---
title: Release 2023.2
slug: "/releases/2023.2"
---

## New features

-   Proxy provider logout improvements

    In previous versions, logging out of a single proxied application would only invalidate that application's session. Starting with this release, when logging out of a proxied application (via the _/outpost.goauthentik.io/sign_out_ URL), all the users session within the outpost are terminated. Sessions in other outposts and with other protocols are unaffected.

-   UX Improvements

    As with the previous improvements, we've made a lot of minor improvements to the general authentik UX to make your life easier.

-   OAuth2 Provider improvements

    The OAuth2 provider has been reworked to be closer to OAuth specifications and better support refresh tokens and offline access. Additionally the expiry for access tokens and refresh tokens can be adjusted separately now.

## Upgrading

This release does not introduce any new requirements.

### docker-compose

Download the docker-compose file for 2023.2 from [here](https://goauthentik.io/version/2023.2/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.

### Kubernetes

Update your values to use the new images:

```yaml
image:
    repository: ghcr.io/goauthentik/server
    tag: 2023.2.0
```

## Minor changes/fixes

-   \*/saml: disable pretty_print, add signature tests
-   blueprints: don't update default tenant
-   blueprints: handle error when blueprint entry identifier field does not exist
-   core: delete session when user is set to inactive
-   core: fix inconsistent branding in end_session view
-   core: fix token's set_key accessing data incorrectly
-   events: improve sanitising for tuples and sets
-   events: prevent error when request fails without response
-   internal: fix cache-control header
-   providers/ldap: add unbind flow execution (#4484)
-   providers/ldap: fix error not being checked correctly when fetching users
-   providers/oauth2: add user id as "sub" mode
-   providers/oauth2: only set auth_time in ID token when a login event is stored in the session
-   providers/oauth2: optimise client credentials JWT database lookup (#4606)
-   providers/proxy: outpost wide logout implementation (#4605)
-   stages/authenticator_validate: fix error with passwordless webauthn login
-   stages/prompt: field name (#4497)
-   stages/prompt: fix mismatched name field in migration
-   stages/user_write: fix migration setting wrong value, fix form
-   web/admin: fix certificate filtering for SAML verification certificate
-   web/admin: fix dark theme for hover on tables
-   web/admin: fix token edit button
-   web/admin: rework event info page to show all event infos
-   web/elements: add dropdown css to DOM directly instead of including
-   web/elements: fix ak-expand not using correct font
-   web/elements: fix clashing page url param
-   web/elements: fix click propagation from modal into table
-   web/elements: improve codemirror contrast in dark theme
-   web/elements: make table rows clickable to select items
-   web/elements: persist table page in URL parameters
-   web/flows: improve handling of flow info
-   web/user: filter tokens by username
-   web/user: refactor loading of data in userinterface

## API Changes

#### What's New

---

##### `POST` /admin/system/

#### What's Changed

---

##### `POST` /core/tokens/{identifier}/set_key/

##### `GET` /providers/oauth2/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `sub_mode` (string)

        > Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

        Added enum value:

        -   `user_id`

##### `PUT` /providers/oauth2/{id}/

###### Request:

Changed content type : `application/json`

-   Changed property `sub_mode` (string)

    > Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

    Added enum value:

    -   `user_id`

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `sub_mode` (string)

        > Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

        Added enum value:

        -   `user_id`

##### `PATCH` /providers/oauth2/{id}/

###### Request:

Changed content type : `application/json`

-   Changed property `sub_mode` (string)

    > Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

    Added enum value:

    -   `user_id`

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `sub_mode` (string)

        > Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

        Added enum value:

        -   `user_id`

##### `POST` /providers/oauth2/

###### Request:

Changed content type : `application/json`

-   Changed property `sub_mode` (string)

    > Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

    Added enum value:

    -   `user_id`

###### Return Type:

Changed response : **201 Created**

-   Changed content type : `application/json`

    -   Changed property `sub_mode` (string)

        > Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

        Added enum value:

        -   `user_id`

##### `GET` /providers/oauth2/

###### Parameters:

Changed: `sub_mode` in `query`

> Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > OAuth2Provider Serializer

        -   Changed property `sub_mode` (string)

            > Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

            Added enum value:

            -   `user_id`

##### `GET` /oauth2/authorization_codes/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `provider` (object)

        > OAuth2Provider Serializer

        -   Changed property `sub_mode` (string)

            > Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

            Added enum value:

            -   `user_id`

##### `GET` /oauth2/refresh_tokens/{id}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `provider` (object)

        > OAuth2Provider Serializer

        -   Changed property `sub_mode` (string)

            > Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

            Added enum value:

            -   `user_id`

##### `GET` /oauth2/authorization_codes/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant

        -   Changed property `provider` (object)

            > OAuth2Provider Serializer

            -   Changed property `sub_mode` (string)

                > Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

                Added enum value:

                -   `user_id`

##### `GET` /oauth2/refresh_tokens/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > Serializer for BaseGrantModel and RefreshToken

        -   Changed property `provider` (object)

            > OAuth2Provider Serializer

            -   Changed property `sub_mode` (string)

                > Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

                Added enum value:

                -   `user_id`

##### `GET` /stages/prompt/prompts/{prompt_uuid}/

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `name`

    *   Added property `name` (string)

##### `PUT` /stages/prompt/prompts/{prompt_uuid}/

###### Request:

Changed content type : `application/json`

New required properties:

-   `name`

*   Added property `name` (string)

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `name`

    *   Added property `name` (string)

##### `PATCH` /stages/prompt/prompts/{prompt_uuid}/

###### Request:

Changed content type : `application/json`

-   Added property `name` (string)

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    New required properties:

    -   `name`

    *   Added property `name` (string)

##### `POST` /stages/prompt/prompts/

###### Request:

Changed content type : `application/json`

New required properties:

-   `name`

*   Added property `name` (string)

###### Return Type:

Changed response : **201 Created**

-   Changed content type : `application/json`

    New required properties:

    -   `name`

    *   Added property `name` (string)

##### `GET` /stages/prompt/prompts/

###### Parameters:

Added: `name` in `query`

###### Return Type:

Changed response : **200 OK**

-   Changed content type : `application/json`

    -   Changed property `results` (array)

        Changed items (object): > Prompt Serializer

        New required properties:

        -   `name`

        *   Added property `name` (string)