root: Python 3.14 (#17313)

* root: Python 3.14

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update pydantic

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* bump kadmin

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add krb5 stuff to compile on macos?

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* re-lock

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* trigger build

* lock uv

* bump to 3.14.2

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* output container logs if it failed to start

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* relock

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* target black and ruff to python 3.14

* upgrade pydatic from 2.11.7 to 2.12.5

* revert ruff to python 3.13 ruff checks

* bump docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix makefile

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Marcelo Elizeche Landó <marcelo@goauthentik.io>
Co-authored-by: Marcelo Elizeche Landó <marcelo@goauthentik.io>

Makefile

@@ -20,26 +20,35 @@ GEN_API_TS = gen-ts-api
 GEN_API_PY = gen-py-api
 GEN_API_GO = gen-go-api
 
-pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
-pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
-pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)
+BREW_LDFLAGS :=
+BREW_CPPFLAGS :=
+BREW_PKG_CONFIG_PATH :=
 
 # For macOS users, add the libxml2 installed from brew libxmlsec1 to the build path
 # to prevent SAML-related tests from failing and ensure correct pip dependency compilation
-# These functions are only evaluated when called in specific targets
-LIBXML2_EXISTS = $(shell brew list libxml2 2> /dev/null)
-KRB5_EXISTS = $(shell brew list krb5 2> /dev/null)
-
-LIBXML2_LDFLAGS = -L$(shell brew --prefix libxml2)/lib $(LDFLAGS)
-LIBXML2_CPPFLAGS = -I$(shell brew --prefix libxml2)/include $(CPPFLAGS)
-LIBXML2_PKG_CONFIG = $(shell brew --prefix libxml2)/lib/pkgconfig:$(PKG_CONFIG_PATH)
-
-KRB_PATH =
-
-ifneq ($(KRB5_EXISTS),)
-	KRB_PATH = PATH="$(shell brew --prefix krb5)/sbin:$(shell brew --prefix krb5)/bin:$$PATH"
+ifeq ($(UNAME_S),Darwin)
+# Only add for brew users who installed libxmlsec1
+	BREW_EXISTS := $(shell command -v brew 2> /dev/null)
+	ifdef BREW_EXISTS
+		LIBXML2_EXISTS := $(shell brew list libxml2 2> /dev/null)
+		ifdef LIBXML2_EXISTS
+			_xml_pref := $(shell brew --prefix libxml2)
+			BREW_LDFLAGS += -L${_xml_pref}/lib $(LDFLAGS)
+			BREW_CPPFLAGS += -I${_xml_pref}/include $(CPPFLAGS)
+			BREW_PKG_CONFIG_PATH += ${_xml_pref}/lib/pkgconfig:$(PKG_CONFIG_PATH)
+		endif
+		KRB5_EXISTS := $(shell brew list krb5 2> /dev/null)
+		ifdef KRB5_EXISTS
+			_krb5_pref := $(shell brew --prefix krb5)
+			BREW_LDFLAGS += -L${_krb5_pref}/lib $(LDFLAGS)
+			BREW_CPPFLAGS += -I${_krb5_pref}/include $(CPPFLAGS)
+			BREW_PKG_CONFIG_PATH += ${_krb5_pref}/lib/pkgconfig:$(PKG_CONFIG_PATH)
+		endif
+	endif
 endif
 
+UV_ARGS := LDFLAGS="$(BREW_LDFLAGS)" CPPFLAGS="$(BREW_CPPFLAGS)" PKG_CONFIG_PATH="$(BREW_PKG_CONFIG_PATH)"
+
 all: lint-fix lint gen web test  ## Lint, build, and test everything
 
 HELP_WIDTH := $(shell grep -h '^[a-z][^ ]*:.*\#\#' $(MAKEFILE_LIST) 2>/dev/null | \
@@ -72,11 +81,11 @@ lint: ## Lint the python and golang sources
 	golangci-lint run -v
 
 core-install:
-ifneq ($(LIBXML2_EXISTS),)
+ifeq ($(UNAME_S),Darwin)
 # Clear cache to ensure fresh compilation
 	uv cache clean
 # Force compilation from source for lxml and xmlsec with correct environment
-	LDFLAGS="$(LIBXML2_LDFLAGS)" CPPFLAGS="$(LIBXML2_CPPFLAGS)" PKG_CONFIG_PATH="$(LIBXML2_PKG_CONFIG)" uv sync --frozen --reinstall-package lxml --reinstall-package xmlsec --no-binary-package lxml --no-binary-package xmlsec
+	$(UV_ARGS) uv sync --frozen --reinstall-package lxml --reinstall-package xmlsec --no-binary-package lxml --no-binary-package xmlsec
 else
 	uv sync --frozen
 endif
@@ -109,11 +118,17 @@ core-i18n-extract:
 install: node-install docs-install core-install  ## Install all requires dependencies for `node`, `docs` and `core`
 
 dev-drop-db:
+	$(eval pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null))
+	$(eval pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null))
+	$(eval pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null))
 	dropdb -U ${pg_user} -h ${pg_host} ${pg_name} || true
 	# Also remove the test-db if it exists
 	dropdb -U ${pg_user} -h ${pg_host} test_${pg_name} || true
 
 dev-create-db:
+	$(eval pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null))
+	$(eval pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null))
+	$(eval pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null))
 	createdb -U ${pg_user} -h ${pg_host} ${pg_name}
 
 dev-reset: dev-drop-db dev-create-db migrate  ## Drop and restore the Authentik PostgreSQL instance to a "fresh install" state.

