4.39.6 (2025-08-09)

Notable Changes

OpenID Connect 1.0 client registrations incorrectly allowed none as a authorization_signed_response_alg value, this is no longer the case and if you specified this value you'll have to either remove it or update it to the new correct default of RS256.

Bug Fixes

• commands: missing header list header (#9956) (6a31393)
• configuration: healthchecks for unix are unhealthy (#9988) (76e0702)
• oidc: alg none allowed for jarm (#10045) (86e8c4b)
• regulation: ip not marked (#9949) (b731a0c)

Docker Container

• docker pull authelia/authelia:4.39.6
• docker pull ghcr.io/authelia/authelia:4.39.6

4.39.5 (2025-07-13)

Bug Fixes

• configuration: allow claim name override (#9714) (1ce7c5e), closes #9687
• configuration: default pbkdf2 iterations (#9694) (8173ba4)
• embed: unable to run services (#9619) (e77c6bc)
• notifier: disable require tls ineffectual (#9803) (6bddcc6)
• oidc: authorize request relies on session update (#9678) (fcd2bba), closes #9677
• storage: change key operator (#9618) (b582afb)
• webauthn: allow relaxed cache policy (#9696) (5e56d20)
• web: csp inline style error (#9642) (46c49f1)

Docker Container

• docker pull authelia/authelia:4.39.5
• docker pull ghcr.io/authelia/authelia:4.39.5

4.39.4 (2025-05-25)

Bug Fixes

• configuration: oidc enc generated kid invalid chars (#9493) (15f2a1a)
• oidc: explicit consent flow failure (#9562) (a3f62b3)
• web: add missing translations (#9496) (9d8fd85)
• web: adjust contrast for iv buttons and text input (#9570) (f040e41)

Docker Container

• docker pull authelia/authelia:4.39.4
• docker pull ghcr.io/authelia/authelia:4.39.4

4.39.3 (2025-05-11)

Important Note: The v4.39.2 release inadvertently removed the legacy OpenID Connect 1.0 endpoints which have not been documented at least in the last 3 years either at the discovery document or on the website. While these changes were technically unintentional right at this moment they were going to be hard removed at some point before we graduated OpenID Connect 1.0 out of a experimental/beta state and users had previously been notified of this change, as such we're going to leave them as is. Users should refer to our documentation as well as their instances discovery endpoints to obtain the correct URLs. The URLs that potentially may need updating are as follows: the URL /api/oidc/jwks previously handled requests for the JSON Web Key Set Endpoint, the URL /api/oidc/authorize previously also handled requests for the Authorization Endpoint, the URL /api/oidc/introspect previously also handled requests for the Introspection Endpoint, and the URL /api/oidc/revoke previously also handled requests for the Revocation Endpoint.

Bug Fixes

• oidc: rfc9068 jwt strategy not configured (#9479) (785eab9), closes #9478
• web: fetch webauthn when disabled (#9482) (bc318fa)
• web: no redirection to completion view (#9480) (0a4c2f2)

Docker Container

• docker pull authelia/authelia:4.39.3
• docker pull ghcr.io/authelia/authelia:4.39.3

4.39.2 (2025-05-10)

Important Note: The v4.39.2 release inadvertently removed the legacy OpenID Connect 1.0 endpoints which have not been documented in the last 3 years either at the discovery document or on the website. While these changes were technically unintentional right at this moment they were going to be hard removed at some point before we graduated OpenID Connect 1.0 out of a experimental/beta state, as such we're going to leave them as is. Users should refer to our documentation as well as their instances discovery endpoints to obtain the correct URLs.

Bug Fixes

• commands: incorrect flag mapping (#9292) (6b358ef)
• configuration: missing oidc alg validations (#9267) (694cf9e)
• configuration: yescrypt not configurable (#9241) (0f6c1dc)
• oidc: consent semantics not enforced (#9331) (04c27fe)
• oidc: consent subject binding too early (#9302) (3ebed86)
• oidc: device authorization flow (#9429) (f6001ff)
• oidc: ensure stateful userinfo token use (#9385) (9b2de99), closes #9382
• oidc: include missing id token claims in implicit flow (#9238) (1313776)
• oidc: missing device code handlers (#9265) (b0cf8c5)
• oidc: missing grant handlers (#9272) (25f79d0)
• webauthn: metadata errors too vague (#9012) (1eaf858)
• webauthn: passkey compliance workaround (#9278) (0a3e633), closes #9094
• web: differing password ux (#9243) (aef2966)
• web: display name is mislabeled as username (#9108) (b05026c)
• web: unified peek button for password fields (#9311) (ec34a3f)

Performance Improvements

• configuration: decode hooks improvements (#9338) (8dbdfdc)

Docker Container

• docker pull authelia/authelia:4.39.2
• docker pull ghcr.io/authelia/authelia:4.39.2

4.39.1 (2025-03-18)

Bug Fixes

• configuration: cache lifespan scheme case (#8983) (16a447b), closes #8981
• notifier startup check ignored (#8977) (212b1b5), closes #8975
• oidc: claims nil value not checked (#8982) (6cc1909), closes #8979
• oidc: multiple subject matching regression (#8998) (377ddd1)
• session retrieval failure with in-built memory provider (#9004) (7a750da)
• storage: cached_data table value size (#8984) (3f5e747)
• suites: sambaldap certs with negative serial numbers (#9007) (0558ad2)
• web: appbar layout (#8987) (c661154)
• web: broken horizontal margin (#8988) (3f2aa0d)
• web: duo sign in failure (#8986) (d514f8a)

Docker Container

• docker pull authelia/authelia:4.39.1
• docker pull ghcr.io/authelia/authelia:4.39.1

4.39.0 (2025-03-16)

Summary

Please see the Authelia Blog: 4.39 Release Notes for human readable summaries of the changes. It's important to note some critical changes have occurred in this release that warrant some user attention.

