Release 2023.3 - SCIM support
New features
-
SCIM support
infoThis feature is still in technical preview, so please report any Bugs you run into on GitHub.
authentik can now provision users into other IT systems via the SCIM (System for Cross-domain Identity Management) protocol. The provider synchronizes Users, Groups and the user membership. Objects are synced both when they are saved and based on a pre-defined schedule in the background.
Documentation: SCIM Provider
-
Theming improvements
- The custom.css file is now loaded in ShadowDOMs, allowing for much greater customization, as previously it was only possible to style elements outside of the ShadowDOM. See docs for Flow, User and Admin interfaces.
- Previously, authentik would automatically switch between dark and light theme based on the users' browsers' settings. This can now be overridden to either force the light or dark theme, per user/group/tenant. See docs for Flow, User and Admin interfaces.
Upgrading
This release does not introduce any new requirements.
docker-compose
Download the docker-compose.yml
file for 2023.3 from here. Afterwards, simply run docker-compose up -d
.
Kubernetes
Update your values to use the new images:
image:
repository: ghcr.io/goauthentik/server
tag: 2023.3.0
Minor changes/fixes included in release 2023.3
- *: add additional Prometheus metrics, remove unusable high entropy metrics
- blueprints: improve error handling in example flow
- core: Add
resolve_dns
andreverse_dns
functions to evaluator (#4769) - core: bootstrap email (#4788)
- core: enforce unique on names where it makes sense (#4866)
- core: fix bug causing whitespace-only names to raise exception when generating avatars (#4746)
- core: fix error when creating token without request in context
- core: improve service account creation (#4751)
- events: fix m2m_change events not being logged
- events: set task start time before start, not on time of init (#4908)
- flows: change default flow stage binding settings (#4784)
- flows: planner error handling (#4812)
- internal: fix crash when port 9000 is in use (#4863)
- providers: SCIM (#4835)
- providers/ldap: improve compatibility with LDAP clients (#4750)
- providers/ldap: making LDAP compatible with Synology (#4694)
- providers/oauth2: fix missing information for revoked token access events
- providers/oauth2: OpenID conformance (#4758)
- providers/proxy: ensure issuer is correct when browser URL override is set
- providers/proxy: strip scheme when comparing redirect URL
- providers/scim: add option to filter out service accounts, parent group (#4862)
- providers/scim: customizable externalId, document behavior (#4868)
- providers/scim: handle ServiceProviderConfig 404 (#4915)
- root: fix session middleware for websocket connections (#4909)
- sources/ldap: improve error handling for password complexity (#4780)
- sources/oauth: fix not all token errors being logged with response
- sources/plex: fix check_token error unusable if token is empty (#4834)
- stages/authenticator_sms: fix twilio sending (#4829)
- stages/user_login: add option to terminate other sessions (#4754)
- stages/user_login: set session expiry before login (#4920)
- tests/e2e: use example blueprints for testing (#4805)
- web: fetch custom.css via fetch and add stylesheet (#4804)
- web: toggle dark/light theme manually (#4876)
- web/admin: fix chart display with no sources (#4782)
- web/admin: fix issue with wizard's Next button incorrectly disabled when radio button is already selected (#4821)
- web/admin: fix SCIM provider layout (#4919)
- web/admin: workaround for tenant certificate selection being cut off (#4820)
- web/elements: add loading spinner for charts, render middle text with CSS
- web/elements: fix center text not scrolling with container (#4853)
- web/elements: fix copy on insecure origins (#4917)
- web/elements: fix flipped theme in codemirror (#4901)
- web/flows: fix compatibility mode (#4910)
- web/flows: fix fa:// icons in sources not shown correctly
- web/user: fix source connections not being filtered (#4778)
Fixed in 2023.3.1
- *: fix mismatched task names for discovery, make output service connection task monitored (#4956)
- core: fix application launch url validator (#4957)
- providers: fix authorization_flow not required in API (#4932)
- providers/ldap: fix duplicate attributes (#4972)
- providers/oauth2: fix response for response_type code and response_mode fragment (#4975)
- stages/authenticator_webauthn: remove credential_id size limit (#4931)
- web/admin: fix wizards with radio selects not working correctly after use (#4933)
- web/common: fix tab label color on dark theme (#4959)
- web/flows: fix authenticator selector in dark mode (#4974)
- web/user: fix custom user interface background with dark theme (#4960)
API Changes
What's New
GET
/propertymappings/scim/
POST
/propertymappings/scim/
GET
/propertymappings/scim/{pm_uuid}/
PUT
/propertymappings/scim/{pm_uuid}/
DELETE
/propertymappings/scim/{pm_uuid}/
PATCH
/propertymappings/scim/{pm_uuid}/
GET
/propertymappings/scim/{pm_uuid}/used_by/
GET
/providers/scim/
POST
/providers/scim/
GET
/providers/scim/{id}/
PUT
/providers/scim/{id}/
DELETE
/providers/scim/{id}/
PATCH
/providers/scim/{id}/
GET
/providers/scim/{id}/sync_status/
GET
/providers/scim/{id}/used_by/
What's Changed
POST
/core/users/service_account/
Request:
Changed content type : application/json
-
Added property
expiring
(boolean) -
Added property
expires
(string)If not provided, valid for 360 days
GET
/policies/event_matcher/{policy_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
app
(string)Match events created by selected application. When left empty, all applications are matched.
