-
-
Notifications
You must be signed in to change notification settings - Fork 1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
website/docs: add 2025.2 release notes (#13002) * website/docs: add 2025.2 release notes * make compile * ffs * ffs --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>
- Loading branch information
1 parent
790e0c4
commit 0665bfa
Showing
1 changed file
with
171 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,171 @@ | ||
| --- | ||
| title: Release 2025.2 | ||
| slug: "/releases/2025.2" | ||
| --- | ||
|
|
||
| :::::note | ||
| 2025.2 has not been released yet! We're publishing these release notes as a preview of what's to come, and for our awesome beta testers trying out release candidates. | ||
|
|
||
| To try out the release candidate, replace your Docker image tag with the latest release candidate number, such as 2025.2.0-rc1. You can find the latest one in [the latest releases on GitHub](https://github.com/goauthentik/authentik/releases). If you don't find any, it means we haven't released one yet. | ||
| ::::: | ||
|
|
||
| ## Highlights | ||
|
|
||
| - **SSF Provider <span class="badge badge--primary">Enterprise</span> <span class="badge badge--info">Preview</span>** Add support for Shared Signals Framework | ||
| TODO: Add preview banner to UI | ||
| - **RAC moved open source** Remote access is now available to everyone! | ||
| - **GeoIP distance and impossible travel checks** Add the ability to check for the distance a user has moved compared to a previous login, and if the user could have travelled the distance | ||
| - **Email OTP Stage** Allow users to use their email accounts as a one-time-password during authentication | ||
| - **Fine-grained permission for superuser toggle on groups** Setting the **Is superuser** toggle on a group now requires a separate permission. | ||
|
|
||
| ## Breaking changes | ||
|
|
||
| - **Deprecated and frozen `:latest` container image tag after 2025.2** | ||
|
|
||
| Using the `:latest` tag with container images is not recommended as it can lead to unintentional updates and potentially broken setups. | ||
|
|
||
| The tag will not be removed, however it will also not be updated past 2025.2. | ||
|
|
||
| We strongly recommended the use of a specific version tag for authentik instances' container images like `:2025.2`. | ||
|
|
||
| ## New features | ||
|
|
||
| - SSF Provider <span class="badge badge--primary">Enterprise</span> <span class="badge badge--info">Preview</span> | ||
|
|
||
| [Shared Signals Framework](#todo) allows applications to register a stream with authentik within which they can received events from authentik such as when a session was revoked or a credential was add/changed/deleted and execute actions based on these events. | ||
|
|
||
| This allows admins to integrate authentik with Apple Business/School Manager for federated Apple IDs. See the integration docs [here](#todo) | ||
|
|
||
| - RAC to open source | ||
|
|
||
| Remote access (RDP, VNC and SSH) has moved from enterprise to our free, open source code. We try our best to limit enterprise-specific functionality to features that would be non-essential to homelab users and far more valuable to enterprise use cases. We've had a variety of homelab users reach out with excellent use cases for RAC functionality, so while this will mean giving up some potential revenue, we think that opening up RAC to the community is the right thing to do! | ||
|
|
||
| - GeoIP distance and impossible travel checks | ||
|
|
||
| Add the ability to check for the distance a user has moved compared to a previous login, and add the option to check impossible travel distances based on client IP. | ||
|
|
||
| These options can be used to detect and prevent access from potentially stolen authentik sessions or stolen devices. | ||
|
|
||
| - Email OTP Stage | ||
|
|
||
| Admins now have the ability to configure the option for users to use their email as an authenticator. Users that already have an email address set on their account will be able to use that address to receive one-time-passwords. It is also possible to configure authentik to allow users to add additional email addresses as authenticators. | ||
|
|
||
| See [Email OTP Stage](#todo) | ||
|
|
||
| - Application Wizard is the default way to create applications | ||
|
|
||
| The default way of creating an application now allows admins to configure the provider and any kind of bindings without having to jump through different sections of the UI. The previous way of creating an application is and will stay available alongside the new and streamlined method. | ||
|
|
||
| - Fine-grained permission for superuser toggle on groups | ||
|
|
||
| Setting the **Is superuser** toggle on a group now requires a separate permission, making it much easier to allow for delegated management of groups without risking the ability for users to self-elevate permissions. | ||
|
|
||
| - Improved debugging experience | ||
|
|
||
| For people developing authentik or building very complex, custom integrations, configuring debugging in authentik is now documented [here](#todo) | ||
|
|
||
| ## TODO | ||
|
|
||
| temp | ||
|
|
||
| ## Upgrading | ||
|
|
||
| This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx). | ||
|
|
||
| :::warning | ||
| When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. | ||