Specific critical changes which are detailed in the Authelia Blog: 4.39 Release Notes to watch out for:

1. Changes that will require manual intervention in some scenarios:
   • The default claims for ID Tokens minted by the Authelia OpenID Connect 1.0 Identity Provider have changed.
2. Changes that shouldn't require manual intervention but are significant enough to cause issues in some edge cases:
   • The official Authelia container has been heavily changed.
   • The official Systemd Units which are packaged in AUR packages, DEB packages, and the GitHub artifacts archives have been heavily changed.

Detailed Changes

Bug Fixes

• i18n: lack of privacy policy message consistency (#8845) (a091374)
• web: radio group spacing on mobile and uncentered icons (#8843) (ff88332)
• web: workflow id missing from passkey first factor (#8951) (f948399), closes #8950

Features

• authentication: additional and custom attributes (#8078) (34932a8)
• authentication: ldap connection pooling (#7217) (0af038e)
• authentication: permit empty base dn (#8112) (4b50771)
• build from authelia/base base image (#8884) (7d1adff)
• configuration: listen on file descriptor (#5973) (df67550)
• configuration: reusable definitions (#8077) (a9d1986)
• configuration: support abstract unix socket (#7662) (3fc0378)
• docker: implement shellcheck recommendations (#7474) (c7a8e58)
• embed: make authelia embedable (#8841) (9241731), closes #5803
• handlers: basic authz caching (#8320) (05fa254), closes #5006
• logging: reopen on sighup (#7140) (16e44cb), closes #4964
• metrics: record passkey logins separately (#8866) (6759988)
• middlewares: tokenized bucket rate limit (#8321) (ef5051b), closes #7353 #1947
• oidc: authorization policy network criteria (#8079) (f67097c)
• oidc: claims parameter support (#8081) (111344e), closes #2868
• oidc: merged id token claims (#8851) (eadf0ba), closes #8619
• oidc: prompt parameter support (#8080) (9c718b3), closes #2596
• oidc: rfc7516 jwt encryption (#8083) (684c8e2)
• oidc: rfc8628 oauth 2.0 device code grant (#8082) (e7d387e)
• regulation: ip bans and unbanning (#7230) (5e40d97)
• storage: allow peer authentication (#8161) (4b8d2ce)
• storage: allow postgres failover (#7775) (2934c16)
• use dedicated system user for systemd unit (#4982) (e33d729), closes #3736
• web: add new oled theme (#8838) (e02a2db)
• webauthn: passkeys (#7942) (197b455), closes #2827 #2761
• web: change password (#7676) (f4abcb3), closes #3548
• web: language picker (#6716) (2f1afa1)

Docker Container

• docker pull authelia/authelia:4.39.0
• docker pull ghcr.io/authelia/authelia:4.39.0

4.38.19 (2025-02-16)

Bug Fixes

• configuration: authz endpoint errors with forward slash (#8654) (d382bb0)
• configuration: unregisterable domains not accepted (#8663) (5811888)
• handlers: regulation flow (#8683) (d4a5418)
• notifier: smtp log fails to serialize (#8570) (ba3a877), closes #8569

Docker Container

• docker pull authelia/authelia:4.38.19
• docker pull ghcr.io/authelia/authelia:4.38.19

4.38.18 (2025-01-01)

Bug Fixes

• commands: crypto rand file param missing (#8533) (d386d06)
• configuration: allow unix socket ports (#8520) (31565e4), closes #8509
• configuration: oidc subject not validated (#8380) (990312b)
• session: add connection timeout and retry options to redis (#8146) (7584aac)
• templates: add missing functions (#8494) (7c12781)
• web: include privacy policy when remember me is enabled (#8540) (a18b1d9), closes #8537
• web: missing translations (#8318) (db901a0)
• web: undesirable default method ux (#8521) (7f515d1), closes #8345

Docker Container

• docker pull authelia/authelia:4.38.18
• docker pull ghcr.io/authelia/authelia:4.38.18

4.38.17 (2024-10-30)

Bug Fixes

• configuration: jwk without required key startup panic (#8023) (af5face)
• configuration: templating panic edge case (#8130) (feca984)
• configuration: utilise updated psl for domain validation (#8119) (a89d8b8), closes /github.com/golang/go/issues/15518#issuecomment-217312171 #8074
• web: feedback missing from password reset (#8021) (58866f6)
• web: totp credential ui shows too much info (#8062) (5538c2f)
• web: webauthn buttons crowded (#8008) (108c58e)

Docker Container

• docker pull authelia/authelia:4.38.17
• docker pull ghcr.io/authelia/authelia:4.38.17