Skip to main content

Release 2021.9

Headline Changes

  • Split user interface

    This release splits the administration interface from the end-user interface. This makes things clearer for end-users, as all their options are laid out more clearly.

    Additionally, the new end-user interface will be more customisable than the admin interface, allowing Administrators to configure what their users can see.

    The admin interface remains the same, and familiar buttons will redirect you between interfaces.

  • New proxy

    The proxy outpost has been rewritten from scratch. This replaces the old proxy, which was based on oauth2_proxy. The new proxy allows us a much greater degree of flexibility, is much lighter and reports errors better.

    When using a managed outpost, authentik will automatically upgrade to the new proxy outpost. The embedded outpost also uses the new proxy.

    authentik also now deploys ServiceMonitor CRDs in your Kubernetes cluster (when possibly), to record the metrics of the outposts.

    If you're using a manually deployed outpost, keep in mind that the ports change to 9000 and 9443 instead of 4180 and 4443

  • New metrics

    This version introduces new and simplified Prometheus metrics. There is a new common monitoring port across the server and all outposts, 9300. This port requires no authentication, making it easier to configure.

    For the core application, this endpoint contains metrics for both authentik and the inbuilt outpost.

Minor changes

  • *: use common user agent for all outgoing requests
  • admin: migrate to new update check, add option to disable update check
  • api: add additional filters for ldap and proxy providers
  • core: optimise groups api by removing member superuser status
  • core: remove ?v from static files
  • events: add mark_all_seen
  • events: allow setting a mapping for webhook transport to customise request payloads
  • internal: fix font loading errors on safari
  • lifecycle: fix worker startup error when docker socket's group is not called docker
  • outpost: fix spans being sent without parent context
  • outpost: update global outpost config on refresh
  • outposts: add expected outpost replica count to metrics
  • outposts/controllers: re-create service when mismatched ports to prevent errors
  • outposts/controllers/kubernetes: don't create service monitor for embedded outpost
  • outposts/ldap: improve logging of client IPs
  • policies/password: fix symbols not being checked correctly
  • root: include authentik version in backup naming
  • root: show location header in logs when redirecting
  • sources/oauth: prevent potentially confidential data from being logged
  • stages/authenticator_duo: add API to "import" devices from duo
  • stages/identification: fix empty user_fields query returning first user
  • tenants: optimise db queries in middleware
  • web: allow duplicate messages
  • web: ignore network error
  • web/admin: fix notification clear all not triggering render
  • web/admin: fix user selection in token form
  • web/admin: increase default expiry for refresh tokens
  • web/admin: show applications instead of providers in outpost form
  • web/flows: fix display error when using IdentificationStage without input fields

Fixed in 2021.9.1-rc2

  • core: fix token expiry for service accounts being only 30 minutes
  • outposts: add consistent name and type to metrics
  • outposts/proxy: remove deprecated rs256
  • policies: improve error handling when using bindings without policy
  • providers/saml: improved error handling
  • stages/email: don't crash when testing stage does not exist
  • web: update background image

Fixed in 2021.9.1-rc3

  • core: allow admins to create tokens with all parameters, re-add user to token form
  • core: fix tokens not being viewable but superusers
  • root: log failed celery tasks to event log
  • sources/ldap: bump timeout, run each sync component in its own task
  • sources/ldap: improve messages of sync tasks in UI
  • sources/ldap: prevent error when retrying old system task with no arguments
  • web: fix datetime-local fields throwing errors on firefox
  • web: fix text colour in delete form in dark mode
  • web: improve display of action buttons with non-primary classes
  • web/admin: fix error in firefox when creating token
  • web/admin: fix ldap sync status for new API
  • web/admin: fix settings link on user avatar
  • web/admin: trigger refresh after syncing ldap
  • web/user: add auto-focus search for applications
  • web/user: add missing stop impersonation button
  • web/user: fix edit button for applications
  • web/user: fix final redirect after stage setup
  • web/user: optimise load, fix unread status for notifications