| ::: | ||
|
|
||
| ### Docker Compose | ||
|
|
||
| To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands: | ||
|
|
||
| ```shell | ||
| wget -O docker-compose.yml https://goauthentik.io/version/2025.2/docker-compose.yml | ||
| docker compose up -d | ||
| ``` | ||
|
|
||
| The `-O` flag retains the downloaded file's name, overwriting any existing local file with the same name. | ||
|
|
||
| ### Kubernetes | ||
|
|
||
| Upgrade the Helm Chart to the new version, using the following commands: | ||
|
|
||
| ```shell | ||
| helm repo update | ||
| helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.2 | ||
| ``` | ||
|
|
||
| ## Minor changes/fixes | ||
|
|
||
| - admin: monitor worker version (#12463) | ||
| - api: cleanup owner permissions (#12598) | ||
| - blueprints: add REPL for blueprint YAML tags (#9223) | ||
| - blueprints: fix schema for meta models (#12421) | ||
| - core: add indexes on ExpiringModel (#12658) | ||
| - core: fix application entitlements not creatable with blueprints (#12673) | ||
| - core: fix error when creating new user with default path (#12609) | ||
| - core: fix generic sources not being fetchable by pk (#12896) | ||
| - core: fix permissions for admin device listing (#12787) | ||
| - core: search users' attributes (#12740) | ||
| - core: show last password change date (#12958) | ||
| - enterprise/providers: SSF (#12327) | ||
| - enterprise/providers/SSF: fix a couple of bugs after real world testing (#12987) | ||
| - enterprise/rac: Improve client connection status & bugfixes (#12684) | ||
| - events: make sure password set event has the correct IP (#12585) | ||
| - events: notification_cleanup: avoid unnecessary loop (#12417) | ||
| - flows: clear flow state before redirecting to final URL (#12788) | ||
| - flows: fix history containing other plans (#12655) | ||
| - flows: fix inspector permission check (#12907) | ||
| - flows: more tests (#11587) | ||
| - flows: show policy messages in reevaluate marker (#12855) | ||
| - flows/inspector: add button to open flow inspector (#12656) | ||
| - internal: fix missing trailing slash in outpost websocket (#12470) | ||
| - internal: fix URL generation for websocket connection (#12439) | ||
| - lifecycle: update python to 3.12.8 (#12783) | ||
| - lifecycle/migrate: don't migrate tenants if not enabled (#12850) | ||
| - outposts: fix version label (#12486) | ||
| - providers/oauth2: include scope in token response (#12921) | ||
| - providers/oauth2: support token revocation for public clients (#12704) | ||
| - providers/saml: fix handle Accept: application/xml for SAML Metadata endpoint (#12483) (#12518) | ||
| - providers/saml: fix invalid SAML Response when assertion and response are signed (#12611) | ||
| - providers/saml: provide generic metadata url when possible (#12413) | ||
| - rbac: exclude permissions for internal models (#12803) | ||
| - rbac: permissions endpoint: allow authenticated users (#12608) | ||
| - root: backport version bump (#12426) | ||
| - root: docker: ensure apt packages are up-to-date (#12683) | ||
| - root: expose CONN_MAX_AGE, CONN_HEALTH_CHECKS and DISABLE_SERVER_SIDE_CURSORS for PostgreSQL config (#10159) | ||
| - root: fix dev build version being invalid semver (#12472) | ||
| - root: redis, make sure tlscacert isn't an empty string (#12407) | ||
| - sources: allow uuid or slug to be used for retrieving a source (#12780) | ||
| - sources: allow uuid or slug to be used for retrieving a source (2024.12 fix) (#12772) | ||
| - sources/kerberos: authenticate with the user's username instead of the first username in authentik (#12497) | ||
| - sources/kerberos: handle principal expire time (#12748) | ||
| - sources/oauth: fix authentication only being sent in form body (#12713) | ||
| - sources/scim: fix user creation (duplicate userName) (#12547) | ||
| - stages/authenticator: add user field to devices (#12636) | ||
| - stages/prompt: always show policy messages (#12765) | ||
| - stages/redirect: fix query parameter when redirecting to flow (#12750) | ||
| - web, core: fix grammatical issue in stage bindings (#10799) | ||
| - web: fix build dev build (#12473) | ||
| - web: fix error handling bug in ApplicationWizard.RACProviderForm (#12640) | ||
| - web: Fix issue where Codemirror partially applies OneDark theme. (#12811) | ||
| - web: fix mobile scrolling bug (#12601) | ||
| - web: fix source selection and outpost integration health (#12530) | ||
| - web: fix source selection and outpost integration health (#12530) | ||
| - web: fixes broken docLinks - url missing s (#12789) | ||
| - web: housekeeping, optimizations and small fixes (#12450) | ||
| - web: improve notification and API drawers (#12659) | ||
| - web: misc fixes for admin and flow inspector (#12461) | ||
| - web: only load version context when authenticated (#12482) | ||
| - web: update gen-client-ts to OpenAPI 7.11.0 (#12756) | ||
| - web/admin: fix role changelog missing primary key filter (#12671) | ||
| - web/admin: improve user display view (#12988) | ||
| - web/admin: more cleanup and consistency (#12657) | ||
| - web/admin: Refine navigation (#12441) | ||
| - web/components: ak-number-input: add support for min (#12703) | ||
| - web/flows: fix `login` / `log in` inconsistency (#12526) | ||
|
|
||
| ## API Changes | ||
|
|
||
| <!-- _Insert output of `make gen-diff` here_ --> |