Headline
CVE-2023-26481: Release 2023.2 - Signout and Avatar improvements | authentik
authentik is an open-source Identity Provider. Due to an insufficient access check, a recovery flow link that is created by an admin (or sent via email by an admin) can be used to set the password for any arbitrary user. This attack is only possible if a recovery flow exists, which has both an Identification and an Email stage bound to it. If the flow has policies on the identification stage to skip it when the flow is restored (by checking request.context['is_restored']), the flow is not affected by this. With this flow in place, an administrator must create a recovery Link or send a recovery URL to the attacker, who can, due to the improper validation of the token create, set the password for any account. Regardless, for custom recovery flows it is recommended to add a policy that checks if the flow is restored, and skips the identification stage. This issue has been fixed in versions 2023.2.3, 2023.1.3 and 2022.12.2.
New features
Proxy provider logout improvements
In previous versions, logging out of a single proxied application would only invalidate that application’s session. Starting with this release, when logging out of a proxied application (via the /outpost.goauthentik.io/sign_out URL), all the users session within the outpost are terminated. Sessions in other outposts and with other protocols are unaffected.
Additionally, different providers now have different cookies, instead of all using the same “authentik_proxy” token.
UX Improvements
As with the previous improvements, we’ve made a lot of minor improvements to the general authentik UX to make your life easier.
OAuth2 Provider improvements
The OAuth2 provider has been reworked to be closer to OAuth specifications and better support refresh tokens and offline access. Additionally the expiry for access tokens and refresh tokens can be adjusted separately now.
Generated avatars, multiple avatar modes
authentik now supports multiple avatar modes, and will use the next configured mode when a mode doesn’t have an avatar. For example, the new default configuration attempts to use gravatar, but if the user’s email does not have a gravatar setup, it will instead use the new generated avatars. See Configuration
Upgrading
This release does not introduce any new requirements.
docker-compose
Download the docker-compose file for 2023.2 from here. Afterwards, simply run docker-compose up -d.
Kubernetes
Update your values to use the new images:
image: repository: ghcr.io/goauthentik/server tag: 2023.2.0
Minor changes/fixes
- */saml: disable pretty_print, add signature tests
- blueprints: don’t update default tenant
- blueprints: handle error when blueprint entry identifier field does not exist
- core: Add support for auto generating unique avatars based on the user’s initials (#4663)
- core: delete session when user is set to inactive
- core: fix inconsistent branding in end_session view
- core: fix missing uniqueness validator on user api
- core: fix token’s set_key accessing data incorrectly
- events: dont log oauth temporary model creation
- events: improve sanitising for tuples and sets
- events: prevent error when request fails without response
- internal: better error message when outpost API controller couldn’t fetch outposts
- internal: fix cache-control header
- policies/event_matcher: fix empty app label not being allowed, require at least 1 criteria
- providers/ldap: add unbind flow execution (#4484)
- providers/ldap: fix error not being checked correctly when fetching users
- providers/oauth2: add user id as “sub” mode
- providers/oauth2: don’t use policy cache for token requests
- providers/oauth2: only set auth_time in ID token when a login event is stored in the session
- providers/oauth2: optimise client credentials JWT database lookup (#4606)
- providers/oauth2: rework OAuth2 Provider (#4652)
- providers/proxy: add token support for basic auth
- providers/proxy: different cookie name based on hashed client id (#4666)
- providers/proxy: outpost wide logout implementation (#4605)
- providers/saml: fix invalid SAML provider metadata, add schema tests
- providers/saml: fix mismatched SAML SLO Urls (#4655)
- stages/authenticator_validate: fix error with passwordless webauthn login
- stages/prompt: field name (#4497)
- stages/user_write: fix migration setting wrong value, fix form
- web: fix token delete form not showing token identifiers
- web/admin: add notice for user_login stage session cookie behaviour
- web/admin: clarify access code expiration
- web/admin: default to disable policy execution logging
- web/admin: fix certificate filtering for SAML verification certificate
- web/admin: rework event info page to show all event infos
- web/elements: add dropdown css to DOM directly instead of including
- web/elements: fix ak-expand not using correct font
- web/elements: fix clashing page url param
- web/elements: improve codemirror contrast in dark theme
- web/elements: make table rows clickable to select items
- web/elements: persist table page in URL parameters
- web/flows: fix flow background overlay on firefox
- web/user: filter tokens by username
- web/user: refactor loading of data in userinterface
Fixed in 2023.2.1
- internal: fix scheme not being forwarded correctly for host intercepted requests
