Release 2021.10

Headline Changes

Flow Inspector
To better understand how a flow works, and why things might not be working as intended, you can now launch Flows with an inspector enabled. This is simply triggered by adding a ?inspector to the URL. Currently, only superuser have the permission to access the Inspector.
The inspector shows the current stage, previous stages, next planned stages, and the current flow context.
SMS Authenticator
You can now use SMS-based TOTP authenticators. This new Stage supports both Twilio, and a generic API endpoint, if using another provider. This stage does not have to be used for authentication, it can simply be used during enrollment to verify your users phone numbers.
Sign in with Apple
It is now possible to add an Apple OAuth Source, to allow your users to authenticate with their Apple ID.

A huge shoutout to all the people that contributed, helped test and also translated authentik. This is the first release that has as full French translation!

Minor changes

*: Squash Migrations (#1593)
admin: clear update notification when notification's version matches current version
cmd: prevent outposts from panicking when failing to get their config
core: add default for user's settings attribute
core: add settings serializer to user/me and update_self endpoints, saved in a key in attributes
core: improve detection for s3 settings to trigger backup
core: include group uuids in self serializer
core: make user's name field fully optional
flows: inspector (#1469)
internal: add internal healthchecking to prevent websocket errors
internal/proxyv2: improve error handling when configuring app
lifecycle: bump celery healthcheck to 5s timeout
lifecycle: only lock database when system migrations need to be applied, and during django migrations, and don't double unlock
lifecycle: only set prometheus_multiproc_dir in ak wrapper to prevent full disk on worker
managed: don't run managed reconciler in foreground on startup
outpost/proxy: fix missing negation for internal host ssl verification
outposts: add additional error checking for docker controller
outposts: Adding more flexibility to outposts in Kubernetes. (#1617)
outposts: allow disabling of docker controller port mapping
outposts: check ports of deployment in kubernetes outpost controller
outposts: don't always build permissions on outpost.user access, only in signals and tasks
outposts: fallback to known-good outpost image if configured image cannot be pulled
outposts: fix error when comparing ports in docker controller when port mapping is disabled
outposts: handle k8s 422 response code by recreating objects
outposts: rename docker_image_base to container_image_base, since its not docker specific
outposts/ldap: Support hard coded uidNumber and gidNumber. (#1582)
outposts/proxy: add new headers with unified naming
outposts/proxy: fix duplicate protocol in domain auth mode
outposts/proxy: show full error message when user is authenticated
policies: add additional filters to create flow charts on frontend
policies/password: add extra sub_text field in tests
providers/ldap: use RDN when using posixGroup's memberUid attribute (#1514)
providers/proxy: always check ingress secret in kubernetes controller
providers/proxy: update ingress controller to work with k8s 1.22
recovery: handle error when user doesn't exist
root: add docker-native healthcheck for web and celery
root: add translation for backend strings
root: coverage with toml support
root: fix error with sentry proxy
root: migrate docker images to netlify proxy (#1603)
root: remove redundant internal network from compose
root: remove structlog.processors.format_exc_info for new structlog version
root: Use fully qualified names for docker bases base images. (#1490)
sources/ldap: add support for Active Directory userAccountControl attribute
sources/ldap: don't sync ldap source when no property mappings are set
sources/ldap: fix logic error in Active Directory account disabled status
sources/oauth: add Sign in with Apple (#1635)
stages/authenticator_sms: add generic provider (#1595)
stages/authenticator_sms: Add SMS Authenticator Stage (#1577)
stages/authenticator_validate: create a default authenticator validate stage with sensible defaults
stages/email: add activate_user_on_success flag, add for all example flows
stages/prompt: add sub_text field to add HTML below prompt fields
stages/prompt: fix sub_text not allowing blank
stages/prompt: fix wrong field type of field_key
stages/user_login: add check for user.is_active and tests
stages/user_write: allow recursive writing to user.attributes
web: add locale detection
web: ensure fallback locale is loaded
web: fix rendering of token copy button in dark mode
web: fix strings not being translated at all when matching browser locale not found
web: make table pagination size user-configurable
web: new default flow background
web: Translate /web/src/locales/en.po in fr_FR (#1506)
web/admin: add fallback font for doughnut charts
web/admin: default to warning state for backup task
web/admin: don't require username nor name for activate/deactivate toggles
web/admin: fix description for flow import
web/admin: fix LDAP Source form not exposing syncParentGroup
web/admin: fix search group label
web/admin: fix SMS Authenticator stage not loading state correctly
web/admin: improve visibility of oauth rsa key
web/admin: only show outpost deployment info when not embedded
web/admin: truncate prompt label when too long
web/elements: fix initialLoad not being done when viewportCheck was disabled
web/elements: fix model form always loading when viewport check is disabled
web/elements: use dedicated button for search clear instead of webkit exclusive one
web/flows: adjust message for email stage
web/user: don't show managed tokens in user interface
web/user: initial optimisation for smaller screens
web/user: load interface settings from user settings

