Click **Assign** to save your settings and close the modal.
### Assign or remove permissions for a specific role
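Review bot: the new role sub-step `Use the toggles to set which permissions you want to grant to (or remove from ) the selected role.` keeps the stray space before the closing parenthesis that the old run-on line had; the user sub-steps in this same hunk have it right. The numbering is also inconsistent: after step 3 the user sub-procedure is introduced by an unnumbered sentence, but the role sub-procedure is `4.`; either number both (4 and 5, as the user section above does) or neither.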
@ -91,16 +98,23 @@ To assign or remove _object_ permissions for a specific role:
1. Go to the Admin interface and navigate to **Directory -> Roles**.
2. Select a specific role the clicking on the role's name.
3. Click the **Permissions** tab at the top of the page.
To assign or remove permissions that another _user_ has on this specific role: 1. Click the **User Object Permissions** tab, click **Assign to new user**. 2. In the **User** drop-down, select the user object. 3. Use the toggles to set which permissions on that role you want to grant to (or remove from) the selected user. 4. Click **Assign** to save your settings and close the modal.
To assign or remove permissions that another _user_ has on this specific role:
1. Click **User Object Permissions** to the left, and then click **Assign to new user**.
2. In the **User** drop-down, select the user object.
3. Use the toggles to set which permissions on that role you want to grant to (or remove from) the selected user.
4. Click **Assign** to save your settings and close the modal.
4. To assign or remove permissions that another _role_ has on this specific group:
Click the **Role Object Permissions** tab, click **Assign to new role**. 2. In the **Role** drop-down, select the role. 3. Use the toggles to set which permissions you want to grant to (or remove from) the selected role. 4. Click **Assign** to save your settings and close the modal.
1. Click **Role Object Permissions** to the left, and then click **Assign to new role**.
2. In the **Role** drop-down, select the role.
3. Use the toggles to set which permissions you want to grant to (or remove from) the selected role.
4. Click **Assign** to save your settings and close the modal.
To assign or remove _global_ permissions for a role:
1. Go to the Admin interface and navigate to **Directory -> Roles**.
2. Select a specific role by clicking on the role's name.
3. The **Overview** tab at the top of the page displays all assigned global permissions for the role.
4. In the **Assigned Global Permissions** area, click **Assign Permission**.
3. Click the **Permissions** tab at the top of the page.
4. Click **Assigned Global Permissions** to the left, and then click **Assign Permission**.
5. In the **Assign permissions to role** modal, click the plus sign (**+**) and then click the checkbox beside each permission that you want to assign to the role. To remove permissions, deselect the checkbox.
6. Click **Assign** to save your changes and close the modal.
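Review bot: the context line `4. To assign or remove permissions that another _role_ has on this specific group:` is in the roles section and should end with "role", not "group"; it is left untouched while the sentence right before it is rewritten. Step 2 still reads `Select a specific role the clicking on the role's name.`, the same typo as in the users section. In the global-permissions steps, step 6 says only click **Assign**, whereas the equivalent user procedure says click **Add**, and then click **Assign**; check whether the role modal really lacks the **Add** step or whether this is an omission.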
@ -114,5 +128,5 @@ To assign or remove _global_ permissions for a role:
### Assign or remove stage permissions
1. Go to the Admin interface and navigate to **Flows and Stages -> Stagess**.
2. On the row for the specific stage that you want to manage permissions, click the lock icon.
3. On the **Update Permissions** tab, you can add or remove the assigned permissions using the **User Object Permissions** and the **Role Object Permissions** tabs.
2. On the row for the specific stage that you want to manage permissions, click the **lock icon**.
3. On the **Update Permissions** modal window, you can add or remove the assigned permissions using the **User Object Permissions** and the **Role Object Permissions** tabs.
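Review bot: `Flows and Stages -> Stagess` at step 1 of this procedure is an unchanged context line, while the identical typo at the top of the file is corrected to **Stages** in this same commit; fix it here too. The new step 3 says "modal window" where the earlier hunk says "window" for the same **Update Permissions** dialog; pick one.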

View File

@ -29,16 +29,16 @@ Object permissions have two categories:
- **_User_ object permissions**: defines WHO (which user) can change the **_object_**
- **_Role_ object permissions**: defines which ROLE can change the **_object_**
Object permissions are assigned, as the name indicates, to an object (users, [groups](../groups/index.mdx), roles, flows, and stages), and the assigned permissions state exactly what a user or role can do TO the object (i.e. what permissions does the user or role have on that object).
Object permissions are assigned, as the name indicates, to an object ([users](../user/index.mdx), [groups](../groups/index.mdx), [roles](../roles/index.mdx), [flows](../../flow/index.md), and stages), and the assigned permissions state exactly what a user or role can do TO the object (i.e. what permissions does the user or role have on that object).
When working with object permissions, it is important to understand that when you are viewing the page for an object the permissions table shows which users or roles have permissions ON that object. Those permissions describe what those users or roles can do TO the object detailed on the page.
When working with object permissions it is important to understand that when you are viewing the page for an object, the permissions table shows which users or roles have permissions ON that specific object. Those permissions describe what those users or roles can do TO the object detailed on the page.
For example, the UI below shows a user page for the user named Peter.
For example, the Admin interface UI shown below shows a user page for the user named Peter.
![](./user-page.png)
You can see in the **User Object Permissions** table that another user, roberto, has permissions on Peter (that is, on the user object Peter).
You can see in the **User Object Permissions** table that the Admin user (`akadmin`) and one other user (roberto) has permissions on Peter (that is, on the user object named Peter).
Looking at another example, with a flow object called `default-recovery-flow` you can see that the Admin user (akadmin) has all object permissions on the flow, but roberto only has a few permissions on that flow.
Looking at another example, with a flow object called `default-recovery-flow`, you can see that the Admin user (akadmin) has all object permissions on the flow, but roberto only has a few permissions on that flow.
![](./flow-page.png)
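Review bot: `the Admin user (akadmin) and one other user (roberto) has permissions on Peter` needs "have" with the compound subject, and `akadmin` is in backticks on that line but plain in the next paragraph while `roberto` is plain in both; settle on one formatting for usernames. `the Admin interface UI shown below shows a user page` repeats itself; "the Admin interface page below shows a user page" reads cleaner. Since the new sentence now claims the table lists akadmin as well as roberto, confirm the updated screenshot actually shows both rows.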


View File

@ -156,7 +156,8 @@ module.exports = async function (): Promise<Config> {
repository: "goauthentik/authentik",
// Only replace issues and PR links
buildUrl: function (values) {
return values.type === "issue"
return values.type === "issue" ||
values.type === "mention"
? defaultBuildUrl(values)
: false;
},
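Review bot: the comment `// Only replace issues and PR links` is now wrong, because the condition also returns a URL for `values.type === "mention"`; update it to say user mentions are linked as well. The precedence is as intended (`||` binds tighter than the conditional operator, so the ternary applies to the whole disjunction), but wrapping the condition in parentheses would make that explicit for the next reader.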

View File

@ -15,10 +15,10 @@
"@docusaurus/preset-classic": "^3.1.1",
"@docusaurus/theme-common": "^3.1.1",
"@docusaurus/theme-mermaid": "^3.1.1",
"@mdx-js/react": "^3.0.0",
"@mdx-js/react": "^3.0.1",
"clsx": "^2.1.0",
"disqus-react": "^1.1.5",
"postcss": "^8.4.33",
"postcss": "^8.4.35",
"prism-react-renderer": "^2.3.1",
"rapidoc": "^9.3.4",
"react": "^18.2.0",
@ -26,15 +26,15 @@
"react-dom": "^18.2.0",
"react-feather": "^2.0.10",
"react-toggle": "^4.1.3",
"react-tooltip": "^5.26.0",
"react-tooltip": "^5.26.2",
"remark-github": "^12.0.0"
},
"devDependencies": {
"@docusaurus/module-type-aliases": "3.1.1",
"@docusaurus/tsconfig": "3.1.1",
"@docusaurus/types": "3.1.1",
"@types/react": "^18.2.48",
"prettier": "3.2.4",
"@types/react": "^18.2.55",
"prettier": "3.2.5",
"typescript": "~5.3.3"
},
"engines": {
@ -3119,26 +3119,26 @@
}
},
"node_modules/@floating-ui/core": {
"version": "1.5.0",
"resolved": "https://registry.npmjs.org/@floating-ui/core/-/core-1.5.0.tgz",
"integrity": "sha512-kK1h4m36DQ0UHGj5Ah4db7R0rHemTqqO0QLvUqi1/mUUp3LuAWbWxdxSIf/XsnH9VS6rRVPLJCncjRzUvyCLXg==",
"version": "1.6.0",
"resolved": "https://registry.npmjs.org/@floating-ui/core/-/core-1.6.0.tgz",
"integrity": "sha512-PcF++MykgmTj3CIyOQbKA/hDzOAiqI3mhuoN44WRCopIs1sgoDoU4oty4Jtqaj/y3oDU6fnVSm4QG0a3t5i0+g==",
"dependencies": {
"@floating-ui/utils": "^0.1.3"
"@floating-ui/utils": "^0.2.1"
}
},
"node_modules/@floating-ui/dom": {
"version": "1.5.3",
"resolved": "https://registry.npmjs.org/@floating-ui/dom/-/dom-1.5.3.tgz",
"integrity": "sha512-ClAbQnEqJAKCJOEbbLo5IUlZHkNszqhuxS4fHAVxRPXPya6Ysf2G8KypnYcOTpx6I8xcgF9bbHb6g/2KpbV8qA==",
"version": "1.6.2",
"resolved": "https://registry.npmjs.org/@floating-ui/dom/-/dom-1.6.2.tgz",
"integrity": "sha512-xymkSSowKdGqo0SRr2Mp4czH5A8o2Pum35PAD0ftb3gCcPacWzwhvtUeUqmVXm9EVtm2hThD/lRrFNcahMOaSQ==",
"dependencies": {
"@floating-ui/core": "^1.4.2",
"@floating-ui/utils": "^0.1.3"
"@floating-ui/core": "^1.0.0",
"@floating-ui/utils": "^0.2.0"
}
},
"node_modules/@floating-ui/utils": {
"version": "0.1.6",
"resolved": "https://registry.npmjs.org/@floating-ui/utils/-/utils-0.1.6.tgz",
"integrity": "sha512-OfX7E2oUDYxtBvsuS4e/jSn4Q9Qb6DzgeYtsAdkPZ47znpoNsMgZw0+tVijiv3uGNR6dgNlty6r9rzIzHjtd/A=="
"version": "0.2.1",
"resolved": "https://registry.npmjs.org/@floating-ui/utils/-/utils-0.2.1.tgz",
"integrity": "sha512-9TANp6GPoMtYzQdt54kfAyMmz1+osLlXdg2ENroU7zzrtflTLrrC/lgrIfaSe+Wu0b89GKccT7vxXA0MoAIO+Q=="
},
"node_modules/@hapi/hoek": {
"version": "9.3.0",
@ -3285,9 +3285,9 @@
}
},
"node_modules/@mdx-js/react": {
"version": "3.0.0",
"resolved": "https://registry.npmjs.org/@mdx-js/react/-/react-3.0.0.tgz",
"integrity": "sha512-nDctevR9KyYFyV+m+/+S4cpzCWHqj+iHDHq3QrsWezcC+B17uZdIWgCguESUkwFhM3n/56KxWVE3V6EokrmONQ==",
"version": "3.0.1",
"resolved": "https://registry.npmjs.org/@mdx-js/react/-/react-3.0.1.tgz",
"integrity": "sha512-9ZrPIU4MGf6et1m1ov3zKf+q9+deetI51zprKB1D/z3NOb+rUxxtEl3mCjW5wTGh6VhRdwPueh1oRzi6ezkA8A==",
"dependencies": {
"@types/mdx": "^2.0.0"
},
@ -4374,9 +4374,9 @@
"integrity": "sha512-+0autS93xyXizIYiyL02FCY8N+KkKPhILhcUSA276HxzreZ16kl+cmwvV2qAM/PuCCwPXzOXOWhiPcw20uSFcA=="
},
"node_modules/@types/react": {
"version": "18.2.48",
"resolved": "https://registry.npmjs.org/@types/react/-/react-18.2.48.tgz",
"integrity": "sha512-qboRCl6Ie70DQQG9hhNREz81jqC1cs9EVNcjQ1AU+jH6NFfSAhVVbrrY/+nSF+Bsk4AOwm9Qa61InvMCyV+H3w==",
"version": "18.2.55",
"resolved": "https://registry.npmjs.org/@types/react/-/react-18.2.55.tgz",
"integrity": "sha512-Y2Tz5P4yz23brwm2d7jNon39qoAtMMmalOQv6+fEFt1mT+FcM3D841wDpoUvFXhaYenuROCy3FZYqdTjM7qVyA==",
"dependencies": {
"@types/prop-types": "*",
"@types/scheduler": "*",
@ -13161,9 +13161,9 @@
}
},
"node_modules/postcss": {
"version": "8.4.33",
"resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.33.tgz",
"integrity": "sha512-Kkpbhhdjw2qQs2O2DGX+8m5OVqEcbB9HRBvuYM9pgrjEFUg30A9LmXNlTAUj4S9kgtGyrMbTzVjH7E+s5Re2yg==",
"version": "8.4.35",
"resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.35.tgz",
"integrity": "sha512-u5U8qYpBCpN13BsiEB0CbR1Hhh4Gc0zLFuedrHJKMctHCHAGrMdG0PRM/KErzAL3CU6/eckEtmHNB3x6e3c0vA==",
"funding": [
{
"type": "opencollective",
@ -13778,9 +13778,9 @@
}
},
"node_modules/prettier": {
"version": "3.2.4",
"resolved": "https://registry.npmjs.org/prettier/-/prettier-3.2.4.tgz",
"integrity": "sha512-FWu1oLHKCrtpO1ypU6J0SbK2d9Ckwysq6bHj/uaCP26DxrPpppCLQRGVuqAxSTvhF00AcvDRyYrLNW7ocBhFFQ==",
"version": "3.2.5",
"resolved": "https://registry.npmjs.org/prettier/-/prettier-3.2.5.tgz",
"integrity": "sha512-3/GWa9aOC0YeD7LUfvOG2NiDyhOWRvt1k+rcKhOuYnMY24iiCphgneUfJDyFXd6rZCAnuLBv6UeAULtrhT/F4A==",
"dev": true,
"bin": {
"prettier": "bin/prettier.cjs"
@ -14389,11 +14389,11 @@
}
},
"node_modules/react-tooltip": {
"version": "5.26.0",
"resolved": "https://registry.npmjs.org/react-tooltip/-/react-tooltip-5.26.0.tgz",
"integrity": "sha512-UBbwy3fo1KYDwRCOWwM6AEfQsk9shgVfNkXFqgwS33QHplzg7xao/7mX/6wd+lE6KSZzhUNTkB5TNk9SMaBV/A==",
"version": "5.26.2",
"resolved": "https://registry.npmjs.org/react-tooltip/-/react-tooltip-5.26.2.tgz",
"integrity": "sha512-C1qHiqWYn6l5c98kL/NKFyJSw5G11vUVJkgOPcKgn306c5iL5317LxMNn5Qg1GSSM7Qvtsd6KA5MvwfgxFF7Dg==",
"dependencies": {
"@floating-ui/dom": "^1.0.0",
"@floating-ui/dom": "^1.6.1",
"classnames": "^2.3.0"
},
"peerDependencies": {

View File

@ -22,17 +22,17 @@
"@docusaurus/preset-classic": "^3.1.1",
"@docusaurus/theme-common": "^3.1.1",
"@docusaurus/theme-mermaid": "^3.1.1",
"@mdx-js/react": "^3.0.0",
"@mdx-js/react": "^3.0.1",
"clsx": "^2.1.0",
"disqus-react": "^1.1.5",
"postcss": "^8.4.33",
"postcss": "^8.4.35",
"prism-react-renderer": "^2.3.1",
"rapidoc": "^9.3.4",
"react-before-after-slider-component": "^1.1.8",
"react-dom": "^18.2.0",
"react-feather": "^2.0.10",
"react-toggle": "^4.1.3",
"react-tooltip": "^5.26.0",
"react-tooltip": "^5.26.2",
"react": "^18.2.0",
"remark-github": "^12.0.0"
},
@ -52,8 +52,8 @@
"@docusaurus/module-type-aliases": "3.1.1",
"@docusaurus/tsconfig": "3.1.1",
"@docusaurus/types": "3.1.1",
"@types/react": "^18.2.48",
"prettier": "3.2.4",
"@types/react": "^18.2.55",
"prettier": "3.2.5",
"typescript": "~5.3.3"
},
"engines": {

View File

@ -318,13 +318,14 @@ const docsSidebar = {
description: "Release notes for recent authentik versions",
},
items: [
"releases/2024/v2024.2",
"releases/2023/v2023.10",
"releases/2023/v2023.8",
"releases/2023/v2023.6",
{
type: "category",
label: "Previous versions",
items: [
"releases/2023/v2023.6",
"releases/2023/v2023.5",
"releases/2023/v2023.4",
"releases/2023/v2023.3",
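Review bot: `releases/2024/v2024.2` is added as the newest entry here, but the release-notes page added in this commit still uses 2024.1 in its docker-compose URL, Helm `--version` constraint and chart release-notes link; the sidebar entry and the page content should be updated together. Moving `releases/2023/v2023.6` into "Previous versions" keeps three current releases at the top, consistent with the existing layout.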