authentik/website/docs/releases/2024/v2024.4.md

title, slug

title	slug
Release 2024.4	/releases/2024.4

:::::note 2024.4 has not been released yet! We're publishing these release notes as a preview of what's to come, and for our awesome beta testers trying out release candidates.

To try out the release candidate, replace your Docker image tag with the latest release candidate number, such as 2024.4.0-rc1. You can find the latest one in the latest releases on GitHub. If you don't find any, it means we haven't released one yet. :::::

Highlights

• OAuth/SAML as authentication factor Enterprise Use an external provider as part of an MFA authentication flow, including custom implementations

• SCIM Source Preview Provision users and groups in authentik using an SCIM API

• Configurable WebAuthn device restrictions Configure which types of WebAuthn devices can be used to enroll and validate for different authorization levels.

• Performance improvements The API Endpoints to list Users, Groups, and Events have been optimized by 100%, y% and z% respectively

Breaking changes

Manual action may be required

• Configuration options migrated to the Admin interface

  The following config options have been moved from the config file and can now be set using the Admin interface (under System -> Settings) or the API:

  • AUTHENTIK_DEFAULT_TOKEN_LENGTH

  When upgrading to 2024.4, the currently configured options will be automatically migrated to the database, and can be removed from the .env or helm values file afterwards.

New features

• Source stage Enterprise

  The source stage allows for an inclusion of a source as part of a flow. This can be used to link a user to a source as part of their authentication/enrollment, or it can be used as an external multi-factor to provide device health attestation for example.

  For details refer to Source stage

• SCIM Source Preview

  Provision users and groups in authentik using an SCIM API.

  For details refer to SCIM Source

• Configurable WebAuthn device restrictions

  Configure which types of WebAuthn devices can be used to enroll and validate for different authorization levels.

  For details refer to WebAuthn authenticator setup stage

• Revamped UI for log messages

  Log messages from several API endpoints are now shown with much greater detail, which helps with implementing custom policies and property mappings.

• Python API Client

  There's now an official API Client for Python: https://pypi.org/project/authentik-client/. This API Client can be used to create/update/delete objects within authentik as well as using the Flow executor to authenticate.

• Configure LDAP sources to not store hashed password in authentik

  When authentik is configured to federate with an LDAP source, upon authentication, authentik hashed the password and stored it in its own database. This allows authentication to function when LDAP is unreachable. Admins can now configure this behavior for when this is not desirable.

  For details refer to LDAP Source

• Configurable app password token expiring

  Thanks @jmdilly for contributing this feature!

  Admins can now configure the default token duration (which defaults to minutes=30) in the admin interface as specified above. This value can also be overridden per-user with the goauthentik.io/user/token-maximum-lifetime attribute.

Upgrading

This release does not introduce any new requirements.

docker-compose

To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:

wget -O docker-compose.yml https://goauthentik.io/version/2024.4/docker-compose.yml
docker compose up -d

The -O flag retains the downloaded file's name, overwriting any existing local file with the same name.

Kubernetes

Upgrade the Helm Chart to the new version, using the following commands:

helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.4

Minor changes/fixes

API Changes