diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml index 6f49b82019..e14f69ac27 100644 --- a/.github/actions/setup/action.yml +++ b/.github/actions/setup/action.yml @@ -64,7 +64,7 @@ runs: rustflags: "" - name: Setup rust dependencies if: ${{ contains(inputs.dependencies, 'rust') }} - uses: taiki-e/install-action@56545b37b57562edd73171cb6c62cc509db4c34e # v2 + uses: taiki-e/install-action@0631aa6515c7d545823c67cfae7ef4fc7f490154 # v2 with: tool: cargo-deny cargo-machete cargo-llvm-cov nextest - name: Setup node (root, web) diff --git a/Cargo.lock b/Cargo.lock index b475976d63..08179d8e4c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2642,9 +2642,9 @@ dependencies = [ [[package]] name = "pyo3" -version = "0.28.3" +version = "0.29.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "91fd8e38a3b50ed1167fb981cd6fd60147e091784c427b8f7183a7ee32c31c12" +checksum = "cd274650b21d4bfc26a0a47587962c1edb425f69287324355cd040c3ea66071c" dependencies = [ "libc", "once_cell", @@ -2656,18 +2656,18 @@ dependencies = [ [[package]] name = "pyo3-build-config" -version = "0.28.3" +version = "0.29.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e368e7ddfdeb98c9bca7f8383be1648fd84ab466bf2bc015e94008db6d35611e" +checksum = "c5e2a7d2f0d013342f295c048ad19237add5154a55b1c5a254c0ec93d4109078" dependencies = [ "target-lexicon", ] [[package]] name = "pyo3-ffi" -version = "0.28.3" +version = "0.29.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f29e10af80b1f7ccaf7f69eace800a03ecd13e883acfacc1e5d0988605f651e" +checksum = "ca85c467da1bbc8d866eea5deff9cf29ea5f7785054a17da36e65bda9c05845b" dependencies = [ "libc", "pyo3-build-config", @@ -2675,9 +2675,9 @@ dependencies = [ [[package]] name = "pyo3-macros" -version = "0.28.3" +version = "0.29.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "df6e520eff47c45997d2fc7dd8214b25dd1310918bbb2642156ef66a67f29813" +checksum = "9ac53762fd065daa3194dd09337a38bd793a188100fd1a9304c4ab312d901771" dependencies = [ "proc-macro2", "pyo3-macros-backend", @@ -2687,13 +2687,12 @@ dependencies = [ [[package]] name = "pyo3-macros-backend" -version = "0.28.3" +version = "0.29.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c4cdc218d835738f81c2338f822078af45b4afdf8b2e33cbb5916f108b813acb" +checksum = "4ca3a1557399783172dc5bf39cfca835157732532cba56b71d2292161e53b362" dependencies = [ "heck", "proc-macro2", - "pyo3-build-config", "quote", "syn", ] @@ -4578,9 +4577,9 @@ dependencies = [ [[package]] name = "which" -version = "8.0.2" +version = "8.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "81995fafaaaf6ae47a7d0cc83c67caf92aeb7e5331650ae6ff856f7c0c60c459" +checksum = "c789537cf2f7f55be8e6192f92e464174ee55f91af622777f7f1ceb0dbccd03e" dependencies = [ "libc", ] diff --git a/Cargo.toml b/Cargo.toml index 02f085538f..802f80573d 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -48,8 +48,8 @@ metrics-exporter-prometheus = { version = "= 0.18.3", default-features = false } nix = { version = "= 0.31.3", features = ["hostname", "signal"] } notify = "= 8.2.0" pin-project-lite = "= 0.2.17" -pyo3 = "= 0.28.3" -pyo3-build-config = "= 0.28.3" +pyo3 = "= 0.29.0" +pyo3-build-config = "= 0.29.0" regex = "= 1.12.3" reqwest = { version = "= 0.13.4", features = [ "form", @@ -113,7 +113,7 @@ tracing-subscriber = { version = "= 0.3.23", features = [ ] } url = "= 2.5.8" uuid = { version = "= 1.23.2", features = ["serde", "v4"] } -which = "= 8.0.2" +which = "= 8.0.3" ak-axum = { package = "authentik-axum", version = "2026.8.0-rc1", path = "./packages/ak-axum" } ak-client = { package = "authentik-client", version = "2026.8.0-rc1", path = "./packages/client-rust" } diff --git a/authentik/stages/captcha/api.py b/authentik/stages/captcha/api.py index cb33ff4d2c..959d30df00 100644 --- a/authentik/stages/captcha/api.py +++ b/authentik/stages/captcha/api.py @@ -17,6 +17,7 @@ class CaptchaStageSerializer(StageSerializer): "private_key", "js_url", "api_url", + "request_content_type", "interactive", "score_min_threshold", "score_max_threshold", diff --git a/authentik/stages/captcha/migrations/0005_captchastage_request_content_type.py b/authentik/stages/captcha/migrations/0005_captchastage_request_content_type.py new file mode 100644 index 0000000000..6c7d24dbe7 --- /dev/null +++ b/authentik/stages/captcha/migrations/0005_captchastage_request_content_type.py @@ -0,0 +1,24 @@ +# Generated by Django 5.2.14 on 2026-05-14 23:58 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ("authentik_stages_captcha", "0004_captchastage_interactive"), + ] + + operations = [ + migrations.AddField( + model_name="captchastage", + name="request_content_type", + field=models.TextField( + choices=[ + ("application/x-www-form-urlencoded", "Form encoded"), + ("application/json", "JSON"), + ], + default="application/x-www-form-urlencoded", + ), + ), + ] diff --git a/authentik/stages/captcha/models.py b/authentik/stages/captcha/models.py index fb5a6dac28..776911b91e 100644 --- a/authentik/stages/captcha/models.py +++ b/authentik/stages/captcha/models.py @@ -8,6 +8,13 @@ from rest_framework.serializers import BaseSerializer from authentik.flows.models import Stage +class CaptchaRequestContentType(models.TextChoices): + """Supported request content types for CAPTCHA verification.""" + + FORM = "application/x-www-form-urlencoded", _("Form encoded") + JSON = "application/json", _("JSON") + + class CaptchaStage(Stage): """Verify the user is human using Google's reCaptcha/other compatible CAPTCHA solutions.""" @@ -30,6 +37,10 @@ class CaptchaStage(Stage): js_url = models.TextField(default="https://www.recaptcha.net/recaptcha/api.js") api_url = models.TextField(default="https://www.recaptcha.net/recaptcha/api/siteverify") + request_content_type = models.TextField( + choices=CaptchaRequestContentType.choices, + default=CaptchaRequestContentType.FORM, + ) @property def serializer(self) -> type[BaseSerializer]: diff --git a/authentik/stages/captcha/stage.py b/authentik/stages/captcha/stage.py index 9e582e5614..66b823e7a7 100644 --- a/authentik/stages/captcha/stage.py +++ b/authentik/stages/captcha/stage.py @@ -15,7 +15,7 @@ from authentik.flows.challenge import ( from authentik.flows.stage import ChallengeStageView from authentik.lib.utils.http import get_http_session from authentik.root.middleware import ClientIPMiddleware -from authentik.stages.captcha.models import CaptchaStage +from authentik.stages.captcha.models import CaptchaRequestContentType, CaptchaStage LOGGER = get_logger() PLAN_CONTEXT_CAPTCHA = "captcha" @@ -35,17 +35,23 @@ class CaptchaChallenge(WithUserInfoChallenge): def verify_captcha_token(stage: CaptchaStage, token: str, remote_ip: str, key: str | None = None): """Validate captcha token""" + payload = { + "secret": key or stage.private_key, + "response": token, + "remoteip": remote_ip, + } + body_kwargs = ( + {"json": payload} + if stage.request_content_type == CaptchaRequestContentType.JSON + else {"data": payload} + ) try: response = get_http_session().post( stage.api_url, headers={ - "Content-type": "application/x-www-form-urlencoded", - }, - data={ - "secret": key or stage.private_key, - "response": token, - "remoteip": remote_ip, + "Content-Type": stage.request_content_type, }, + **body_kwargs, ) response.raise_for_status() data = response.json() diff --git a/authentik/stages/captcha/tests.py b/authentik/stages/captcha/tests.py index 41bceb9f43..39a7b4a32e 100644 --- a/authentik/stages/captcha/tests.py +++ b/authentik/stages/captcha/tests.py @@ -10,7 +10,7 @@ from authentik.flows.planner import FlowPlan from authentik.flows.tests import FlowTestCase from authentik.flows.views.executor import SESSION_KEY_PLAN from authentik.lib.generators import generate_id -from authentik.stages.captcha.models import CaptchaStage +from authentik.stages.captcha.models import CaptchaRequestContentType, CaptchaStage from authentik.stages.captcha.stage import ( PLAN_CONTEXT_CAPTCHA_PRIVATE_KEY, PLAN_CONTEXT_CAPTCHA_SITE_KEY, @@ -56,6 +56,39 @@ class TestCaptchaStage(FlowTestCase): ) self.assertEqual(response.status_code, 200) self.assertStageRedirects(response, reverse("authentik_core:root-redirect")) + self.assertEqual( + mock.request_history[0].headers["Content-Type"], + CaptchaRequestContentType.FORM, + ) + self.assertIn("response=PASSED", mock.request_history[0].text) + + @Mocker() + def test_valid_json_content_type(self, mock: Mocker): + """Test valid captcha with JSON verification request""" + self.stage.request_content_type = CaptchaRequestContentType.JSON + self.stage.save() + mock.post( + "https://www.recaptcha.net/recaptcha/api/siteverify", + json={ + "success": True, + "score": 0.5, + }, + ) + plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()]) + session = self.client.session + session[SESSION_KEY_PLAN] = plan + session.save() + response = self.client.post( + reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}), + {"token": "PASSED"}, + ) + self.assertEqual(response.status_code, 200) + self.assertStageRedirects(response, reverse("authentik_core:root-redirect")) + self.assertEqual( + mock.request_history[0].headers["Content-Type"], + CaptchaRequestContentType.JSON, + ) + self.assertEqual(mock.request_history[0].json()["response"], "PASSED") @Mocker() def test_valid_override(self, mock: Mocker): diff --git a/blueprints/schema.json b/blueprints/schema.json index 03bd2a617c..602e676233 100644 --- a/blueprints/schema.json +++ b/blueprints/schema.json @@ -15105,6 +15105,14 @@ "minLength": 1, "title": "Api url" }, + "request_content_type": { + "type": "string", + "enum": [ + "application/x-www-form-urlencoded", + "application/json" + ], + "title": "Request content type" + }, "interactive": { "type": "boolean", "title": "Interactive" diff --git a/lifecycle/aws/package-lock.json b/lifecycle/aws/package-lock.json index 6dc3577f04..26d15bcf21 100644 --- a/lifecycle/aws/package-lock.json +++ b/lifecycle/aws/package-lock.json @@ -9,7 +9,7 @@ "version": "0.0.0", "license": "MIT", "devDependencies": { - "aws-cdk": "^2.1125.0", + "aws-cdk": "^2.1126.0", "cross-env": "^10.1.0" }, "engines": { @@ -25,9 +25,9 @@ "license": "MIT" }, "node_modules/aws-cdk": { - "version": "2.1125.0", - "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1125.0.tgz", - "integrity": "sha512-QAvsE2XQMcyNOjMMqAS7eDADR9t6vcFcMQvhOmtLfDqgfJXSyTkHvzM5zgwZCdJ4FNqWr5Y/zXvL1Cv5ECKXwQ==", + "version": "2.1126.0", + "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1126.0.tgz", + "integrity": "sha512-uNoocb3vCPiAT3j9+SwL6pn/VVggHWBsgC2XpxyhNvYQYt6cE9BM/149GWwtdcwnLrPjnwW1+CV/5nSSh5dV+w==", "dev": true, "license": "Apache-2.0", "bin": { diff --git a/lifecycle/aws/package.json b/lifecycle/aws/package.json index 51ec72589c..bc7a5ec52b 100644 --- a/lifecycle/aws/package.json +++ b/lifecycle/aws/package.json @@ -7,7 +7,7 @@ "aws-cfn": "cross-env CI=false cdk synth --version-reporting=false > template.yaml" }, "devDependencies": { - "aws-cdk": "^2.1125.0", + "aws-cdk": "^2.1126.0", "cross-env": "^10.1.0" }, "engines": { diff --git a/lifecycle/container/Dockerfile b/lifecycle/container/Dockerfile index 3573c7d79c..aaee9343f7 100644 --- a/lifecycle/container/Dockerfile +++ b/lifecycle/container/Dockerfile @@ -116,9 +116,9 @@ RUN --mount=type=bind,target=rust-toolchain.toml,src=rust-toolchain.toml \ RUN cat /root/.rustup/settings.toml # Stage: Download uv -FROM ghcr.io/astral-sh/uv:0.11.19@sha256:b46b03ddfcfbf8f547af7e9eaefdf8a39c8cebcba7c98858d3162bd28cf536f6 AS uv +FROM ghcr.io/astral-sh/uv:0.11.20@sha256:eaa5f1a3305307aaf9e67fe2bbba1d85ebbb2d8a63bce23af21797bfafbe0f8b AS uv # Stage: Base python image -FROM ghcr.io/goauthentik/fips-python:3.14.5-slim-trixie-fips@sha256:ede0a006a873bfd3e66fd0e56827bc8e46ea75341e1a6a35dae6edd6ad6be691 AS python-base +FROM ghcr.io/goauthentik/fips-python:3.14.5-slim-trixie-fips@sha256:94d880542ff5e74bd50b874680fd68a04fe6bb34b7f25e8a081b62b7e1ae6dc3 AS python-base ENV VENV_PATH="/ak-root/.venv" \ PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \ diff --git a/locale/en/LC_MESSAGES/django.po b/locale/en/LC_MESSAGES/django.po index ec23cf2ce9..6f636c5735 100644 --- a/locale/en/LC_MESSAGES/django.po +++ b/locale/en/LC_MESSAGES/django.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2026-05-22 00:36+0000\n" +"POT-Creation-Date: 2026-06-11 00:42+0000\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -3399,14 +3399,6 @@ msgstr "" msgid "Google OAuth Sources" msgstr "" -#: authentik/sources/oauth/models.py -msgid "Azure AD OAuth Source" -msgstr "" - -#: authentik/sources/oauth/models.py -msgid "Azure AD OAuth Sources" -msgstr "" - #: authentik/sources/oauth/models.py msgid "Entra ID OAuth Source" msgstr "" diff --git a/locale/fr_FR/LC_MESSAGES/django.po b/locale/fr_FR/LC_MESSAGES/django.po index feb36304fe..55ecc2eab2 100644 --- a/locale/fr_FR/LC_MESSAGES/django.po +++ b/locale/fr_FR/LC_MESSAGES/django.po @@ -15,7 +15,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2026-05-22 00:36+0000\n" +"POT-Creation-Date: 2026-06-11 00:42+0000\n" "PO-Revision-Date: 2025-12-01 19:09+0000\n" "Last-Translator: Sp P, 2026\n" "Language-Team: French (France) (https://app.transifex.com/authentik/teams/119923/fr_FR/)\n" @@ -3790,14 +3790,6 @@ msgstr "Source d'OAuth Google" msgid "Google OAuth Sources" msgstr "Source d'OAuth Google" -#: authentik/sources/oauth/models.py -msgid "Azure AD OAuth Source" -msgstr "Source d'OAuth Azure AD" - -#: authentik/sources/oauth/models.py -msgid "Azure AD OAuth Sources" -msgstr "Source d'OAuth Azure AD" - #: authentik/sources/oauth/models.py msgid "Entra ID OAuth Source" msgstr "Source d'OAuth Entra ID" diff --git a/locale/hu_HU/LC_MESSAGES/django.po b/locale/hu_HU/LC_MESSAGES/django.po index 601b01c818..384418a924 100644 --- a/locale/hu_HU/LC_MESSAGES/django.po +++ b/locale/hu_HU/LC_MESSAGES/django.po @@ -12,7 +12,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2026-05-22 00:36+0000\n" +"POT-Creation-Date: 2026-06-11 00:42+0000\n" "PO-Revision-Date: 2025-12-01 19:09+0000\n" "Last-Translator: Gyula Kiss , 2026\n" "Language-Team: Hungarian (Hungary) (https://app.transifex.com/authentik/teams/119923/hu_HU/)\n" @@ -3780,14 +3780,6 @@ msgstr "Google OAuth forrás" msgid "Google OAuth Sources" msgstr "Google OAuth források" -#: authentik/sources/oauth/models.py -msgid "Azure AD OAuth Source" -msgstr "Azure AD OAuth forrás" - -#: authentik/sources/oauth/models.py -msgid "Azure AD OAuth Sources" -msgstr "Azure AD OAuth források" - #: authentik/sources/oauth/models.py msgid "Entra ID OAuth Source" msgstr "Entra ID OAuth forrás" diff --git a/locale/no_NO/LC_MESSAGES/django.po b/locale/no_NO/LC_MESSAGES/django.po index b329c081a9..3b01fb6a0f 100644 --- a/locale/no_NO/LC_MESSAGES/django.po +++ b/locale/no_NO/LC_MESSAGES/django.po @@ -12,7 +12,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2026-05-22 00:36+0000\n" +"POT-Creation-Date: 2026-06-11 00:42+0000\n" "PO-Revision-Date: 2025-12-01 19:09+0000\n" "Last-Translator: Raphael Cancelliere, 2026\n" "Language-Team: Norwegian (Norway) (https://app.transifex.com/authentik/teams/119923/no_NO/)\n" @@ -3692,14 +3692,6 @@ msgstr "Google OAuth-kilde" msgid "Google OAuth Sources" msgstr "Google OAuth-kilder" -#: authentik/sources/oauth/models.py -msgid "Azure AD OAuth Source" -msgstr "Azure AD OAuth-kilde" - -#: authentik/sources/oauth/models.py -msgid "Azure AD OAuth Sources" -msgstr "Azure AD OAuth-kilder" - #: authentik/sources/oauth/models.py msgid "Entra ID OAuth Source" msgstr "Entra ID OAuth-kilde" diff --git a/packages/client-ts/src/models/CaptchaStage.ts b/packages/client-ts/src/models/CaptchaStage.ts index 2c6b18c9dc..13430ab177 100644 --- a/packages/client-ts/src/models/CaptchaStage.ts +++ b/packages/client-ts/src/models/CaptchaStage.ts @@ -14,6 +14,11 @@ import type { FlowSet } from "./FlowSet"; import { FlowSetFromJSON } from "./FlowSet"; +import type { RequestContentTypeEnum } from "./RequestContentTypeEnum"; +import { + RequestContentTypeEnumFromJSON, + RequestContentTypeEnumToJSON, +} from "./RequestContentTypeEnum"; /** * CaptchaStage Serializer @@ -81,6 +86,12 @@ export interface CaptchaStage { * @memberof CaptchaStage */ apiUrl?: string; + /** + * + * @type {RequestContentTypeEnum} + * @memberof CaptchaStage + */ + requestContentType?: RequestContentTypeEnum; /** * * @type {boolean} @@ -141,6 +152,10 @@ export function CaptchaStageFromJSONTyped(json: any, ignoreDiscriminator: boolea publicKey: json["public_key"], jsUrl: json["js_url"] == null ? undefined : json["js_url"], apiUrl: json["api_url"] == null ? undefined : json["api_url"], + requestContentType: + json["request_content_type"] == null + ? undefined + : RequestContentTypeEnumFromJSON(json["request_content_type"]), interactive: json["interactive"] == null ? undefined : json["interactive"], scoreMinThreshold: json["score_min_threshold"] == null ? undefined : json["score_min_threshold"], @@ -171,6 +186,7 @@ export function CaptchaStageToJSONTyped( public_key: value["publicKey"], js_url: value["jsUrl"], api_url: value["apiUrl"], + request_content_type: RequestContentTypeEnumToJSON(value["requestContentType"]), interactive: value["interactive"], score_min_threshold: value["scoreMinThreshold"], score_max_threshold: value["scoreMaxThreshold"], diff --git a/packages/client-ts/src/models/CaptchaStageRequest.ts b/packages/client-ts/src/models/CaptchaStageRequest.ts index 1c68022168..37792dc7ef 100644 --- a/packages/client-ts/src/models/CaptchaStageRequest.ts +++ b/packages/client-ts/src/models/CaptchaStageRequest.ts @@ -12,6 +12,12 @@ * Do not edit the class manually. */ +import type { RequestContentTypeEnum } from "./RequestContentTypeEnum"; +import { + RequestContentTypeEnumFromJSON, + RequestContentTypeEnumToJSON, +} from "./RequestContentTypeEnum"; + /** * CaptchaStage Serializer * @export @@ -48,6 +54,12 @@ export interface CaptchaStageRequest { * @memberof CaptchaStageRequest */ apiUrl?: string; + /** + * + * @type {RequestContentTypeEnum} + * @memberof CaptchaStageRequest + */ + requestContentType?: RequestContentTypeEnum; /** * * @type {boolean} @@ -101,6 +113,10 @@ export function CaptchaStageRequestFromJSONTyped( privateKey: json["private_key"], jsUrl: json["js_url"] == null ? undefined : json["js_url"], apiUrl: json["api_url"] == null ? undefined : json["api_url"], + requestContentType: + json["request_content_type"] == null + ? undefined + : RequestContentTypeEnumFromJSON(json["request_content_type"]), interactive: json["interactive"] == null ? undefined : json["interactive"], scoreMinThreshold: json["score_min_threshold"] == null ? undefined : json["score_min_threshold"], @@ -129,6 +145,7 @@ export function CaptchaStageRequestToJSONTyped( private_key: value["privateKey"], js_url: value["jsUrl"], api_url: value["apiUrl"], + request_content_type: RequestContentTypeEnumToJSON(value["requestContentType"]), interactive: value["interactive"], score_min_threshold: value["scoreMinThreshold"], score_max_threshold: value["scoreMaxThreshold"], diff --git a/packages/client-ts/src/models/PatchedCaptchaStageRequest.ts b/packages/client-ts/src/models/PatchedCaptchaStageRequest.ts index b616986c41..b2522615bb 100644 --- a/packages/client-ts/src/models/PatchedCaptchaStageRequest.ts +++ b/packages/client-ts/src/models/PatchedCaptchaStageRequest.ts @@ -12,6 +12,12 @@ * Do not edit the class manually. */ +import type { RequestContentTypeEnum } from "./RequestContentTypeEnum"; +import { + RequestContentTypeEnumFromJSON, + RequestContentTypeEnumToJSON, +} from "./RequestContentTypeEnum"; + /** * CaptchaStage Serializer * @export @@ -48,6 +54,12 @@ export interface PatchedCaptchaStageRequest { * @memberof PatchedCaptchaStageRequest */ apiUrl?: string; + /** + * + * @type {RequestContentTypeEnum} + * @memberof PatchedCaptchaStageRequest + */ + requestContentType?: RequestContentTypeEnum; /** * * @type {boolean} @@ -100,6 +112,10 @@ export function PatchedCaptchaStageRequestFromJSONTyped( privateKey: json["private_key"] == null ? undefined : json["private_key"], jsUrl: json["js_url"] == null ? undefined : json["js_url"], apiUrl: json["api_url"] == null ? undefined : json["api_url"], + requestContentType: + json["request_content_type"] == null + ? undefined + : RequestContentTypeEnumFromJSON(json["request_content_type"]), interactive: json["interactive"] == null ? undefined : json["interactive"], scoreMinThreshold: json["score_min_threshold"] == null ? undefined : json["score_min_threshold"], @@ -128,6 +144,7 @@ export function PatchedCaptchaStageRequestToJSONTyped( private_key: value["privateKey"], js_url: value["jsUrl"], api_url: value["apiUrl"], + request_content_type: RequestContentTypeEnumToJSON(value["requestContentType"]), interactive: value["interactive"], score_min_threshold: value["scoreMinThreshold"], score_max_threshold: value["scoreMaxThreshold"], diff --git a/packages/client-ts/src/models/RequestContentTypeEnum.ts b/packages/client-ts/src/models/RequestContentTypeEnum.ts new file mode 100644 index 0000000000..e287dc0fa2 --- /dev/null +++ b/packages/client-ts/src/models/RequestContentTypeEnum.ts @@ -0,0 +1,58 @@ +/* tslint:disable */ +/* eslint-disable */ +/** + * authentik + * Making authentication simple. + * + * The version of the OpenAPI document: 2026.8.0-rc1 + * Contact: hello@goauthentik.io + * + * NOTE: This class is auto generated by OpenAPI Generator (https://openapi-generator.tech). + * https://openapi-generator.tech + * Do not edit the class manually. + */ + +/** + * + * @export + */ +export const RequestContentTypeEnum = { + ApplicationXWwwFormUrlencoded: "application/x-www-form-urlencoded", + ApplicationJson: "application/json", + UnknownDefaultOpenApi: "11184809", +} as const; +export type RequestContentTypeEnum = + (typeof RequestContentTypeEnum)[keyof typeof RequestContentTypeEnum]; + +export function instanceOfRequestContentTypeEnum(value: any): boolean { + for (const key in RequestContentTypeEnum) { + if (Object.prototype.hasOwnProperty.call(RequestContentTypeEnum, key)) { + if (RequestContentTypeEnum[key as keyof typeof RequestContentTypeEnum] === value) { + return true; + } + } + } + return false; +} + +export function RequestContentTypeEnumFromJSON(json: any): RequestContentTypeEnum { + return RequestContentTypeEnumFromJSONTyped(json, false); +} + +export function RequestContentTypeEnumFromJSONTyped( + json: any, + ignoreDiscriminator: boolean, +): RequestContentTypeEnum { + return json as RequestContentTypeEnum; +} + +export function RequestContentTypeEnumToJSON(value?: RequestContentTypeEnum | null): any { + return value as any; +} + +export function RequestContentTypeEnumToJSONTyped( + value: any, + ignoreDiscriminator: boolean, +): RequestContentTypeEnum { + return value as RequestContentTypeEnum; +} diff --git a/packages/client-ts/src/models/index.ts b/packages/client-ts/src/models/index.ts index da4090a4cf..3f9fc870ef 100644 --- a/packages/client-ts/src/models/index.ts +++ b/packages/client-ts/src/models/index.ts @@ -713,6 +713,7 @@ export * from "./RelatedRule"; export * from "./Reputation"; export * from "./ReputationPolicy"; export * from "./ReputationPolicyRequest"; +export * from "./RequestContentTypeEnum"; export * from "./Review"; export * from "./ReviewRequest"; export * from "./ReviewerGroup"; diff --git a/pyproject.toml b/pyproject.toml index aeca2ac862..11d4b94bf3 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -66,7 +66,7 @@ dependencies = [ "ua-parser==1.0.2", "unidecode==1.4.0", "urllib3<3", - "uvicorn[standard]==0.48.0", + "uvicorn[standard]==0.49.0", "watchdog==6.0.0", "webauthn==2.7.1", "wsproto==1.3.2", diff --git a/schema.yml b/schema.yml index 6a3f2c51c1..f21afc33db 100644 --- a/schema.yml +++ b/schema.yml @@ -36333,6 +36333,8 @@ components: type: string api_url: type: string + request_content_type: + $ref: '#/components/schemas/RequestContentTypeEnum' interactive: type: boolean score_min_threshold: @@ -36378,6 +36380,8 @@ components: api_url: type: string minLength: 1 + request_content_type: + $ref: '#/components/schemas/RequestContentTypeEnum' interactive: type: boolean score_min_threshold: @@ -48260,6 +48264,8 @@ components: api_url: type: string minLength: 1 + request_content_type: + $ref: '#/components/schemas/RequestContentTypeEnum' interactive: type: boolean score_min_threshold: @@ -53805,6 +53811,11 @@ components: minimum: -2147483648 required: - name + RequestContentTypeEnum: + enum: + - application/x-www-form-urlencoded + - application/json + type: string Review: type: object description: |- diff --git a/uv.lock b/uv.lock index 78ff68f75f..c114a48104 100644 --- a/uv.lock +++ b/uv.lock @@ -422,7 +422,7 @@ requires-dist = [ { name = "ua-parser", specifier = "==1.0.2" }, { name = "unidecode", specifier = "==1.4.0" }, { name = "urllib3", specifier = "<3" }, - { name = "uvicorn", extras = ["standard"], specifier = "==0.48.0" }, + { name = "uvicorn", extras = ["standard"], specifier = "==0.49.0" }, { name = "watchdog", specifier = "==6.0.0" }, { name = "webauthn", specifier = "==2.7.1" }, { name = "wsproto", specifier = "==1.3.2" }, @@ -1812,17 +1812,24 @@ wheels = [ [[package]] name = "httptools" -version = "0.7.1" +version = "0.8.0" source = { registry = "https://pypi.org/simple" } -sdist = { url = "https://files.pythonhosted.org/packages/b5/46/120a669232c7bdedb9d52d4aeae7e6c7dfe151e99dc70802e2fc7a5e1993/httptools-0.7.1.tar.gz", hash = "sha256:abd72556974f8e7c74a259655924a717a2365b236c882c3f6f8a45fe94703ac9", size = 258961, upload-time = "2025-10-10T03:55:08.559Z" } +sdist = { url = "https://files.pythonhosted.org/packages/43/e5/d471fcb0e14523fe1c3f4ba58ca52480e7bd70ad7109a3846bc75892f7fb/httptools-0.8.0.tar.gz", hash = "sha256:6b2a32f18d97e16e90827d7a819ffa8dbd8cc245fc4e1fa9d1095b54ef4bd999", size = 271342, upload-time = "2026-05-25T22:17:48.841Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/34/50/9d095fcbb6de2d523e027a2f304d4551855c2f46e0b82befd718b8b20056/httptools-0.7.1-cp314-cp314-macosx_10_13_universal2.whl", hash = "sha256:c08fe65728b8d70b6923ce31e3956f859d5e1e8548e6f22ec520a962c6757270", size = 203619, upload-time = "2025-10-10T03:54:54.321Z" }, - { url = "https://files.pythonhosted.org/packages/07/f0/89720dc5139ae54b03f861b5e2c55a37dba9a5da7d51e1e824a1f343627f/httptools-0.7.1-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:7aea2e3c3953521c3c51106ee11487a910d45586e351202474d45472db7d72d3", size = 108714, upload-time = "2025-10-10T03:54:55.163Z" }, - { url = "https://files.pythonhosted.org/packages/b3/cb/eea88506f191fb552c11787c23f9a405f4c7b0c5799bf73f2249cd4f5228/httptools-0.7.1-cp314-cp314-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:0e68b8582f4ea9166be62926077a3334064d422cf08ab87d8b74664f8e9058e1", size = 472909, upload-time = "2025-10-10T03:54:56.056Z" }, - { url = "https://files.pythonhosted.org/packages/e0/4a/a548bdfae6369c0d078bab5769f7b66f17f1bfaa6fa28f81d6be6959066b/httptools-0.7.1-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:df091cf961a3be783d6aebae963cc9b71e00d57fa6f149025075217bc6a55a7b", size = 470831, upload-time = "2025-10-10T03:54:57.219Z" }, - { url = "https://files.pythonhosted.org/packages/4d/31/14df99e1c43bd132eec921c2e7e11cda7852f65619bc0fc5bdc2d0cb126c/httptools-0.7.1-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:f084813239e1eb403ddacd06a30de3d3e09a9b76e7894dcda2b22f8a726e9c60", size = 452631, upload-time = "2025-10-10T03:54:58.219Z" }, - { url = "https://files.pythonhosted.org/packages/22/d2/b7e131f7be8d854d48cb6d048113c30f9a46dca0c9a8b08fcb3fcd588cdc/httptools-0.7.1-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:7347714368fb2b335e9063bc2b96f2f87a9ceffcd9758ac295f8bbcd3ffbc0ca", size = 452910, upload-time = "2025-10-10T03:54:59.366Z" }, - { url = "https://files.pythonhosted.org/packages/53/cf/878f3b91e4e6e011eff6d1fa9ca39f7eb17d19c9d7971b04873734112f30/httptools-0.7.1-cp314-cp314-win_amd64.whl", hash = "sha256:cfabda2a5bb85aa2a904ce06d974a3f30fb36cc63d7feaddec05d2050acede96", size = 88205, upload-time = "2025-10-10T03:55:00.389Z" }, + { url = "https://files.pythonhosted.org/packages/1a/12/fa3fbf5f9517b273edea2dc982aa82a8c634091e67c590792b729017bc6f/httptools-0.8.0-cp314-cp314-macosx_10_13_universal2.whl", hash = "sha256:de242a49b5d18e0a8776e654e9f6bf6d89f3875a5c35b425a0e7ce940feb3fd6", size = 206183, upload-time = "2026-05-25T22:17:24.004Z" }, + { url = "https://files.pythonhosted.org/packages/30/fc/5e7c4cb443370f2090a3aba0453a07384d29ff66b7435bb90e77e1037599/httptools-0.8.0-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:159e9ab5f701ccd42e555a12f1ad8ff69702910fc1c996cf2bb66e5fcb7a231b", size = 112079, upload-time = "2026-05-25T22:17:25.216Z" }, + { url = "https://files.pythonhosted.org/packages/ba/53/771bd891eb0f236f32145d6a1775777ec85745f3cc983a1f23d1a3b8ddfe/httptools-0.8.0-cp314-cp314-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:c4a9f1707e4823d54dfec6c33fa3697d302aed536ed352a7ebb5a061ddb869d0", size = 481596, upload-time = "2026-05-25T22:17:26.186Z" }, + { url = "https://files.pythonhosted.org/packages/62/42/94e15bc68ce3d423243c45d7f1b0c7561f13844f97dc52ae23182fb65628/httptools-0.8.0-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:d76ad7b951387e3632c8716a9bb03ac5b45c5f16119aa409db0459520887944e", size = 480865, upload-time = "2026-05-25T22:17:27.542Z" }, + { url = "https://files.pythonhosted.org/packages/1c/7c/fe2980fc03723272e30f135b62360b075f513dfe7cc73aef36c7f04012bd/httptools-0.8.0-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:a3b7387147361c3fd47a0bde763c5c91b5b4cd4dc9989b8ece84ff436c99843b", size = 463189, upload-time = "2026-05-25T22:17:28.546Z" }, + { url = "https://files.pythonhosted.org/packages/15/1b/47fc5fff68acd1bfa20b4734059c9a06cadb88119dcd5258b5b0d21d91c8/httptools-0.8.0-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:f256d6ce930c52ca1cb2a960b7da03548c454e7d28b06059ad41bfe789036ce0", size = 466610, upload-time = "2026-05-25T22:17:29.816Z" }, + { url = "https://files.pythonhosted.org/packages/60/bd/07b13c93ffd9bec9546e0d43f8e19378dd696dbd278511406bc07371ef1f/httptools-0.8.0-cp314-cp314-win_amd64.whl", hash = "sha256:19d1ee275bb59ba2643ba9a3a1e51cc0c788caf2b8df506368e03f56fdd08527", size = 92705, upload-time = "2026-05-25T22:17:31.133Z" }, + { url = "https://files.pythonhosted.org/packages/fd/c4/121648f68ce066d7bd762d6b6d97e620847642d38d54f3d90ff11d947629/httptools-0.8.0-cp314-cp314t-macosx_10_13_universal2.whl", hash = "sha256:de1ed58a974e75d56560acc7e7fed01a454994429456f65209789992e41f2568", size = 215023, upload-time = "2026-05-25T22:17:32.401Z" }, + { url = "https://files.pythonhosted.org/packages/b9/b0/312a062ae741ae3e8baa8c8bf20be81b2e67337b259ab4349bebc7b6142e/httptools-0.8.0-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:e93c227b595c6926c1acee96891dd9da4be338cfbe82e5cd3bb9d8dd7dc4ac0b", size = 117405, upload-time = "2026-05-25T22:17:33.742Z" }, + { url = "https://files.pythonhosted.org/packages/fc/37/fccd705f795386bb05bf413012fecff2a33e5aa8c2f069096de3e9fd8702/httptools-0.8.0-cp314-cp314t-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:2a021c3a8e65cc125390d72f59b968afca3bdcaff25bd67965e0a055a14946ca", size = 558497, upload-time = "2026-05-25T22:17:34.732Z" }, + { url = "https://files.pythonhosted.org/packages/bd/39/f172e8003576de35f5ba77ff417cf0e34429d35dc014deef15afa337a72c/httptools-0.8.0-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:48774d39cbb70e2b1f71f88852a3087ae1d3a1eb80482bb48c13067ab080c14f", size = 571585, upload-time = "2026-05-25T22:17:35.813Z" }, + { url = "https://files.pythonhosted.org/packages/3e/b9/f5564760af99f3dbbf3f9104dc00e5da27e96cf433c6bdcf77617f70bf3f/httptools-0.8.0-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:88eead8ec8680a9f146c655bc88445a325bd7921cfd8194c7337e9467282427d", size = 543297, upload-time = "2026-05-25T22:17:37.08Z" }, + { url = "https://files.pythonhosted.org/packages/99/67/8d9f2c313618e161b82f3873188e7196126da1d6e29688df40eb3997c77a/httptools-0.8.0-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:2c032fa028f46871ec7e1fc59fc15e8023eab3e6bbe6ece786a1611719a5d081", size = 