Added enum value:
authentik.providers.scim
-
PUT
/policies/event_matcher/{policy_uuid}/
Request:
Changed content type : application/json
-
Changed property
app
(string)Match events created by selected application. When left empty, all applications are matched.
Added enum value:
authentik.providers.scim
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
app
(string)Match events created by selected application. When left empty, all applications are matched.
Added enum value:
authentik.providers.scim
-
PATCH
/policies/event_matcher/{policy_uuid}/
Request:
Changed content type : application/json
-
Changed property
app
(string)Match events created by selected application. When left empty, all applications are matched.
Added enum value:
authentik.providers.scim
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
app
(string)Match events created by selected application. When left empty, all applications are matched.
Added enum value:
authentik.providers.scim
-
GET
/providers/oauth2/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New optional properties:
authorization_flow
PUT
/providers/oauth2/{id}/
Request:
Changed content type : application/json
New optional properties:
authorization_flow
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New optional properties:
authorization_flow
PATCH
/providers/oauth2/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New optional properties:
authorization_flow
GET
/providers/proxy/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New optional properties:
authorization_flow
PUT
/providers/proxy/{id}/
Request:
Changed content type : application/json
New optional properties:
authorization_flow
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New optional properties:
authorization_flow
PATCH
/providers/proxy/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New optional properties:
authorization_flow
GET
/core/groups/{group_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
users_obj
(array)Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
PUT
/core/groups/{group_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
users_obj
(array)Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
PATCH
/core/groups/{group_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
users_obj
(array)Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
GET
/core/tenants/current/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New required properties:
-
ui_theme
-
Added property
ui_theme
(object)Enum values:
automatic
light
dark
-
GET
/events/rules/{pbm_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
group_obj
(object)Group Serializer
-
Changed property
users_obj
(array)Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
-
PUT
/events/rules/{pbm_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
group_obj
(object)Group Serializer
-
Changed property
users_obj
(array)Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
-
PATCH
/events/rules/{pbm_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
group_obj
(object)Group Serializer
-
Changed property
users_obj
(array)Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
-
GET
/policies/bindings/{policy_binding_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
group_obj
(object)Group Serializer
-
Changed property
users_obj
(array)Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
-
PUT
/policies/bindings/{policy_binding_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
group_obj
(object)Group Serializer
-
Changed property
users_obj
(array)Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
-
PATCH
/policies/bindings/{policy_binding_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
group_obj
(object)Group Serializer
-
Changed property
users_obj
(array)Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
-
POST
/policies/event_matcher/
Request:
Changed content type : application/json
-
Changed property
app
(string)Match events created by selected application. When left empty, all applications are matched.
Added enum value:
authentik.providers.scim
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
-
Changed property
app
(string)Match events created by selected application. When left empty, all applications are matched.
Added enum value:
authentik.providers.scim
-
GET
/policies/event_matcher/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > Event Matcher Policy Serializer
-
Changed property
app
(string)Match events created by selected application. When left empty, all applications are matched.
Added enum value:
authentik.providers.scim
-
-
GET
/providers/ldap/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New optional properties:
authorization_flow
PUT
/providers/ldap/{id}/
Request:
Changed content type : application/json
New optional properties:
authorization_flow
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New optional properties:
authorization_flow
PATCH
/providers/ldap/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New optional properties:
authorization_flow
POST
/providers/oauth2/
Request:
Changed content type : application/json
New optional properties:
authorization_flow
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
New optional properties:
authorization_flow
GET
/providers/oauth2/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > OAuth2Provider Serializer
New optional properties:
authorization_flow
-
POST
/providers/proxy/
Request:
Changed content type : application/json
New optional properties:
authorization_flow
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
New optional properties:
authorization_flow
GET
/providers/proxy/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > ProxyProvider Serializer
New optional properties:
authorization_flow
-
GET
/providers/saml/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New optional properties:
authorization_flow
PUT
/providers/saml/{id}/
Request:
Changed content type : application/json
New optional properties:
authorization_flow
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New optional properties:
authorization_flow
PATCH
/providers/saml/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New optional properties:
authorization_flow
GET
/stages/invitation/invitations/{invite_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
created_by
(object)Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
PUT
/stages/invitation/invitations/{invite_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
created_by
(object)Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
PATCH
/stages/invitation/invitations/{invite_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
created_by
(object)Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
POST
/core/groups/
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
-
Changed property
users_obj
(array)Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
GET
/core/groups/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > Group Serializer
-
Changed property
users_obj
(array)Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
-
POST
/events/rules/
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
-
Changed property
group_obj
(object)Group Serializer
-
Changed property
users_obj
(array)Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
-
GET
/events/rules/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > NotificationRule Serializer
-
Changed property
group_obj
(object)Group Serializer
-
Changed property
users_obj
(array)Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
-
-
GET
/flows/bindings/{fsb_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
- Changed property
evaluate_on_plan
(boolean)Evaluate policies during the Flow planning process.