Fixed in 2021.10.1-rc2

core: add user flag to prevent users from changing their usernames
core: log user for http requests
flows: clear cache when deleting bindings
outpost/ldap: fix logging for mismatched provider
root: add cookie domain setting
sources/oauth: add choices to oauth provider_type
web: disable Sentry.showReportDialog
web/flows: showing of authentik logo in flow executor
web/flows: fix authenticator device selection not updating
web/flows: show cancel link when choosing authenticator challenge

Fixed in 2021.10.1-rc3

api: fix error when connection to websocket via secret_key
core: add toggle to completely disable backup mechanism
core: add USER_ATTRIBUTE_CHANGE_EMAIL
events: fix error when notification transport doesn't exist anymore
outposts: fix docker controller not using object_naming_template
providers/oauth2: fallback to uid if UPN was selected but isn't available
providers/oauth2: fix events being created from /application/o/authorize/
sources/ldap: prevent key users from being set as this is an M2M relation
sources/ldap: skip values which are of type bytes

Fixed in 2021.10.1

core: add API for all user-source connections
core: add API to list all authenticator devices
core: add created field to source connection
flows: optimise stage user_settings API
outposts: separate websocket re-connection logic to decrease requests on reconnect
root: pin node images to v16
root: update golang ldap server package
web/user: fix wrong device being selected in user's mfa update form
web/user: rework MFA Device UI to support multiple devices
web/user: update form to update mfa devices

Fixed in 2021.10.2

api: replace django sentry proxy with go proxy to prevent login issues
providers/proxy: allow configuring of additional scope mappings for proxy
providers/saml: fix error on missing AssertionConsumerServiceURL, fall back to default ACS
root: fix Detection of S3 settings for backups
root: fix postgres install on bullseye
root: update base images for outposts
root: update to buster
stages/identification: add show_source_labels option, to show labels for sources
stages/invitation: don't throw 404 error in stage
stages/invitation: remove invitation from plan context after deletion
stages/prompt: fix type in Prompt not having enum set
web/flows: fix invalid validation for static tokens
web/flows: fix sub_text not rendering for static fields
web/user: fix configureUrl not being passed to <ak-user-settings-password>

Fixed in 2021.10.3

admin: improve check to remove version notifications
cmd/server: improve cleanup on shutdown
core: add command to output full config
core: fix auth_method for tokens
core: include parent group name
core: make group membership lookup respect parent groups (upwards)
events: ignore creation/deletion of AuthenticatedSession objects
internal: start embedded outpost directly after backend is healthy instead of waiting
lifecycle: revert to non-h11 worker
outpost/ldap: don't cleanup user info as it is overwritten on bind
providers/*: include list of outposts
providers/ldap: add/squash migrations
providers/ldap: memory Query (#1681)
recovery: add create_admin_group management command
root: fix defaults for EMAIL_USE_TLS
root: improve compose detection, add anonymous stats
root: keep last 30 backups
sources/ldap: remove deprecated default
sources/oauth: set prompt=none for Discord provider
sources/plex: allow users to connect their plex account without login flow
sources/plex: use exception_to_string in tasks
stages/authenticator_*: add default name for authenticators
stages/identification: only allow limited challenges for login sources
stages/identification: use random sleep
stages/prompt: add text_read_only field
stages/prompt: default prompts to the current value of the context
stages/prompt: only set placeholder when in context
stages/prompt: set field placeholder based on plan context
stages/prompt: use initial instead of default
web: fix linting errors by adding a wrapper for next param
web/admin: only show flows with an invitation stage configured instead of all enrollment flows
web/admin: show warning on invitation list when no stage exists or is bound
web/admin: show warning on provider when not used with outpost
web/flows: fix authenticator_validate not allowing alphanumeric codes due to empty pattern
web/flows: improve display of static tokens
web/user: fix ak-user-settings-password getting wrong configureUrl
web/user: fix device type for static tokens
web/user: fix empty page when no sources to connect exist
web/user: fix redirect after starting configuration flow from user interface

Fixed in 2021.10.4

core: force lowercase emails for gravatar usage
outposts: fix MFA Challenges not working with outpost
outposts/ldap: fix logic error in cached ldap searcher
outposts/proxy: fix static files not being served in proxy mode
providers/proxy: return list of configured scope names so outpost requests custom scopes
root: use python slim-bullseye as base
sources/ldap: fix user/group sync overwriting attributes instead of merging them
sources/ldap: set connect/receive timeout (default to 15s)
stages/*: disable trim_whitespace on important fields
stages/authenticator_duo: fix devices created with name
stages/authenticator_validate: enable all device classes by default
web: write interfaces to different folders and remove custom chunk names
web/admin: fix display issues with flow execute buttons
web/admin: show warnings above tab bar
web/admin: use more natural default ordering for objects

Upgrading

This release does not introduce any new requirements.

docker-compose

Download the docker-compose file for 2021.10 from here. Afterwards, simply run docker-compose up -d.

Kubernetes

Update your values to use the new images:

image:
    repository: ghcr.io/goauthentik/server
    tag: 2021.10.1

Headline Changes​

Minor changes​

Fixed in 2021.10.1-rc2​

Fixed in 2021.10.1-rc3​

Fixed in 2021.10.1​

Fixed in 2021.10.2​

Fixed in 2021.10.3​

Fixed in 2021.10.4​

Upgrading​

docker-compose​

Kubernetes​