539535, upload-time = "2026-05-25T22:17:38.032Z" }, + { url = "https://files.pythonhosted.org/packages/48/63/b906c01e53f50d432c0defe43ce52764a111dc1bdd028bafbeb54dcfd008/httptools-0.8.0-cp314-cp314t-win_amd64.whl", hash = "sha256:384c17174464c8e873398b7af24f0b1f44d992c820328413951a625323155d77", size = 108209, upload-time = "2026-05-25T22:17:39.473Z" }, ] [[package]] @@ -3853,15 +3860,15 @@ socks = [ [[package]] name = "uvicorn" -version = "0.48.0" +version = "0.49.0" source = { registry = "https://pypi.org/simple" } dependencies = [ { name = "click" }, { name = "h11" }, ] -sdist = { url = "https://files.pythonhosted.org/packages/e6/bf/f6544ba992ddb9a6077343a576f9844f7f8f06ab819aefd00206e9255f18/uvicorn-0.48.0.tar.gz", hash = "sha256:a5504207195d08c2511bf9125ede5ac4a4b71725d519e758d01dcf0bc2d31c37", size = 91074, upload-time = "2026-05-24T12:08:41.925Z" } +sdist = { url = "https://files.pythonhosted.org/packages/c4/1f/fa18009dea8469069cca78a4e877a008ab78f08b064bfc9ab891579077ff/uvicorn-0.49.0.tar.gz", hash = "sha256:ebf4271aa580d9de97f93192d4595176df6e91f9aae919ca73e4fc07df1e66a3", size = 91284, upload-time = "2026-06-03T22:01:30.448Z" } wheels = [ - { url = "https://files.pythonhosted.org/packages/01/be/72532be3da7acc5fdfbccdb95215cd04f995a0886532a5b423f929cda4cc/uvicorn-0.48.0-py3-none-any.whl", hash = "sha256:48097851328b87ec36117d3d575234519eb58c2b22d79666e9bbc6c49a761dad", size = 71410, upload-time = "2026-05-24T12:08:40.258Z" }, + { url = "https://files.pythonhosted.org/packages/88/fa/e1388bbcf24ef3274f45c0c1c7b501fd14971037c1b6ee23610553307497/uvicorn-0.49.0-py3-none-any.whl", hash = "sha256:ba3d14c3ee7e41c6c654c46c9eb489d33213cdd30aa1696eab1374337c13f68f", size = 71376, upload-time = "2026-06-03T22:01:29.037Z" }, ] [package.optional-dependencies] diff --git a/web/package-lock.json b/web/package-lock.json index 5ce5d55e2f..a599d9befe 100644 --- a/web/package-lock.json +++ b/web/package-lock.json @@ -37,6 +37,7 @@ "@lit/reactive-element": "^2.1.2", "@lit/task": "^1.0.3", "@mdx-js/mdx": "^3.1.1", + "@mermaid-js/layout-elk": "^0.2.1", "@mrmarble/djangoql-completion": "^0.8.3", "@open-wc/lit-helpers": "^0.7.0", "@openlayers-elements/core": "^0.4.0", @@ -2037,6 +2038,19 @@ "react": ">=16" } }, + "node_modules/@mermaid-js/layout-elk": { + "version": "0.2.1", + "resolved": "https://registry.npmjs.org/@mermaid-js/layout-elk/-/layout-elk-0.2.1.tgz", + "integrity": "sha512-MX9jwhMyd5zDcFsYcl3duDUkKhjVRUCGEQrdCeNV5hCIR6+3FuDDbRbFmvVbAu15K1+juzsYGG+K8MDvCY1Amg==", + "license": "MIT", + "dependencies": { + "d3": "^7.9.0", + "elkjs": "^0.9.3" + }, + "peerDependencies": { + "mermaid": "^11.0.2" + } + }, "node_modules/@mermaid-js/parser": { "version": "1.1.1", "resolved": "https://registry.npmjs.org/@mermaid-js/parser/-/parser-1.1.1.tgz", @@ -9387,6 +9401,12 @@ "integrity": "sha512-PwfIw7WQSt3xX7yOf5OE/unLzsK9CaN2f/FvV3WjPR1Knoc1T9vePRVV4W1EM301JzzysK51K7FNKcusCr0zYA==", "license": "ISC" }, + "node_modules/elkjs": { + "version": "0.9.3", + "resolved": "https://registry.npmjs.org/elkjs/-/elkjs-0.9.3.tgz", + "integrity": "sha512-f/ZeWvW/BCXbhGEf1Ujp29EASo/lk1FDnETgNKwJrsVvGZhUWCZyg3xLJjAsxfOmt8KjswHmI5EwCQcPMpOYhQ==", + "license": "EPL-2.0" + }, "node_modules/emoji-regex": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", @@ -20916,7 +20936,7 @@ "version": "1.0.0", "license": "MIT", "dependencies": { - "@goauthentik/tsconfig": "^1.0.9", + "@goauthentik/tsconfig": "^2.0.0", "@types/node": "^25.7.0", "@types/semver": "^7.7.1", "semver": "^7.7.4", @@ -20927,6 +20947,16 @@ "npm": ">=11.14.1" } }, + "packages/core/node_modules/@goauthentik/tsconfig": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/@goauthentik/tsconfig/-/tsconfig-2.0.0.tgz", + "integrity": "sha512-HiU/U9cO4Aaik3VjUHu/3PjD0m2nhIJXlENW1kbfVRFBaqAw//9UuHIel2E3vgwyua93fht36cBb8itZVsG1Vg==", + "license": "MIT", + "engines": { + "node": ">=24", + "npm": ">=11.14.1" + } + }, "packages/core/node_modules/semver": { "version": "7.7.4", "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.4.tgz", diff --git a/web/package.json b/web/package.json index 39563a776b..b873955a52 100644 --- a/web/package.json +++ b/web/package.json @@ -112,6 +112,7 @@ "@lit/reactive-element": "^2.1.2", "@lit/task": "^1.0.3", "@mdx-js/mdx": "^3.1.1", + "@mermaid-js/layout-elk": "^0.2.1", "@mrmarble/djangoql-completion": "^0.8.3", "@open-wc/lit-helpers": "^0.7.0", "@openlayers-elements/core": "^0.4.0", @@ -212,14 +213,10 @@ ], "wireit": { "build": { - "#comment": [ - "`npm run build` and `npm run watch` are the most common ", - "commands you should be using when working on the front end", - "The files and output spec here expect you to use `npm run build --watch` ", - "instead of `npm run watch`. The former is more comprehensive, but ", - "the latter is faster." - ], "command": "${NODE_RUNNER} scripts/build-web.mjs", + "dependencies": [ + "build-locales" + ], "files": [ "src/**/*.{css,jpg,png,ts,js,json}", "!src/**/*.stories.ts", @@ -239,8 +236,12 @@ "./dist/poly-*.js.map", "./dist/styles/**" ], - "dependencies": [ - "build-locales" + "#comment": [ + "`npm run build` and `npm run watch` are the most common ", + "commands you should be using when working on the front end", + "The files and output spec here expect you to use `npm run build --watch` ", + "instead of `npm run watch`. The former is more comprehensive, but ", + "the latter is faster." ], "env": { "NODE_RUNNER": { @@ -255,9 +256,6 @@ "build-locales" ] }, - "locales:repair": { - "command": "prettier --write ./src/locale-codes.ts" - }, "lint:components": { "command": "lit-analyzer src" }, @@ -270,6 +268,9 @@ "lit-analyse": { "command": "lit-analyzer src" }, + "locales:repair": { + "command": "prettier --write ./src/locale-codes.ts" + }, "precommit": { "command": "prettier --write .", "dependencies": [ diff --git a/web/packages/core/package.json b/web/packages/core/package.json index df396010c1..5b734d756a 100644 --- a/web/packages/core/package.json +++ b/web/packages/core/package.json @@ -44,7 +44,7 @@ } }, "dependencies": { - "@goauthentik/tsconfig": "^1.0.9", + "@goauthentik/tsconfig": "^2.0.0", "@types/node": "^25.7.0", "@types/semver": "^7.7.1", "semver": "^7.7.4", diff --git a/web/src/admin/flows/FlowDiagram.ts b/web/src/admin/flows/FlowDiagram.ts index f2e93d7650..dcd08329a7 100644 --- a/web/src/admin/flows/FlowDiagram.ts +++ b/web/src/admin/flows/FlowDiagram.ts @@ -2,28 +2,29 @@ import "#elements/EmptyState"; import { aki } from "#common/api/client"; -import { Diagram } from "#elements/Diagram"; +import { Diagram } from "#elements/Diagram/ak-diagram"; import { FlowsApi } from "@goauthentik/api"; +import { observes } from "@patternfly/pfe-core/decorators/observes.js"; + import { customElement, property } from "lit/decorators.js"; @customElement("ak-flow-diagram") export class FlowDiagram extends Diagram { - @property() - flowSlug?: string; + @property({ type: String, useDefault: true }) + public flowSlug: string | null = null; - refreshHandler = (): void => { - this.diagram = undefined; + @observes("flowSlug") + protected refresh(): void { aki(FlowsApi) .flowsInstancesDiagramRetrieve({ slug: this.flowSlug || "", }) .then((data) => { this.diagram = data.diagram; - this.requestUpdate(); }); - }; + } } declare global { diff --git a/web/src/admin/sources/oauth/OAuthSourceDiagram.ts b/web/src/admin/sources/oauth/OAuthSourceDiagram.ts index a1151ffa61..ec5008999a 100644 --- a/web/src/admin/sources/oauth/OAuthSourceDiagram.ts +++ b/web/src/admin/sources/oauth/OAuthSourceDiagram.ts @@ -1,4 +1,4 @@ -import { Diagram } from "#elements/Diagram"; +import { Diagram } from "#elements/Diagram/ak-diagram"; import { UserMatchingModeToLabel } from "#admin/sources/oauth/utils"; @@ -9,22 +9,28 @@ import { customElement, property } from "lit/decorators.js"; @customElement("ak-source-oauth-diagram") export class OAuthSourceDiagram extends Diagram { - @property({ attribute: false }) - source?: OAuthSource; + @property({ attribute: false, useDefault: true }) + public source: OAuthSource | null = null; - refreshHandler = (): void => { + protected override syncDiagramContent = (): void => { if (!this.source) return; - const graph = ["graph LR"]; - graph.push(`source[${msg(str`OAuth Source ${this.source.name}`)}]`); - graph.push( - `source --> flow_manager["${UserMatchingModeToLabel(this.source.userMatchingMode || UserMatchingModeEnum.Identifier)}"]`, - ); + + const graph = [ + "graph LR", + `source[${msg(str`OAuth Source ${this.source.name}`)}]`, + `source --> flow_manager["${UserMatchingModeToLabel( + this.source.userMatchingMode || UserMatchingModeEnum.Identifier, + )}"]`, + ]; + if (this.source.enrollmentFlow) { graph.push("flow_manager --> flow_enroll[Enrollment flow]"); } + if (this.source.authenticationFlow) { graph.push("flow_manager --> flow_auth[Authentication flow]"); } + this.diagram = graph.join("\n"); }; } diff --git a/web/src/admin/stages/captcha/CaptchaStageForm.ts b/web/src/admin/stages/captcha/CaptchaStageForm.ts index 6c962e3ac2..387f71815c 100644 --- a/web/src/admin/stages/captcha/CaptchaStageForm.ts +++ b/web/src/admin/stages/captcha/CaptchaStageForm.ts @@ -14,9 +14,11 @@ import { SlottedTemplateResult } from "#elements/types"; import { BaseStageForm } from "#admin/stages/BaseStageForm"; import { CAPTCHA_PROVIDERS, + CAPTCHA_REQUEST_CONTENT_TYPES, CaptchaProviderKey, CaptchaProviderKeys, CaptchaProviderPreset, + deriveCapSiteVerifyURL, detectProviderFromInstance, pluckFormValues, } from "#admin/stages/captcha/shared"; @@ -35,6 +37,10 @@ import { customElement, state } from "lit/decorators.js"; import { guard } from "lit/directives/guard.js"; import { ifDefined } from "lit/directives/if-defined.js"; +type CaptchaStageFormRequest = (CaptchaStageRequest | PatchedCaptchaStageRequest) & { + capEndpoint?: string; +}; + @customElement("ak-stage-captcha-form") export class CaptchaStageForm extends BaseStageForm { public static override readonly styles = [...super.styles, Styles]; @@ -83,6 +89,26 @@ export class CaptchaStageForm extends BaseStageForm { public async send( data: CaptchaStageRequest | PatchedCaptchaStageRequest, ): Promise { + const formData = data as CaptchaStageFormRequest; + + if (this.selectedProvider === "cap" && (formData.capEndpoint || formData.publicKey)) { + const capEndpoint = formData.capEndpoint || formData.publicKey || ""; + + formData.publicKey = capEndpoint; + delete formData.capEndpoint; + + const presetURL = CAPTCHA_PROVIDERS.cap.apiUrl; + // The Cap verification URL includes the site key, so derive it from the + // widget endpoint unless the advanced field was explicitly customized. + if (!data.apiUrl || data.apiUrl === presetURL) { + const siteVerifyURL = deriveCapSiteVerifyURL(capEndpoint); + + if (siteVerifyURL) { + data.apiUrl = siteVerifyURL; + } + } + } + if (this.instance) { return this.#api.stagesCaptchaPartialUpdate({ stageUuid: this.instance.pk || "", @@ -117,43 +143,77 @@ export class CaptchaStageForm extends BaseStageForm {

${guard([this.#currentPreset], () => { - const { formatAPISource, keyURL } = this.#currentPreset; + const { formatAPISource, formatDescription, keyURL } = this.#currentPreset; - if (!formatAPISource || !keyURL) { - return null; - } + const description = formatDescription + ? html`

${formatDescription()}

` + : null; + const providerLink = + formatAPISource && keyURL + ? html` + ${this.selectedProvider === "cap" + ? msg( + html`Use the + ${html`${formatAPISource()}`} + to self-host Cap and configure the endpoint.`, + { + id: "captcha.provider-link.cap", + desc: "Supplementary help text with link to Cap documentation.", + }, + ) + : msg( + html`API keys can be obtained from the + ${html`${formatAPISource()}.`}`, + { + id: "captcha.provider-link", + desc: "Supplementary help text with link to provider dashboard.", + }, + )} + ` + : null; - return html` - ${msg( - html`API keys can be obtained from the - ${html`${formatAPISource()}.`}`, - { - id: "captcha.provider-link", - desc: "Supplementary help text with link to provider dashboard.", - }, - )} - `; + return html`${description} ${providerLink}`; })} `; } protected renderKeyFields(): SlottedTemplateResult { + const isCapProvider = this.selectedProvider === "cap"; + const publicKeyLabel = isCapProvider ? msg("Cap Endpoint") : msg("Public Key"); + const publicKeyPlaceholder = isCapProvider + ? msg("https://cap.example.com/site-key/") + : msg("Paste your CAPTCHA public key..."); + const publicKeyHelp = isCapProvider + ? msg("The public site-key endpoint of your Cap server.", { + id: "captcha.cap-endpoint.description", + desc: "Description for Cap endpoint field.", + }) + : msg("The public key is used by authentik to render the CAPTCHA widget.", { + id: "captcha.public-key.description", + desc: "Description for CAPTCHA public key field.", + }); + return html` @@ -236,9 +296,13 @@ export class CaptchaStageForm extends BaseStageForm { type="url" value="${ifDefined(formValues.jsUrl)}" required - help=${msg( - "URL to fetch the CAPTCHA JavaScript library from. Automatically set based on provider selection but can be customized.", - )} + help=${this.selectedProvider === "cap" + ? msg( + "For Cap, prefer the self-hosted widget asset, for example https://cap.example.com/assets/widget.js. If using a CDN, pin a reviewed release.", + ) + : msg( + "URL to fetch the CAPTCHA JavaScript library from. Automatically set based on provider selection but can be customized.", + )} > { type="url" value="${ifDefined(formValues.apiUrl)}" required - help=${msg( - "URL used to validate CAPTCHA response on the backend. Automatically set based on provider selection but can be customized.", - )} + help=${this.selectedProvider === "cap" + ? msg( + "Cap's server-side verification endpoint, for example https://cap.example.com/site-key/siteverify.", + ) + : msg( + "URL used to validate CAPTCHA response on the backend. Automatically set based on provider selection but can be customized.", + )} > + + +

+ ${msg( + "Content-Type used for server-side verification. Cap requires JSON; most other providers use form-encoded requests.", + )} +

+ `; } diff --git a/web/src/admin/stages/captcha/shared.ts b/web/src/admin/stages/captcha/shared.ts index ce10318569..f7eb92d518 100644 --- a/web/src/admin/stages/captcha/shared.ts +++ b/web/src/admin/stages/captcha/shared.ts @@ -2,12 +2,35 @@ import { CaptchaStage, CaptchaStageRequest } from "@goauthentik/api"; import { msg } from "@lit/localize"; +export type CaptchaRequestContentType = "application/x-www-form-urlencoded" | "application/json"; + +export const CAPTCHA_REQUEST_CONTENT_TYPES = [ + { + value: "application/x-www-form-urlencoded", + formatDisplayName: () => + msg("Form encoded", { + id: "captcha.request-content-type.form", + }), + }, + { + value: "application/json", + formatDisplayName: () => + msg("JSON", { + id: "captcha.request-content-type.json", + }), + }, +] as const satisfies { + value: CaptchaRequestContentType; + formatDisplayName: () => string; +}[]; + export const CaptchaProviderKeys = [ "recaptcha_v2", "recaptcha_v3", "recaptcha_enterprise", "hcaptcha", "turnstile", + "cap", "custom", ] as const satisfies string[]; @@ -15,8 +38,10 @@ export type CaptchaProviderKey = (typeof CaptchaProviderKeys)[number]; export interface CaptchaProviderPreset { formatDisplayName: () => string; + formatDescription?: () => string; jsUrl: string; apiUrl: string; + requestContentType: CaptchaRequestContentType; interactive: boolean; supportsScore: boolean; score?: { min: number; max: number }; @@ -37,6 +62,7 @@ export const CAPTCHA_PROVIDERS = { }), jsUrl: "https://www.recaptcha.net/recaptcha/api.js", apiUrl: "https://www.recaptcha.net/recaptcha/api/siteverify", + requestContentType: "application/x-www-form-urlencoded", interactive: true, supportsScore: false, formatAPISource: () => @@ -52,6 +78,7 @@ export const CAPTCHA_PROVIDERS = { }), jsUrl: "https://www.recaptcha.net/recaptcha/api.js", apiUrl: "https://www.recaptcha.net/recaptcha/api/siteverify", + requestContentType: "application/x-www-form-urlencoded", interactive: false, supportsScore: true, score: { min: 0.5, max: 1.0 }, @@ -68,6 +95,7 @@ export const CAPTCHA_PROVIDERS = { }), jsUrl: "https://www.recaptcha.net/recaptcha/enterprise.js", apiUrl: "https://www.recaptcha.net/recaptcha/api/siteverify", + requestContentType: "application/x-www-form-urlencoded", interactive: false, supportsScore: true, score: { min: 0.5, max: 1.0 }, @@ -84,6 +112,7 @@ export const CAPTCHA_PROVIDERS = { }), jsUrl: "https://js.hcaptcha.com/1/api.js", apiUrl: "https://api.hcaptcha.com/siteverify", + requestContentType: "application/x-www-form-urlencoded", interactive: true, supportsScore: true, score: { min: 0.0, max: 0.5 }, @@ -100,6 +129,7 @@ export const CAPTCHA_PROVIDERS = { }), jsUrl: "https://challenges.cloudflare.com/turnstile/v0/api.js", apiUrl: "https://challenges.cloudflare.com/turnstile/v0/siteverify", + requestContentType: "application/x-www-form-urlencoded", interactive: true, supportsScore: false, formatAPISource: () => @@ -108,6 +138,26 @@ export const CAPTCHA_PROVIDERS = { }), keyURL: "https://dash.cloudflare.com", }, + cap: { + formatDisplayName: () => + msg("Cap", { + id: "captcha.providers.cap", + }), + formatDescription: () => + msg("Cap is a self-hostable CAPTCHA server that uses proof-of-work challenges.", { + id: "captcha.providers.cap.description", + }), + jsUrl: "https://cap.example.com/assets/widget.js", + apiUrl: "https://cap.example.com/site-key/siteverify", + requestContentType: "application/json", + interactive: true, + supportsScore: false, + formatAPISource: () => + msg("Cap documentation", { + id: "captcha.providers.cap.setup-guide", + }), + keyURL: "https://trycap.dev/guide/", + }, custom: { formatDisplayName: () => msg("Custom", { @@ -115,23 +165,56 @@ export const CAPTCHA_PROVIDERS = { }), jsUrl: "https://www.recaptcha.net/recaptcha/api.js", apiUrl: "https://www.recaptcha.net/recaptcha/api/siteverify", + requestContentType: "application/x-www-form-urlencoded", interactive: false, supportsScore: true, score: { min: 0.5, max: 1.0 }, }, } as const satisfies Record; +export function deriveCapSiteVerifyURL(endpoint: string): string | null { + const trimmedEndpoint = endpoint.trim(); + + if (!URL.canParse(trimmedEndpoint)) { + return null; + } + + const endpointURL = new URL(trimmedEndpoint); + const normalizedEndpoint = endpointURL.href.endsWith("/") + ? endpointURL.href + : `${endpointURL.href}/`; + + return new URL("siteverify", normalizedEndpoint).toString(); +} + /** * Detect which provider preset matches the given {@linkcode CaptchaStage} instance. * This allows the form to show the correct provider in the dropdown when editing * an existing CAPTCHA stage. Falls back to "custom" if no match is found. */ +function isCapWidgetURL(jsUrl?: string | null): boolean { + if (!jsUrl || !URL.canParse(jsUrl)) { + return false; + } + + const { pathname } = new URL(jsUrl); + return pathname.includes("cap-widget") || pathname.endsWith("/assets/widget.js"); +} + export function detectProviderFromInstance(stage?: CaptchaStage | null): CaptchaProviderKey { if (!stage) return "custom"; for (const key of CaptchaProviderKeys) { const preset = CAPTCHA_PROVIDERS[key]; + if ( + key === "cap" && + isCapWidgetURL(stage.jsUrl) && + stage.requestContentType === preset.requestContentType + ) { + return key; + } + if (stage.jsUrl === preset.jsUrl && stage.apiUrl === preset.apiUrl) { return key; } @@ -153,6 +236,7 @@ export function pluckFormValues( return { jsUrl: instance.jsUrl, apiUrl: instance.apiUrl, + requestContentType: instance.requestContentType, interactive: instance.interactive, scoreMinThreshold: instance.scoreMinThreshold, scoreMaxThreshold: instance.scoreMaxThreshold, @@ -163,6 +247,7 @@ export function pluckFormValues( return { jsUrl: preset.jsUrl, apiUrl: preset.apiUrl, + requestContentType: preset.requestContentType, interactive: preset.interactive, scoreMinThreshold: preset.score?.min ?? 0.5, scoreMaxThreshold: preset.score?.max ?? 1.0, diff --git a/web/src/common/theme.ts b/web/src/common/theme.ts index 6bc5717d79..6966c50111 100644 --- a/web/src/common/theme.ts +++ b/web/src/common/theme.ts @@ -261,26 +261,29 @@ declare global { * @param hint The color scheme hint to use. * @param doc The document to apply the theme to. */ -export const applyDocumentTheme = ((currentUITheme = resolveUITheme(), doc = document): void => { +export const applyDocumentTheme = (( + currentUITheme = resolveUITheme(), + ownerDocument = document, +): void => { console.debug(`authentik/theme (document): want to switch to ${currentUITheme} theme`); - const { themeChoice } = doc.documentElement.dataset; + const { themeChoice } = ownerDocument.documentElement.dataset; if (themeChoice && themeChoice !== "auto") { console.debug( `authentik/theme (document): skipping theme application due to explicit choice (${themeChoice})`, ); - doc.dispatchEvent(new ThemeChangeEvent(themeChoice)); + ownerDocument.dispatchEvent(new ThemeChangeEvent(themeChoice)); return; } - doc.documentElement.dataset.theme = currentUITheme; + ownerDocument.documentElement.dataset.theme = currentUITheme; console.debug(`authentik/theme (document): switching to ${currentUITheme} theme`); - doc.dispatchEvent(new ThemeChangeEvent(currentUITheme)); + ownerDocument.dispatchEvent(new ThemeChangeEvent(currentUITheme)); }) satisfies UIThemeListener; /** diff --git a/web/src/elements/Diagram.ts b/web/src/elements/Diagram.ts deleted file mode 100644 index 12b4fa686e..0000000000 --- a/web/src/elements/Diagram.ts +++ /dev/null @@ -1,103 +0,0 @@ -import "#elements/EmptyState"; - -import { EVENT_REFRESH } from "#common/constants"; -import { DOM_PURIFY_STRICT } from "#common/purify"; -import { ThemeChangeEvent } from "#common/theme"; - -import { AKElement } from "#elements/Base"; - -import { UiThemeEnum } from "@goauthentik/api"; - -import mermaid, { MermaidConfig } from "mermaid"; - -import { css, CSSResult, html, TemplateResult } from "lit"; -import { customElement, property } from "lit/decorators.js"; -import { unsafeHTML } from "lit/directives/unsafe-html.js"; -import { until } from "lit/directives/until.js"; - -@customElement("ak-diagram") -export class Diagram extends AKElement { - @property({ attribute: false }) - diagram?: string; - - refreshHandler = (): void => { - if (!this.textContent) return; - this.diagram = this.textContent; - }; - - handlerBound = false; - - static styles: CSSResult[] = [ - css` - :host { - display: flex; - justify-content: center; - } - `, - ]; - - config: MermaidConfig; - - constructor() { - super(); - this.config = { - // The type definition for this says number - // but the example use strings - // and numbers don't work - logLevel: "fatal", - startOnLoad: false, - flowchart: { - curve: "linear", - }, - htmlLabels: false, - securityLevel: "strict", - dompurifyConfig: DOM_PURIFY_STRICT, - }; - mermaid.initialize(this.config); - } - - firstUpdated(): void { - if (this.handlerBound) return; - window.addEventListener(EVENT_REFRESH, this.refreshHandler); - this.addEventListener(ThemeChangeEvent.eventName, ((ev: CustomEvent) => { - if (ev.detail === UiThemeEnum.Dark) { - this.config.theme = "dark"; - } else { - this.config.theme = "default"; - } - mermaid.initialize(this.config); - }) as EventListener); - this.handlerBound = true; - this.refreshHandler(); - } - - disconnectedCallback(): void { - super.disconnectedCallback(); - window.removeEventListener(EVENT_REFRESH, this.refreshHandler); - } - - render(): TemplateResult { - this.querySelectorAll("*").forEach((el) => { - try { - el.remove(); - } catch { - console.debug(`authentik/diagram: failed to remove element ${el}`); - } - }); - if (!this.diagram) { - return html``; - } - return html`${until( - mermaid.render("graph", this.diagram).then((r) => { - r.bindFunctions?.(this.shadowRoot as unknown as Element); - return unsafeHTML(r.svg); - }), - )}`; - } -} - -declare global { - interface HTMLElementTagNameMap { - "ak-diagram": Diagram; - } -} diff --git a/web/src/elements/Diagram/ak-diagram.css b/web/src/elements/Diagram/ak-diagram.css new file mode 100644 index 0000000000..f21bc9f9bb --- /dev/null +++ b/web/src/elements/Diagram/ak-diagram.css @@ -0,0 +1,4 @@ +:host { + display: flex; + justify-content: center; +} diff --git a/web/src/elements/Diagram/ak-diagram.ts b/web/src/elements/Diagram/ak-diagram.ts new file mode 100644 index 0000000000..a0ab870a79 --- /dev/null +++ b/web/src/elements/Diagram/ak-diagram.ts @@ -0,0 +1,88 @@ +import "#elements/EmptyState"; + +import { AKRefreshEvent } from "#common/events"; + +import { AKElement } from "#elements/Base"; +import { listen } from "#elements/decorators/listen"; +import Styles from "#elements/Diagram/ak-diagram.css"; +import { EmptyState } from "#elements/EmptyState"; +import MermaidStyles from "#elements/mermaid/mermaid.css"; +import { loadMermaid } from "#elements/mermaid/utils"; +import { SlottedTemplateResult } from "#elements/types"; + +import { CSSResult, PropertyValues } from "lit"; +import { guard } from "lit-html/directives/guard.js"; +import { customElement, property } from "lit/decorators.js"; +import { unsafeHTML } from "lit/directives/unsafe-html.js"; +import { until } from "lit/directives/until.js"; + +@customElement("ak-diagram") +export class Diagram extends AKElement { + static styles: CSSResult[] = [MermaidStyles, Styles]; + + #diagram = ""; + @property({ attribute: false, useDefault: true }) + public get diagram(): string { + return this.#diagram || this.textContent.trim() || ""; + } + + public set diagram(value: string) { + const previous = this.#diagram; + this.#diagram = value.trim(); + + this.requestUpdate("diagram", previous); + } + + @listen(AKRefreshEvent, { + target: window, + }) + protected syncDiagramContent = (): void => { + if (!this.textContent) return; + this.diagram = this.textContent; + }; + + loadingPlaceholder: EmptyState; + + constructor() { + super(); + this.loadingPlaceholder = new EmptyState(); + this.loadingPlaceholder.loading = true; + } + + protected firstUpdated(changedProperties: PropertyValues): void { + super.firstUpdated(changedProperties); + this.syncDiagramContent(); + } + + protected renderMermaid(): Promise { + return loadMermaid(this.activeTheme).then((mermaid) => { + if (!this.diagram) { + return null; + } + + return mermaid.render(`mermaid-svg-${this.localName}`, this.diagram).then((result) => { + result.bindFunctions?.(this.renderRoot as HTMLElement); + + return unsafeHTML(result.svg); + }); + }); + } + + protected override render(): SlottedTemplateResult { + const { diagram, loadingPlaceholder, activeTheme } = this; + + return guard([diagram, activeTheme], () => { + if (!diagram) { + return loadingPlaceholder; + } + + return until(this.renderMermaid(), loadingPlaceholder); + }); + } +} + +declare global { + interface HTMLElementTagNameMap { + "ak-diagram": Diagram; + } +} diff --git a/web/src/elements/ak-mdx/ak-mdx.tsx b/web/src/elements/ak-mdx/ak-mdx.tsx index 94d100d833..cbc50c2dcc 100644 --- a/web/src/elements/ak-mdx/ak-mdx.tsx +++ b/web/src/elements/ak-mdx/ak-mdx.tsx @@ -11,12 +11,12 @@ import { remarkHeadings } from "#elements/ak-mdx/remark/remark-headings"; import { remarkLists } from "#elements/ak-mdx/remark/remark-lists"; import Styles from "#elements/ak-mdx/styles.css"; import { AKElement } from "#elements/Base"; +import MermaidStyles from "#elements/mermaid/mermaid.css"; +import { loadMermaid } from "#elements/mermaid/utils"; import { DistDirectoryName, StaticDirectoryName } from "#paths"; import OneDark from "#styles/atom/one-dark.css"; -import { UiThemeEnum } from "@goauthentik/api"; - import { compile as compileMDX, run as runMDX } from "@mdx-js/mdx"; import apacheGrammar from "highlight.js/lib/languages/apache"; import diffGrammar from "highlight.js/lib/languages/diff"; @@ -77,6 +77,7 @@ export class AKMDX extends AKElement { PFTable, PFContent, OneDark, + MermaidStyles, Styles, ]; @@ -113,6 +114,8 @@ export class AKMDX extends AKElement { mdxModule.content, ); + const { activeTheme } = this; + const mdx = await compileMDX(normalized, { outputFormat: "function-body", remarkPlugins: [ @@ -132,7 +135,8 @@ export class AKMDX extends AKElement { rehypeMermaid, { prefix: "mermaid-svg-", - colorScheme: this.activeTheme === UiThemeEnum.Dark ? "dark" : "light", + colorScheme: activeTheme, + mermaidConfig: await loadMermaid(activeTheme), } satisfies RehypeMermaidOptions, ], ], diff --git a/web/src/elements/ak-mdx/styles.css b/web/src/elements/ak-mdx/styles.css index 025074820d..7db3238078 100644 --- a/web/src/elements/ak-mdx/styles.css +++ b/web/src/elements/ak-mdx/styles.css @@ -59,21 +59,6 @@ pre:has(.hljs) { padding: var(--pf-global--spacer--md); } -svg[id^="mermaid-svg-"] { - .rect { - fill: var( - --ak-mermaid-box-background-color, - var(--pf-global--BackgroundColor--light-300) - ) !important; - } - - .messageText { - stroke-width: 4; - fill: var(--ak-mermaid-message-text) !important; - paint-order: stroke; - } -} - ak-alert + :is(h2, p) { padding-top: var(--pf-global--spacer--md); } @@ -81,19 +66,7 @@ ak-alert + :is(h2, p) { /* #region Dark Theme */ :host([theme="dark"]) { - --ak-mermaid-message-text: var(--ak-dark-foreground); - --ak-mermaid-box-background-color: var(--ak-dark-background-lighter); --ak-table-stripe-background: var(--pf-global--BackgroundColor--dark-200); - - svg[id^="mermaid-svg-"] { - line[class^="messageLine"] { - /* - Mermaid's support for dynamic palette changes leaves a lot to be desired. - This is a workaround to keep content readable while not breaking the rest of the theme. - */ - filter: invert(1) !important; - } - } } /* #endregion */ diff --git a/web/src/elements/mermaid/mermaid.css b/web/src/elements/mermaid/mermaid.css new file mode 100644 index 0000000000..4e66674c8a --- /dev/null +++ b/web/src/elements/mermaid/mermaid.css @@ -0,0 +1,59 @@ +/* svg[id^="mermaid-svg-"] { */ +/* &.flowchart { + .edgeLabel .label { + padding: 4px 10px; + border-radius: 4px; + background: rgba(0, 0, 0, 0.55); + color: var(--ak-foreground, #fff); + } + } */ + +.flowchart { + foreignObject:has(.edgeLabel) { + display: flex; + align-items: center; + justify-content: center; + overflow: visible; + } + + .edgeLabel, + .edgeLabel .labelBkg { + background-color: transparent; + display: flex !important; + } + + .edgeLabel > span, + .labelBkg > span.edgeLabel { + margin-inline: auto; + max-width: max-content; + padding: 3px 12px; + border-radius: 6px; + white-space: nowrap; + } + + .edgeLabel { + background-color: var(--pf-global--palette--gold-200) !important; + border: 1px solid var(--pf-global--palette--gold-500) !important; + } +} + +svg[id^="mermaid-svg-"] { + & > .rect { + fill: color-mix(var(--pf-global--palette--gold-100), transparent 95%); + stroke: var(--pf-global--palette--gold-100); + stroke-width: 1; + } + + .messageText { + fill: var(--pf-global--Color--100) !important; + } + + .messageLine0 { + stroke: var(--pf-global--palette--purple-300) !important; + } + + [id$="-arrowhead"] path { + fill: var(--pf-global--palette--purple-300) !important; + stroke: var(--pf-global--palette--purple-300) !important; + } +} diff --git a/web/src/elements/mermaid/theme.ts b/web/src/elements/mermaid/theme.ts new file mode 100644 index 0000000000..e2db5ae298 --- /dev/null +++ b/web/src/elements/mermaid/theme.ts @@ -0,0 +1,164 @@ +import type { MermaidConfig } from "mermaid"; + +/** + * Resolves PatternFly CSS custom properties into concrete hex colors and maps + * them onto Mermaid's `themeVariables` keyset. + * + * @remarks + * + * Colors are parsed through a 1x1 canvas so that any valid CSS color form + * (named, rgb/rgba, hsl, or a `var()` chain) collapses to a hex string Mermaid + * can consume. Fully transparent values resolve to `"transparent"`. + * + * PatternFly 4 handles light/dark theming at the token level, so a single token + * set resolves correctly under either theme — no per-theme branching needed. + */ +export class MermaidThemeAdapter { + canvas = new OffscreenCanvas(1, 