Skip to main content

Release 2021.5

Headline Changes

  • LDAP Provider

This feature is still in technical preview, so please report any Bugs you run into on GitHub

You can now configure an LDAP Provider for applications that don't support any newer protocols or require LDAP.

All users and groups in authentik's database are searchable. Currently, there is a limited support for filters (you can only search for objectClass), but this will be expanded in further releases.

Binding against the LDAP Server uses a flow in the background. This allows you to use the same policies and flows as you do for web-based logins. The only limitation is that currently only identification and password stages are supported, due to how LDAP works.

  • Compatibility with forwardAuth/auth_request

    The authentik proxy is now compatible with forwardAuth (traefik) / auth_request (nginx). All that is required is the latest version of the outpost, and the correct config from here.

  • Docker images for ARM

    Docker images are now built for amd64 and arm64.

  • Reduced setup complexity

    The authentik server now requires less containers. The static container (as well as the traefik when using docker-compose) are no longer required. As the first stage of a migration to Golang instead of Python, authentik now runs behind an in-container reverse proxy, which hosts the static files.

  • New Plex authentication source

    The plex source (previously a provider for the OAuth Source) has been rewritten to a dedicated Source.

    You can now limit access to authentik based on which servers a Plex user is member of.

  • Configurable source behaviour

    You can now configure how a source behaves after the user has authenticated themselves to the source. Previously, authentik always checked the unique identifier from the source, enrolled the user when the identifier didn't exist and authenticated the user otherwise.

    Now you can configure how the matching should be done:

    • Identifier: Keeps the old behaviour, can lead to duplicate user accounts
    • Email (link): If a user with the same Email address exists, they are linked. Can have security implications when a source doesn't validate email addresses.
    • Email (deny): Deny the flow if the Email address is already used.
    • Username (link): If a user with the same username address exists, they are linked. Can have security implications when a username is used with another source.
    • Username (deny): Deny the flow if the username address is already used.

Minor changes

  • Improved compatibility of the flow interface with password managers.
  • Improved compatibility when using SAML Sources with a redirect binding.
  • Improved configurability of outpost docker image name for managed Outposts.
  • Add customization of access code validity for OAuth2 Providers.
  • Add ability to configure no login fields on identification stage to only allow logins with Sources.
  • Add single-use flag for invitations to delete token after use.
  • Fix sidebar not collapsible on mobile.

Fixed in 2021.5.2

  • core: fix application's slug field not being set to unique
  • flows: fix error when using cancel flow
  • lib: Fix config loading of secrets from files (#887)
  • lib: fix parsing of remote IP header when behind multiple reverse proxies
  • lifecycle: check if group of docker socket exists
  • lifecycle: fix error when worker is not running as root
  • outposts: fix error when controller loads from cache but cache has expired
  • outposts: fix missing default for OutpostState.for_channel
  • outposts: fix reload notification not working due to wrong ID being cached
  • outposts/ldap: fix AUTHENTIK_INSECURE not being respected for API client during bind
  • outposts/proxy: fix error redeeming code when using non-standard ports
  • outposts/proxy: fix insecure TLS Skip
  • providers/ldap: use username instead of name for user dn (#883)
  • providers/proxy: connect ingress to https instead of http
  • root: only load debug secret key when debug is enabled
  • web: fix chunks overwriting each other
  • web/admin: add notice for LDAP Provider's group selection
  • web/admin: fix PropertyMappings not loading correctly
  • website/docs: add example ldapsearch command

Fixed in 2021.5.3

  • outposts: fix update signal not being sent to correct instances
  • providers/oauth2: fix double login required when prompt=login
  • providers/proxy: fix redirect_uris not always being set on save
  • sources/plex: force setting of plex token
  • web: fix t.reset is not a function
  • web: remove nginx config, add caching headers to static files
  • web/admin: fix flow form not loading data

Fixed in 2021.5.4

  • providers/oauth2: add missing kid header to JWT Tokens
  • stages/authenticator_*: fix Permission Error when disabling Authenticator as non-superuser
  • web: fix missing flow and policy cache clearing UI
  • web: set x-forwarded-proto based on upstream TLS Status


This release does not introduce any new requirements.


Download the docker-compose file for 2021.5 from here. Afterwards, simply run docker-compose up -d.


The public port of the compose stack has been changed from 443 to 9000 and 9443 to prevent port contention.


The helm chart has been rewritten by @dirtycajunrice and now lives on

Please upgrade to the new chart using values from ArtifactHub.

The old repository will still exist for backwards-compatibility.