dc1359a763
* providers/saml: initial SLO implementation Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/saml: add logout request tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * providers/saml: add tests for POST SLO Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * matrix e2e tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix import Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * set e2e matrix name Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix imports Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * separate oidc and oauth tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add basic saml slo e2e tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add better metadata download url Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * kinda prepare release notes Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * sort releases into folders Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add slo urls to website Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * fix linking Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add api tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * update docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
93 lines
4.2 KiB
Markdown
93 lines
4.2 KiB
Markdown
---
|
|
title: Release 2021.3
|
|
slug: "/releases/2021.3"
|
|
---
|
|
|
|
## Headline Changes
|
|
|
|
- WebAuthn support
|
|
|
|
This release introduces support for [WebAuthn](https://webauthn.io/), an open standard for the use of hardware authentication keys like YubiKeys on the web.
|
|
|
|
You can configure a WebAuthn device using the "WebAuthn Authenticator Setup Stage" stage. Afterwards, it can be used as an n-th factor, just like TOTP authenticators.
|
|
|
|
- Simplify role-based access
|
|
|
|
Instead of having to create a Group Membership policy for every group you want to use, you can now select a Group and even a User directly in a binding.
|
|
|
|
When a group is selected, the binding behaves the same as if a Group Membership policy exists.
|
|
|
|
When a user is selected, the binding checks the user of the request, and denies the request when the user doesn't match.
|
|
|
|
Group Membership policies are automatically migrated to use this simplified access.
|
|
|
|
- Invisible reCAPTCHA
|
|
|
|
The checkbox-based reCAPTCHA has been replaced with [reCAPTCHA v2 Invisible](https://developers.google.com/recaptcha/docs/invisible).
|
|
|
|
This is a breaking change, as a set of reCAPTCHA keys are only valid for a single type. For this, go to https://www.google.com/recaptcha/admin and create a new set of keys with the "reCAPTCHA v2" type and "Invisible reCAPTCHA badge" mode.
|
|
|
|
- Migration of Flow Executor to SPA/API
|
|
|
|
The flow executor has been migrated to a full SPA/API architecture. This was required for WebAuthn, but also allows for greater customizability.
|
|
|
|
It also allows other services to use the flow executor via an API, which will be used by the outpost further down the road.
|
|
|
|
- Deny stage
|
|
|
|
A new stage which simply denies access. This can be used to conditionally deny access to users during a flow. Authorization flows for example required an authenticated user, but there was no previous way to block access for un-authenticated users.
|
|
|
|
If you conditionally include this stage in a flow, make sure to disable "Evaluate on plan", as that will always include the stage in the flow, regardless of the inputs.
|
|
|
|
## Fixed in 2021.3.2
|
|
|
|
- sources/ldap: fix sync for Users without pwdLastSet
|
|
- web: fix date display issue
|
|
- web: fix submit in Modal reloading page in firefox
|
|
|
|
## Fixed in 2021.3.3
|
|
|
|
- providers/oauth2: allow protected_resource_view when method is OPTIONS
|
|
- stages/authenticator_static: fix error when disable static tokens
|
|
- stages/authenticator_webauthn: add missing migration
|
|
- web: fix Colours for user settings in dark mode
|
|
- web: fix Flow executor not showing spinner when redirecting
|
|
- web: fix Source icons not being displayed on firefox
|
|
- web: fix styling for static token list
|
|
|
|
## Fixed in 2021.3.4
|
|
|
|
- admin: include git build hash in gh-\* tags and show build hash in admin overview
|
|
- events: don't fail on boot when geoip can't be opened
|
|
- helm: add initial geoip
|
|
- outposts: improve logs for outpost connection
|
|
- policies: fix error when clearing policy cache when no policies are cached
|
|
- root: add comment for error reporting to compose
|
|
- root: add geoip config to docker-compose
|
|
- sources/oauth: fix error on user enrollment when no enrollment flow is defined
|
|
- web: add close button to messages
|
|
- web: backport fix: add missing background filter
|
|
- web: fix outpost health display
|
|
- web: fix path for fallback flow view
|
|
- web: fix system task index
|
|
- web: improve compatibility with password managers
|
|
- web: improve layout of expanded event info
|
|
- web: improve styling for application list
|
|
- web: prevent duplicate messages
|
|
- web: show related edit button for bound stages and policies
|
|
- web: use chunking for vendor and api
|
|
- web: use loadingState for autosubmitStage
|
|
- web: use sections in sidebar, adjust colouring
|
|
|
|
## Upgrading
|
|
|
|
This release does not introduce any new requirements.
|
|
|
|
### docker-compose
|
|
|
|
Download the docker-compose file for 2021.3 from [here](https://goauthentik.io/version/2021.3/docker-compose.yml). Afterwards, simply run `docker-compose up -d` and then the standard upgrade command of `docker-compose run --rm server migrate`.
|
|
|
|
### Kubernetes
|
|
|
|
Run `helm repo update` and then upgrade your release with `helm upgrade authentik authentik/authentik --devel -f values.yaml`.
|