1); + ctx = this.canvas.getContext("2d"); + + constructor(protected computedStyle: CSSStyleDeclaration) {} + + /** + * Resolve a CSS custom property to a hex color string. + * + * @param cssProperty The CSS custom property name to read. + * @param fallback Color used when the property is unset or empty. + * + * @returns A hex color code string, or `"transparent"` for fully transparent values. + */ + public readHexColorVariable = (cssProperty: string, fallback = "#ff0000"): string => { + if (!this.ctx) { + throw new Error("Could not create canvas context for color parsing"); + } + + this.ctx.clearRect(0, 0, 1, 1); + this.ctx.fillStyle = this.computedStyle.getPropertyValue(cssProperty).trim() || fallback; + this.ctx.fillRect(0, 0, 1, 1); + + const [r, g, b, a] = this.ctx.getImageData(0, 0, 1, 1).data; + + if (a === 0) { + return "transparent"; + } + + // eslint-disable-next-line no-bitwise + return `#${((1 << 24) + (r << 16) + (g << 8) + b).toString(16).slice(1)}`; + }; + + /** + * Read a surface color, substituting an opaque fallback when the token + * resolves to `transparent`. Node fills must never be see-through. + */ + protected readSurface = (cssProperty: string, fallback: string): string => { + const value = this.readHexColorVariable(cssProperty, fallback); + + return value === "transparent" ? fallback : value; + }; + + /** + * Map PatternFly tokens onto Mermaid's `themeVariables`. + * + * @remarks + * + * Requires `theme: "base"` in the Mermaid config — other built-in themes + * ignore most of these overrides. + */ + public toThemeVariables(darkMode?: boolean): MermaidConfig["themeVariables"] { + const { readHexColorVariable: read, readSurface } = this; + + const surface = readSurface("--pf-global--palette--purple-50", "#ffffff"); + const surfaceAlt = readSurface("--pf-global--palette--blue-50", surface); + const surfaceDark = readSurface("--pf-global--palette--black-200", surfaceAlt); + + const textBase = read("--pf-global--palette--purple-700"); + const textSecondary = read( + darkMode ? "--pf-global--palette--gold-100" : "--pf-global--palette--gold-400", + ); + const border = read( + darkMode ? "--pf-global--palette--purple-300" : "--pf-global--palette--purple-700", + ); + + const primaryBorder = read("--pf-global--palette--purple-400"); + const primaryAccent = read("--pf-global--palette--purple-100"); + const primaryAccentText = read("--pf-global--palette--purple-700"); + + const success = read("--pf-global--success-color--100"); + const danger = read("--pf-global--danger-color--100"); + const warning = read("--pf-global--warning-color--100"); + const info = read("--pf-global--info-color--100"); + + return { + // Base / canvas + background: surface, + mainBkg: surface, + fontFamily: "var(--ak-font-family-sans-serif)", + + // Primary node + primaryColor: surface, + primaryBorderColor: primaryBorder, + primaryTextColor: textBase, + + // Secondary node + secondaryColor: surfaceAlt, + secondaryBorderColor: border, + secondaryTextColor: textBase, + + // Tertiary node + tertiaryColor: surfaceDark, + tertiaryBorderColor: border, + tertiaryTextColor: textBase, + + // Edges / lines / labels + lineColor: textSecondary, + edgeLabelBackground: surface, + titleColor: textBase, + + // Generic node fallbacks + nodeBorder: border, + nodeTextColor: textBase, + + // Clusters / subgraphs + clusterBkg: surfaceDark, + clusterBorder: border, + + // Notes + noteBkgColor: warning, + noteTextColor: textBase, + noteBorderColor: border, + + // Brand accents (classDef / linkStyle) + primaryColorAccent: primaryAccent, + primaryTextColorAccent: primaryAccentText, + + // Status (state / git / quadrant diagrams) + successColor: success, + errorColor: danger, + warningColor: warning, + infoColor: info, + + // Sequence / state actors + actorBkg: surface, + actorBorder: border, + actorTextColor: textBase, + labelBoxBkgColor: surface, + labelTextColor: textBase, + }; + } + + /** + * Semantic accent colors for emitting `linkStyle` / `classDef` directives + * into diagram source (e.g. coloring policy pass/fail edges). + */ + public toAccents() { + const { readHexColorVariable: read } = this; + + return { + success: read("--pf-global--success-color--100"), + danger: read("--pf-global--danger-color--100"), + warning: read("--pf-global--warning-color--100"), + info: read("--pf-global--info-color--100"), + primary: read("--pf-global--palette--purple-100"), + }; + } +} diff --git a/web/src/elements/mermaid/utils.ts b/web/src/elements/mermaid/utils.ts new file mode 100644 index 0000000000..a6192cb826 --- /dev/null +++ b/web/src/elements/mermaid/utils.ts @@ -0,0 +1,76 @@ +import MermaidStyles from "./mermaid.css"; + +import { DOM_PURIFY_STRICT } from "#common/purify"; +import { ResolvedUITheme } from "#common/theme"; + +import { MermaidThemeAdapter } from "#elements/mermaid/theme"; + +import elkLayouts from "@mermaid-js/layout-elk"; +import type { Mermaid, MermaidConfig } from "mermaid"; + +export const DefaultMermaidConfig: Readonly = { + logLevel: "fatal", + startOnLoad: false, + htmlLabels: true, + fontFamily: "var(--ak-font-family-sans-serif)", + layout: "elk", + flowchart: { + curve: "linear", + + nodeSpacing: 25, + rankSpacing: 25, + wrappingWidth: 500, + }, + theme: "base", + securityLevel: "strict", + dompurifyConfig: DOM_PURIFY_STRICT, +}; + +let lastActiveTheme: ResolvedUITheme | null = null; +let mermaid: Mermaid | null = null; + +/** + * Load the Mermaid library and initialize it with the appropriate theme based + * on the provided UI theme. + * + * @remarks + * + * Mermaid is only loaded once and cached for subsequent calls. Note that + * Mermaid is a singleton and does not support multiple instances with different + * configurations. Re-initialization occurs only when the active theme changes. + * + * @param uiTheme The resolved UI theme to derive Mermaid colors from. + * @returns The initialized Mermaid singleton. + */ +export async function loadMermaid(uiTheme: ResolvedUITheme): Promise { + if (!mermaid) { + const mermaidModule = await import("mermaid"); + mermaid = mermaidModule.default; + mermaid.registerLayoutLoaders(elkLayouts); + } + + if (uiTheme && uiTheme === lastActiveTheme) { + return mermaid; + } + + await new Promise((resolve) => requestAnimationFrame(resolve)); + + const computedStyle = getComputedStyle(document.documentElement); + const darkMode = uiTheme === "dark"; + + const themeAdapter = new MermaidThemeAdapter(computedStyle); + const themeVariables = themeAdapter.toThemeVariables(darkMode); + + mermaid.initialize({ + ...DefaultMermaidConfig, + themeVariables: { + ...themeVariables, + }, + darkMode, + themeCSS: String(MermaidStyles), + }); + + lastActiveTheme = uiTheme; + + return mermaid; +} diff --git a/web/src/flow/stages/captcha/CaptchaStage.css b/web/src/flow/stages/captcha/CaptchaStage.css index 1256ec09e1..4a70ac0c7e 100644 --- a/web/src/flow/stages/captcha/CaptchaStage.css +++ b/web/src/flow/stages/captcha/CaptchaStage.css @@ -36,4 +36,9 @@ ak-stage-captcha[theme="dark"].style-scope { background-color: var(--captcha-background-from); animation: captcha-background-animation 1s infinite var(--pf-global--TimingFunction); } + + &[data-transparent-loading="true"][data-ready="loading"] { + background-color: transparent; + animation: none; + } } diff --git a/web/src/flow/stages/captcha/CaptchaStage.ts b/web/src/flow/stages/captcha/CaptchaStage.ts index 51859f2596..dfd3198fd2 100644 --- a/web/src/flow/stages/captcha/CaptchaStage.ts +++ b/web/src/flow/stages/captcha/CaptchaStage.ts @@ -12,6 +12,7 @@ import { AKFormErrors, ErrorProp } from "#components/ak-field-errors"; import { FlowUserDetails } from "#flow/FormStatic"; import { BaseStage } from "#flow/stages/base"; import Styles from "#flow/stages/captcha/CaptchaStage.css"; +import { CapController, isCapWidgetURL } from "#flow/stages/captcha/controllers/cap"; import { CaptchaController, CaptchaControllerConstructor, @@ -53,7 +54,14 @@ interface LoadMessage { message: "load"; } -type IframeMessageEvent = MessageEvent; +interface ErrorMessage { + source?: string; + context?: string; + message: "error"; + error: string; +} + +type IframeMessageEvent = MessageEvent; @customElement("ak-stage-captcha") export class CaptchaStage @@ -79,6 +87,7 @@ export class CaptchaStage HCaptchaController, GReCaptchaController, TurnstileController, + CapController, ]); #logger = ConsoleLogger.prefix("flow:captcha"); @@ -165,6 +174,9 @@ export class CaptchaStage return match(data) .with({ message: "captcha" }, ({ token }) => this.onTokenChange(token)) .with({ message: "load" }, this.#loadListener) + .with({ message: "error" }, ({ error }) => { + this.error = error; + }) .otherwise(({ message }) => { this.#logger.debug(`Unknown message: ${message}`); }); @@ -183,12 +195,18 @@ export class CaptchaStage } if (this.challenge?.interactive) { + // Cap renders its own framed widget, so the generic iframe loading shimmer looks like + // an extra CAPTCHA box flashing behind it. + const isCapChallenge = + URL.canParse(this.challenge.jsUrl) && isCapWidgetURL(new URL(this.challenge.jsUrl)); + return html` @@ -306,8 +324,13 @@ export class CaptchaStage // Then, load the new script... const scriptElement = document.createElement("script"); + const matchedController = Array.from(CaptchaStage.controllers).find((Controller) => + Controller.matchesURL(challengeURL), + ); scriptElement.src = challengeURL.toString(); + scriptElement.type = + matchedController?.scriptType === "module" ? "module" : "text/javascript"; scriptElement.async = true; scriptElement.defer = true; scriptElement.onload = this.#scriptLoadListener; @@ -528,6 +551,7 @@ export class CaptchaStage challengeURL: challengeURL.toString(), theme: this.activeTheme, scriptOnLoad: !(controller instanceof TurnstileController), + scriptType: controller.scriptType, }); if ( diff --git a/web/src/flow/stages/captcha/controllers/CaptchaController.ts b/web/src/flow/stages/captcha/controllers/CaptchaController.ts index 6da5320f84..6c0c2820d6 100644 --- a/web/src/flow/stages/captcha/controllers/CaptchaController.ts +++ b/web/src/flow/stages/captcha/controllers/CaptchaController.ts @@ -28,6 +28,20 @@ export abstract class CaptchaController implements ReactiveController { return (this.constructor as typeof CaptchaController).globalName; } + public static readonly scriptType: "classic" | "module" = "classic"; + + public get scriptType(): "classic" | "module" { + return (this.constructor as typeof CaptchaController).scriptType; + } + + public static isAvailable(): boolean { + return Object.hasOwn(window, this.globalName); + } + + public static matchesURL(_url: URL): boolean { + return false; + } + /** * A prefix for log messages from this controller. */ @@ -42,7 +56,7 @@ export abstract class CaptchaController implements ReactiveController { ): Array { return Array.from(controllerConstructors).filter((Controller) => { // Can we find the global for this captcha provider? - return Object.hasOwn(window, Controller.globalName); + return Controller.isAvailable(); }); } @@ -98,6 +112,9 @@ export abstract class CaptchaController implements ReactiveController { export type CaptchaControllerConstructor = { globalName: string; + scriptType: "classic" | "module"; + isAvailable: () => boolean; + matchesURL: (url: URL) => boolean; } & (new (host: CaptchaHandlerHost) => CaptchaController); export interface CaptchaHandlerHost extends ReactiveControllerHost { diff --git a/web/src/flow/stages/captcha/controllers/cap.ts b/web/src/flow/stages/captcha/controllers/cap.ts new file mode 100644 index 0000000000..47dfaa3f81 --- /dev/null +++ b/web/src/flow/stages/captcha/controllers/cap.ts @@ -0,0 +1,61 @@ +import { CaptchaController } from "#flow/stages/captcha/controllers/CaptchaController"; + +import { html } from "lit"; + +export function isCapWidgetURL(url: URL): boolean { + return url.pathname.includes("cap-widget") || url.pathname.endsWith("/assets/widget.js"); +} + +export class CapController extends CaptchaController { + public static readonly globalName = "cap-widget"; + + public static readonly scriptType = "module"; + + public static override isAvailable(): boolean { + return customElements.get("cap-widget") !== undefined; + } + + public static override matchesURL(url: URL): boolean { + return isCapWidgetURL(url); + } + + public interactive = () => { + const endpoint = this.host.challenge?.siteKey ?? ""; + + return html`
+ +
+ `; + }; + + public refreshInteractive = async () => { + this.host.iframeRef.value?.contentWindow?.location.reload(); + }; + + public execute = async () => { + throw new Error("Cap requires interactive mode."); + }; + + public refresh = async () => { + throw new Error("Cap requires interactive mode."); + }; +} diff --git a/web/src/flow/stages/captcha/shared.ts b/web/src/flow/stages/captcha/shared.ts index 5245809e7f..a3613aa421 100644 --- a/web/src/flow/stages/captcha/shared.ts +++ b/web/src/flow/stages/captcha/shared.ts @@ -30,6 +30,7 @@ export interface IFrameTemplateInit { * Defaults to `true`. */ scriptOnLoad?: boolean; + scriptType?: "classic" | "module"; } /** @@ -42,7 +43,7 @@ export interface IFrameTemplateInit { */ export function iframeTemplate( children: TemplateResult, - { challengeURL, theme, scriptOnLoad = true }: IFrameTemplateInit, + { challengeURL, theme, scriptOnLoad = true, scriptType = "classic" }: IFrameTemplateInit, ) { return createDocumentTemplate({ head: html` @@ -75,7 +76,7 @@ export function iframeTemplate( ${children} `, diff --git a/web/src/flow/stages/identification/controllers/CaptchaDisplayController.ts b/web/src/flow/stages/identification/controllers/CaptchaDisplayController.ts index b77691567d..918db04736 100644 --- a/web/src/flow/stages/identification/controllers/CaptchaDisplayController.ts +++ b/web/src/flow/stages/identification/controllers/CaptchaDisplayController.ts @@ -49,6 +49,12 @@ export class CaptchaDisplayController implements ReactiveController { const input = this.#inputRef.value; if (!input) return; input.value = token; + // The surrounding identification form only updates its validity when form controls + // emit normal input events, so mirror a user's field change after the CAPTCHA solves. + input.dispatchEvent(new Event("input", { bubbles: true, composed: true })); + input.dispatchEvent(new Event("change", { bubbles: true, composed: true })); + this.#loaded = true; + this.host.requestUpdate(); }; public onFailure() { diff --git a/web/xliff/cs-CZ.xlf b/web/xliff/cs-CZ.xlf index 5515cebdbf..e0b633b284 100644 --- a/web/xliff/cs-CZ.xlf +++ b/web/xliff/cs-CZ.xlf @@ -6187,10 +6187,6 @@ neprojde, když jedna nebo obě z vybraných možností jsou rovny nebo nad prah Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed. Volitelně omezte, které typy zařízení WebAuthn mohou být použity. Pokud nejsou vybrány žádné typy zařízení, jsou povolena všechna zařízení. - - This restriction only applies to devices created in authentik 2024.4 or later. - Toto omezení se vztahuje pouze na zařízení vytvořená v authentik 2024.4 nebo novějších verzích. - Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello). Krok použitý k nastavení WebAuthn autentizátoru (např. Yubikey, FaceID/Windows Hello). diff --git a/web/xliff/de-DE.xlf b/web/xliff/de-DE.xlf index e07cd9f2c7..7d7b38120e 100644 --- a/web/xliff/de-DE.xlf +++ b/web/xliff/de-DE.xlf @@ -6213,10 +6213,6 @@ Beim Erstellen eines festen Auswahlfelds aktiviere „Als Ausdruck interpretiere Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed. Optional kannst du einschränken, welche WebAuthn-Gerätetypen verwendet werden dürfen. Wenn keine Gerätetypen ausgewählt sind, sind alle Geräte erlaubt. - - This restriction only applies to devices created in authentik 2024.4 or later. - Diese Beschränkung gilt nur für Geräte, die in authentik 2024.4 oder neuer erstellt wurden. - Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello). Stage zur Konfiguration eines WebAuthn-Authenticators (z. B. Yubikey, FaceID/Windows Hello). diff --git a/web/xliff/en.xlf b/web/xliff/en.xlf index 53c95b2ad2..299855a203 100644 --- a/web/xliff/en.xlf +++ b/web/xliff/en.xlf @@ -4781,9 +4781,6 @@ doesn't pass when either or both of the selected options are equal or above the Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed. - - This restriction only applies to devices created in authentik 2024.4 or later. - Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello). diff --git a/web/xliff/es-ES.xlf b/web/xliff/es-ES.xlf index 2d8e26c5f6..57a0f06b07 100644 --- a/web/xliff/es-ES.xlf +++ b/web/xliff/es-ES.xlf @@ -6153,10 +6153,6 @@ El valor de este campo se compara con el atributo de pertenencia del usuario.Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed. Opcionalmente, restrinja los tipos de dispositivos WebAuthn que se pueden usar. Si no se selecciona ningún tipo de dispositivo, se permiten todos. - - This restriction only applies to devices created in authentik 2024.4 or later. - Esta restricción solo se aplica a dispositivos creados en authentik 2024.4 o posterior. - Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello). Etapa utilizada para configurar un autenticador WebAuthn (es decir, Yubikey, FaceID/Windows Hello). diff --git a/web/xliff/fi-FI.xlf b/web/xliff/fi-FI.xlf index 908b56d2af..64c19da239 100644 --- a/web/xliff/fi-FI.xlf +++ b/web/xliff/fi-FI.xlf @@ -6328,10 +6328,6 @@ läpäisy estyy kun jompi kumpi tai molemmat vaihtoehdot ylittävät raja-arvon. Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed. Valinnaisesti voit rajoittaa, mitä WebAuthn-laitetyyppejä voidaan käyttää. Jos mitään tyyppiä ei ole valittu, kaiken tyyppiset laitteet sallitaan. - - This restriction only applies to devices created in authentik 2024.4 or later. - Tämä rajoitus koskee vain laitteita, jotka on luotu authentik 2024.4 tai uudemmalla versiolla. - Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello). Vaihe, jolla määritellään WebAuthn-todentaja (esim. Yubikey, FaceID/Windows Hello). diff --git a/web/xliff/fr-FR.xlf b/web/xliff/fr-FR.xlf index d0b4174309..831b3d0501 100644 --- a/web/xliff/fr-FR.xlf +++ b/web/xliff/fr-FR.xlf @@ -6318,10 +6318,6 @@ doesn't pass when either or both of the selected options are equal or above the Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed. Optionnel, restreindre quels types d'appareil WebAuthn peuvent être utilisés. Lorsqu'aucun type d'appareil n'est sélectionné, tout les appareils sont autorisés. - - This restriction only applies to devices created in authentik 2024.4 or later. - Les restrictions ne s'appliquent qu'aux appareils créés dans authentik 2024.4 ou ultérieur. - Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello). Étape de configuration d'un authentificateur WebAuthn (Yubikey, FaceID/Windows Hello). diff --git a/web/xliff/it-IT.xlf b/web/xliff/it-IT.xlf index ae785e0830..70bea2cf10 100644 --- a/web/xliff/it-IT.xlf +++ b/web/xliff/it-IT.xlf @@ -6110,10 +6110,6 @@ doesn't pass when either or both of the selected options are equal or above the Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed. Facoltativamente limitare quali tipi di dispositivi WebAuthn possono essere utilizzati. Quando non vengono selezionati tipi di dispositivi, tutti i dispositivi sono consentiti. - - This restriction only applies to devices created in authentik 2024.4 or later. - Questa restrizione si applica solo ai dispositivi creati in authentik 2024.4 o versione successiva. - Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello). Fase utilizzato per configurare un autenticatore WebAuthn (ovvero Yubikey, FaceId/Windows Hello). diff --git a/web/xliff/ja-JP.xlf b/web/xliff/ja-JP.xlf index c050ecbbe8..938133e8c1 100644 --- a/web/xliff/ja-JP.xlf +++ b/web/xliff/ja-JP.xlf @@ -6322,10 +6322,6 @@ doesn't pass when either or both of the selected options are equal or above the Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed. どの WebAuthn デバイスタイプを使用できるかをオプションで制限します。デバイスタイプが選択されていない場合、すべてのデバイスが許可されます。 - - This restriction only applies to devices created in authentik 2024.4 or later. - この制限は authentik 2024.4 以降で作成されたデバイスにのみ適用されます。 - Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello). WebAuthn 認証器を設定するために使用されるステージ(例:Yubikey、FaceID/Windows Hello)。 diff --git a/web/xliff/ko-KR.xlf b/web/xliff/ko-KR.xlf index 4c3f600733..f8d0affac6 100644 --- a/web/xliff/ko-KR.xlf +++ b/web/xliff/ko-KR.xlf @@ -5880,10 +5880,6 @@ doesn't pass when either or both of the selected options are equal or above the Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed. - - This restriction only applies to devices created in authentik 2024.4 or later. - 이 제한은 authentik 2024.4 또는 이후에 등록된 기기에만 적용됩니다. - Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello). WebAuthn 인증기를 구성하는 데 사용되는 스테이지(예: Yubikey, FaceID/Windows Hello). diff --git a/web/xliff/nl-NL.xlf b/web/xliff/nl-NL.xlf index d47029f2d6..35dcea3012 100644 --- a/web/xliff/nl-NL.xlf +++ b/web/xliff/nl-NL.xlf @@ -5665,9 +5665,6 @@ slaagt niet wanneer een of beide geselecteerde opties gelijk zijn aan of boven d Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed. - - This restriction only applies to devices created in authentik 2024.4 or later. - Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello). diff --git a/web/xliff/pl-PL.xlf b/web/xliff/pl-PL.xlf index 55bf4aab79..b9082faea9 100644 --- a/web/xliff/pl-PL.xlf +++ b/web/xliff/pl-PL.xlf @@ -5896,10 +5896,6 @@ Można tu używać tylko zasad, ponieważ dostęp jest sprawdzany przed uwierzyt Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed. Opcjonalnie ogranicza, które typy urządzeń WebAuthn mogą być używane. Jeśli nie wybrano żadnego typu urządzenia, wszystkie urządzenia są dozwolone. - - This restriction only applies to devices created in authentik 2024.4 or later. - To ograniczenie dotyczy tylko urządzeń utworzonych w wersji authentik 2024.4 lub nowszej. - Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello). Etap używany do konfiguracji uwierzytelniacza WebAuthn (np. Yubikey, FaceID/Windows Hello). diff --git a/web/xliff/pt-BR.xlf b/web/xliff/pt-BR.xlf index e9454e0fc0..345b3dbad6 100644 --- a/web/xliff/pt-BR.xlf +++ b/web/xliff/pt-BR.xlf @@ -6322,10 +6322,6 @@ retorne uma lista para fornecer várias opções padrão. Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed. Opcionalmente restrinja quais tipos de dispositivos WebAuthn podem ser usados. Quando nenhum tipo de dispositivo é selecionado, todos os dispositivos são permitidos. - - This restriction only applies to devices created in authentik 2024.4 or later. - Essa restrição se aplica apenas a dispositivos criados no authentik 2024.4 ou posterior. - Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello). Etapa usada para configurar um autenticador WebAuthn (ex.: Yubikey, FaceID/Windows Hello). diff --git a/web/xliff/ru-RU.xlf b/web/xliff/ru-RU.xlf index e685331bb5..87eb455407 100644 --- a/web/xliff/ru-RU.xlf +++ b/web/xliff/ru-RU.xlf @@ -5946,10 +5946,6 @@ doesn't pass when either or both of the selected options are equal or above the Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed. Опционально ограничьте типы устройств WebAuthn, которые могут быть использованы. Если типы устройств не выбраны, разрешены все устройства. - - This restriction only applies to devices created in authentik 2024.4 or later. - Это ограничение распространяется только на устройства, созданные в authentik 2024.4 или более поздней версии. - Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello). Этап, используемый для настройки аутентификатора WebAuthn (например, Yubikey, FaceID/Windows Hello). diff --git a/web/xliff/tr-TR.xlf b/web/xliff/tr-TR.xlf index 150b9b802c..e30d5d4895 100644 --- a/web/xliff/tr-TR.xlf +++ b/web/xliff/tr-TR.xlf @@ -5944,10 +5944,6 @@ Belirlenen seçeneklerden biri veya her ikisi de eşiğe eşit veya eşiğin üz Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed. İsteğe bağlı olarak, hangi WebAuthn cihaz türlerinin kullanılabileceğini kısıtlayın. Hiçbir cihaz türü seçilmediğinde, tüm cihazlara izin verilir. - - This restriction only applies to devices created in authentik 2024.4 or later. - Bu kısıtlama yalnızca authentik 2024.4 veya sonraki sürümlerde oluşturulan cihazlar için geçerlidir. - Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello). Bir WebAuthn kimlik doğrulayıcısını yapılandırmak için kullanılan sahne alanı (ör. Yubikey, FaceID/Windows Hello). diff --git a/web/xliff/zh-Hans.xlf b/web/xliff/zh-Hans.xlf index c2c7379fed..f686ae61eb 100644 --- a/web/xliff/zh-Hans.xlf +++ b/web/xliff/zh-Hans.xlf @@ -6379,10 +6379,6 @@ doesn't pass when either or both of the selected options are equal or above the Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed. 可选的 WebAuthn 可用设备类型限制。如果未选择设备类型,则允许所有设备。 - - This restriction only applies to devices created in authentik 2024.4 or later. - 此限制仅适用于在 authentik 2024.4 或更新版本中创建的设备。 - Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello). 用来配置 WebAuthn 身份验证器(即 Yubikey、FaceID/Windows Hello)的阶段。 diff --git a/web/xliff/zh-Hant.xlf b/web/xliff/zh-Hant.xlf index 569e92981a..7cbccaf305 100644 --- a/web/xliff/zh-Hant.xlf +++ b/web/xliff/zh-Hant.xlf @@ -5707,9 +5707,6 @@ doesn't pass when either or both of the selected options are equal or above the Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed. - - This restriction only applies to devices created in authentik 2024.4 or later. - Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello). 用於設定 WebAuthn 身份認證器的階段(例如 Yubikey、FaceID/Windows Hello)。 diff --git a/website/docs/add-secure-apps/flows-stages/stages/captcha/index.md b/website/docs/add-secure-apps/flows-stages/stages/captcha/index.md index 3f65660a9c..79ef5679e6 100644 --- a/website/docs/add-secure-apps/flows-stages/stages/captcha/index.md +++ b/website/docs/add-secure-apps/flows-stages/stages/captcha/index.md @@ -2,7 +2,7 @@ title: Captcha stage --- -The Captcha stage adds CAPTCHA verification to a flow by using Google reCAPTCHA or compatible alternatives like hCaptcha and Cloudflare Turnstile. +The Captcha stage adds CAPTCHA verification to a flow by using Google reCAPTCHA or compatible alternatives like hCaptcha, Cloudflare Turnstile, and Cap. ## Overview @@ -20,6 +20,7 @@ It can either be bound to a flow or embedded inside the [Identification stage](. - **Error on invalid score**: show an error immediately when the score is outside the configured threshold. If disabled, the flow continues and policies can inspect the result from context. - **JS URL**: JavaScript loader URL for the provider. - **API URL**: verification endpoint URL for the provider. +- **Request content type**: content type used when authentik verifies the CAPTCHA token with the provider. ## Flow integration @@ -55,6 +56,25 @@ Recommended values: Score thresholds only apply to hCaptcha Enterprise. +### Cap + +Cap is a self-hostable CAPTCHA server that uses proof-of-work challenges. + +See https://trycap.dev/guide/. + +authentik supports Cap's default widget. The floating widget is not supported. + +Recommended values: + +- **Public key**: public Cap endpoint for the site key path, for example `https://cap.example.com/site-key/` +- **Private key**: Cap secret key +- **Interactive**: enabled +- **JS URL**: self-hosted Cap widget asset, for example `https://cap.example.com/assets/widget.js`. If you use a CDN, pin a reviewed release such as `https://cdn.jsdelivr.net/npm/cap-widget@` instead of the unversioned package URL. See [Cap releases](https://github.com/tiagozip/cap/releases). +- **API URL**: Cap verification endpoint, for example `https://cap.example.com/site-key/siteverify` +- **Request content type**: JSON + +Cap does not use score thresholds. + ### Cloudflare Turnstile See https://developers.cloudflare.com/turnstile/get-started/migrating-from-recaptcha. diff --git a/website/docs/add-secure-apps/providers/scim/create-scim-provider.md b/website/docs/add-secure-apps/providers/scim/create-scim-provider.md new file mode 100644 index 0000000000..7258c50f62 --- /dev/null +++ b/website/docs/add-secure-apps/providers/scim/create-scim-provider.md @@ -0,0 +1,71 @@ +--- +title: Create a SCIM provider +--- + +## Create a SCIM provider with token authentication + +To create a provider along with a corresponding application, navigate to **Applications** > **Applications** and click **New Application**. We recommend this combined approach for most common use cases. Alternatively, you can use the legacy method to solely create the provider by navigating to **Applications** > **Providers** and clicking **New Provider**. + +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **New Application** to create an application and provider pair. +3. On the **Application** page, define the application settings, and then click **Next**. +4. Select **SCIM** as the **Provider Type**, and then click **Next**. +5. On the **Configure Provider** page, provide the configuration settings, and then click **Next**. +6. On the **Configure Bindings** page, click **Next**. +7. Click **Create** to create both the application and the provider. + +### Set the SCIM provider as a backchannel provider for the application + +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click the edit icon of the new SCIM application. +3. Click the plus icon (+) next to **Backchannel providers**. +4. Select the new SCIM provider, and then click **Confirm**. +5. Click **Save changes**. + +## Create a SCIM provider with OAuth authentication + +There are 3 required steps to creating a SCIM provider: + +1. [Create an OAuth source](#create-an-oauth-source) +2. [Create a SCIM application and provider](#create-a-scim-application-and-provider) +3. [Set the SCIM provider as a backchannel provider for the application](#set-the-scim-provider-as-a-backchannel-provider-for-the-application) + +If using OAuth (Interactive) mode, you will also need to: + +4. [Provide admin authorization](#provide-admin-authorization-oauth-interactive-mode-only) + +### Create an OAuth source + +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Directory** > **Federation and Social login** and click **New Source**. +3. Select **OpenID OAuth Source** as the **Source type**. +4. On the **OpenID OAuth Source Details** page, provide the configuration settings provided by the SCIM endpoint that you are provisioning to, and then click **Create**. + +### Create a SCIM application and provider + +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **New Application** to create an application and provider pair. +3. On the **Application** page, define the application settings, and then click **Next**. +4. Select **SCIM** as the **Provider Type**, and then click **Next**. +5. On the **Configure Provider** page, configure the required settings. Set **Authentication mode** to the desired OAuth option, select the **OAuth source** you created in the previous section, and then click **Next**. +6. On the **Configure Bindings** page, click **Next**. +7. Click **Create** to create both the application and the provider. + +### Set the SCIM provider as a backchannel provider for the application + +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click the edit icon of the new SCIM application. +3. Click the plus icon (+) next to **Backchannel providers**. +4. Select the new SCIM provider, and then click **Confirm**. +5. Click **Save changes**. + +### Provide admin authorization (OAuth Interactive mode only) + +If you selected **OAuth (Interactive)** as the **Authentication mode** for the SCIM provider, you will need to authorize the initial OAuth connection. + +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Applications** > **Providers** and click the name of the new SCIM provider. +3. Next to **OAuth Status**, click **(Re-)Authenticate**. +4. You should be redirected to the SCIM endpoint that you are provisioning to for authentication. +5. Once authenticated, you should be redirected back to authentik. If successful, **OAuth Status** should now show as **Authenticated**. + This step is only required when