- sources/ldap: add LDAP Debug endpoint
- web/admin: improve action button spinner on ldap source page
- web/admin: remove groups and users from users and group form to prevent accidental removal when updating
- web/admin: use full page size for modals
Fixed in 2023.2.2
- flows: include flow authentication requirement in diagram
- lib: don’t try to cache generated avatar with full user, only cache with name
- providers/ldap: check MFA password on password stage
- providers/proxy: fix client credential flows not using http interceptor
- providers/proxy: fix value is too long with filesystem sessions
- root: use channel send workaround for sync sending of websocket messages
- web/admin: fix error when creating new users
- web/user: revert truncate behaviour for application description
Fixed in 2023.2.3
- *: fix CVE-2023-26481, Reported by @fuomag9
API Changes****What’s New
POST /admin/system/****What’s Changed
POST /core/tokens/{identifier}/set_key/****GET /providers/oauth2/{id}/****Return Type:
Changed response : 200 OK
Changed content type : application/json
Changed property sub_mode (string)
Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Added enum value:
- user_id
PUT /providers/oauth2/{id}/****Request:
Changed content type : application/json
Changed property sub_mode (string)
Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Added enum value:
- user_id
Return Type:
Changed response : 200 OK
Changed content type : application/json
Changed property sub_mode (string)
Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Added enum value:
- user_id
PATCH /providers/oauth2/{id}/****Request:
Changed content type : application/json
Changed property sub_mode (string)
Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Added enum value:
- user_id
Return Type:
Changed response : 200 OK
Changed content type : application/json
Changed property sub_mode (string)
Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Added enum value:
- user_id
POST /providers/oauth2/****Request:
Changed content type : application/json
Changed property sub_mode (string)
Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Added enum value:
- user_id
Return Type:
Changed response : 201 Created
Changed content type : application/json
Changed property sub_mode (string)
Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Added enum value:
- user_id
GET /providers/oauth2/****Parameters:
Changed: sub_mode in query
Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Return Type:
Changed response : 200 OK
Changed content type : application/json
Changed property results (array)
Changed items (object): > OAuth2Provider Serializer
Changed property sub_mode (string)
Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Added enum value:
- user_id
Return Type:
Changed response : 200 OK
Changed content type : application/json
Changed property provider (object)
OAuth2Provider Serializer
Changed property sub_mode (string)
Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Added enum value:
- user_id
GET /oauth2/refresh_tokens/{id}/****Return Type:
Changed response : 200 OK
Changed content type : application/json
Changed property provider (object)
OAuth2Provider Serializer
Changed property sub_mode (string)
Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Added enum value:
- user_id
GET /oauth2/authorization_codes/****Return Type:
Changed response : 200 OK
Changed content type : application/json
Changed property results (array)
Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant
Changed property provider (object)
OAuth2Provider Serializer
Changed property sub_mode (string)
Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Added enum value:
- user_id
GET /oauth2/refresh_tokens/****Return Type:
Changed response : 200 OK
Changed content type : application/json
Changed property results (array)
Changed items (object): > Serializer for BaseGrantModel and RefreshToken
Changed property provider (object)
OAuth2Provider Serializer
Changed property sub_mode (string)
Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Added enum value:
- user_id
GET /stages/prompt/prompts/{prompt_uuid}/****Return Type:
Changed response : 200 OK
Changed content type : application/json
New required properties:
name
Added property name (string)
PUT /stages/prompt/prompts/{prompt_uuid}/****Request:
Changed content type : application/json
New required properties:
name
Added property name (string)
Return Type:
Changed response : 200 OK
Changed content type : application/json
New required properties:
name
Added property name (string)
PATCH /stages/prompt/prompts/{prompt_uuid}/****Request:
Changed content type : application/json
- Added property name (string)
Return Type:
Changed response : 200 OK
Changed content type : application/json
New required properties:
name
Added property name (string)
POST /stages/prompt/prompts/****Request:
Changed content type : application/json
New required properties:
name
Added property name (string)
Return Type:
Changed response : 201 Created
Changed content type : application/json
New required properties:
name
Added property name (string)
GET /stages/prompt/prompts/****Parameters:
Added: name in query
Return Type:
Changed response : 200 OK
Changed content type : application/json
Changed property results (array)
Changed items (object): > Prompt Serializer
New required properties:
name
Added property name (string)