authentik/website/docs/releases/2024/v2024.1.md

---
title: Release 2024.1
slug: "/releases/2024.1"
---

## Breaking changes

-   Removal of deprecated metrics

    -   `authentik_outpost_flow_timing_get` -> `authentik_outpost_flow_timing_get_seconds`
    -   `authentik_outpost_flow_timing_post` -> `authentik_outpost_flow_timing_post_seconds`
    -   `authentik_outpost_ldap_requests` -> `authentik_outpost_ldap_request_duration_seconds`
    -   `authentik_outpost_ldap_requests_rejected` -> `authentik_outpost_ldap_requests_rejected_total`
    -   `authentik_outpost_proxy_requests` -> `authentik_outpost_proxy_request_duration_seconds`
    -   `authentik_outpost_proxy_upstream_time` -> `authentik_outpost_proxy_upstream_response_duration_seconds`
    -   `authentik_outpost_radius_requests` -> `authentik_outpost_radius_request_duration_seconds`
    -   `authentik_outpost_radius_requests_rejected` -> `authentik_outpost_radius_requests_rejected_total`
    -   `authentik_main_requests` -> `authentik_main_request_duration_seconds`

-   Required `offline_access` scope for Refresh tokens

    The OAuth2 provider ships with a new default scope called `offline_access`, which must be requested by applications that need a refresh token. Previously, authentik would always issue a refresh token for the _Authorization code_ and _Device code_ OAuth grants.

    Applications which require will need their configuration update to include the `offline_access` scope mapping.

## New features

-   "Pretend user exists" option for Identification stage

    Previously the identification stage would only continue if a user matching the user identifier exists. While this was the intended functionality, this release adds an option to continue to the next stage even if no matching user was found. "Pretend" users cannot authenticate nor receive emails, and don't exist in the database. **This feature is enabled by default.**

## Upgrading

This release does not introduce any new requirements.

### docker-compose

To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:

```
wget -O docker-compose.yml https://goauthentik.io/version/2024.1/docker-compose.yml
docker-compose up -d
```

The `-O` flag retains the downloaded file's name, overwriting any existing local file with the same name.

### Kubernetes

Upgrade the Helm Chart to the new version, using the following commands:

```shell
helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.1
```

## Minor changes/fixes

<!-- _Insert the output of `make gen-changelog` here_ -->

## API Changes

<!-- _Insert output of `make gen-diff` here_ -->
internal: remove deprecated metrics (#7540) Signed-off-by: Jens Langhammer <jens@goauthentik.io> 2023-11-13 13:48:37 +00:00			`---`
			`title: Release 2024.1`
			`slug: "/releases/2024.1"`
			`---`

			`## Breaking changes`

			`- Removal of deprecated metrics`

			- `authentik_outpost_flow_timing_get` -> `authentik_outpost_flow_timing_get_seconds`
			- `authentik_outpost_flow_timing_post` -> `authentik_outpost_flow_timing_post_seconds`
			- `authentik_outpost_ldap_requests` -> `authentik_outpost_ldap_request_duration_seconds`
			- `authentik_outpost_ldap_requests_rejected` -> `authentik_outpost_ldap_requests_rejected_total`
			- `authentik_outpost_proxy_requests` -> `authentik_outpost_proxy_request_duration_seconds`
			- `authentik_outpost_proxy_upstream_time` -> `authentik_outpost_proxy_upstream_response_duration_seconds`
			- `authentik_outpost_radius_requests` -> `authentik_outpost_radius_request_duration_seconds`
			- `authentik_outpost_radius_requests_rejected` -> `authentik_outpost_radius_requests_rejected_total`
			- `authentik_main_requests` -> `authentik_main_request_duration_seconds`

providers/oauth2: offline access (#8026) * improve scope check (log when application requests non-configured scopes) Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add offline_access special scope Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ensure scope is set Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update tests for refresh tokens Signed-off-by: Jens Langhammer <jens@goauthentik.io> * special handling of scopes for github compat Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix spec Signed-off-by: Jens Langhammer <jens@goauthentik.io> * attempt to fix oidc tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove hardcoded slug Signed-off-by: Jens Langhammer <jens@goauthentik.io> * check scope from authorization code instead of request Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix injection for consent stage checking incorrectly Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> 2024-01-04 18:57:11 +00:00			- Required `offline_access` scope for Refresh tokens

			The OAuth2 provider ships with a new default scope called `offline_access`, which must be requested by applications that need a refresh token. Previously, authentik would always issue a refresh token for the _Authorization code_ and _Device code_ OAuth grants.

			Applications which require will need their configuration update to include the `offline_access` scope mapping.

internal: remove deprecated metrics (#7540) Signed-off-by: Jens Langhammer <jens@goauthentik.io> 2023-11-13 13:48:37 +00:00			`## New features`

stages/identification: add option to pretend user exists (#7610) * stages/identification: add option to pretend user exists Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tests? Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> * test CI permission fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> 2023-11-18 00:55:48 +00:00			`- "Pretend user exists" option for Identification stage`

			`Previously the identification stage would only continue if a user matching the user identifier exists. While this was the intended functionality, this release adds an option to continue to the next stage even if no matching user was found. "Pretend" users cannot authenticate nor receive emails, and don't exist in the database. This feature is enabled by default.`

internal: remove deprecated metrics (#7540) Signed-off-by: Jens Langhammer <jens@goauthentik.io> 2023-11-13 13:48:37 +00:00			`## Upgrading`

			`This release does not introduce any new requirements.`

			`### docker-compose`

			`To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:`

			```
			`wget -O docker-compose.yml https://goauthentik.io/version/2024.1/docker-compose.yml`
			`docker-compose up -d`
			```

			The `-O` flag retains the downloaded file's name, overwriting any existing local file with the same name.

			`### Kubernetes`

			`Upgrade the Helm Chart to the new version, using the following commands:`

			```shell
			`helm repo update`
			`helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.1`
			```

			`## Minor changes/fixes`

			<!-- _Insert the output of `make gen-changelog` here_ -->

			`## API Changes`

			<!-- _Insert output of `make gen-diff` here_ -->