initially configuring the SCIM provider; subsequent authentications will be automatic. diff --git a/website/docs/add-secure-apps/providers/scim/index.md b/website/docs/add-secure-apps/providers/scim/index.md index 0c516b745c..12f1ef9cc2 100644 --- a/website/docs/add-secure-apps/providers/scim/index.md +++ b/website/docs/add-secure-apps/providers/scim/index.md @@ -8,13 +8,7 @@ A SCIM provider requires a SCIM base URL for the endpoint and an authentication SCIM providers in authentik always serve as [backchannel providers](../../applications/manage_apps.mdx#backchannel-providers), which are used in addition to the main provider that supplies SSO authentication. A backchannel provider is used for an application that requires backend authentication, directory synchronization, or other additional authentication needs. -## Set up a SCIM provider - -Many applications use SCIM together with another SSO protocol such as OAuth/OIDC or SAML. For example, you can create an application and provider pair for Slack by using SAML for authentication and SCIM for provisioning. For this setup, use the following workflow: - -1. [Create](../../applications/manage_apps.mdx#create-an-application-and-provider-pair) the application and provider pair. -2. [Create](../../applications/manage_apps.mdx#backchannel-providers) the SCIM backchannel provider. -3. Edit the application, and in the **Backchannel Providers** field add the SCIM provider that you created. +For instructions on creating a SCIM provider, refer to the [Create a SCIM provider](./create-scim-provider.md) documentation. ## Authentication modes @@ -23,12 +17,6 @@ In authentik, there are two ways to authenticate SCIM requests: - **Static token** provided by the application. This is the default authentication mode. - **OAuth token** that authentik retrieves from a specified source and uses for authentication. -When you create a new SCIM provider, select the **Authentication Mode** that the application supports. - -![Creating a SCIM provider](./scim_oauth.png) - -For either mode, enter the SCIM base **URL** for the endpoint. - ### Static token When the authentication mode is set to **Static token**, authentik sends the token provided by the application with outgoing SCIM requests to authenticate each request. @@ -37,6 +25,12 @@ When the authentication mode is set to **Static token**, authentik sends the tok When you configure a SCIM provider to use OAuth for authentication, authentik generates short-lived tokens through an OAuth flow and sends them to the SCIM endpoint. This offers improved security and control compared with a static token. +authentik supports two types of SCIM OAuth authentication: + +- **Silent OAuth** – The system obtains or refreshes access tokens automatically, without any administrator interaction. This is the typical approach used for ongoing SCIM provisioning. + +- **Interactive OAuth** – During setup, an administrator is required to authorize the connection before the SCIM integration can obtain its initial token. authentik then stores a refresh token, and provisioning then runs in the background without further admin interaction. + You can also add additional token request parameters such as `grant_type`, `subject_token`, or `client_assertion`. **Example**: diff --git a/website/docs/install-config/first-steps/index.mdx b/website/docs/install-config/first-steps/index.mdx index 25f0f1e0ed..e07e6d0ffe 100644 --- a/website/docs/install-config/first-steps/index.mdx +++ b/website/docs/install-config/first-steps/index.mdx @@ -102,7 +102,7 @@ Every application that you add to authentik requires a provider, which is used t authorization, etc. - **Protocol settings**: provide the following required configurations: - Note the **Client ID**, **Client Secret**, and **Slug** values because they will be required later when you configure Grafana to use authentik. - - Set the **Redirect URI** as a `Strict` redirect to `https://grafana.company/login/generic_oauth`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://grafana.company/login/generic_oauth`. - TIP: The Redirect URI is where a user is directed to, as soon as authentik's authorization flow is successfully completed. - **Grant Types** (required): Select at least one [grant type](../../add-secure-apps/providers/oauth2/#oauth-20-flows-and-grant-types) that the provider can use. diff --git a/website/docs/sidebar.mjs b/website/docs/sidebar.mjs index 8ee5468744..d32fe47197 100644 --- a/website/docs/sidebar.mjs +++ b/website/docs/sidebar.mjs @@ -254,7 +254,15 @@ const items = [ "add-secure-apps/providers/saml/saml_single_logout", ], }, - "add-secure-apps/providers/scim/index", + { + type: "category", + label: "SCIM Provider", + link: { + type: "doc", + id: "add-secure-apps/providers/scim/index", + }, + items: ["add-secure-apps/providers/scim/create-scim-provider"], + }, { type: "category", label: "SSF Provider", diff --git a/website/integrations/_redirect-uri-2026-5-note.mdx b/website/integrations/_redirect-uri-2026-5-note.mdx new file mode 100644 index 0000000000..309aa5dc3f --- /dev/null +++ b/website/integrations/_redirect-uri-2026-5-note.mdx @@ -0,0 +1,3 @@ +:::info Redirect URI changes in authentik 2026.5 +In authentik versions earlier than 2026.5, all **Redirect URIs** are automatically treated as `Authorization` type. If you are using one of these older authentik versions, add only the `Authorization` URL to your **Redirect URIs** and do not configure a `Post Logout` URI. +::: diff --git a/website/integrations/chat-communication-collaboration/affine/index.md b/website/integrations/chat-communication-collaboration/affine/index.md index 62d37b65e3..260489d9b8 100644 --- a/website/integrations/chat-communication-collaboration/affine/index.md +++ b/website/integrations/chat-communication-collaboration/affine/index.md @@ -4,6 +4,8 @@ sidebar_label: AFFiNE support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is AFFiNE? > AFFiNE is an open-source, self-hostable workspace for documents, whiteboards, and databases. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of AFFiNE with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of AFFiNE with authentik, you need to create an appli - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Add one `Strict` redirect URI and set it to `https://affine.company/oauth/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://affine.company/oauth/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/chat-communication-collaboration/chatgpt/index.mdx b/website/integrations/chat-communication-collaboration/chatgpt/index.mdx index 8108314f42..427cccdcd9 100644 --- a/website/integrations/chat-communication-collaboration/chatgpt/index.mdx +++ b/website/integrations/chat-communication-collaboration/chatgpt/index.mdx @@ -4,6 +4,7 @@ sidebar_label: ChatGPT support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx"; import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; @@ -38,6 +39,8 @@ You can configure ChatGPT to use either OIDC or SAML; this guide explains both o ## authentik configuration + + To support the integration of ChatGPT with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -48,7 +51,7 @@ To support the integration of ChatGPT with authentik, you need to create an appl - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Temporarily set a `Strict` redirect URI to `https://temp.temp`. + - Temporarily add a **Redirect URI** of type `Strict` `Authorization` as `https://temp.temp`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. @@ -77,7 +80,7 @@ ChatGPT only enables the **Manage SSO** wizard after you verify ownership of you 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers** and click the **Edit** icon of the newly created ChatGPT provider. -3. Under **Protocol settings**, set the **Redirect URIs** to the **Login redirect URI** from ChatGPT. +3. Under **Protocol settings**, add a **Redirect URI** of type `Strict` `Authorization` as the **Login redirect URI** value from ChatGPT. 4. Click **Update**. diff --git a/website/integrations/chat-communication-collaboration/espo-crm/index.md b/website/integrations/chat-communication-collaboration/espo-crm/index.md index f497fdb616..072cab9d27 100644 --- a/website/integrations/chat-communication-collaboration/espo-crm/index.md +++ b/website/integrations/chat-communication-collaboration/espo-crm/index.md @@ -4,6 +4,8 @@ sidebar_label: EspoCRM support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is EspoCRM? > EspoCRM is a CRM (customer relationship management) web application that allows users to store, visualize, and analyze their company's business-related relationships such as opportunities, people, businesses, and projects. @@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of EspoCRM with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -37,7 +41,7 @@ To support the integration of EspoCRM with authentik, you need to create an appl - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://espocrm.company/oauth-callback.php`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://espocrm.company/oauth-callback.php`. - Select any available signing key. - Under **Advanced protocol settings**, set **Subject mode** to **Based on the User's username**. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/chat-communication-collaboration/grommunio/index.md b/website/integrations/chat-communication-collaboration/grommunio/index.md index 3671d94f37..052a2a2eb9 100644 --- a/website/integrations/chat-communication-collaboration/grommunio/index.md +++ b/website/integrations/chat-communication-collaboration/grommunio/index.md @@ -4,6 +4,8 @@ sidebar_label: grommunio support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is grommunio? @@ -25,6 +27,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To integrate authentik with grommunio, you will need to create an application and provider pair in authentik. :::info Keycloak-compatible endpoints @@ -39,7 +43,7 @@ grommunio-web expects Keycloak-compatible OIDC endpoints. Because authentik does - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name, the authorization flow to use, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to `https://grommunio.company/web`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://grommunio.company/web`. - Set **Signing Key** to an available RSA key. - Under **Advanced protocol settings**: - Add the `authentik default OAuth Mapping: OpenID 'offline_access'` scope to **Selected Scopes**. diff --git a/website/integrations/chat-communication-collaboration/hedgedoc/index.md b/website/integrations/chat-communication-collaboration/hedgedoc/index.md index b4e41f8dab..50883c1ca1 100644 --- a/website/integrations/chat-communication-collaboration/hedgedoc/index.md +++ b/website/integrations/chat-communication-collaboration/hedgedoc/index.md @@ -4,6 +4,8 @@ sidebar_label: HedgeDoc support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is HedgeDoc? > HedgeDoc lets you create real-time collaborative markdown notes. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of HedgeDoc with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of HedgeDoc with authentik, you need to create an app - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to `https://hedgedoc.company/auth/oauth2/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://hedgedoc.company/auth/oauth2/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. 3. Click **Submit** to save the new application and provider. diff --git a/website/integrations/chat-communication-collaboration/kanboard/index.md b/website/integrations/chat-communication-collaboration/kanboard/index.md index b204eca231..389713f351 100644 --- a/website/integrations/chat-communication-collaboration/kanboard/index.md +++ b/website/integrations/chat-communication-collaboration/kanboard/index.md @@ -4,6 +4,8 @@ sidebar_label: Kanboard support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Kanboard? > Kanboard is a free and open source Kanban project management software. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Kanboard with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of Kanboard with authentik, you need to create an app - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to `https://kanboard.company/oauth/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://kanboard.company/oauth/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/chat-communication-collaboration/mailcow-logs-viewer/index.md b/website/integrations/chat-communication-collaboration/mailcow-logs-viewer/index.md index 609173069d..9f30192c53 100644 --- a/website/integrations/chat-communication-collaboration/mailcow-logs-viewer/index.md +++ b/website/integrations/chat-communication-collaboration/mailcow-logs-viewer/index.md @@ -4,6 +4,8 @@ sidebar_label: mailcow Logs Viewer support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is mailcow Logs Viewer? > A modern, self-hosted dashboard for monitoring, analyzing, and managing your mailcow mail server. Track email delivery, investigate spam, manage quarantine, detect bounce-based abuse, and validate DNS configurations, all from a single interface. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of mailcow Logs Viewer with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of mailcow Logs Viewer with authentik, you need to cr - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **application slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://mailcow-logs-viewer.company/api/auth/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://mailcow-logs-viewer.company/api/auth/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/chat-communication-collaboration/mailcow/index.md b/website/integrations/chat-communication-collaboration/mailcow/index.md index d5fe636eb3..1fcdc73dc4 100644 --- a/website/integrations/chat-communication-collaboration/mailcow/index.md +++ b/website/integrations/chat-communication-collaboration/mailcow/index.md @@ -4,6 +4,8 @@ sidebar_label: mailcow support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is mailcow? > mailcow is a Dockerized, open-source groupware and email suite based on Docker. It relies on many well-known and long-used components, which, when combined, result in a comprehensive email server solution. @@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of mailcow with authentik, you need to create a property mapping, set the `email_verified` attribute on required users, and create an application/provider pair in authentik. ### Create a property mapping @@ -56,7 +60,7 @@ Repeat these steps for all users that need to use the Mailcow integration. - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to `https://mailcow.company`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://mailcow.company`. - Select any available signing key. - Under **Advanced protocol settings**: - Remove the `authentik default OAuth Mapping: OpenID 'email'` scope from **Selected Scopes**. diff --git a/website/integrations/chat-communication-collaboration/mastodon/index.md b/website/integrations/chat-communication-collaboration/mastodon/index.md index 61aaa6c24b..6b2a6589e8 100644 --- a/website/integrations/chat-communication-collaboration/mastodon/index.md +++ b/website/integrations/chat-communication-collaboration/mastodon/index.md @@ -4,6 +4,8 @@ sidebar_label: Mastodon support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Mastodon? > Mastodon is free and open-source software for running self-hosted social networking services. It has microblogging features similar to Twitter @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Mastodon with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of Mastodon with authentik, you need to create an app - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://mastodon.company/auth/auth/openid_connect/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://mastodon.company/auth/auth/openid_connect/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/chat-communication-collaboration/matrix-synapse/index.md b/website/integrations/chat-communication-collaboration/matrix-synapse/index.md index d57e7f6b50..1d79d8ac53 100644 --- a/website/integrations/chat-communication-collaboration/matrix-synapse/index.md +++ b/website/integrations/chat-communication-collaboration/matrix-synapse/index.md @@ -4,6 +4,8 @@ sidebar_label: Matrix Synapse support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Matrix Synapse? > Matrix is an open source project that publishes the Matrix open standard for secure, decentralized, real-time communication, and its Apache licensed reference implementations. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Matrix Synapse with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of Matrix Synapse with authentik, you need to create - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://matrix.company/_synapse/client/oidc/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://matrix.company/_synapse/client/oidc/callback`. - Select any available RSA signing key. Matrix Synapse doesn't support ECC keys. - Do not set an encryption key because this is not supported by Matrix Synapse. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/chat-communication-collaboration/mattermost-team-edition/index.mdx b/website/integrations/chat-communication-collaboration/mattermost-team-edition/index.mdx index 3311917e88..6ac90c4476 100644 --- a/website/integrations/chat-communication-collaboration/mattermost-team-edition/index.mdx +++ b/website/integrations/chat-communication-collaboration/mattermost-team-edition/index.mdx @@ -4,6 +4,7 @@ sidebar_label: Mattermost Team Edition support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx"; import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; @@ -45,6 +46,8 @@ Once configured, Mattermost will display a login button with the GitLab icon, bu ## authentik configuration + + To support the integration of Mattermost Team Edition with authentik, you need to create property mappings and an application/provider pair in authentik. ### Create property mappings @@ -84,7 +87,7 @@ The following `id` property mapping is optional. If omitted, Mattermost will gen - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to `https://mattermost.company/signup/gitlab/complete`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://mattermost.company/signup/gitlab/complete`. - Select any available signing key. - Under **Advanced protocol settings**, add the scopes you just created to the list of selected scopes. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/chat-communication-collaboration/mobilizon/index.md b/website/integrations/chat-communication-collaboration/mobilizon/index.md index 51fb0c597f..f3a190d6fe 100644 --- a/website/integrations/chat-communication-collaboration/mobilizon/index.md +++ b/website/integrations/chat-communication-collaboration/mobilizon/index.md @@ -4,6 +4,8 @@ sidebar_label: Mobilizon support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Mobilizon? > Gather, organize and mobilize yourselves with a convivial, ethical, and emancipating tool. https://joinmobilizon.org @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Mobilizon with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of Mobilizon with authentik, you need to create an ap - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://mobilizon.company/auth/keycloak/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://mobilizon.company/auth/keycloak/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/chat-communication-collaboration/nextcloud/index.mdx b/website/integrations/chat-communication-collaboration/nextcloud/index.mdx index 1601cad068..476f1b7e38 100644 --- a/website/integrations/chat-communication-collaboration/nextcloud/index.mdx +++ b/website/integrations/chat-communication-collaboration/nextcloud/index.mdx @@ -4,6 +4,7 @@ sidebar_label: Nextcloud support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx"; ## What is Nextcloud? @@ -116,13 +117,16 @@ To connect to an existing Nextcloud user, set the `nextcloud_user_id` attribute ## Create an application and provider in authentik + + 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications** and click **New Application** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.) - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://nextcloud.company/apps/user_oidc/code`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://nextcloud.company/apps/user_oidc/code`. + - Add a **Redirect URI** of type `Strict` `Post Logout` as `https://nextcloud.company`. - Select any available signing key. - Under **Advanced protocol settings**: - _(optional)_ If you created the `Nextcloud Profile` scope mapping, add it to **Selected Scopes**. diff --git a/website/integrations/chat-communication-collaboration/opencloud/index.mdx b/website/integrations/chat-communication-collaboration/opencloud/index.mdx index 9fcfc14a12..f082bd73df 100644 --- a/website/integrations/chat-communication-collaboration/opencloud/index.mdx +++ b/website/integrations/chat-communication-collaboration/opencloud/index.mdx @@ -4,6 +4,7 @@ sidebar_label: OpenCloud support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; @@ -35,6 +36,8 @@ Choose your setup below. The **Web only** tab logs in through the browser. The * ## authentik configuration + + 1. Log in to authentik as an administrator and open the Admin interface. 2. Navigate to **Applications** > **Applications** and click **New Application**. - **Application**: provide a name and note the **slug**. @@ -43,9 +46,9 @@ Choose your setup below. The **Web only** tab logs in through the browser. The * - **Client type**: `Public` - **Client ID**: `web` - **Redirect URIs**: - - Strict: `https://opencloud.company/oidc-callback.html` - - Strict: `https://opencloud.company/oidc-silent-redirect.html` - - Strict: `https://opencloud.company/` + - `Strict` `Authorization`: `https://opencloud.company/oidc-callback.html` + - `Strict` `Authorization`: `https://opencloud.company/oidc-silent-redirect.html` + - `Strict` `Authorization`: `https://opencloud.company/` - **Signing Key**: select any available key. - **Scopes**: `openid`, `profile`, `email`. 3. Click **Submit**. @@ -112,12 +115,12 @@ With GLOBAL issuer mode enabled, tokens use an issuer of `iss = https://authenti Repeat these steps for **each** of the four clients (Web, Desktop, Android, and iOS), using the per-client values from the table below. -| Client | Client ID | Redirect URIs | -| ------- | ------------------ | ------------------------------------------------------------------------------------------- | -| Web | `web` | Strict: `https://opencloud.company/oidc-callback.html`, `…/oidc-silent-redirect.html`, `…/` | -| Desktop | `OpenCloudDesktop` | Regex: `http://127.0.0.1(:[0-9]+)?(/.*)?` and `http://localhost(:[0-9]+)?(/.*)?` | -| Android | `OpenCloudAndroid` | Strict: `oc://android.opencloud.eu` | -| iOS | `OpenCloudIOS` | Strict: `oc://ios.opencloud.eu` | +| Client | Client ID | Redirect URIs | +| ------- | ------------------ | ------------------------------------------------------------------------------------------------------------- | +| Web | `web` | `Strict` `Authorization`: `https://opencloud.company/oidc-callback.html`, `…/oidc-silent-redirect.html`, `…/` | +| Desktop | `OpenCloudDesktop` | `Regex` `Authorization`: `http://127.0.0.1(:[0-9]+)?(/.*)?` and `http://localhost(:[0-9]+)?(/.*)?` | +| Android | `OpenCloudAndroid` | `Strict` `Authorization`: `oc://android.opencloud.eu` | +| iOS | `OpenCloudIOS` | `Strict` `Authorization`: `oc://ios.opencloud.eu` | 1. Log in to authentik as an administrator and open the Admin interface. 2. Navigate to **Applications** > **Applications** and click **New Application**. diff --git a/website/integrations/chat-communication-collaboration/openproject/index.md b/website/integrations/chat-communication-collaboration/openproject/index.md index 810faadcb7..5fa39a36f0 100644 --- a/website/integrations/chat-communication-collaboration/openproject/index.md +++ b/website/integrations/chat-communication-collaboration/openproject/index.md @@ -4,6 +4,8 @@ sidebar_label: OpenProject support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is OpenProject? > OpenProject is a web-based project management software. Use OpenProject to manage your projects, tasks and goals. Collaborate via work packages and link them to your pull requests on GitHub. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of OpenProject with authentik, you need to create a property mapping and an application/provider pair in authentik. ### Create a scope mapping @@ -61,7 +65,7 @@ OpenProject requires a first and last name for each user. By default authentik o - **Protocol settings**: - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - **Redirect URI**: - - Strict: `https://openproject.company/auth/oidc-authentik/callback` + - `Strict` `Authorization`: `https://openproject.company/auth/oidc-authentik/callback` - **Signing key**: select any available signing key. - **Advanced protocol settings**: - **Scopes**: diff --git a/website/integrations/chat-communication-collaboration/owncloud/index.md b/website/integrations/chat-communication-collaboration/owncloud/index.md index 3fe9e17576..2ffe8b378d 100644 --- a/website/integrations/chat-communication-collaboration/owncloud/index.md +++ b/website/integrations/chat-communication-collaboration/owncloud/index.md @@ -4,6 +4,8 @@ sidebar_label: ownCloud support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is ownCloud? > ownCloud is a free and open-source software project for content collaboration and sharing and syncing of files. @@ -23,6 +25,8 @@ This guide focuses on deploying ownCloud installations using Docker. If you depl ## authentik configuration + + To support the integration of ownCloud with authentik, you need to create multiple application/provider pairs in authentik. A different pair is required for the Web UI, Desktop application, Android application, and iOS application. The configuration for each application is nearly identical, except for the **Client ID**, **Client Secret**, and the **Redirect URI** values, which are [predefined](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-ids-secrets-and-redirect-uris) by ownCloud for the Desktop, Android, and iOS applications. @@ -43,29 +47,29 @@ The configuration for each application is nearly identical, except for the **Cli - **Client ID**: Use the value generated by authentik. - **Client Secret**: Use the value generated by authentik. - **Redirect URIs**: - - Strict: `https://owncloud.company/apps/openidconnect/redirect` + - `Strict` `Authorization`: `https://owncloud.company/apps/openidconnect/redirect` **Desktop Application** - **Signing Key**: Select any available signing key. - **Client ID**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-id). - **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret). - **Redirect URIs**: - - Regex: `http://localhost:\d+` - - Regex: `http://127.0.0.1:\d+` + - `Regex` `Authorization`: `http://localhost:\d+` + - `Regex` `Authorization`: `http://127.0.0.1:\d+` **Android Application** - **Signing Key**: Select any available signing key. - **Client ID**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-id). - **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret). - **Redirect URI**: - - Strict: `oc://android.owncloud.com` + - `Strict` `Authorization`: `oc://android.owncloud.com` **iOS Application** - **Signing Key**: Select any available signing key. - **Client ID**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-id). - **Client Secret**: Use the predefined value found in the [ownCloud admin manual](https://doc.owncloud.com/server/latest/admin_manual/configuration/user/oidc/oidc.html#client-secret). - **Redirect URI**: - - Strict: `oc://ios.owncloud.com` + - `Strict` `Authorization`: `oc://ios.owncloud.com` - **Advanced protocol settings:** - **Scopes**: Select the following scopes for each of the four application/provider pairs: `email`, `offline_access`, `openid`, `profile`. diff --git a/website/integrations/chat-communication-collaboration/planka/index.mdx b/website/integrations/chat-communication-collaboration/planka/index.mdx index 3cb8a3938c..184f8fb23a 100644 --- a/website/integrations/chat-communication-collaboration/planka/index.mdx +++ b/website/integrations/chat-communication-collaboration/planka/index.mdx @@ -4,6 +4,8 @@ sidebar_label: Planka support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is Planka? > Planka is an open-source, Trello-like application with a Kanban board system, used for project management. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Planka with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of Planka with authentik, you need to create an appli - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to `https://planka.company/oidc-callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://planka.company/oidc-callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/chat-communication-collaboration/rocketchat/index.md b/website/integrations/chat-communication-collaboration/rocketchat/index.md index ec6b751bc9..eb4dc1657f 100644 --- a/website/integrations/chat-communication-collaboration/rocketchat/index.md +++ b/website/integrations/chat-communication-collaboration/rocketchat/index.md @@ -4,6 +4,8 @@ sidebar_label: Rocket.chat support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Rocket.chat? > Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript for organizations with high standards of data protection. It is licensed under the MIT License with some other licenses mixed in. See [Rocket.chat GitHub](https://github.com/RocketChat/Rocket.Chat/blob/develop/LICENSE) for licensing information. @@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Rocket.chat with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -38,7 +42,7 @@ To support the integration of Rocket.chat with authentik, you need to create an - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://rocket.company/\_oauth/authentik`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://rocket.company/\_oauth/authentik`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/chat-communication-collaboration/roundcube/index.md b/website/integrations/chat-communication-collaboration/roundcube/index.md index 16ea18ad68..a87f28148e 100644 --- a/website/integrations/chat-communication-collaboration/roundcube/index.md +++ b/website/integrations/chat-communication-collaboration/roundcube/index.md @@ -4,6 +4,8 @@ sidebar_label: Roundcube support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Roundcube? > Roundcube is a browser-based multilingual IMAP client with an application-like user interface. It provides the full functionality you expect from an email client, including MIME support, address book, folder manipulation, message searching and spell checking. @@ -29,6 +31,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Roundcube with authentik, you need to create an application/provider pair in authentik. ### Create property mappings @@ -59,7 +63,7 @@ To support the integration of Roundcube with authentik, you need to create an ap - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://roundcube.company/index.php?\_task=settings&\_action=plugin.oauth_redirect`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://roundcube.company/index.php?