Headline Changes
- WebAuthn support
This release introduces support for WebAuthn, an open standard for the use of hardware authentication keys like YubiKeys on the web.
You can configure a WebAuthn device using the "WebAuthn Authenticator Setup Stage" stage. Afterwards, it can be used as an n-th factor, just like TOTP authenticators.
- Simplify role-based access
Instead of having to create a Group Membership policy for every group you want to use, you can now select a Group and even a User directly in a binding.
When a group is selected, the binding behaves the same as if a Group Membership policy exists.
When a user is selected, the binding checks the user of the request, and denies the request when the user doesn't match.
Group Membership policies are automatically migrated to use this simplified access.
- Invisible reCAPTCHA
The checkbox-based reCAPTCHA has been replaced with reCAPTCHA v2 Invisible.
This is a breaking change, as a set of reCAPTCHA keys is only valid for a single type. To migrate, go to https://www.google.com/recaptcha/admin and create a new set of keys with the "reCAPTCHA v2" type and "Invisible reCAPTCHA badge" mode.
- Migration of Flow Executor to SPA/API
The flow executor has been migrated to a full SPA/API architecture. This was required for WebAuthn, but also allows for greater customizability.
It also allows other services to use the flow executor via an API, which will be used by the outpost further down the road.
- Deny stage
A new stage which simply denies access. It can be used to conditionally deny access to users during a flow. Authorization flows, for example, require an authenticated user, but previously there was no way to block access for unauthenticated users.
If you conditionally include this stage in a flow, make sure to disable "Evaluate on plan", as that will always include the stage in the flow, regardless of the inputs.
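The following is an added illustration, not authentik's own code: a simplified model of stage bindings that covers the three binding kinds described above (policy, group, user) and shows why a conditionally bound Deny stage should not use "Evaluate on plan". The class names, the stage names and the two-phase plan/execute model are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class User:
    username: str
    groups: frozenset = frozenset()

@dataclass
class Binding:
    stage: str
    policy: Optional[Callable[[dict], bool]] = None  # True = include the stage
    group: Optional[str] = None  # acts like a Group Membership policy
    user: Optional[str] = None  # stage applies only to this exact user
    evaluate_on_plan: bool = True

def binding_passes(b: Binding, ctx: dict) -> bool:
    """Decide whether a binding includes its stage for the user in the context."""
    u: Optional[User] = ctx.get("pending_user")
    if b.group is not None and (u is None or b.group not in u.groups):
        return False
    if b.user is not None and (u is None or u.username != b.user):
        return False
    return b.policy is None or b.policy(ctx)

def run_flow(bindings: List[Binding], submitted: User) -> Tuple[List[str], bool]:
    """Return the executed stage names and whether a Deny stage fired."""
    ctx: dict = {}  # nothing is known about the user before any stage has run
    # Plan phase: "Evaluate on plan" bindings are decided on this empty context.
    plan = [b for b in bindings if not b.evaluate_on_plan or binding_passes(b, ctx)]
    executed: List[str] = []
    for b in plan:
        # Other bindings are re-checked only when their stage is actually reached.
        if not b.evaluate_on_plan and not binding_passes(b, ctx):
            continue
        executed.append(b.stage)
        if b.stage == "deny":
            return executed, True
        if b.stage == "identification":  # constructed effect: user is now known
            ctx["pending_user"] = submitted
    return executed, False

def demo(evaluate_on_plan: bool) -> Tuple[List[str], bool]:
    # Deny stage intended to block only requests where no user was identified.
    bindings = [
        Binding("identification"),
        Binding("deny", policy=lambda c: c.get("pending_user") is None,
                evaluate_on_plan=evaluate_on_plan),
        Binding("user_login"),
    ]
    return run_flow(bindings, User("alice", frozenset({"admins"})))
```

With "Evaluate on plan" enabled, `demo(True)` includes the Deny stage because the policy ran before identification filled the context; `demo(False)` re-evaluates it when reached and lets the identified user through.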
See https://goauthentik.io/docs/releases/2021.3/#fixed-in-202134