- Changed property
PUT
/flows/bindings/{fsb_uuid}/
Request:
Changed content type : application/json
- Changed property
evaluate_on_plan
(boolean)Evaluate policies during the Flow planning process.
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
- Changed property
evaluate_on_plan
(boolean)Evaluate policies during the Flow planning process.
- Changed property
PATCH
/flows/bindings/{fsb_uuid}/
Request:
Changed content type : application/json
- Changed property
evaluate_on_plan
(boolean)Evaluate policies during the Flow planning process.
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
- Changed property
evaluate_on_plan
(boolean)Evaluate policies during the Flow planning process.
- Changed property
GET
/oauth2/access_tokens/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
provider
(object)OAuth2Provider Serializer
New optional properties:
authorization_flow
-
GET
/oauth2/authorization_codes/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
provider
(object)OAuth2Provider Serializer
New optional properties:
authorization_flow
-
GET
/oauth2/refresh_tokens/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
provider
(object)OAuth2Provider Serializer
New optional properties:
authorization_flow
-
POST
/policies/bindings/
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
-
Changed property
group_obj
(object)Group Serializer
-
Changed property
users_obj
(array)Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
-
GET
/policies/bindings/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > PolicyBinding Serializer
-
Changed property
group_obj
(object)Group Serializer
-
Changed property
users_obj
(array)Changed items (object): > Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
-
-
POST
/providers/ldap/
Request:
Changed content type : application/json
New optional properties:
authorization_flow
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
New optional properties:
authorization_flow
GET
/providers/ldap/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > LDAPProvider Serializer
New optional properties:
authorization_flow
-
POST
/providers/saml/
Request:
Changed content type : application/json
New optional properties:
authorization_flow
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
New optional properties:
authorization_flow
GET
/providers/saml/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > SAMLProvider Serializer
New optional properties:
authorization_flow
-
GET
/sources/user_connections/all/
Parameters:
Added: user
in query
POST
/stages/invitation/invitations/
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
-
Changed property
created_by
(object)Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
GET
/stages/invitation/invitations/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > Invitation Serializer
-
Changed property
created_by
(object)Stripped down user serializer to show relevant users for groups
New optional properties:
-
avatar
- Deleted property
avatar
(string)
-
-
-
GET
/stages/user_login/{stage_uuid}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
- Added property
terminate_other_sessions
(boolean)Terminate all other sessions of the user logging in.
- Added property
PUT
/stages/user_login/{stage_uuid}/
Request:
Changed content type : application/json
- Added property
terminate_other_sessions
(boolean)Terminate all other sessions of the user logging in.
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
- Added property
terminate_other_sessions
(boolean)Terminate all other sessions of the user logging in.
- Added property
PATCH
/stages/user_login/{stage_uuid}/
Request:
Changed content type : application/json
- Added property
terminate_other_sessions
(boolean)Terminate all other sessions of the user logging in.
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
- Added property
terminate_other_sessions
(boolean)Terminate all other sessions of the user logging in.
- Added property
POST
/flows/bindings/
Request:
Changed content type : application/json
- Changed property
evaluate_on_plan
(boolean)Evaluate policies during the Flow planning process.
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
- Changed property
evaluate_on_plan
(boolean)Evaluate policies during the Flow planning process.
- Changed property
GET
/flows/bindings/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > FlowStageBinding Serializer
- Changed property
evaluate_on_plan
(boolean)Evaluate policies during the Flow planning process.
- Changed property
-
GET
/flows/inspector/{flow_slug}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
plans
(array)Changed items (object): > Serializer for an active FlowPlan
-
Changed property
next_planned_stage
(object)FlowStageBinding Serializer
- Changed property
evaluate_on_plan
(boolean)Evaluate policies during the Flow planning process.
- Changed property
-
Changed property
current_stage
(object)FlowStageBinding Serializer
- Changed property
evaluate_on_plan
(boolean)Evaluate policies during the Flow planning process.
- Changed property
-
-
GET
/oauth2/access_tokens/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > Serializer for BaseGrantModel and RefreshToken
-
Changed property
provider
(object)OAuth2Provider Serializer
New optional properties:
authorization_flow
-
-
GET
/oauth2/authorization_codes/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant
-
Changed property
provider
(object)OAuth2Provider Serializer
New optional properties:
authorization_flow
-
-
GET
/oauth2/refresh_tokens/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > Serializer for BaseGrantModel and RefreshToken
-
Changed property
provider
(object)OAuth2Provider Serializer
New optional properties:
authorization_flow
-
-
POST
/stages/user_login/
Request:
Changed content type : application/json
- Added property
terminate_other_sessions
(boolean)Terminate all other sessions of the user logging in.
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
- Added property
terminate_other_sessions
(boolean)Terminate all other sessions of the user logging in.
- Added property
GET
/stages/user_login/
Parameters:
Added: terminate_other_sessions
in query
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
-
Changed property
results
(array)Changed items (object): > UserLoginStage Serializer
- Added property
terminate_other_sessions
(boolean)Terminate all other sessions of the user logging in.
- Added property
-