\_task=settings&\_action=plugin.oauth_redirect`. - Select any available signing key. - Under **Advanced protocol settings**: - Under **Scopes**, add `dovecotprofile` and `authentik default OAuth Mapping: OpenID 'offline_access'` to the list of selected scopes. diff --git a/website/integrations/chat-communication-collaboration/sharepoint-se/index.md b/website/integrations/chat-communication-collaboration/sharepoint-se/index.md index b10ca7489b..8f1ecac453 100644 --- a/website/integrations/chat-communication-collaboration/sharepoint-se/index.md +++ b/website/integrations/chat-communication-collaboration/sharepoint-se/index.md @@ -4,6 +4,8 @@ sidebar_label: SharePoint Server SE support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Microsoft SharePoint? > SharePoint is a proprietary, web-based collaborative platform that integrates natively with Microsoft 365. @@ -66,6 +68,8 @@ These guidelines use the following placeholders for the overall setup: ## authentik configuration + + ### Step 1: Create authentik OpenID property mappings SharePoint requires additional properties within the OpenID and profile scopes in order to operate OIDC properly and map incoming authentik OID claims with Microsoft claims. @@ -140,7 +144,7 @@ From the authentik Admin Dashboard: :::info use the explicit flow if user consents are required ::: - - **Redirect URIs / Origins**: `auth.providerRedirectURI` + - **Redirect URIs / Origins** (`Strict` `Authorization`): `auth.providerRedirectURI` - **Signing Key**: authentik Self-signed Certificate :::info The certificate is used for signing JWT tokens; if you change it after the integration do not forget to update your SharePoint Trusted Certificate. diff --git a/website/integrations/chat-communication-collaboration/vikunja/index.mdx b/website/integrations/chat-communication-collaboration/vikunja/index.mdx index ffc336152c..8d528ffe16 100644 --- a/website/integrations/chat-communication-collaboration/vikunja/index.mdx +++ b/website/integrations/chat-communication-collaboration/vikunja/index.mdx @@ -4,6 +4,7 @@ sidebar_label: Vikunja support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; @@ -31,6 +32,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Vikunja with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -41,8 +44,8 @@ To support the integration of Vikunja with authentik, you need to create an appl - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - For web login, set a `Strict` redirect URI to `https://vikunja.company/auth/openid/authentik`. - - If using the Vikunja desktop client, add a `Regex` redirect URI such as `^http://127\\.0\\.0\\.1:[0-9]+/auth/openid/authentik$` to allow loopback redirects to `127.0.0.1`. + - For web login, add a **Redirect URI** of type `Strict` `Authorization` as `https://vikunja.company/auth/openid/authentik`. + - If using the Vikunja desktop client, add a **Redirect URI** of type `Regex` `Authorization` such as `^http://127\\.0\\.0\\.1:[0-9]+/auth/openid/authentik$` to allow loopback redirects to `127.0.0.1`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. 3. Click **Submit** to save the new application and provider. diff --git a/website/integrations/chat-communication-collaboration/wekan/index.mdx b/website/integrations/chat-communication-collaboration/wekan/index.mdx index bc3c91a631..008d8557bf 100644 --- a/website/integrations/chat-communication-collaboration/wekan/index.mdx +++ b/website/integrations/chat-communication-collaboration/wekan/index.mdx @@ -4,6 +4,8 @@ sidebar_label: Wekan support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is Wekan? > Wekan is an open-source kanban board which allows a card-based task and to-do management. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Wekan with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of Wekan with authentik, you need to create an applic - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://wekan.company/_oauth/oidc`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://wekan.company/_oauth/oidc`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/chat-communication-collaboration/writefreely/index.md b/website/integrations/chat-communication-collaboration/writefreely/index.md index 435217e1f9..180e536ddd 100644 --- a/website/integrations/chat-communication-collaboration/writefreely/index.md +++ b/website/integrations/chat-communication-collaboration/writefreely/index.md @@ -4,6 +4,8 @@ sidebar_label: Writefreely support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Writefreely? > An open source platform for building a writing space on the web. @@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Writefreely with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -38,7 +42,7 @@ To support the integration of Writefreely with authentik, you need to create an - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://writefreely.company/oauth/callback/generic`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://writefreely.company/oauth/callback/generic`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/cloud-providers/aws-classic/index.mdx b/website/integrations/cloud-providers/aws-classic/index.mdx index 21a3c348a8..6838258512 100644 --- a/website/integrations/cloud-providers/aws-classic/index.mdx +++ b/website/integrations/cloud-providers/aws-classic/index.mdx @@ -4,6 +4,7 @@ sidebar_label: Amazon Web Services (Classic IAM) support_level: authentik --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx"; import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; @@ -44,6 +45,8 @@ SCIM Provisioning is only supported in conjunction with [IAM Identity Center](.. ## authentik configuration + + To support the integration of AWS with authentik via the Classic IAM method, you need to create two property mappings, an application/provider pair, and application entitlements for the AWS roles that users can assume. ### Create property mappings @@ -273,7 +276,7 @@ To support the integration of AWS with authentik using OIDC, you need to create - **Choose a Provider type**: Select OAuth2/OpenID Provider as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **slug** values because they will be required later. - - Set a `Strict` redirect URI to match the AWS resource that you want to access via OIDC. + - Add a **Redirect URI** of type `Strict` `Authorization` that matches the AWS resource that you want to access via OIDC. - Select any available signing key. - Under **Advanced protocol settings** > **Selected Scopes**, add `authentik default OAuth Mapping: OpenID 'entitlements'`. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/cloud-providers/digitalocean/index.md b/website/integrations/cloud-providers/digitalocean/index.md index 12fb4abfd6..a0b6dbacd8 100644 --- a/website/integrations/cloud-providers/digitalocean/index.md +++ b/website/integrations/cloud-providers/digitalocean/index.md @@ -4,6 +4,8 @@ sidebar_label: DigitalOcean support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is DigitalOcean? > DigitalOcean is a cloud infrastructure provider that offers developers simple, scalable virtual servers (droplets), managed databases, and other cloud services to deploy and manage applications efficiently. @@ -22,6 +24,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of DigitalOcean with authentik, you need to create a scope mapping, an application/provider pair, and application entitlements for the DigitalOcean roles that users should receive. ### Create a scope mapping @@ -72,7 +76,7 @@ To support the integration of DigitalOcean with authentik, you need to create a - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://cloud.digitalocean.com/sessions/sso/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://cloud.digitalocean.com/sessions/sso/callback`. - Select any available signing key. - Under **Advanced protocol settings**: - Add the `profile` scope created in the previous section. Do not remove authentik’s `authentik default OAuth Mapping: OpenID 'profile'`, as claims such as `name` are required by DigitalOcean. diff --git a/website/integrations/cloud-providers/oracle-cloud/index.md b/website/integrations/cloud-providers/oracle-cloud/index.md index 70ba59ce8b..2eb4bea93e 100644 --- a/website/integrations/cloud-providers/oracle-cloud/index.md +++ b/website/integrations/cloud-providers/oracle-cloud/index.md @@ -4,6 +4,8 @@ sidebar_label: Oracle Cloud support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Oracle Cloud? > Oracle Cloud is the first public cloud built from the ground up to be a better cloud for every application. By rethinking core engineering and systems design for cloud computing, we created innovations that accelerate migrations, deliver better reliability and performance for all applications, and offer the complete services customers need to build innovative cloud applications. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Oracle Cloud with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -35,7 +39,7 @@ To support the integration of Oracle Cloud with authentik, you need to create an - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://tenant.identity.oraclecloud.com/oauth2/v1/social/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://tenant.identity.oraclecloud.com/oauth2/v1/social/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/dashboards/dashy/index.md b/website/integrations/dashboards/dashy/index.md index 382d70586f..580e689017 100644 --- a/website/integrations/dashboards/dashy/index.md +++ b/website/integrations/dashboards/dashy/index.md @@ -4,6 +4,8 @@ sidebar_label: Dashy support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Dashy? > Dashy is a self-hostable personal dashboard built for you. Includes status-checking, widgets, themes, icon packs, a UI editor and tons more. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Dashy with authentik, you need to create an application/provider pair in authentik. If you want to manage Dashy administrator access through authentik, create or choose a group for Dashy administrators and add the appropriate users to it. Note the exact group name because it will be required later. @@ -36,7 +40,7 @@ If you want to manage Dashy administrator access through authentik, create or ch - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **slug** values because they will be required later. - Set the **Client type** to `Public`. Dashy runs entirely in the browser and does not store a client secret. - - Create two `Strict` redirect URIs: + - Add two **Redirect URIs** of type `Strict` `Authorization`: - `https://dashy.company` - `https://dashy.company/` - Select any available signing key. diff --git a/website/integrations/dashboards/homarr/index.md b/website/integrations/dashboards/homarr/index.md index 0005de3bcc..550e93b9e8 100644 --- a/website/integrations/dashboards/homarr/index.md +++ b/website/integrations/dashboards/homarr/index.md @@ -4,6 +4,8 @@ sidebar_label: Homarr support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Homarr? > A sleek, modern dashboard that puts all of your apps and services at your fingertips. Control everything in one convenient location. Seamlessly integrates with the apps you've added, providing you with valuable information. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Homarr with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of Homarr with authentik, you need to create an appli - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Create two `Strict` redirect URIs: `https://homarr.company/api/auth/callback/oidc` and `http://localhost:50575/api/auth/callback/oidc`. + - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://homarr.company/api/auth/callback/oidc` and `http://localhost:50575/api/auth/callback/oidc`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/dashboards/linkwarden/index.md b/website/integrations/dashboards/linkwarden/index.md index 60cffdfc14..73d572ed29 100644 --- a/website/integrations/dashboards/linkwarden/index.md +++ b/website/integrations/dashboards/linkwarden/index.md @@ -4,6 +4,8 @@ sidebar_label: Linkwarden support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Linkwarden? > Linkwarden is an open-source collaborative bookmark manager used to collect, organize, and preserve webpages. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Linkwarden with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of Linkwarden with authentik, you need to create an a - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://linkwarden.company/api/v1/auth/callback/authentik`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://linkwarden.company/api/v1/auth/callback/authentik`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/development/coder/index.md b/website/integrations/development/coder/index.md index a0d75d89eb..94570c3081 100644 --- a/website/integrations/development/coder/index.md +++ b/website/integrations/development/coder/index.md @@ -4,6 +4,8 @@ sidebar_label: Coder support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Coder? > Coder is an open-source platform that provides browser-based cloud development environments, enabling developers and teams to securely write, edit, and manage code remotely without the need for local setup. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Coder with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of Coder with authentik, you need to create an applic - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://coder.company/api/v2/users/oidc/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://coder.company/api/v2/users/oidc/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/development/engomo/index.mdx b/website/integrations/development/engomo/index.mdx index d9cedfb59f..c8f3967bf3 100644 --- a/website/integrations/development/engomo/index.mdx +++ b/website/integrations/development/engomo/index.mdx @@ -4,6 +4,8 @@ sidebar_label: engomo support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is engomo? > engomo is a low-code app development platform to create enterprise apps for smartphones and tablets based on Android, iOS, or iPadOS. @@ -25,6 +27,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Engomo with authentik, you need to create an application/provider pair in authentik. ### Create property mappings @@ -46,7 +50,7 @@ To support the integration of Engomo with authentik, you need to create an appli - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **slug** values because they will be required later. - Set the **Client type** to `Public`. - - Add two `Strict` redirect URIs and set them to `https://engomo.company/auth` and `com.engomo.engomo://callback/`. + - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://engomo.company/auth` and `com.engomo.engomo://callback/`. - Select any available signing key. - Under **Advanced protocol settings**, add the scope you just created to the list of available scopes. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/development/forgejo/index.md b/website/integrations/development/forgejo/index.md index a29b10f261..df34aa3bf3 100644 --- a/website/integrations/development/forgejo/index.md +++ b/website/integrations/development/forgejo/index.md @@ -4,6 +4,8 @@ sidebar_label: Forgejo support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Forgejo? > Forgejo is a lightweight, self‑hosted alternative to GitHub/GitLab, with a strong emphasis on community governance and open development. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Forgejo with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of Forgejo with authentik, you need to create an appl - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https:///user/oauth2/authentik/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https:///user/oauth2/authentik/callback`. - Select any available signing key. - Under **Advanced protocol settings** > **Selected Scopes**, add `authentik default OAuth Mapping: OpenID 'entitlements'`. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/development/frappe/index.md b/website/integrations/development/frappe/index.md index e5664a78a1..b893d8de94 100644 --- a/website/integrations/development/frappe/index.md +++ b/website/integrations/development/frappe/index.md @@ -4,6 +4,8 @@ sidebar_label: Frappe support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + :::info These instructions apply to all projects in the Frappe Family, including ERPNext. ::: @@ -28,6 +30,8 @@ This documentation only lists the settings that have been changed from their def ## authentik configuration + + To support the integration of Frappe with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -39,7 +43,7 @@ To support the integration of Frappe with authentik, you need to create an appli - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://frappe.company/api/method/frappe.integrations.oauth2_logins.custom/`. Replace `` with the name of the provider in Frappe. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://frappe.company/api/method/frappe.integrations.oauth2_logins.custom/`. Replace `` with the name of the provider in Frappe. - Select any available signing key. - Under **Advanced protocol settings**, set **Subject mode** to be `Based on the Users's username`. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/development/gitea/index.md b/website/integrations/development/gitea/index.md index 33dfaa2094..eda4ad538f 100644 --- a/website/integrations/development/gitea/index.md +++ b/website/integrations/development/gitea/index.md @@ -4,6 +4,8 @@ sidebar_label: Gitea support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Gitea? > Gitea is a community managed lightweight code hosting solution written in Go. It is published under the MIT license. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Gitea with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of Gitea with authentik, you need to create an applic - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https:///user/oauth2/authentik/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https:///user/oauth2/authentik/callback`. - Select any available signing key. - Under **Advanced protocol settings** > **Selected Scopes**, add `authentik default OAuth Mapping: OpenID 'entitlements'`. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/development/gitlab/index.mdx b/website/integrations/development/gitlab/index.mdx index 6154cc6239..e8e243e85d 100644 --- a/website/integrations/development/gitlab/index.mdx +++ b/website/integrations/development/gitlab/index.mdx @@ -4,6 +4,8 @@ sidebar_label: GitLab support_level: authentik --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is GitLab? > GitLab is a complete DevOps platform with features for version control, CI/CD, issue tracking, and collaboration, facilitating efficient software development and deployment workflows. @@ -43,6 +45,8 @@ import Tabs from "@theme/Tabs"; ## authentik configuration + + To support the integration of GitLab with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -110,7 +114,7 @@ To support the integration of GitLab with authentik, you need to create an appli - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://gitlab.company/users/auth/openid_connect/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://gitlab.company/users/auth/openid_connect/callback`. - Select any available signing key. - Under **Advanced protocol settings**, set the **Subject mode** to `Based on the User's Email`. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/development/gravitee/index.md b/website/integrations/development/gravitee/index.md index f05fdfd16f..0e4565936f 100644 --- a/website/integrations/development/gravitee/index.md +++ b/website/integrations/development/gravitee/index.md @@ -4,6 +4,8 @@ sidebar_label: Gravitee support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Gravitee? > Gravitee.io API Management is a flexible, lightweight and blazing-fast Open Source solution that helps your organization control who, when and how users access your APIs. @@ -25,6 +27,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Gravitee with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -36,7 +40,7 @@ To support the integration of Gravitee with authentik, you need to create an app - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Add two `Strict` redirect URI and set them to `https://gravitee.company/user/login` and `https://gravitee.company/console/`. Ensure a trailing slash is present at the end of the second redirect URI. + - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://gravitee.company/user/login` and `https://gravitee.company/console/`. Ensure a trailing slash is present at the end of the second redirect URI. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/development/jenkins/index.md b/website/integrations/development/jenkins/index.md index 0ce37bf2c0..470bc2dd47 100644 --- a/website/integrations/development/jenkins/index.md +++ b/website/integrations/development/jenkins/index.md @@ -4,6 +4,8 @@ sidebar_label: Jenkins support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Jenkins? > The leading open source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Jenkins with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of Jenkins with authentik, you need to create an appl - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://jenkins.company/securityRealm/finishLogin`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://jenkins.company/securityRealm/finishLogin`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/development/node-red/index.md b/website/integrations/development/node-red/index.md index f0ef11869f..4e21606981 100644 --- a/website/integrations/development/node-red/index.md +++ b/website/integrations/development/node-red/index.md @@ -4,6 +4,8 @@ sidebar_label: Node-RED support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Node-RED? > Node-RED is a programming tool for wiring together hardware devices, APIs and online services in new and interesting ways. @@ -29,6 +31,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Node-RED with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -40,7 +44,7 @@ To support the integration of Node-RED with authentik, you need to create an app - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://nodered.company/auth/strategy/callback/`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://nodered.company/auth/strategy/callback/`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/device-management/apple/index.md b/website/integrations/device-management/apple/index.md index 5a259e2680..37d0798933 100644 --- a/website/integrations/device-management/apple/index.md +++ b/website/integrations/device-management/apple/index.md @@ -13,6 +13,8 @@ authentik_enterprise: true authentik_preview: true --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Apple Business Manager? > Apple Business Manager is a web-based portal for IT administrators, managers, and procurement professionals to manage devices and automate device enrollment. @@ -71,6 +73,8 @@ Be aware that Apple Business Manager imposes the following restrictions on feder ## authentik configuration + + The workflow to configure authentik as an identity provider for Apple Business Manager involves creating scope mappings, signing keys, a Shared Signals Framework provider, and an OIDC provider/application pair. Together, these components will handle the authentication flow and backchannel communication between authentik and Apple Business Manager. @@ -160,7 +164,7 @@ You will need to create an [OAuth2/OpenID Provider](/docs/add-secure-apps/provid - **Choose a Provider type**: select **OAuth2/OpenID Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to `https://gsa-ws.apple.com/grandslam/GsService2/acs`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://gsa-ws.apple.com/grandslam/GsService2/acs`. - Select any available signing key. - Under **Advanced protocol settings**, in addition to the default scopes, add the four following **Selected Scopes** to the provider. - `Apple Business Manager ssf.manage` diff --git a/website/integrations/device-management/meshcentral/index.md b/website/integrations/device-management/meshcentral/index.md index 226adb7a07..9329c80bc7 100644 --- a/website/integrations/device-management/meshcentral/index.md +++ b/website/integrations/device-management/meshcentral/index.md @@ -4,6 +4,8 @@ sidebar_label: MeshCentral support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is MeshCentral? > MeshCentral is a free, open source, web-based platform for remote device management. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of MeshCentral with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of MeshCentral with authentik, you need to create an - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://meshcentral.company/auth-oidc-callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://meshcentral.company/auth-oidc-callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/device-management/omnissa-workspace-one-access/index.md b/website/integrations/device-management/omnissa-workspace-one-access/index.md index 6b8a5baa32..8bc4bc2330 100644 --- a/website/integrations/device-management/omnissa-workspace-one-access/index.md +++ b/website/integrations/device-management/omnissa-workspace-one-access/index.md @@ -4,6 +4,8 @@ sidebar_label: Omnissa Workspace ONE Access support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Omnissa Workspace ONE Access? > Omnissa Workspace ONE Access, now Omnissa Access, is the identity and access service for the Omnissa Workspace ONE platform. It provides single sign-on, access policies, and identity federation for applications and devices, and can delegate authentication to external identity providers such as authentik. @@ -31,6 +33,8 @@ You can leave the form open in another browser tab while configuring authentik. ## authentik configuration + + To support the integration of Omnissa Workspace ONE Access with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -43,8 +47,8 @@ To support the integration of Omnissa Workspace ONE Access with authentik, you n - Note the **Client ID** and **Client Secret** values because they will be required later. - **Protocol Settings**: - **Redirect URI**: - - Strict: the redirect URI you noted in the Omnissa Workspace ONE Access pre-configuration step. - - Strict: `awgb://oauth2`. This URI is used by the Workspace ONE mobile applications. + - `Strict` `Authorization`: the redirect URI you noted in the Omnissa Workspace ONE Access pre-configuration step. + - `Strict` `Authorization`: `awgb://oauth2`. This URI is used by the Workspace ONE mobile applications. - **Signing Key**: select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/documentation/bookstack/index.mdx b/website/integrations/documentation/bookstack/index.mdx index a73e7894fb..e80c785311 100644 --- a/website/integrations/documentation/bookstack/index.mdx +++ b/website/integrations/documentation/bookstack/index.mdx @@ -4,6 +4,7 @@ sidebar_label: BookStack support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; @@ -38,6 +39,8 @@ You can configure Bookstack to use either OIDC or SAML, and this guide explains ## authentik configuration + + To support the integration of BookStack with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -48,7 +51,7 @@ To support the integration of BookStack with authentik, you need to create an ap - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://bookstack.company/oidc/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://bookstack.company/oidc/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/documentation/dokuwiki/dokuwiki_oauth_generic.png b/website/integrations/documentation/dokuwiki/dokuwiki_oauth_generic.png index 6141ebf419..6230969002 100644 Binary files a/website/integrations/documentation/dokuwiki/dokuwiki_oauth_generic.png and b/website/integrations/documentation/dokuwiki/dokuwiki_oauth_generic.png differ diff --git a/website/integrations/documentation/dokuwiki/index.md b/website/integrations/documentation/dokuwiki/index.md index 349507c5aa..1d45852a02 100644 --- a/website/integrations/documentation/dokuwiki/index.md +++ b/website/integrations/documentation/dokuwiki/index.md @@ -4,6 +4,8 @@ sidebar_label: DokuWiki support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is DokuWiki? > DokuWiki is an open source wiki application licensed under GPLv2 and written in the PHP programming language. It works on plain text files and thus does not need a database. Its syntax is similar to the one used by MediaWiki and it is often recommended as a more lightweight, easier to customize alternative to MediaWiki. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of DokuWiki with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -35,7 +39,8 @@ To support the integration of DokuWiki with authentik, you need to create an app - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to `https://dokuwiki.company/doku.php`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://dokuwiki.company/doku.php`. + - Add a **Redirect URI** of type `Strict` `Post Logout` as `https://dokuwiki.company/doku.php`. - Select any available signing key. - Under **Advanced protocol settings**, add the following OAuth mapping under **Scopes**: `authentik default OAuth Mapping: OpenID 'offline_access'` - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. @@ -68,6 +73,7 @@ For **oauthgeneric**: - Set `plugin»oauthgeneric»authurl` to `https://authentik.company/application/o/authorize/` - Set `plugin»oauthgeneric»tokenurl` to `https://authentik.company/application/o/token/` - Set `plugin»oauthgeneric»userurl` to `https://authentik.company/application/o/userinfo/` +- Set `plugin»oauthgeneric»logouturl` to `https://authentik.company/application/o/end-session/` - Set `plugin»oauthgeneric»authmethod` to `Bearer Header` - Set `plugin»oauthgeneric»scopes` to `email, openid, profile, offline_access` - Select `plugin»oauthgeneric»needs-state` @@ -75,6 +81,7 @@ For **oauthgeneric**: - Set `plugin»oauthgeneric»json-name` to `name` - Set `plugin»oauthgeneric»json-mail` to `email` - Set `plugin»oauthgeneric»json-grps` to`groups` +- Set `plugin»oauthgeneric»color ` to `#fd4b2d` ![](./dokuwiki_oauth_generic.png) diff --git a/website/integrations/documentation/karakeep/index.md b/website/integrations/documentation/karakeep/index.md index 19d6b625ad..1eb9d46a33 100644 --- a/website/integrations/documentation/karakeep/index.md +++ b/website/integrations/documentation/karakeep/index.md @@ -4,6 +4,8 @@ sidebar_label: Karakeep support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Karakeep? > A self-hostable bookmark-everything app (links, notes and images) with AI-based automatic tagging and full-text search. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Karakeep with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of Karakeep with authentik, you need to create an app - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://karakeep.company/api/auth/callback/custom`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://karakeep.company/api/auth/callback/custom`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/documentation/kitchenowl/index.md b/website/integrations/documentation/kitchenowl/index.md index 87aa24dbb0..802e171e35 100644 --- a/website/integrations/documentation/kitchenowl/index.md +++ b/website/integrations/documentation/kitchenowl/index.md @@ -4,6 +4,8 @@ sidebar_label: KitchenOwl support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is KitchenOwl? > KitchenOwl is a smart self-hosted grocery list and recipe manager. Easily add items to your shopping list before you go shopping. You can also create recipes and set up meal plans to help you organize your cooking. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of KitchenOwl with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of KitchenOwl with authentik, you need to create an a - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret** values because they will be required later. - - Create two `Strict` redirect URIs and set them to `https://kitchenowl.company/signin/redirect` and `kitchenowl:/signin/redirect`. + - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://kitchenowl.company/signin/redirect` and `kitchenowl:/signin/redirect`. 