Fixed in 2021.9.1

  • api: disable include_format_suffixes
  • core: fix token identifier not being slugified when created with user-controller input
  • outposts: don't map port 9300 on docker, only expose port
  • outposts: don't restart container when health checks are starting
  • outposts/ldap: allow custom attributes to shadow built-in attributes
  • policies/expression: add ak_user_has_authenticator
  • root: use tagged go client version
  • stages/email: don't throw 404 when token can't be found
  • stages/email: slugify token identifier
  • stages/email: use different query arguments for email and invitation tokens
  • web: fix notification badge not refreshing after clearing notifications

Fixed in 2021.9.2

  • api: add logging to sentry proxy
  • internal: add asset paths for user interface
  • web: fix import order of polyfills causing shadydom to not work on firefox and safari
  • web/user: enable sentry

Fixed in 2021.9.3

  • core: fix api return code for user self-update
  • events: add additional validation for event transport
  • outposts: ensure service is always re-created with mismatching ports
  • outposts: fix outposts not correctly updating central state
  • outposts: make AUTHENTIK_HOST_BROWSER configurable from central config
  • outposts/proxy: ensure cookies only last as long as tokens
  • outposts/proxy: Fix failing traefik healthcheck (#1470)
  • outposts/proxyv2: fix routing not working correctly for domain auth
  • providers/proxy: add token_validity field for outpost configuration
  • web/admin: add notice for recovery
  • web/admin: fix NotificationWebhookMapping not loading correctly
  • web/admin: fix Transport Form not loading mode correctly on edit
  • web/admin: handle error correctly when creating user recovery link
  • web/elements: fix token copy error in safari
  • web/elements: improve error handling on forms
  • web/user: fix brand not being shown in safari
  • web/user: search apps when user typed before apps have loaded
  • website/docs: fix typos and grammar (#1459)

Fixed in 2021.9.4

  • outposts: allow disabling of docker controller port mapping
  • outposts/proxy: fix duplicate protocol in domain auth mode
  • root: Use fully qualified names for docker bases base images. (#1490)
  • sources/ldap: add support for Active Directory userAccountControl attribute
  • sources/ldap: don't sync ldap source when no property mappings are set
  • web/admin: don't require username nor name for activate/deactivate toggles
  • web/admin: fix LDAP Source form not exposing syncParentGroup
  • web/elements: fix initialLoad not being done when viewportCheck was disabled
  • web/elements: use dedicated button for search clear instead of webkit exclusive one

Fixed in 2021.9.5

  • events: add missing migration
  • lifecycle: switch to h11 uvicorn worker for now
  • outpost/proxy: fix missing negation for internal host ssl verification
  • outposts: check ports of deployment in kubernetes outpost controller
  • outposts: don't always build permissions on outpost.user access, only in signals and tasks
  • outposts: fix circular import in kubernetes controller
  • outposts/proxy: add new headers with unified naming
  • outposts/proxy: show full error message when user is authenticated
  • providers/ldap: use RDN when using posixGroup's memberUid attribute (#1514)
  • providers/proxy: always check ingress secret in kubernetes controller
  • sources/ldap: fix logic error in Active Directory account disabled status
  • stages/email: add activate_user_on_success flag, add for all example flows
  • stages/user_login: add check for user.is_active and tests
  • tests/integration: fix tests failing due to incorrect comparison
  • web/admin: fix search group label

Fixed in 2021.9.6

  • admin: clear update notification when notification's version matches current version
  • api: ensure viewsets have default ordering
  • core: include group uuids in self serializer
  • core: make user's name field fully options
  • core: only return group names for user_self
  • internal: add internal healthchecking to prevent websocket errors
  • outposts: fix error when comparing ports in docker controller when port mapping is disabled
  • root: add docker-native healthcheck for web and celery
  • root: remove redundant internal network from compose
  • web: add locale detection
  • web: fix rendering of token copy button in dark mode
  • web: fix strings not being translated at all when matching browser locale not found
  • web/admin: only show outpost deployment info when not embedded
  • web/elements: fix model form always loading when viewport check is disabled
  • web/flows: adjust message for email stage
  • web/user: don't show managed tokens in user interface

Fixed in 2021.9.7

  • root: fix syntax error in dockerfile healthcheck
  • web/admin: fix description for flow import

Fixed in 2021.9.8

  • web: fix interface crashing in non-blink browsers


This release does not introduce any new requirements.


Download the docker-compose file for 2021.9 from here. Afterwards, simply run docker-compose up -d.


Update your values to use the new images:

tag: 2021.9.1