lifecycle/container/Dockerfile

@@ -78,7 +78,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
 # Stage 4: Download uv
 FROM ghcr.io/astral-sh/uv:0.9.18@sha256:5713fa8217f92b80223bc83aac7db36ec80a84437dbc0d04bbc659cae030d8c9 AS uv
 # Stage 5: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.9-slim-trixie-fips@sha256:700fc8c1e290bd14e5eaca50b1d8e8c748c820010559cbfb4c4f8dfbe2c4c9ff AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.14.2-slim-trixie-fips@sha256:46c0658052e43ad303da39e461ad106c499a03fabd3512d05ff586e506507242 AS python-base
 
 ENV VENV_PATH="/ak-root/.venv" \
     PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \

packages/django-channels-postgres/pyproject.toml

@@ -2,7 +2,7 @@
 name = "django-channels-postgres"
 version = "0.1.0"
 description = "Django channels layer using PostgreSQL NOTIFY/LISTEN"
-requires-python = ">=3.9,<3.14"
+requires-python = ">=3.9,<3.15"
 readme = "README.md"
 license = "MIT"
 authors = [{ name = "Authentik Security Inc.", email = "hello@goauthentik.io" }]
@@ -25,6 +25,7 @@ classifiers = [
   "Programming Language :: Python :: 3.11",
   "Programming Language :: Python :: 3.12",
   "Programming Language :: Python :: 3.13",
+  "Programming Language :: Python :: 3.14",
   "Programming Language :: Python",
   "Topic :: Software Development :: Libraries :: Python Modules",
   "Typing :: Typed",

packages/django-dramatiq-postgres/pyproject.toml

@@ -2,7 +2,7 @@
 name = "django-dramatiq-postgres"
 version = "0.1.0"
 description = "Django and Dramatiq integration with postgres-specific features"
-requires-python = ">=3.9,<3.14"
+requires-python = ">=3.9,<3.15"
 readme = "README.md"
 license = "MIT"
 authors = [{ name = "Authentik Security Inc.", email = "hello@goauthentik.io" }]
@@ -25,6 +25,7 @@ classifiers = [
   "Programming Language :: Python :: 3.11",
   "Programming Language :: Python :: 3.12",
   "Programming Language :: Python :: 3.13",
+  "Programming Language :: Python :: 3.14",
   "Programming Language :: Python",
   "Topic :: Software Development :: Libraries :: Python Modules",
   "Typing :: Typed",

packages/django-postgres-cache/pyproject.toml

@@ -2,7 +2,7 @@
 name = "django-postgres-cache"
 version = "0.1.0"
 description = "Improved Django Postgres Cache"
-requires-python = ">=3.9,<3.14"
+requires-python = ">=3.9,<3.15"
 readme = "README.md"
 license = "MIT"
 authors = [{ name = "Authentik Security Inc.", email = "hello@goauthentik.io" }]
@@ -25,6 +25,7 @@ classifiers = [
   "Programming Language :: Python :: 3.11",
   "Programming Language :: Python :: 3.12",
   "Programming Language :: Python :: 3.13",
+  "Programming Language :: Python :: 3.14",
   "Programming Language :: Python",
   "Topic :: Software Development :: Libraries :: Python Modules",
 ]

pyproject.toml

@@ -3,7 +3,7 @@ name = "authentik"
 version = "2026.2.0-rc1"
 description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
-requires-python = "==3.13.*"
+requires-python = "==3.14.*"
 dependencies = [
   "ak-guardian==3.2.0",
   "argon2-cffi==25.1.0",
@@ -180,7 +180,7 @@ ignore-words = ".github/codespell-words.txt"
 
 [tool.black]
 line-length = 100
-target-version = ['py313']
+target-version = ['py314']
 exclude = 'node_modules'
 
 [tool.ruff]

tests/e2e/utils.py

@@ -102,6 +102,7 @@ class DockerTestCase(TestCase):
             sleep(1)
             attempt += 1
             if attempt >= self.max_healthcheck_attempts:
+                self.output_container_logs(container)
                 raise self.failureException("Container failed to start")
 
     def get_container_image(self, base: str) -> str:

website/docs/developer-docs/contributing.md

@@ -185,7 +185,7 @@ While the prerequisites above must be satisfied prior to having your pull reques
 
 All Python code is linted with [black](https://black.readthedocs.io/en/stable/) and [Ruff](https://docs.astral.sh/ruff).
 
-authentik runs on Python 3.13 at the time of writing this.
+authentik runs on Python 3.14 at the time of writing this.
 
 - Use native type-annotations wherever possible.
 - Add meaningful docstrings when possible.

website/docs/developer-docs/setup/full-dev-environment.mdx

@@ -16,7 +16,7 @@ import Tabs from "@theme/Tabs";
 
 Before you begin, ensure you have the following tools installed. You can run the [provided script](#3-installing-platform-specific-dependencies) below in **Installing platform-specific dependencies** to install these required tools.
 
-- [Python](https://www.python.org/) (3.13 or later)
+- [Python](https://www.python.org/) (3.14)
 - [uv](https://docs.astral.sh/uv/getting-started/installation/) (Latest stable release)
 - [Go](https://go.dev/) (1.24 or later)
 - [Node.js](https://nodejs.org/en) (24 or later)