3. Click **Submit** to save the new application and provider. diff --git a/website/integrations/documentation/mealie/index.md b/website/integrations/documentation/mealie/index.md index d21edafe32..96117a7172 100644 --- a/website/integrations/documentation/mealie/index.md +++ b/website/integrations/documentation/mealie/index.md @@ -4,6 +4,8 @@ sidebar_label: Mealie support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Mealie? > Mealie is a self-hosted recipe manager and meal planner. Easily add recipes by providing the URL and Mealie will automatically import the relevant data or add a family recipe with the UI editor. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Mealie with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of Mealie with authentik, you need to create an appli - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, , and **slug** values because they will be required later. - - Create two `Strict` redirect URIs and set to `https://mealie.company/login` and `https://mealie.company/login?direct=1`. + - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://mealie.company/login` and `https://mealie.company/login?direct=1`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/documentation/netbox/index.md b/website/integrations/documentation/netbox/index.md index 8a4cdaa9c8..0cdcffef91 100644 --- a/website/integrations/documentation/netbox/index.md +++ b/website/integrations/documentation/netbox/index.md @@ -4,6 +4,8 @@ sidebar_label: NetBox support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is NetBox? > NetBox is the leading solution for modeling and documenting modern networks. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of NetBox with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of NetBox with authentik, you need to create an appli - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://netbox.company/oauth/complete/oidc/`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://netbox.company/oauth/complete/oidc/`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/documentation/outline/index.md b/website/integrations/documentation/outline/index.md index ab058984bc..547fd9cc2e 100644 --- a/website/integrations/documentation/outline/index.md +++ b/website/integrations/documentation/outline/index.md @@ -4,6 +4,8 @@ sidebar_label: Outline support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Outline? > Your team's knowledge base. @@ -24,6 +26,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Outline with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -35,7 +39,7 @@ To support the integration of Outline with authentik, you need to create an appl - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://outline.company/auth/oidc.callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://outline.company/auth/oidc.callback`. - Select any available signing key. - Under **Advanced protocol settings**, set the **Subject Mode** to **Based on the User's username**. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/documentation/paperless-ngx/index.mdx b/website/integrations/documentation/paperless-ngx/index.mdx index 758116cee2..c14dcbbc85 100644 --- a/website/integrations/documentation/paperless-ngx/index.mdx +++ b/website/integrations/documentation/paperless-ngx/index.mdx @@ -4,6 +4,8 @@ sidebar_label: Paperless-ngx support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is Paperless-ngx? > Paperless-ngx is an application that indexes your scanned documents and allows you to easily search for documents and store metadata alongside your documents. It was a fork from Paperless-ng, in turn a fork from the original Paperless, neither of which are maintained any longer. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Paperless-ngx with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of Paperless-ngx with authentik, you need to create a - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://paperless.company/accounts/oidc/authentik/login/callback/`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://paperless.company/accounts/oidc/authentik/login/callback/`. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. - **Advanced protocol settings**: - **Selected Scopes**: Add the following diff --git a/website/integrations/documentation/papra/index.mdx b/website/integrations/documentation/papra/index.mdx index 06f04fd13a..3ded3f7628 100644 --- a/website/integrations/documentation/papra/index.mdx +++ b/website/integrations/documentation/papra/index.mdx @@ -4,6 +4,8 @@ sidebar_label: Papra support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is Papra? > An open-source document management platform designed to help you organize, secure, and archive your files effortlessly. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Papra with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of Papra with authentik, you need to create an applic - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **Slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://papra.company/api/auth/oauth2/callback/authentik`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://papra.company/api/auth/oauth2/callback/authentik`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/documentation/tandoor/index.md b/website/integrations/documentation/tandoor/index.md index 75a7259e7c..dde4f187b1 100644 --- a/website/integrations/documentation/tandoor/index.md +++ b/website/integrations/documentation/tandoor/index.md @@ -4,6 +4,8 @@ sidebar_label: Tandoor support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Tandoor? > Application for managing recipes, planning meals and building shopping lists. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Tandoor with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of Tandoor with authentik, you need to create an appl - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://tandoor.company/accounts/oidc/authentik/login/callback/`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://tandoor.company/accounts/oidc/authentik/login/callback/`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/documentation/wiki-js/index.md b/website/integrations/documentation/wiki-js/index.md index d02f80d636..9353aec562 100644 --- a/website/integrations/documentation/wiki-js/index.md +++ b/website/integrations/documentation/wiki-js/index.md @@ -4,6 +4,8 @@ sidebar_label: Wiki.js support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Wiki.js? > Wiki.js is a wiki engine running on Node.js and written in JavaScript. It is free software released under the Affero GNU General Public License. It is available as a self-hosted solution or using "single-click" install on the DigitalOcean and AWS marketplace. @@ -33,6 +35,8 @@ Add a _Generic OpenID Connect / OAuth2_ strategy and take note of the _Callback ## authentik configuration + + To support the integration of Wiki.js with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -44,7 +48,7 @@ To support the integration of Wiki.js with authentik, you need to create an appl - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://wiki.company/login/id-from-wiki/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://wiki.company/login/id-from-wiki/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/hypervisors-orchestrators/arcane/index.md b/website/integrations/hypervisors-orchestrators/arcane/index.md index c2ca0a3774..805f50c3b0 100644 --- a/website/integrations/hypervisors-orchestrators/arcane/index.md +++ b/website/integrations/hypervisors-orchestrators/arcane/index.md @@ -4,6 +4,8 @@ sidebar_label: Arcane support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Arcane? > Modern Docker Management, Designed for Everyone. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Arcane with authentik, you need to create an application/provider pair in authentik. ### Create custom scope mapping @@ -53,7 +57,7 @@ Arcane either requires the email scope to return a `true` value for whether the - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://arcane.company/auth/oidc/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://arcane.company/auth/oidc/callback`. - Select any available signing key. - Under **Advanced protocol settings**: - Remove the `authentik default OAuth Mapping: OpenID 'email'` scope, and add the custom scope mapping you created above. diff --git a/website/integrations/hypervisors-orchestrators/portainer/index.md b/website/integrations/hypervisors-orchestrators/portainer/index.md index be6161989c..8e43594255 100644 --- a/website/integrations/hypervisors-orchestrators/portainer/index.md +++ b/website/integrations/hypervisors-orchestrators/portainer/index.md @@ -4,6 +4,8 @@ sidebar_label: Portainer support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Portainer? > Portainer is a powerful, GUI-based Container-as-a-Service solution that helps organizations manage and deploy cloud-native applications easily and securely. @@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Portainer with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -38,7 +42,7 @@ To support the integration of Portainer with authentik, you need to create an ap - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations: - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://portainer.company/`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://portainer.company/`. - Select any available signing key. - Under **Advanced protocol settings** > **Selected Scopes**, add `authentik default OAuth Mapping: OpenID 'entitlements'`. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/hypervisors-orchestrators/proxmox-ve/index.md b/website/integrations/hypervisors-orchestrators/proxmox-ve/index.md index a9506d099f..b388bb87ad 100644 --- a/website/integrations/hypervisors-orchestrators/proxmox-ve/index.md +++ b/website/integrations/hypervisors-orchestrators/proxmox-ve/index.md @@ -4,6 +4,8 @@ sidebar_label: Proxmox VE support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Proxmox VE? > Proxmox Virtual Environment is an open source server virtualization management solution based on QEMU/KVM and LXC. You can manage virtual machines, containers, highly available clusters, storage, and networks with an integrated, easy-to-use web interface or via CLI. Proxmox VE code is licensed under the GNU Affero General Public License, version 3. The project is developed and maintained by Proxmox Server Solutions GmbH. @@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Proxmox with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -38,7 +42,7 @@ To support the integration of Proxmox with authentik, you need to create an appl - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://proxmox.company:8006`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://proxmox.company:8006`. - Select any available signing key. - Ensure that encryption is disabled. - Under **Advanced protocol settings**: diff --git a/website/integrations/hypervisors-orchestrators/vmware-cloud-director/index.md b/website/integrations/hypervisors-orchestrators/vmware-cloud-director/index.md index eaff37aad4..c969104797 100644 --- a/website/integrations/hypervisors-orchestrators/vmware-cloud-director/index.md +++ b/website/integrations/hypervisors-orchestrators/vmware-cloud-director/index.md @@ -4,6 +4,8 @@ sidebar_label: VMware Cloud Director support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is VMware Cloud Director? > VMware Cloud Director is a platform that enables service providers and enterprises to create multi-tenant virtual data centers (VDCs) from underlying VMware vSphere infrastructure. It supports self-service resource provisioning, secure tenant isolation, and management of compute, storage, and networking via web portals and APIs. @@ -21,6 +23,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of VMware Cloud Director with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -31,7 +35,7 @@ To support the integration of VMware Cloud Director with authentik, you need to - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://clouddirector.company/login/oauth?service=provider`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://clouddirector.company/login/oauth?service=provider`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/hypervisors-orchestrators/vmware-vcenter/index.md b/website/integrations/hypervisors-orchestrators/vmware-vcenter/index.md index da00fb37bd..e4a44cab11 100644 --- a/website/integrations/hypervisors-orchestrators/vmware-vcenter/index.md +++ b/website/integrations/hypervisors-orchestrators/vmware-vcenter/index.md @@ -4,6 +4,8 @@ sidebar_label: VMware vCenter support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is vCenter? > vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location. VMware vMotion and svMotion require the use of vCenter and ESXi hosts. @@ -25,6 +27,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of vCenter with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -36,7 +40,7 @@ To support the integration of vCenter with authentik, you need to create an appl - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://vcenter.company/ui/login/oauth2/authcode`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://vcenter.company/ui/login/oauth2/authcode`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/hypervisors-orchestrators/xen-orchestra/index.md b/website/integrations/hypervisors-orchestrators/xen-orchestra/index.md index e984d08396..4807639da1 100644 --- a/website/integrations/hypervisors-orchestrators/xen-orchestra/index.md +++ b/website/integrations/hypervisors-orchestrators/xen-orchestra/index.md @@ -4,6 +4,8 @@ sidebar_label: Xen Orchestra support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Xen Orchestra? > Xen Orchestra provides a user friendly web interface for every Xen based hypervisor (XenServer, xcp-ng, etc.). @@ -28,6 +30,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Xen Orchestra with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -39,7 +43,7 @@ To support the integration of Xen Orchestra with authentik, you need to create a - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://xenorchestra.company/signin/oidc/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://xenorchestra.company/signin/oidc/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/infrastructure/apache-guacamole/index.mdx b/website/integrations/infrastructure/apache-guacamole/index.mdx index a91a85d647..be8e3ed55a 100644 --- a/website/integrations/infrastructure/apache-guacamole/index.mdx +++ b/website/integrations/infrastructure/apache-guacamole/index.mdx @@ -4,6 +4,7 @@ sidebar_label: Apache Guacamole support_level: authentik --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; @@ -26,6 +27,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Apache Guacamole with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -37,7 +40,7 @@ To support the integration of Apache Guacamole with authentik, you need to creat - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://guacamole.company/`. If you have configured [Apache Tomcat](https://tomcat.apache.org/) to run Apache Guacamole on a subpath, you will need to update this value accordingly. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://guacamole.company/`. If you have configured [Apache Tomcat](https://tomcat.apache.org/) to run Apache Guacamole on a subpath, you will need to update this value accordingly. - Select any available signing key. - Note that Apache Guacamole does not support session tokens longer than 300 minutes (5 hours). - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/infrastructure/argocd/index.md b/website/integrations/infrastructure/argocd/index.md index ae576f176d..6c201276c3 100644 --- a/website/integrations/infrastructure/argocd/index.md +++ b/website/integrations/infrastructure/argocd/index.md @@ -4,6 +4,8 @@ sidebar_label: ArgoCD support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is ArgoCD? > Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of ArgoCD with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of ArgoCD with authentik, you need to create an appli - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Add two `Strict` redirect URI and set them to `https://argocd.company/api/dex/callback` and `https://localhost:8085/auth/callback`. + - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://argocd.company/api/dex/callback` and `https://localhost:8085/auth/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/infrastructure/harbor/index.md b/website/integrations/infrastructure/harbor/index.md index cb18da1d9c..4d7ec76acc 100644 --- a/website/integrations/infrastructure/harbor/index.md +++ b/website/integrations/infrastructure/harbor/index.md @@ -4,6 +4,8 @@ sidebar_label: Harbor support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Harbor? > Harbor is an open source container image registry that secures images with role-based access control, scans images for vulnerabilities, and signs images as trusted. A CNCF Graduated project, Harbor delivers compliance, performance, and interoperability to help you consistently and securely manage images across cloud native compute platforms like Kubernetes and Docker. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Harbor with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -35,7 +39,7 @@ To support the integration of Harbor with authentik, you need to create an appli - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - **Protocol Settings**: - **Redirect URI**: - - Strict: `https://harbor.company/c/oidc/callback`. + - `Strict` `Authorization`: `https://harbor.company/c/oidc/callback`. - **Signing Key**: select any available signing key. - **Advanced Protocol Settings**: - **Scopes**: add `authentik default OAuth Mapping: OpenID 'offline_access'` to **Selected Scopes**. diff --git a/website/integrations/infrastructure/keycloak/index.mdx b/website/integrations/infrastructure/keycloak/index.mdx index df90fb72c6..b4ba14dc11 100644 --- a/website/integrations/infrastructure/keycloak/index.mdx +++ b/website/integrations/infrastructure/keycloak/index.mdx @@ -4,6 +4,7 @@ sidebar_label: Keycloak support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx"; import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; @@ -39,6 +40,8 @@ Keycloak can be configured to use either OIDC or SAML for federated login source ## authentik configuration + + To support the integration of Keycloak with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -49,7 +52,7 @@ To support the integration of Keycloak with authentik, you need to create an app - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://keycloak.company/access/oidc/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://keycloak.company/access/oidc/callback`. - Set the **Logout URI** to `https://keycloak.company/realms//protocol/openid-connect/logout/backchannel-logout`. - Set the **Logout Method** to `Back-channel`. - Select any available signing key. diff --git a/website/integrations/infrastructure/komodo/index.mdx b/website/integrations/infrastructure/komodo/index.mdx index de4d83794a..a8abba5089 100644 --- a/website/integrations/infrastructure/komodo/index.mdx +++ b/website/integrations/infrastructure/komodo/index.mdx @@ -4,6 +4,8 @@ sidebar_label: Komodo support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is Komodo? > Komodo is a web-based application designed to organize and streamline the management of servers, builds, deployments, and automated tasks. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Komodo with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of Komodo with authentik, you need to create an appli - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to `https://komodo.company/auth/oidc/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://komodo.company/auth/oidc/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. - **Configure Launch URL** _(optional)_: set to `https://komodo.company/auth/oidc/login`. diff --git a/website/integrations/infrastructure/minio/index.mdx b/website/integrations/infrastructure/minio/index.mdx index a82346f0c7..e53fc9e4d7 100644 --- a/website/integrations/infrastructure/minio/index.mdx +++ b/website/integrations/infrastructure/minio/index.mdx @@ -4,6 +4,7 @@ sidebar_label: MinIO support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; @@ -30,6 +31,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of MinIO with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -40,7 +43,7 @@ To support the integration of MinIO with authentik, you need to create an applic - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to `https://minio.company/oauth_callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://minio.company/oauth_callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/infrastructure/nexterm/index.md b/website/integrations/infrastructure/nexterm/index.md index ab4e0eb326..7a5284b1f3 100644 --- a/website/integrations/infrastructure/nexterm/index.md +++ b/website/integrations/infrastructure/nexterm/index.md @@ -4,6 +4,8 @@ sidebar_label: Nexterm support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Nexterm? > Nexterm is an open-source server management platform for SSH, VNC, and RDP. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Nexterm with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of Nexterm with authentik, you need to create an appl - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://nexterm.company/api/auth/oidc/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://nexterm.company/api/auth/oidc/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/infrastructure/osticket/index.md b/website/integrations/infrastructure/osticket/index.md index 57f6f202b1..e1a5976301 100644 --- a/website/integrations/infrastructure/osticket/index.md +++ b/website/integrations/infrastructure/osticket/index.md @@ -4,6 +4,8 @@ sidebar_label: osTicket support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is osTicket? > osTicket is a web-based, open source user support/ticketing solution. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of osTicket with authentik, you need to create an application/provider pair in authentik. 1. Log in to authentik as an administrator and open the authentik Admin interface. @@ -31,7 +35,7 @@ To support the integration of osTicket with authentik, you need to create an app - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret** and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://osticket.company/osticket/api/auth/oauth2`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://osticket.company/osticket/api/auth/oauth2`. - Select any available signing key. - Under **Advanced protocol settings**: - **Subject Mode**: `Based on the User's Email` diff --git a/website/integrations/infrastructure/pgadmin/index.md b/website/integrations/infrastructure/pgadmin/index.md index ff0e1fb1fe..8f63db21c0 100644 --- a/website/integrations/infrastructure/pgadmin/index.md +++ b/website/integrations/infrastructure/pgadmin/index.md @@ -4,6 +4,8 @@ sidebar_label: pgAdmin support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is pgAdmin? > pgAdmin is a management tool for PostgreSQL and derivative relational databases such as EnterpriseDB's EDB Advanced Server. It may be run either as a web or desktop application. @@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of pgAdmin with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -37,7 +41,7 @@ To support the integration of pgAdmin with authentik, you need to create an appl - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://pgadmin.company/oauth2/authorize`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://pgadmin.company/oauth2/authorize`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/infrastructure/plesk/index.md b/website/integrations/infrastructure/plesk/index.md index 9a261458a7..54d57cd237 100644 --- a/website/integrations/infrastructure/plesk/index.md +++ b/website/integrations/infrastructure/plesk/index.md @@ -4,6 +4,8 @@ sidebar_label: Plesk support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Plesk? > Plesk is a web hosting platform with a control panel that helps manage servers, applications, and websites through a comprehensive graphical user interface. It provides tools for web professionals, IT administrators, and hosting companies to simplify the process of hosting and managing websites. @@ -27,6 +29,8 @@ Replace these placeholders in the guide with your values: ## authentik configuration + + To support the integration of Plesk with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -38,7 +42,7 @@ To support the integration of Plesk with authentik, you need to create an applic - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://plesk.company/modules/oauth/public/login.php`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://plesk.company/modules/oauth/public/login.php`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/infrastructure/rabbitmq/index.mdx b/website/integrations/infrastructure/rabbitmq/index.mdx index 5b10602f2b..cf4d6d9b25 100644 --- a/website/integrations/infrastructure/rabbitmq/index.mdx +++ b/website/integrations/infrastructure/rabbitmq/index.mdx @@ -4,6 +4,7 @@ sidebar_label: RabbitMQ support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; @@ -28,6 +29,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of RabbitMQ with authentik, you need to create a property mapping, two user groups, and an application/provider pair. ### Create a property mapping @@ -66,7 +69,7 @@ After creating the groups, select a group, navigate to the **Users** tab, and ma - Set **Client Type** to **Public**. - Note the **Client ID** and **slug** values because they will be required later. - Under **Grant Types**, select **Authorization Code** and **Client credentials**. - - Set a `Strict` redirect URI to `https://rabbitmq.company:15672/js/oidc-oauth/login-callback.html`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://rabbitmq.company:15672/js/oidc-oauth/login-callback.html`. - Select any available signing key. - Under **Advanced protocol settings**: - Add the `RabbitMQ claims` scope that you created in the previous section to **Selected Scopes**. diff --git a/website/integrations/infrastructure/rustdesk-pro/index.mdx b/website/integrations/infrastructure/rustdesk-pro/index.mdx index f50a6e2052..4aef8bb2ce 100644 --- a/website/integrations/infrastructure/rustdesk-pro/index.mdx +++ b/website/integrations/infrastructure/rustdesk-pro/index.mdx @@ -4,6 +4,8 @@ sidebar_label: RustDesk Server Pro support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is RustDesk Server Pro? > RustDesk Server Pro is a premium self-hosted solution for managing remote desktop connections securely and efficiently. @@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Rustdesk Server Pro with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -38,7 +42,7 @@ To support the integration of Rustdesk Server Pro with authentik, you need to cr - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://rustdesk.company/api/oidc/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://rustdesk.company/api/oidc/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/infrastructure/semaphore/index.mdx b/website/integrations/infrastructure/semaphore/index.mdx index e2e7f7117a..4ffdeb8337 100644 --- a/website/integrations/infrastructure/semaphore/index.mdx +++ b/website/integrations/infrastructure/semaphore/index.mdx @@ -4,6 +4,8 @@ sidebar_label: Semaphore support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is Semaphore UI? > Semaphore UI is a modern web interface for managing popular DevOps tools. @@ -25,6 +27,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Semaphore with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -35,7 +39,7 @@ To support the integration of Semaphore with authentik, you need to create an ap - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://semaphore.company/api/auth/oidc/authentik/redirect`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://semaphore.company/api/auth/oidc/authentik/redirect`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/infrastructure/synology-dsm/index.md b/website/integrations/infrastructure/synology-dsm/index.md index b3d9fe326a..c5811b0909 100644 --- a/website/integrations/infrastructure/synology-dsm/index.md +++ b/website/integrations/infrastructure/synology-dsm/index.md @@ -4,6 +4,8 @@ sidebar_label: Synology DSM (DiskStation Manager) support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Synology DSM? > Synology Inc. is a Taiwanese corporation that specializes in network-attached storage (NAS) appliances. Synology's line of NAS is known as the DiskStation for desktop models, FlashStation for all-flash models, and RackStation for rack-mount models. Synology's products are distributed worldwide and localized in several languages. @@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Synology DSM with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -38,7 +42,7 @@ To support the integration of Synology DSM with authentik, you need to create an - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://synology.company`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://synology.company`. - Select any available signing key. - Under **Advanced protocol settings**, set the **subject mode** to be based on the user's email. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/infrastructure/termix/index.mdx b/website/integrations/infrastructure/termix/index.mdx index 5db31fb6ce..4eac67e7a4 100644 --- a/website/integrations/infrastructure/termix/index.mdx +++ b/website/integrations/infrastructure/termix/index.mdx @@ -4,6 +4,8 @@ sidebar_label: Termix support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is Termix? > Termix is a clientless web-based server management platform with SSH terminal, tunneling, and file editing capabilities. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Termix with authentik, you need to create an application/provider pair in authentik. 1. Log in to authentik as an administrator and open the authentik Admin interface. @@ -31,7 +35,7 @@ To support the integration of Termix with authentik, you need to create an appli - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://termix.company/users/oidc/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://termix.company/users/oidc/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/infrastructure/terrakube/index.md b/website/integrations/infrastructure/terrakube/index.md index 10f7a4f35a..b10aba8f25 100644 --- a/website/integrations/infrastructure/terrakube/index.md +++ b/website/integrations/infrastructure/terrakube/index.md @@ -4,6 +4,8 @@ sidebar_label: Terrakube support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Terrakube? > Terrakube is an open-source collaboration platform designed for managing remote Infrastructure-as-Code (IaC) operations with Terraform. It serves as an alternative to proprietary tools like Terraform Enterprise. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Terrakube with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of Terrakube with authentik, you need to create an ap - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://terrakube-dex.company/dex/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://terrakube-dex.company/dex/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/infrastructure/zammad/index.md b/website/integrations/infrastructure/zammad/index.md index 6cc586b61d..13788cac5c 100644 --- a/website/integrations/infrastructure/zammad/index.md +++ b/website/integrations/infrastructure/zammad/index.md @@ -4,6 +4,7 @@ sidebar_label: Zammad support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; import SAMLProvider20265Warning from "../../\_saml-provider-2026-5-warning.mdx"; import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; @@ -40,6 +41,8 @@ values={[ ## authentik configuration + + To support the integration of Zammad with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -102,7 +105,7 @@ To support the integration of Zammad with authentik, you need to create an appli - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Set the **Client type** to `Public`. - Take note of the **Client ID** and **slug** values because they will be required later. - - Set the **Redirect URIs/Origins** to `Strict` / `https://zammad.company/auth/openid_connect/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://zammad.company/auth/openid_connect/callback`. - Select a **Signing Key**. - Under **Advanced protocol settings**, set **Subject mode** to **Based on the User's Email**. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/infrastructure/zendesk/index.mdx b/website/integrations/infrastructure/zendesk/index.mdx index 2ea808ab58..3897cc8bd6 100644 --- a/website/integrations/infrastructure/zendesk/index.mdx +++ b/website/integrations/infrastructure/zendesk/index.mdx @@ -4,6 +4,7 @@ sidebar_label: Zendesk support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; @@ -38,6 +39,8 @@ Zendesk can be configured to use either OIDC or SAML. This guide covers both met ## authentik configuration + + To support the integration of Zendesk with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -48,7 +51,7 @@ To support the integration of Zendesk with authentik, you need to create an appl - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://company.zendesk.com/access/oidc/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://company.zendesk.com/access/oidc/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/infrastructure/zot/index.md b/website/integrations/infrastructure/zot/index.md index 4c6b0945be..3c8f47151d 100644 --- a/website/integrations/infrastructure/zot/index.md +++ b/website/integrations/infrastructure/zot/index.md @@ -4,6 +4,8 @@ sidebar_label: Zot support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Zot? > Zot is an OCI-native container registry for distributing container images and OCI artifacts. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Zot with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -35,11 +39,9 @@ To support the integration of Zot with authentik, you need to create an applicat - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - **Protocol Settings**: - **Redirect URI**: - - Strict: `https://zot.company/zot/auth/callback/oidc`. + - `Strict` `Authorization`: `https://zot.company/zot/auth/callback/oidc`. - **Signing Key**: select any available signing key. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://zot.company/zot/auth/callback/oidc`. - - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. 3. Click **Submit** to save the new application and provider. diff --git a/website/integrations/learning/absorb-lms/index.mdx b/website/integrations/learning/absorb-lms/index.mdx index 2445d92fd1..f29b7e71fc 100644 --- a/website/integrations/learning/absorb-lms/index.mdx +++ b/website/integrations/learning/absorb-lms/index.mdx @@ -5,6 +5,7 @@ support_level: community authentik_version: 2026.5 --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx"; import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; @@ -39,6 +40,8 @@ values={[ ## authentik configuration + + To integrate authentik with Absorb LMS via OIDC, you will need to create an application and provider pair in authentik. ### Create an application and provider in authentik @@ -49,7 +52,7 @@ To integrate authentik with Absorb LMS via OIDC, you will need to create an appl - **Choose a Provider type**: select **OAuth2/OIDC Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Take note of the **Client ID** and **Client Secret** values as these will be required in the next section. - - Set a `Strict` Redirect URI to `https://company.myabsorb.com/account/openidconnect` + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://company.myabsorb.com/account/openidconnect` - Select any available **Signing key**. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications in a user's **Application Dashboard**. diff --git a/website/integrations/media/audiobookshelf/index.md b/website/integrations/media/audiobookshelf/index.md index eb85cec8c3..0918f4713b 100644 --- a/website/integrations/media/audiobookshelf/index.md +++ b/website/integrations/media/audiobookshelf/index.md @@ -4,6 +4,8 @@ sidebar_label: Audiobookshelf support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Audiobookshelf? > Audiobookshelf is a self-hosted audiobook and podcast server. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Audiobookshelf with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,9 +37,10 @@ To support the integration of Audiobookshelf with authentik, you need to create - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Add two `Strict` redirect URIs: - - `https://audiobookshelf.company/auth/openid/callback` - - `https://audiobookshelf.company/auth/openid/mobile-redirect` + - Add three **Redirect URIs**: + - `Strict` `Authorization` `https://audiobookshelf.company/auth/openid/callback` + - `Strict` `Authorization` `https://audiobookshelf.company/auth/openid/mobile-redirect` + - `Strict` `Post Logout` `https://audiobookshelf.company/login` - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. @@ -53,6 +58,7 @@ To support the integration of Audiobookshelf with authentik, you need to create - **Token URL**: `https://authentik.company/application/o/token/` - **User Info URL**: `https://authentik.company/application/o/userinfo/` - **JWKS URL**: `https://authentik.company/application/o//jwks/` + - **Logout URL**: `https://auth.yoursite.com/application/o//end-session/` - **Signing Algorithm**: `RS256` - **Allow Mobile Redirect URLs**: `https://audiobookshelf.company/auth/openid/mobile-redirect` - **Match existing users by**: `username` diff --git a/website/integrations/media/freshrss/index.mdx b/website/integrations/media/freshrss/index.mdx index ebc10d11f8..9945828a29 100644 --- a/website/integrations/media/freshrss/index.mdx +++ b/website/integrations/media/freshrss/index.mdx @@ -4,6 +4,8 @@ sidebar_label: FreshRSS support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is FreshRSS? > FreshRSS is a self-hosted RSS feed aggregator. @@ -23,6 +25,8 @@ This documentation only lists the settings that have been changed from their def ## authentik configuration + + To support the integration of FreshRSS with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of FreshRSS with authentik, you need to create an app - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Add two `Strict` redirect URIs and set them to `https://freshrss.company/i/oidc/` and `https://freshrss.company:443/i/oidc/`. If FreshRSS is exposed on a port other than `443`, update the second redirect URI accordingly. + - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://freshrss.company/i/oidc/` and `https://freshrss.company:443/i/oidc/`. If FreshRSS is exposed on a port other than `443`, update the second redirect URI accordingly. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/media/immich/index.md b/website/integrations/media/immich/index.md index 9668fc947c..c8212d7fb1 100644 --- a/website/integrations/media/immich/index.md +++ b/website/integrations/media/immich/index.md @@ -4,6 +4,8 @@ sidebar_label: Immich support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Immich? > Immich is a self-hosted backup solution for photos and videos on mobile devices. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Immich with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of Immich with authentik, you need to create an appli - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Add three `Strict` redirect URIs and set them to `app.immich:///oauth-callback`, `https://immich.company/auth/login`, and `https://immich.company/user-settings`. + - Add three **Redirect URIs** of type `Strict` `Authorization` as `app.immich:///oauth-callback`, `https://immich.company/auth/login`, and `https://immich.company/user-settings`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. - **Configure Launch URL** _(optional)_: set the [Launch URL](/docs/add-secure-apps/applications/#appearance) to `https://immich.company/auth/login?autoLaunch=1` to allow automatic login to Immich when clicking the application from within authentik. diff --git a/website/integrations/media/jellyfin/index.md b/website/integrations/media/jellyfin/index.md index f0252d06fd..815be053f5 100644 --- a/website/integrations/media/jellyfin/index.md +++ b/website/integrations/media/jellyfin/index.md @@ -4,6 +4,8 @@ sidebar_label: Jellyfin support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Jellyfin? > Jellyfin is a free and open source media management and streaming platform for movies, TV shows, and music. @@ -95,6 +97,8 @@ At this point, enter a username and click **Save Search Attribute Settings and Q ## OIDC configuration + + ### authentik configuration **Provider Settings** @@ -102,7 +106,7 @@ At this point, enter a username and click **Save Search Attribute Settings and Q In authentik under **Providers**, create an OAuth2/OpenID Provider with these settings: - Name: `jellyfin` -- Redirect URI: `https://jellyfin.company/sso/OID/redirect/authentik` +- **Redirect URI**: `Strict` `Authorization` `https://jellyfin.company/sso/OID/redirect/authentik` Everything else is up to you, just make sure to grab the client ID and the client secret! diff --git a/website/integrations/media/kavita/index.md b/website/integrations/media/kavita/index.md new file mode 100644 index 0000000000..84854af511 --- /dev/null +++ b/website/integrations/media/kavita/index.md @@ -0,0 +1,65 @@ +--- +title: Integrate with Kavita +sidebar_label: Kavita +support_level: community +--- + +## What is Kavita? + +> Kavita is a self-hosted digital library and reading server for manga, comics, books, and other digital media, with support for organizing collections and reading in the browser. +> +> -- https://www.kavitareader.com/ + +## Preparation + +The following placeholders are used in this guide: + +- `kavita.company` is the FQDN of the Kavita installation. +- `authentik.company` is the FQDN of the authentik installation. + +:::info +This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. +::: + +## authentik configuration + +To support the integration of Kavita with authentik, you need to create an application/provider pair in authentik. + +### Create an application and provider in authentik + +1. Log in to authentik as an administrator and open the authentik Admin interface. +2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard. + - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. + - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. + - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. + - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://kavita.company/signin-oidc` + - Add a **Redirect URI** of type `Strict` `Post Logout` as `https://kavita.company/signout-callback-oidc` + - **Logout URI**: `https://kavita.company/signout-oidc` + - **Logout Method**: `Front-channel` + - Select any available signing key. + - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. + +3. Click **Submit** to save the new application and provider. + +## Kavita configuration + +1. Log in to Kavita as an administrator. +2. Navigate to **Settings** > **OpenID Connect**. +3. Configure the following settings: + - **Authority**: `https://authentik.company/application/o//` + - **Client Id**: enter the Client ID from authentik. + - **Secret**: enter the Client Secret from authentik. + - **Provision Accounts**: enable this setting to automatically create Kavita accounts for users who log in through authentik. + - **Require Verified Emails**: disable this setting. +4. Click **Save**. + +Restart your Kavita instance for these changes to take effect. + +## Configuration verification + +To confirm that authentik is properly configured with Kavita, log out of Kavita and then log back in using the **Login with SSO** option. You should be redirected to authentik for authentication and then redirected back to Kavita as a logged-in user. + +## Resources + +- [Kavita OpenID Connect documentation](https://wiki.kavitareader.com/guides/admin-settings/open-id-connect/) diff --git a/website/integrations/media/komga/index.md b/website/integrations/media/komga/index.md index 10ed952c3c..27cb7f3cc0 100644 --- a/website/integrations/media/komga/index.md +++ b/website/integrations/media/komga/index.md @@ -4,6 +4,8 @@ sidebar_label: Komga support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Komga? > Komga is an open-source comic and manga server that lets users organize, read, and stream their digital comic collections with ease. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Komga with authentik, you need to create an application/provider pair in authentik. ### Create an email verification scope mapping in authentik @@ -40,7 +44,7 @@ Refer to [Email scope verification](/docs/add-secure-apps/providers/oauth2/index - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://komga.company/login/oauth2/code/authentik`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://komga.company/login/oauth2/code/authentik`. - Select any available signing key. - **Advanced protocol settings** > **Scopes**: - Add `OAuth Mapping: OpenID 'email' with "email_verified"` to the **Selected Scopes**. diff --git a/website/integrations/media/miniflux/index.md b/website/integrations/media/miniflux/index.md index 9bea7a0a77..97f98adf79 100644 --- a/website/integrations/media/miniflux/index.md +++ b/website/integrations/media/miniflux/index.md @@ -4,6 +4,8 @@ sidebar_label: Miniflux support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Miniflux? > Miniflux is a minimalist and opinionated RSS feed reader. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Miniflux with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of Miniflux with authentik, you need to create an app - **Choose a Provider type**: Select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://miniflux.company/oauth2/oidc/callback` + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://miniflux.company/oauth2/oidc/callback` - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/media/photoprism/index.md b/website/integrations/media/photoprism/index.md index 9857859d1e..287fb75624 100644 --- a/website/integrations/media/photoprism/index.md +++ b/website/integrations/media/photoprism/index.md @@ -4,6 +4,8 @@ sidebar_label: PhotoPrism support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is PhotoPrism? > PhotoPrism is an AI-powered photos app that lets you browse, organize, and find photos and videos on a home server, private server, or in the cloud. @@ -27,6 +29,8 @@ PhotoPrism requires HTTPS for OpenID Connect (OIDC). Make sure that the `PHOTOPR ## authentik configuration + + To support the integration of PhotoPrism with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -37,7 +41,7 @@ To support the integration of PhotoPrism with authentik, you need to create an a - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Add one `Strict` redirect URI and set it to `https://photoprism.company/api/v1/oidc/redirect`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://photoprism.company/api/v1/oidc/redirect`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/media/seafile/index.md b/website/integrations/media/seafile/index.md index 67e2e2dec9..4b5e99fbfd 100644 --- a/website/integrations/media/seafile/index.md +++ b/website/integrations/media/seafile/index.md @@ -4,6 +4,8 @@ sidebar_label: Seafile support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Seafile? > Seafile is an open-source, cross-platform file-hosting software system. Files are stored on a central server and can be synchronized with personal computers and mobile devices through apps. Files on the Seafile server can also be accessed directly via the server's web interface. @@ -22,6 +24,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Seafile with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -32,7 +36,7 @@ To support the integration of Seafile with authentik, you need to create an appl - **Choose a Provider type**: select OAuth2/OpenID Connect as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to `https://seafile.company/oauth/callback/`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://seafile.company/oauth/callback/`. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. 3. Click **Submit** to save the new application and provider. diff --git a/website/integrations/media/seerr/index.md b/website/integrations/media/seerr/index.md index f6e1cc3a35..74a2a527a6 100644 --- a/website/integrations/media/seerr/index.md +++ b/website/integrations/media/seerr/index.md @@ -4,6 +4,8 @@ sidebar_label: Seerr support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Seerr? > Seerr (previously Jellyseerr) is a free and open source application for managing requests in your media library. It integrates with media servers like Jellyfin, Plex, and Emby, and services such as Sonarr and Radarr. @@ -17,6 +19,8 @@ support_level: community ## authentik configuration + + To support the integration of Seerr with authentik, you need to create an application/provider pair in authentik. 1. Log in to authentik as an administrator and open the authentik Admin interface. @@ -25,7 +29,7 @@ To support the integration of Seerr with authentik, you need to create an applic - **Choose a Provider type**: OAuth2/OpenID - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and any required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to `https://seerr.company/login`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://seerr.company/login`. - Select any available signing key. - **Configure Bindings** _(optional):_ you can create a [binding](https://docs.goauthentik.io/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user’s **Application Dashboard** page. diff --git a/website/integrations/miscellaneous/actual-budget/index.mdx b/website/integrations/miscellaneous/actual-budget/index.mdx index 1ecc595a90..f04328b09c 100644 --- a/website/integrations/miscellaneous/actual-budget/index.mdx +++ b/website/integrations/miscellaneous/actual-budget/index.mdx @@ -4,6 +4,7 @@ sidebar_label: Actual Budget support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; @@ -26,6 +27,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Actual Budget with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -36,7 +39,7 @@ To support the integration of Actual Budget with authentik, you need to create a - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://actual.company/openid/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://actual.company/openid/callback`. - Select any available signing key. Actual Budget only supports the RS256 algorithm. Be aware of this when choosing a signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/miscellaneous/adventurelog/index.mdx b/website/integrations/miscellaneous/adventurelog/index.mdx index a599de2c8a..b81f0afc60 100644 --- a/website/integrations/miscellaneous/adventurelog/index.mdx +++ b/website/integrations/miscellaneous/adventurelog/index.mdx @@ -4,6 +4,8 @@ sidebar_label: AdventureLog support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is AdventureLog? > AdventureLog is a self-hosted travel tracker and trip planner. AdventureLog is the ultimate travel companion for the modern-day explorer. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of AdventureLog with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of AdventureLog with authentik, you need to create an - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Regex` redirect URI to `^https://adventurelog.company/accounts/oidc/.\*$`. + - Add a **Redirect URI** of type `Regex` `Authorization` as `^https://adventurelog.company/accounts/oidc/.\*$`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/miscellaneous/ezbookkeeping/index.mdx b/website/integrations/miscellaneous/ezbookkeeping/index.mdx index d16aaf1c2b..fd98dbd539 100644 --- a/website/integrations/miscellaneous/ezbookkeeping/index.mdx +++ b/website/integrations/miscellaneous/ezbookkeeping/index.mdx @@ -4,6 +4,7 @@ sidebar_label: ezBookkeeping support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; @@ -26,6 +27,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of ezBookkeeping with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -36,7 +39,7 @@ To support the integration of ezBookkeeping with authentik, you need to create a - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://ezbookkeeping.company/oauth2/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://ezbookkeeping.company/oauth2/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/miscellaneous/filerise/index.mdx b/website/integrations/miscellaneous/filerise/index.mdx index 0311d22e73..783d388e57 100644 --- a/website/integrations/miscellaneous/filerise/index.mdx +++ b/website/integrations/miscellaneous/filerise/index.mdx @@ -4,6 +4,8 @@ sidebar_label: FileRise support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is FileRise? > Lightweight, self-hosted web-based file manager with multi-file upload, editing, and batch operations. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of FileRise with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of FileRise with authentik, you need to create an app - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set **Redirect URI** to `https://filerise.company/api/auth/auth.php?oidc=callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://filerise.company/api/auth/auth.php?oidc=callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/miscellaneous/home-assistant/index.md b/website/integrations/miscellaneous/home-assistant/index.md index 6ea250576a..f7d6e83d4c 100644 --- a/website/integrations/miscellaneous/home-assistant/index.md +++ b/website/integrations/miscellaneous/home-assistant/index.md @@ -4,6 +4,8 @@ sidebar_label: Home Assistant support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Home Assistant? @@ -47,6 +49,8 @@ values={[ ## authentik configuration + + To support the integration of Home Assistant with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -58,7 +62,7 @@ To support the integration of Home Assistant with authentik, you need to create - Choose a **Provider Type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://hass.company/auth/openid/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://hass.company/auth/openid/callback`. - Select any available signing key (to use the RS256 `id_token_signing_alg`) - Configure Bindings (optional): you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. @@ -109,7 +113,7 @@ To support the integration of Home Assistant with authentik, you need to create - Choose a **Provider Type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://hass.company/auth/oidc/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://hass.company/auth/oidc/callback`. - Select any available signing key (to use the RS256 `id_token_signing_alg`) - Configure Bindings (optional): you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/miscellaneous/open-webui/index.md b/website/integrations/miscellaneous/open-webui/index.md index a5dfbc91f9..c5ceb67eaa 100644 --- a/website/integrations/miscellaneous/open-webui/index.md +++ b/website/integrations/miscellaneous/open-webui/index.md @@ -4,6 +4,8 @@ sidebar_label: Open WebUI support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Open WebUI? > Open WebUI is a simple, self-hosted AI platform that works entirely offline. It supports tools like Ollama and OpenAI-style APIs and has a built-in engine for RAG tasks. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Open WebUI with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of Open WebUI with authentik, you need to create an a - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://openwebui.company/oauth/oidc/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://openwebui.company/oauth/oidc/callback`. - Select any available signing key. - Make sure to leave the **Encryption Key** field empty. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/miscellaneous/wallos/index.mdx b/website/integrations/miscellaneous/wallos/index.mdx index b24f151b0e..7606385b16 100644 --- a/website/integrations/miscellaneous/wallos/index.mdx +++ b/website/integrations/miscellaneous/wallos/index.mdx @@ -4,6 +4,8 @@ sidebar_label: Wallos support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is Wallos? > Wallos is a self-hosted subscription and budget planning application. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Wallos with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of Wallos with authentik, you need to create an appli - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to `https://wallos.company/index.php`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://wallos.company/index.php`. - Select any available signing key. - **Configure Bindings** (optional): you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/miscellaneous/zipline/index.md b/website/integrations/miscellaneous/zipline/index.md index 38f1e5997f..814477df42 100644 --- a/website/integrations/miscellaneous/zipline/index.md +++ b/website/integrations/miscellaneous/zipline/index.md @@ -4,6 +4,8 @@ sidebar_label: Zipline support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Zipline? > Zipline is a self-hostable file upload server designed for easy file sharing, supporting tools like ShareX and Flameshot, with features such as simplified setup and extensive customization options. @@ -27,6 +29,8 @@ This guide is compatible with Zipline [version `v4.0.0`](https://github.com/dice ## authentik configuration + + To support the integration of Zipline with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -38,7 +42,7 @@ To support the integration of Zipline with authentik, you need to create an appl - **Choose a Provider type**: Select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: Provide a name (or accept the auto-provided name), choose the authorization flow for this provider, and configure the following required settings: - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to `https://zipline.company/api/auth/oauth/oidc`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://zipline.company/api/auth/oauth/oidc`. - Select any available signing key. - Under **Advanced protocol settings** > **Scopes**, add `authentik default OAuth Mapping: OpenID 'offline_access'` to the **Selected Scopes** list. - **Configure Bindings** _(optional)_: Create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/monitoring/beszel/index.mdx b/website/integrations/monitoring/beszel/index.mdx index e7a3c01b8c..ebe9f916cc 100644 --- a/website/integrations/monitoring/beszel/index.mdx +++ b/website/integrations/monitoring/beszel/index.mdx @@ -4,6 +4,8 @@ sidebar_label: Beszel support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is Beszel? > Beszel is a lightweight server monitoring platform that provides Docker statistics, historical data, and configurable alerts. @@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + The steps to configure authentik include creating an email verification scope mapping, creating an application and provider pair in authentik, obtaining the Client ID and Client Secret values, setting the redirect URI, and selecting a signing key. ### Create an email verification scope mapping in authentik @@ -44,7 +48,7 @@ Refer to [Email scope verification](/docs/add-secure-apps/providers/oauth2/index - **Choose a Provider type**: OAuth2/OpenID - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and any required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to `https://beszel.company/api/oauth2-redirect`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://beszel.company/api/oauth2-redirect`. - Select any available signing key. - **Advanced protocol settings** > **Scopes**: - Add `OAuth Mapping: OpenID 'email' with "email_verified"` to the **Selected Scopes**. diff --git a/website/integrations/monitoring/chronograf/index.mdx b/website/integrations/monitoring/chronograf/index.mdx index e8d7bc2f6c..5ed04465f5 100644 --- a/website/integrations/monitoring/chronograf/index.mdx +++ b/website/integrations/monitoring/chronograf/index.mdx @@ -3,6 +3,8 @@ title: Integrate with Chronograf sidebar_label: Chronograf --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is Chronograf? > Chronograf lets you quickly visualize the data stored in InfluxDB, enabling you to build robust queries and alerts. It is simple to use and comes with templates and libraries for rapidly creating dashboards with real-time data visualizations. @@ -22,6 +24,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Chronograf with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of Chronograf with authentik, you need to create an a - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://chronograf.company/oauth/authentik/callback/`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://chronograf.company/oauth/authentik/callback/`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/monitoring/gatus/index.mdx b/website/integrations/monitoring/gatus/index.mdx index 7a1b81b638..a4fe0a9362 100644 --- a/website/integrations/monitoring/gatus/index.mdx +++ b/website/integrations/monitoring/gatus/index.mdx @@ -4,6 +4,8 @@ sidebar_label: Gatus support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is Gatus? > Gatus is a developer-oriented health dashboard that gives you the ability to monitor your services using HTTP, ICMP, TCP, and even DNS queries as well as evaluate the result of said queries by using a list of conditions on values like the status code, the response time, the certificate expiration, the body and many others. The icing on top is that each of these health checks can be paired with alerting via Slack, Teams, PagerDuty, Discord, Twilio and many more. @@ -23,6 +25,8 @@ This documentation only lists the settings that have been changed from their def ## authentik configuration + + To support the integration of Gatus with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of Gatus with authentik, you need to create an applic - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://gatus.company/authorization-code/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://gatus.company/authorization-code/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/monitoring/glitchtip/index.md b/website/integrations/monitoring/glitchtip/index.md index 0f05c9f64f..feb67a9e65 100644 --- a/website/integrations/monitoring/glitchtip/index.md +++ b/website/integrations/monitoring/glitchtip/index.md @@ -4,6 +4,8 @@ sidebar_label: Glitchtip support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Glitchtip? > Bugs are inevitable in web development. The important thing is to catch them when they appear. With GlitchTip, you can rest easy knowing that if your web app throws an error or goes down, you will be notified immediately. GlitchTip combines error tracking and uptime monitoring in one open-source package to keep you and your team fully up-to-date on the status of your projects. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Glitchtip with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of Glitchtip with authentik, you need to create an ap - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://glitchtip.company/accounts/oidc/authentik/login/callback/`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://glitchtip.company/accounts/oidc/authentik/login/callback/`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/monitoring/grafana/index.mdx b/website/integrations/monitoring/grafana/index.mdx index 5fedbdaaf3..43596d0225 100644 --- a/website/integrations/monitoring/grafana/index.mdx +++ b/website/integrations/monitoring/grafana/index.mdx @@ -4,6 +4,8 @@ sidebar_label: Grafana support_level: authentik --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is Grafana? > Grafana is a multi-platform open source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources, Grafana Enterprise version with additional capabilities is also available. It is expandable through a plug-in system. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Grafana with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of Grafana with authentik, you need to create an appl - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://grafana.company/login/generic_oauth`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://grafana.company/login/generic_oauth`. - Set the Logout URI to `https://grafana.company/logout`. - Set the Logout Method to `Front-channel`. - Select any available signing key. diff --git a/website/integrations/monitoring/icinga/index.md b/website/integrations/monitoring/icinga/index.md index 06e29e3962..792b203e50 100644 --- a/website/integrations/monitoring/icinga/index.md +++ b/website/integrations/monitoring/icinga/index.md @@ -4,6 +4,8 @@ sidebar_label: Icinga Web 2 support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Icinga Web 2? > Icinga Web 2 is the next-generation web interface for the Icinga monitoring stack. It provides a flexible UI to view monitoring states, drill into problems, and integrate with the Icinga 2 backend. @@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Icinga Web 2 with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -37,7 +41,7 @@ To support the integration of Icinga Web 2 with authentik, you need to create an - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to `https://icinga.company/icingaweb2/oidc/authentication/realm?name=authentik`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://icinga.company/icingaweb2/oidc/authentication/realm?name=authentik`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/monitoring/observium/index.md b/website/integrations/monitoring/observium/index.md index 4b9e6381c3..d660c5854e 100644 --- a/website/integrations/monitoring/observium/index.md +++ b/website/integrations/monitoring/observium/index.md @@ -4,6 +4,8 @@ sidebar_label: Observium support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Observium? > Observium is a network monitoring and management platform that provides real-time insight into network health and performance. @@ -40,6 +42,8 @@ apt install ./libapache2-mod-auth-openidc_2.4.15.7-1.bookworm_amd64.deb ## authentik configuration + + To support the integration of Observium with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -51,7 +55,7 @@ To support the integration of Observium with authentik, you need to create an ap - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://observium.company/secure/redirect_uri`. Note that the Redirect URI can be anything, as long as it does not point to existing content. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://observium.company/secure/redirect_uri`. Note that the Redirect URI can be anything, as long as it does not point to existing content. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/monitoring/pulse/index.md b/website/integrations/monitoring/pulse/index.md index c5ea687734..da36ce91ec 100644 --- a/website/integrations/monitoring/pulse/index.md +++ b/website/integrations/monitoring/pulse/index.md @@ -4,6 +4,8 @@ sidebar_label: Pulse support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Pulse? > Pulse is an open-source monitoring platform that provides real-time insight into Proxmox, Docker, and Kubernetes infrastructure. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Pulse with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of Pulse with authentik, you need to create an applic - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://pulse.company/api/oidc/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://pulse.company/api/oidc/callback`. - Select any available signing key. - Under **Advanced protocol settings**, add `authentik default OAuth Mapping: OpenID 'offline_access'` to the selected scopes if you want long-lived sessions backed by refresh tokens. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/monitoring/ubuntu-landscape/index.md b/website/integrations/monitoring/ubuntu-landscape/index.md index f4161b36d9..d4e4deab7d 100644 --- a/website/integrations/monitoring/ubuntu-landscape/index.md +++ b/website/integrations/monitoring/ubuntu-landscape/index.md @@ -4,6 +4,8 @@ sidebar_label: Ubuntu Landscape support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Ubuntu Landscape? > Landscape is a systems management tool developed by Canonical. It can be run on-premises or in the cloud depending on the needs of the user. It is primarily designed for use with Ubuntu derivatives such as Desktop, Server, and Core. @@ -29,6 +31,8 @@ Landscape uses the OpenID Connect protocol for single sign-on. ## authentik configuration + + To support the integration of Landscape with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -40,7 +44,7 @@ To support the integration of Landscape with authentik, you need to create an ap - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://landscape.company/login/handle-openid`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://landscape.company/login/handle-openid`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/monitoring/whats-up-docker/index.md b/website/integrations/monitoring/whats-up-docker/index.md index ed47fd8a62..c85db5da6b 100644 --- a/website/integrations/monitoring/whats-up-docker/index.md +++ b/website/integrations/monitoring/whats-up-docker/index.md @@ -4,6 +4,8 @@ sidebar_label: What's Up Docker support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is What's Up Docker? > What's Up Docker (WUD) is an easy-to-use tool that alerts you whenever a new version of your Docker containers is released. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of What's Up Docker with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of What's Up Docker with authentik, you need to creat - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://wud.company/auth/oidc/authentik/cb`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://wud.company/auth/oidc/authentik/cb`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/networking/firezone/index.md b/website/integrations/networking/firezone/index.md index 7209c8d314..0ed2e1bcfe 100644 --- a/website/integrations/networking/firezone/index.md +++ b/website/integrations/networking/firezone/index.md @@ -4,6 +4,8 @@ sidebar_label: Firezone support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Firezone? > Firezone is an open-source remote access platform built on WireGuard®, a modern VPN protocol that's 4-6x faster than OpenVPN. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Firezone with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -34,7 +38,7 @@ To support the integration of Firezone with authentik, you need to create an app - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://firezone.company/auth/oidc/authentik/callback/`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://firezone.company/auth/oidc/authentik/callback/`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/networking/gravity/index.md b/website/integrations/networking/gravity/index.md index 01384e25f6..8c4aae2c9e 100644 --- a/website/integrations/networking/gravity/index.md +++ b/website/integrations/networking/gravity/index.md @@ -4,6 +4,8 @@ sidebar_label: Gravity support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Gravity? > Gravity is a fully-replicated DNS, DHCP, and TFTP server powered by [etcd](https://etcd.io/), offering features like built-in caching, ad/privacy blocking, automatic DNS registration, and metric tracking. @@ -27,6 +29,8 @@ Gravity automatically triggers SSO authentication when configured. To prevent th ## authentik configuration + + To support the integration of Gravity with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -38,7 +42,7 @@ To support the integration of Gravity with authentik, you need to create an appl - **Choose a Provider type**: Select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: Provide a name (or accept the auto-provided name), choose the authorization flow for this provider, and configure the following required settings: - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://gravity.company/auth/oidc/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://gravity.company/auth/oidc/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: Create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/networking/headscale/index.md b/website/integrations/networking/headscale/index.md index 2fa1fd81c6..5cad73276e 100644 --- a/website/integrations/networking/headscale/index.md +++ b/website/integrations/networking/headscale/index.md @@ -4,6 +4,8 @@ sidebar_label: Headscale support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Headscale? > Headscale is an open source alternative to the Tailscale coordination server and can be self-hosted for a single tailnet. Headscale is a re-implemented version of the Tailscale coordination server, developed independently and completely separate from Tailscale, with its own independent community of users and developers. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Headscale with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of Headscale with authentik, you need to create an ap - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://headscale.company/oidc/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://headscale.company/oidc/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/networking/hoop.dev/index.md b/website/integrations/networking/hoop.dev/index.md index c8307cd3fd..679e85679d 100644 --- a/website/integrations/networking/hoop.dev/index.md +++ b/website/integrations/networking/hoop.dev/index.md @@ -4,6 +4,8 @@ sidebar_label: Hoop.dev support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Hoop.dev? > Hoop.dev is an access gateway for databases and servers with AI-powered automations that eliminate cumbersome access policies and break-glass workflows without compromising security. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Hoop.dev with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of Hoop.dev with authentik, you need to create an app - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://hoop.company/api/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://hoop.company/api/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/networking/netbird/index.mdx b/website/integrations/networking/netbird/index.mdx index 1ae5d51621..4ce088796e 100644 --- a/website/integrations/networking/netbird/index.mdx +++ b/website/integrations/networking/netbird/index.mdx @@ -4,6 +4,7 @@ sidebar_label: NetBird support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; @@ -41,6 +42,8 @@ NetBird can use authentik in two ways: ## authentik configuration + + To support adding authentik as an external identity provider in NetBird, you need to create an application/provider pair and application entitlements in authentik. ### Create an application and provider in authentik @@ -80,7 +83,7 @@ Name each entitlement exactly as the NetBird group value that NetBird should syn - **Issuer**: `https://authentik.company/application/o//` 4. Copy the redirect URL shown by NetBird. Do not complete the provider setup yet. 5. Return to authentik, navigate to **Applications** > **Providers**, and edit the NetBird provider. -6. Under **Redirect URIs/Origins**, add the redirect URL from NetBird as a `Strict` redirect. +6. Under **Redirect URIs/Origins**, add the redirect URL from NetBird as a `Strict` `Authorization` redirect. 7. Click **Update**. 8. Return to NetBird and complete the identity provider setup. @@ -109,8 +112,8 @@ To support replacing NetBird's embedded IdP with authentik, you need to create a - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** value because it will be required later. - Set **Client type** to `Public`. - - Add a `Strict` redirect URI to `http://localhost:53000`. - - Add a `Regex` redirect URI to `https://netbird.company/.*`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `http://localhost:53000`. + - Add a **Redirect URI** of type `Regex` `Authorization` as `https://netbird.company/.*`. - Select any available signing key. - Under **Advanced protocol settings**, set **Access Code Validity** to `minutes=10`. - Under **Advanced protocol settings**, set **Subject Mode** to `Based on the User's ID`. diff --git a/website/integrations/networking/pangolin/index.mdx b/website/integrations/networking/pangolin/index.mdx index 1b9c1f9d9c..c25c233df5 100644 --- a/website/integrations/networking/pangolin/index.mdx +++ b/website/integrations/networking/pangolin/index.mdx @@ -4,6 +4,8 @@ sidebar_label: Pangolin support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is Pangolin? > Pangolin is a self-hosted tunneled reverse proxy server with identity and access control, designed to securely expose private resources on distributed networks. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Pangolin with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of Pangolin with authentik, you need to create an app - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, and **Client Secret** values because they will be required later. - - Temporarily set **Redirect URI** to `https://temp.temp`. + - Temporarily add a **Redirect URI** of type `Strict` `Authorization` as `https://temp.temp`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. @@ -61,7 +65,7 @@ To support the integration of Pangolin with authentik, you need to create an app 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers** and click the **Edit** icon of the newly created Pangolin provider. -3. Set the **Redirect URI** to the value taken from Pangolin (e.g. `https://pangolin.company/auth/idp//oidc/callback`). +3. Add a **Redirect URI** of type `Strict` `Authorization` as the value taken from Pangolin (e.g. `https://pangolin.company/auth/idp//oidc/callback`). 4. Click **Update**. ## Configuration verification diff --git a/website/integrations/networking/tailscale/index.md b/website/integrations/networking/tailscale/index.md index 3df0c2dd67..859640e4a6 100644 --- a/website/integrations/networking/tailscale/index.md +++ b/website/integrations/networking/tailscale/index.md @@ -4,6 +4,8 @@ sidebar_label: Tailscale support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Tailscale? > Tailscale is a mesh VPN service that creates secure, encrypted, peer-to-peer connections between devices across different networks using the WireGuard protocol. @@ -42,6 +44,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Tailscale with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -52,7 +56,7 @@ To support the integration of Tailscale with authentik, you need to create an ap - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to `https://login.tailscale.com/a/oauth_response`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://login.tailscale.com/a/oauth_response`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/networking/technitium/index.md b/website/integrations/networking/technitium/index.md index c34f85e40d..698b8b630f 100644 --- a/website/integrations/networking/technitium/index.md +++ b/website/integrations/networking/technitium/index.md @@ -4,6 +4,8 @@ sidebar_label: Technitium DNS support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Technitium DNS? > Technitium DNS Server is a free, open source, cross-platform, authoritative and recursive DNS server that can be self-hosted for privacy and security, software development, and testing on small to medium-sized networks. @@ -25,6 +27,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Technitium DNS with authentik, you need to create a scope mapping, an application/provider pair, and application entitlements in authentik. ### Create a scope mapping in authentik @@ -59,7 +63,7 @@ Technitium DNS uses the `roles` claim to map SSO users to local groups. Create a - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - Set **Client type** to `Confidential`. - - Set a `Strict` redirect URI to `https://technitium.company/sso/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://technitium.company/sso/callback`. - Select any available signing key. - Ensure that the `openid`, `email`, and `profile` scopes are selected. Remove the `email` scope if you prefer usernames to use the preferred username claim instead of the email address. - Under **Advanced protocol settings** > **Selected Scopes**, add the scope mapping that you created in the previous section. diff --git a/website/integrations/platforms/budibase/index.md b/website/integrations/platforms/budibase/index.md index 693a7d7ac0..d2a45e6c0e 100644 --- a/website/integrations/platforms/budibase/index.md +++ b/website/integrations/platforms/budibase/index.md @@ -4,6 +4,8 @@ sidebar_label: Budibase support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Budibase? > Budibase is an open source low-code platform, and the easiest way to build internal tools that improve productivity. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Budibase with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of Budibase with authentik, you need to create an app - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://budibase.company/api/global/auth/oidc/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://budibase.company/api/global/auth/oidc/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/platforms/drupal/index.md b/website/integrations/platforms/drupal/index.md index 0afc315b4c..89d4b8b05e 100644 --- a/website/integrations/platforms/drupal/index.md +++ b/website/integrations/platforms/drupal/index.md @@ -4,6 +4,8 @@ sidebar_label: Drupal support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Drupal? > Drupal is a free and open-source content management system written in PHP and @@ -28,6 +30,8 @@ There are many different modules for Drupal that allow you to set up SSO using d ## authentik configuration + + To support the integration of Drupal with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -38,7 +42,7 @@ To support the integration of Drupal with authentik, you need to create an appli - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. The **slug** will be used in URLs and should match the `drupal-slug` placeholder defined earlier. - **Choose a Provider type**: select **OAuth2/OpenID Provider** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), and configure the following required settings: - - Add the following **Redirect URI**: `https://drupal.company/openid-connect/generic` + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://drupal.company/openid-connect/generic`. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. 3. Click **Submit** to save the new application and provider. diff --git a/website/integrations/platforms/personio/index.md b/website/integrations/platforms/personio/index.md index 74b89535d1..62506db268 100644 --- a/website/integrations/platforms/personio/index.md +++ b/website/integrations/platforms/personio/index.md @@ -4,6 +4,8 @@ sidebar_label: Personio support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Personio? > Personio is an HR software platform for managing core HR processes such as recruiting, onboarding, payroll, time tracking, and performance management. @@ -22,6 +24,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Personio with authentik, you need to create an application/provider pair in authentik. ### Copy the Personio callback URL @@ -40,7 +44,7 @@ To support the integration of Personio with authentik, you need to create an app - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - Set the **Client type** to `Confidential`. - - Add two `Strict` redirect URIs: + - Add two **Redirect URIs** of type `Strict` `Authorization`: - The **Callback URLs/Redirect URIs** value from Personio. - `https://login.personio.com/login/callback` - Select any available signing key. diff --git a/website/integrations/platforms/pocketbase/index.md b/website/integrations/platforms/pocketbase/index.md index 747e5bbbca..643fd453e5 100644 --- a/website/integrations/platforms/pocketbase/index.md +++ b/website/integrations/platforms/pocketbase/index.md @@ -4,6 +4,8 @@ sidebar_label: PocketBase support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is PocketBase? > PocketBase is an open source backend consisting of an embedded SQLite database, realtime subscriptions, built-in auth management, a dashboard UI, and a REST-like API. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of PocketBase with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -33,7 +37,7 @@ To support the integration of PocketBase with authentik, you need to create an a - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to `https://pocketbase.company/api/oauth2-redirect`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://pocketbase.company/api/oauth2-redirect`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/platforms/wordpress/index.md b/website/integrations/platforms/wordpress/index.md index 9f9ea62820..8eb025e5e1 100644 --- a/website/integrations/platforms/wordpress/index.md +++ b/website/integrations/platforms/wordpress/index.md @@ -4,6 +4,8 @@ sidebar_label: WordPress support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is WordPress? > WordPress is an open source publishing platform used to create websites, blogs, and other web content. @@ -27,6 +29,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of WordPress with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider @@ -37,7 +41,7 @@ To support the integration of WordPress with authentik, you need to create an ap - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and application **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://wp.company/wp-admin/admin-ajax.php?action=openid-connect-authorize`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://wp.company/wp-admin/admin-ajax.php?action=openid-connect-authorize`. - Select any available signing key. - Under **Advanced protocol settings** > **Scopes**, add `authentik default OAuth Mapping: OpenID 'offline_access'` to the **Selected Scopes** list. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/security/1password/index.mdx b/website/integrations/security/1password/index.mdx index 18d81c8f8e..bae482d09f 100644 --- a/website/integrations/security/1password/index.mdx +++ b/website/integrations/security/1password/index.mdx @@ -4,6 +4,8 @@ sidebar_label: 1Password support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is 1Password? > 1Password is a password management tool that simplifies the process of creating, storing, and sharing passwords. It allows you to create strong, unique passwords, securely store them in a vault, and automatically fill them in when needed. @@ -24,6 +26,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of 1Password with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -35,7 +39,7 @@ To support the integration of 1Password with authentik, you need to create an ap - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Set **Client Type** to `Public`. - Note the **Client ID** and **slug** values because they will be required later. - - Add two `Strict` redirect URIs and set them to `https://your-domain.1password.com/sso/oidc/redirect/` and `onepassword://sso/oidc/redirect`. + - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://your-domain.1password.com/sso/oidc/redirect/` and `onepassword://sso/oidc/redirect`. - Select any available **Signing Key**. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. If you add a SCIM provider as a backchannel provider later, only users who can view this application are synchronized. diff --git a/website/integrations/security/bitwarden/index.mdx b/website/integrations/security/bitwarden/index.mdx index 10bde10045..9ec8306744 100644 --- a/website/integrations/security/bitwarden/index.mdx +++ b/website/integrations/security/bitwarden/index.mdx @@ -4,6 +4,7 @@ sidebar_label: Bitwarden support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; import SAMLProvider20265Warning from "../../_saml-provider-2026-5-warning.mdx"; import TabItem from "@theme/TabItem"; import Tabs from "@theme/Tabs"; @@ -43,6 +44,8 @@ You can configure Bitwarden to use either OIDC or SAML; this guide explains both ## authentik configuration + + To support the integration of Bitwarden with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -55,14 +58,14 @@ To support the integration of Bitwarden with authentik, you need to create an ap - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - Add the redirect URIs for your Bitwarden deployment: - For Bitwarden Cloud US: - - Set a `Strict` `Authorization` redirect URI to `https://sso.bitwarden.com/oidc-signin`. - - Set a `Strict` `Post Logout` redirect URI to `https://sso.bitwarden.com/oidc-signedout`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://sso.bitwarden.com/oidc-signin`. + - Add a **Redirect URI** of type `Strict` `Post Logout` as `https://sso.bitwarden.com/oidc-signedout`. - For Bitwarden Cloud EU: - - Set a `Strict` `Authorization` redirect URI to `https://sso.bitwarden.eu/oidc-signin`. - - Set a `Strict` `Post Logout` redirect URI to `https://sso.bitwarden.eu/oidc-signedout`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://sso.bitwarden.eu/oidc-signin`. + - Add a **Redirect URI** of type `Strict` `Post Logout` as `https://sso.bitwarden.eu/oidc-signedout`. - For self-hosted Bitwarden: - - Set a `Strict` `Authorization` redirect URI to `https://bitwarden.company/sso/oidc-signin`. - - Set a `Strict` `Post Logout` redirect URI to `https://bitwarden.company/sso/oidc-signedout`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://bitwarden.company/sso/oidc-signin`. + - Add a **Redirect URI** of type `Strict` `Post Logout` as `https://bitwarden.company/sso/oidc-signedout`. - Select any available **Signing Key**. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. diff --git a/website/integrations/security/cloudflare-access/index.md b/website/integrations/security/cloudflare-access/index.md index bbd635f768..61e736c569 100644 --- a/website/integrations/security/cloudflare-access/index.md +++ b/website/integrations/security/cloudflare-access/index.md @@ -4,6 +4,8 @@ sidebar_label: Cloudflare Access support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Cloudflare Access? > Cloudflare Access is a secure, cloud-based zero-trust solution for managing and authenticating user access to internal applications and resources. @@ -29,6 +31,8 @@ Looking to integrate authentik with your Cloudflare Dashboard? See our [integrat ## authentik configuration + + To support the integration of Cloudflare Access with authentik, you need to create an application/provider pair in authentik. Cloudflare uses your Cloudflare Access team name in the callback URL. You can find the team name in the Cloudflare dashboard under **Settings** > **Team name and domain** > **Team name**. @@ -41,7 +45,7 @@ Cloudflare uses your Cloudflare Access team name in the callback URL. You can fi - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Add one `Strict` redirect URI and set it to `https://company.cloudflareaccess.com/cdn-cgi/access/callback`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://company.cloudflareaccess.com/cdn-cgi/access/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. 3. Click **Submit** to save the new application and provider. diff --git a/website/integrations/security/hashicorp-vault/index.md b/website/integrations/security/hashicorp-vault/index.md index f31df5dab4..9f14ceac9c 100644 --- a/website/integrations/security/hashicorp-vault/index.md +++ b/website/integrations/security/hashicorp-vault/index.md @@ -4,6 +4,8 @@ sidebar_label: HashiCorp Vault support_level: authentik --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is HashiCorp Vault? > HashiCorp Vault secures, stores, and controls access to tokens, passwords, certificates, encryption keys, and other sensitive data. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of HashiCorp Vault with authentik, you need to create an application and provider pair in authentik. ### Create an application and provider @@ -33,7 +37,7 @@ To support the integration of HashiCorp Vault with authentik, you need to create - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set two `Strict` redirect URIs to `https://vault.company/ui/vault/auth/oidc/oidc/callback` and `http://localhost:8250/oidc/callback`. + - Add two **Redirect URIs** of type `Strict` `Authorization` as `https://vault.company/ui/vault/auth/oidc/oidc/callback` and `http://localhost:8250/oidc/callback`. - Select any available signing key. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page. 3. Click **Submit** to save the new application and provider. diff --git a/website/integrations/security/vaultwarden/index.md b/website/integrations/security/vaultwarden/index.md index a039ae91e5..9b588144d8 100644 --- a/website/integrations/security/vaultwarden/index.md +++ b/website/integrations/security/vaultwarden/index.md @@ -4,6 +4,8 @@ sidebar_label: Vaultwarden support_level: community --- +import RedirectURI20265Note from "../../\_redirect-uri-2026-5-note.mdx"; + ## What is Vaultwarden? > Vaultwarden is an alternative server implementation of the Bitwarden Client API, written in Rust and compatible with official Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. @@ -23,6 +25,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of Vaultwarden with authentik, you need to create an application/provider pair in authentik. ### Create custom scope mapping @@ -53,7 +57,7 @@ Vaultwarden requires the email scope to return either `email_verified: True` or - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - - Set a `Strict` redirect URI to `https://vaultwarden.company/identity/connect/oidc-signin`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://vaultwarden.company/identity/connect/oidc-signin`. - Select any available signing key. - Under **Advanced protocol settings**: - Set **Access token validity** to more than 5 minutes. diff --git a/website/integrations/security/xcreds/index.mdx b/website/integrations/security/xcreds/index.mdx index 81be6f33d9..baaf24a556 100644 --- a/website/integrations/security/xcreds/index.mdx +++ b/website/integrations/security/xcreds/index.mdx @@ -4,6 +4,8 @@ sidebar_label: XCreds support_level: community --- +import RedirectURI20265Note from "../../_redirect-uri-2026-5-note.mdx"; + ## What is XCreds? > XCreds is an open source project for synchronizing IdP passwords with macOS login passwords. XCreds replaces the macOS login window to provide authentication to the cloud provider; a user enters their cloud password for authentication and XCreds keeps the local Mac password synchronized with the cloud password. @@ -26,6 +28,8 @@ This documentation lists only the settings that you need to change from their de ## authentik configuration + + To support the integration of XCreds with authentik, you need to create an application/provider pair in authentik. ### Create an application and provider in authentik @@ -36,7 +40,7 @@ To support the integration of XCreds with authentik, you need to create an appli - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type. - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID** and **Client Secret** values because they will be required later. - - Set a `Strict` redirect URI to `https://127.0.0.1/xcreds`. + - Add a **Redirect URI** of type `Strict` `Authorization` as `https://127.0.0.1/xcreds`. - Select any available signing key. - Under **Advanced protocol settings**, add `authentik default OAuth Mapping: OpenID 'offline_access'` to **Selected Scopes**. - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **Application Dashboard** page.