habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
40a1e5a9b2f38267d1655a50c78db3667a0d1d28
authentik/website/docs/releases/2024/v2024.1.md

5.4 KiB
Raw Blame History

title, slug
title slug
Release 2024.1 /releases/2024.1

Breaking changes

  • Tenants have been renamed to brands

    The API endpoints associated with brands have also been renamed.

    Blueprints using authentik_tenants.tenant will need to be changed to use authentik_brands.brand.

  • The following config options have been moved from the config file and can now be set using the admin interface (under System -> Settings) or the API:

    • AUTHENTIK_AVATARS
    • AUTHENTIK_DEFAULT_USER_CHANGE_NAME
    • AUTHENTIK_DEFAULT_USER_CHANGE_EMAIL
    • AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME
    • AUTHENTIK_GDPR_COMPLIANCE
    • AUTHENTIK_IMPERSONATION
    • AUTHENTIK_FOOTER_LINKS
    • AUTHENTIK_REPUTATION__EXPIRY

    When upgrading to 2024.1, the currently configured options will be automatically migrated to the database, and can be removed from the .env or helm values file afterwards.

  • Required offline_access scope for Refresh tokens

    The OAuth2 provider ships with a new default scope called offline_access, which must be requested by applications that need a refresh token. Previously, authentik would always issue a refresh token for the Authorization code and Device code OAuth grants.

    Applications which require will need their configuration update to include the offline_access scope mapping.

  • The event retention settings configured in brands (previously tenants, see above) has been removed and is now a system settings, managed in the admin interface or via the API (see above).

    There is no built-in migration path for this change. If you set something other than the default (days=365), you will need to update the setting in the admin interface.

  • authentik now uses PostgreSQL schemas other than public.

    If you have a custom PostgreSQL deployment, please ensure that the authentik user is allowed to create schemas. Usually, if the authentik user is owner of the database, it already can.

  • Removal of deprecated metrics

    • authentik_outpost_flow_timing_get -> authentik_outpost_flow_timing_get_seconds
    • authentik_outpost_flow_timing_post -> authentik_outpost_flow_timing_post_seconds
    • authentik_outpost_ldap_requests -> authentik_outpost_ldap_request_duration_seconds
    • authentik_outpost_ldap_requests_rejected -> authentik_outpost_ldap_requests_rejected_total
    • authentik_outpost_proxy_requests -> authentik_outpost_proxy_request_duration_seconds
    • authentik_outpost_proxy_upstream_time -> authentik_outpost_proxy_upstream_response_duration_seconds
    • authentik_outpost_radius_requests -> authentik_outpost_radius_request_duration_seconds
    • authentik_outpost_radius_requests_rejected -> authentik_outpost_radius_requests_rejected_total
    • authentik_main_requests -> authentik_main_request_duration_seconds

  • Icons are now in a public/ subfolder

    If your media folder is /media, icons are now stored in /media/public. authentik will automatically migrate the icons upon upgrading.

  • The shorthand parameter for --stage, -s for the ak test_email command has been changed to -S

  • User sessions will be invalidated after this upgrade. As such, users will need to log back in.

  • The Helm Chart has a number of breaking changes. Find out more in the chart release notes.

New features

  • Tenancy Enterprise

    :::warning This feature is in early preview. Use at your own risk. :::

    It allows for authentik operators to manage several authentik installations without having to deploy additional instances.

  • Audit log Enterprise

    authentik instances which have a valid enterprise license installed will log changes made to models including which fields were changed with previous and new values of the fields. The values are censored if they are sensitive (for example a password hash), however a hash of the changed value will still be logged.

  • "Pretend user exists" option for Identification stage

    Previously the identification stage would only continue if a user matching the user identifier exists. While this was the intended functionality, this release adds an option to continue to the next stage even if no matching user was found. "Pretend" users cannot authenticate nor receive emails, and don't exist in the database. This feature is enabled by default.

  • S3 file storage

    Media files can now be stored on S3. Follow the setup guide to get started.

Upgrading

This release does not introduce any new requirements.

docker-compose

To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:

wget -O docker-compose.yml https://goauthentik.io/version/2024.1/docker-compose.yml
docker compose up -d

The -O flag retains the downloaded file's name, overwriting any existing local file with the same name.

Kubernetes

Upgrade the Helm Chart to the new version, using the following commands:

helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.1

Minor changes/fixes

API Changes