7.0 KiB
title, slug
| title | slug |
|---|---|
| Release 2025.4 | /releases/2025.4 |
:::::note 2025.4 has not been released yet! We're publishing these release notes as a preview of what's to come, and for our awesome beta testers trying out release candidates.
To try out the release candidate, replace your Docker image tag with the latest release candidate number, such as 2025.4.0-rc2. You can find the latest one in the latest releases on GitHub. If you don't find any, it means we haven't released one yet. :::::
Highlights
-
Improve membership resolution for the LDAP Source Allow lookups of LDAP group memberships from user attributes as an alternative to lookups from group attributes. This also allows for nested group lookups in Active Directory.
-
Support for PostgreSQL Connection Pools PostgreSQL Connection Pools provides a set of open connections in order to reduce latency.
-
RBAC: Initial Permissions :ak-preview Provides more flexible access control by assigning permissions to the user/role creating a new object in authentik. Use Initial Permissions as a pragmatic way to implement the principle of least privilege.
-
Password History Policy :ak-enterprise A new policy can prevent users from reusing previous passwords; admins are able to configure how many previous password hashes the system will store and evaluate. This new policy makes it easier to enforce password reuse requirements, such as for fedRAMP compliance.
-
Source Sync Dry Run :ak-preview Add the option for dry-run syncs for SCIM, Google Workspace, and Entra to preview the results of a sync without affecting live accounts.
Breaking changes
-
Reputation score limit: The default value for the new limits on Reputation score is between
-5and5. This might break some current setups which count on the possibility of scores decreasing or increasing beyond these limits. You can set your custom limits under System > Settings. -
Deprecated and frozen
:latestcontainer image tag after 2025.2Using the
:latesttag with container images is not recommended as it can lead to unintentional updates and potentially broken setups.The tag will not be removed, however it will also not be updated past 2025.2.
We strongly recommended the use of a specific version tag for authentik instances' container images like
:2025.4. -
Helm chart dependencies update: Following Bitnami's changes to only publish latest version of containers, the Helm chart dependencies (PostgreSQL and Redis) will now be updated with each release.
For this release:
- The Redis chart will be upgraded to the latest version. As the image is not pinned, it will also get upgraded.
- The PostgreSQL chart will be upgraded to the latest version, but the image will remain pinned to
15.8.0-debian-12-r18.
For the next release:
- The Redis chart will be upgraded to the latest version again.
- The PostgreSQL chart will be upgraded to the latest version again, and the image will no longer be pinned, which will bring it to PostgreSQL major version
17. This will require following PostgreSQL major upgrade steps, for which we provide documentation.
For subsequent releases:
- The Redis chart will be upgraded to the latest version.
- The PostgreSQL chart will be upgraded to the latest version, with major upgrades being called out in authentik release notes.
We encourage users to pin their PostgreSQL image version.
Manual action might be required
Sessions are now stored in the database
Previously, sessions were stored by default in the cache. Now, they are stored in the database. This allows for numerous other performance improvements. On high traffic instances, requests to old instances after the upgrade has started will fail to authenticate.
New features
-
Remember me: Users can now choose to skip entering their usernames after their first login on the same device. This feature is optional and admins can enable it in the Identification stage.
-
RBAC: Initial Permissions
In hardened authentik installations, it is possible for a user to have permission to create an object type, but not to view/change/delete(/etc) objects of that type. Previously, this could result in a user creating an object and then not having any access to that object.
InitialPermissionsis a mechanism to automatically add permissions to any object on creation. -
Reputation score limit
Reputation scores now have a configurable numerical limit in addition to the already existing temporal limit.
-
Support for PostgreSQL Connection Pools: See description under Highlights. Refer to our documentation.
-
Password History Policy: See description under Highlights. Refer to our documentation.
New integration guides
An integration is a how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added.
- Apple Business Manager
- FleetDM
- Gravity
- Homarr
- KnocKnoc
- Mautic
- Mailcow
- Mealie
- OpenProject
- Sidero Omni
- Tandoor
- Wazuh
- XCreds
- Zipline
Upgrading
This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our Upgrade documentation.
:::warning When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. :::
Docker Compose
To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:
wget -O docker-compose.yml https://goauthentik.io/version/xxxx.x/docker-compose.yml
docker compose up -d
The -O flag retains the downloaded file's name, overwriting any existing local file with the same name.
Kubernetes
Upgrade the Helm Chart to the new version, using the following commands:
helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.4