mirror of
https://github.com/goauthentik/authentik.git
synced 2026-06-17 19:09:11 +03:00
website/docs: release notes for 2026.5.0 (#21997)
* begin release
* add notes from meeting
* Update website/docs/releases/2026/v2026.5.md
  Co-authored-by: Marcelo Elizeche Landó <marcelo@goauthentik.io>
  Signed-off-by: Connor Peshek <connor@connorpeshek.me>
* Update website/docs/releases/2026/v2026.5.md
  Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
  Signed-off-by: Connor Peshek <connor@connorpeshek.me>
* Update website/docs/releases/2026/v2026.5.md
  Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
  Signed-off-by: Connor Peshek <connor@connorpeshek.me>
* Update website/docs/releases/2026/v2026.5.md
  Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
  Signed-off-by: Connor Peshek <connor@connorpeshek.me>
* update release notes
* Flesh out UI improvements.
* Fix links.
* Update website/docs/releases/2026/v2026.5.md
  Co-authored-by: Dominic R <dominic@sdko.org>
  Signed-off-by: Connor Peshek <connor@connorpeshek.me>
* website/docs: update 2026.5 release notes
* website/docs: clarify account lockdown release note
* website/docs: add 2026.5 integration guides
* website/docs: add Anthropic integration guides
* website/docs: highlight GitHub Enterprise guide split
* website/docs: highlight integration entitlements migration
* website/docs: highlight Seerr integration rename
* website/docs: highlight Home Assistant OIDC guide update
* website/docs: add Splunk integration guide
* website/docs: highlight NetBird guide refresh
* website/docs: nest integration guide updates
* website/docs: credit integration guide updates
* website/docs: trim Seerr release note
* website/docs: simplify entitlements release note
* website/docs: clarify Home Assistant OIDC methods
* website/docs: add 2FA throttling release note
* website/docs: add tap-to-login release note
* website/docs: retitle hashed password imports
* website/docs: link feature notes to docs
* website/docs: correct Rust worker highlight
* website/docs: clarify Rust worker performance note
* website/docs: link Rust setup docs
* website/docs: apply release note style formatting
* website/docs: remove empty release note heading
* website/docs: fix release note spelling
* website/docs: fix authenticator validation link
* website/docs: use relative authenticator validation link
* website/docs: add integration guides to release notes
---------
Signed-off-by: Connor Peshek <connor@connorpeshek.me>
Co-authored-by: Marcelo Elizeche Landó <marcelo@goauthentik.io>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@sdko.org>
Co-authored-by: Dominic R <dominic@goauthentik.io>
@@ -25,7 +25,9 @@ Gravitee
|
||||
HACS
|
||||
Homarr
|
||||
Informatique
|
||||
Jellyseerr
|
||||
Kimai
|
||||
Kiota
|
||||
Knoc
|
||||
Knocknoc
|
||||
Komodo
|
||||
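Review bot: `Knoc` directly before `Knocknoc` looks like a fragment of the product name rather than a word in its own right, and allow-listing it means the spell checker will no longer flag a truncated `Knocknoc` anywhere in the docs. If it is needed for a single occurrence, prefer correcting or inline-ignoring that occurrence and keep only `Knocknoc` in the list.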
@@ -51,6 +53,7 @@ Plesk
|
||||
proftpd
|
||||
Qube
|
||||
Relatedly
|
||||
Seerr
|
||||
Sidero
|
||||
snipeit
|
||||
sonarqube
|
||||
@@ -62,7 +65,6 @@ Vikunja
|
||||
Wazuh
|
||||
Wdio
|
||||
Weixin
|
||||
Kiota
|
||||
Wekan
|
||||
Xcreds
|
||||
Zammad
|
||||
|
||||
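Review bot: `Kiota` between `Weixin` and `Wekan` is out of alphabetical order, and the same word already sits in sorted position after `Kimai` in the first hunk. The `-62,7 +65,6` counts show one line leaving this hunk, so confirm it is this stray `Kiota` and that no other duplicates remain; a sorted-and-unique check on the word list in CI would catch this class of drift.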
@@ -1,11 +1,17 @@
|
||||
---
|
||||
title: Release 2026.5
|
||||
slug: "/releases/2026.5"
|
||||
draft: true
|
||||
beta: true
|
||||
---
|
||||
|
||||
## Highlights
|
||||
|
||||
- **Account Lockdown**: :ak-enterprise A new panic button for compromised accounts that can immediately cut off access, revoke tokens, end sessions, and leave an audit trail.
|
||||
- **Fleet Conditional Access**: :ak-enterprise authentik can now verify user devices using Fleet certificates via the Fleet Connector and an mTLS stage, without the authentik agent.
|
||||
- **`AKQL` is now open source**: The `AKQL` search query language for logs and users, previously enterprise-only, is now free for everyone to use.
|
||||
- **Command Palette and wizard upgrades**: A new `Cmd + K` command palette to search the authentik UI, alongside reworked wizards including a new user creation wizard, improved binding wizard, and new invitation wizard.
|
||||
- **Performance improvements**: The new Rust worker entrypoint drops memory usage by approximately 200 MB per worker container, opens one fewer PostgreSQL connection per worker, and makes the Admin interface less resource-intensive through lazy-loaded modals.
|
||||
|
||||
## Breaking changes
|
||||
|
||||
### Listening on multiple IPs
|
||||
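Review bot: in the "Performance improvements" highlight, the sentence makes the Rust worker entrypoint the subject of "makes the Admin interface less resource-intensive through lazy-loaded modals", but the detailed section later in this file describes lazy-loaded modals as a separate browser-side change. Split the bullet into two sentences so the memory and PostgreSQL connection savings are attributed to the Rust entrypoint and the modal change stands on its own. Also, the front matter carries both `draft: true` and `beta: true`; for a commit titled as the 2026.5.0 release notes, confirm `draft: true` is still intended.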
@@ -14,6 +20,133 @@ For advanced use cases, authentik now supports setting listening settings to a c
|
||||
|
||||
## New features and improvements
|
||||
|
||||
### Account Lockdown: :ak-enterprise
|
||||
|
||||
Account Lockdown gives administrators and users a panic button to secure an account when compromise is suspected. From the Admin interface, an administrator can lock down a user directly from their detail page; users can also lock down their own account from **Settings** if they no longer trust their password or active sessions.
|
||||
|
||||
A lockdown can deactivate the account, invalidate the local authentik password, terminate active sessions, revoke API/app/recovery/verification/OAuth tokens and grants, and record the reason in the audit log. authentik includes a packaged blueprint with warnings, reason collection, and completion messages so teams can get started quickly and customize the experience where needed.
|
||||
|
||||
For setup details, refer to the [Account Lockdown documentation](../../security/account-lockdown.md).
|
||||
|
||||
### Command Palette
|
||||
|
||||
The new command palette lets you quickly navigate authentik without clicking through menus. Press `Cmd + K` (or `Ctrl + K` on Windows and Linux) from anywhere in the UI to open it, then start typing to jump to a page, run an action, or look up a user. You can also use `Cmd/Ctrl + /` to jump straight into search, or `Cmd/Ctrl + Shift + K` to open directly to the actions list.
|
||||
|
||||
Results are grouped by category, including pages within authentik, users, and documentation searches that open on docs.goauthentik.io. The palette is designed to make routine admin tasks faster — useful when you know what you want to do but don't want to hunt for the right menu.
|
||||
|
||||
### Fleet Conditional Access: :ak-enterprise
|
||||
|
||||
authentik can now verify user devices based on their Fleet certificates without requiring the authentik agent, using the Fleet Connector together with an mTLS stage. For details, refer to the [Fleet Conditional Access documentation](../../endpoint-devices/device-compliance/fleet-conditional-access.md).
|
||||
|
||||
### Tap-to-login Secure Enclave support: :ak-enterprise
|
||||
|
||||
[Endpoint Devices](../../endpoint-devices/index.mdx) now support independent Secure Enclave keys for tap-to-login. This allows iPhone and Apple Watch credentials to be bound directly to a user, so tap-to-login can work without first pairing the credential to a specific endpoint device.
|
||||
|
||||
### WebAuthn Client Hints support
|
||||
|
||||
The WebAuthn Stage now supports the `hints` parameter from the [WebAuthn Level 3 spec](https://www.w3.org/TR/webauthn-3/#enum-hints). Admins can configure one or more hints (`security-key`, `client-device`, or `hybrid`) to tell the browser which authenticator type to expect. The browser uses this to skip straight to the relevant selection UI during passkey registration and authentication, reducing friction especially in enterprise deployments where security keys are mandatory.
|
||||
|
||||
Keep in mind that hints are advisory — they only affect the browser UI, not policy. Authenticator type requirements still need to be enforced server-side.
|
||||
|
||||
### 2FA attempt throttling
|
||||
|
||||
The [Authenticator Validation stage](../../add-secure-apps/flows-stages/stages/authenticator_validate/index.md) can now throttle repeated failed attempts for email and SMS OTP devices, extending the same brute-force protection already available for TOTP and static authenticators. Admins can tune throttling behavior to slow down repeated guessing attempts without changing the user's login flow.
|
||||
|
||||
### Import hashed passwords
|
||||
|
||||
authentik can now bootstrap and import users with pre-hashed Django passwords, making automated installs and migrations safer by avoiding plaintext passwords in deployment workflows.
|
||||
|
||||
Use [`AUTHENTIK_BOOTSTRAP_PASSWORD_HASH`](../../install-config/automated-install.mdx#authentik_bootstrap_password_hash) for the initial `akadmin` password, generate hashes with the new `hash_password` command, or import hashes later through blueprints and the user password-hash API.
|
||||
|
||||
Hashed-password imports update authentik's local password verifier only. Because authentik never receives the raw password, these imports are not written back to LDAP or Kerberos sources.
|
||||
|
||||
### `AKQL` is now open source
|
||||
|
||||
The `AKQL` search query language was previously an enterprise-only feature for [querying logs](../../sys-mgmt/events/logging-events.mdx#advanced-queries) and [users](../../users-sources/user/user_basic_operations.md#advanced-queries). `AKQL` is now free for everyone to use, allowing searches based on specific attributes such as `context.geo.country = "Germany"`.
|
||||
|
||||
### Improved UI and accessibility
|
||||
|
||||
Accessibility and user experience improvements have been made across the admin interface.
|
||||
|
||||
#### Form accessibility
|
||||
|
||||
Form labels have been updated to be more descriptive for screen readers, and now informing you of the full action that will be executed when the button is pressed. This change is being rolled out across the entire admin interface, starting with the most commonly used buttons and forms. These changes have all been reflected in the docs as well, helping to make authentik more accessible for all users.
|
||||
|
||||
#### Modal accessibility
|
||||
|
||||
In addition to general improvements to form accessibility, many of our modals now use the browser native `<dialog>` element, fixing several issues which prevented screen readers from properly traversing modal content. We'll be phasing out the remaining non-`<dialog>` modals over the next few releases to ensure a more consistent and accessible experience across the entire admin interface.
|
||||
|
||||
#### Wizard improvements
|
||||
|
||||
Wizards throughout authentik have been reworked to have fewer steps and cover of the most common use cases.
|
||||
|
||||
The invitation wizard in particular now makes it easy for administrators to send invites to new users. It guides admins through the process of configuring an invite system and sending the invites to users.
|
||||
|
||||
Service accounts are now created through the new user creation wizard, which has been reworked to be more intuitive and faster to use.
|
||||
|
||||
#### Mobile and tablet improvements
|
||||
|
||||
While authentik's admin interface is primarily designed for desktop use, we've made several improvements to make it more usable on mobile and tablet devices for those times when you need to make a quick change on the go.
|
||||
|
||||
#### Login improvements
|
||||
|
||||
The login flow has additional UI improvements to reduce friction and make it easier to use, including:
|
||||
|
||||
- An improved "Remember me" option that autofocuses the most appropriate input field based the presence of a username or password field.
|
||||
- Better error handling and messaging for failed login attempts, including more specific error messages for WebAuthn when authentication fails.
|
||||
- Additional mobile optimizations, such as better keyboard handling, field focus, and responsive design improvements to make the login flow easier to use on mobile and tablet devices.
|
||||
|
||||
### Small general improvements (SAML issuer, hide applications)
|
||||
|
||||
**SAML issuer**: authentik now automatically generates your SAML issuer URL. You can still override the default SAML issuer.
|
||||
|
||||
**Hide applications**: You can [hide applications](../../add-secure-apps/applications/manage_apps.mdx#hide-applications) from the **My applications** page for situations when a user needs access to an application that should not appear there.
|
||||
|
||||
:::info
|
||||
Before authentik 2026.5, an application was hidden by setting its **Launch URL** to `blank://blank`. Existing applications using that value are automatically migrated to using the **Hide from My applications** option upon upgrading.
|
||||
:::
|
||||
|
||||
### Performance improvements
|
||||
|
||||
The authentik worker now starts through a Rust entrypoint. Python still runs authentik's worker code, but the Rust process owns worker startup, health checks, metrics, and worker-status reporting. This removes an idle top-level Python process and has led to an approximately 200 MB drop in memory usage for a single worker container. If you're a developer, check the updated [Developer Docs](../../developer-docs/setup/full-dev-environment.mdx) to install Rust.
|
||||
|
||||
The worker status reporting change also uses one fewer PostgreSQL connection per worker, which should put less load on the database.
|
||||
|
||||
The Admin interface is also less resource-intensive in the browser due to lazy-loaded modals.
|
||||
|
||||
### OAuth2 configurable grant types
|
||||
|
||||
[OAuth2 providers](../../add-secure-apps/providers/oauth2/index.mdx#oauth-20-flows-and-grant-types) now have a **Grant Types** setting that lets admins explicitly choose which grant types a given provider may use. The available options are Authorization Code, Implicit, Hybrid, Refresh token, Client credentials, Password, and Device-code. Existing providers default to having all grant types enabled to preserve current behavior, but you can now disable any grant types you don't want a particular client to use — useful for tightening security on individual integrations and disabling legacy flows like Implicit or Password where they aren't needed.
|
||||
|
||||
### Google Chrome conditional access: :ak-enterprise
|
||||
|
||||
authentik now includes a [Google Device Trust connector](../../endpoint-devices/device-compliance/connectors/google-chrome.md) that integrates with Chrome Enterprise Device Trust via the Chrome Verified Access API. This lets authentik validate that a user's Chrome browser or ChromeOS device is compliant — for example, running an up-to-date version with security patches applied — and use that as a signal in conditional access flows. The connector is especially useful for BYOD environments and remote workforces where device compliance can't be assumed.
|
||||
|
||||
### New out-of-the-box experience
|
||||
|
||||
When setting up authentik for the first time, you will now automatically be redirected to the [initial-setup flow](../../install-config/first-steps/index.mdx) instead of having to manually go there to complete your authentik installation.
|
||||
|
||||
## New integration guides
|
||||
|
||||
An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added. A big thanks to our contributors!
|
||||
|
||||
- [Anthropic](https://integrations.goauthentik.io/platforms/anthropic/) (Thanks to @dominic-r)
|
||||
- [Anthropic Workload Identity Federation](https://integrations.goauthentik.io/platforms/anthropic-workload-identity-federation/) (Thanks to @dominic-r)
|
||||
- [Forgejo](https://integrations.goauthentik.io/development/forgejo/) (Thanks to @djagoo)
|
||||
- [OneUptime](https://integrations.goauthentik.io/monitoring/oneuptime/) (Thanks to @M-Slanec)
|
||||
- [PhotoPrism](https://integrations.goauthentik.io/media/photoprism/) (Thanks to @dominic-r)
|
||||
- [PostHog](https://integrations.goauthentik.io/monitoring/posthog/) (Thanks to @dominic-r)
|
||||
- [Splunk Enterprise](https://integrations.goauthentik.io/monitoring/splunk-enterprise/) (Thanks to @jhuesser)
|
||||
- [Technitium DNS](https://integrations.goauthentik.io/networking/technitium/) (Thanks to @scinca)
|
||||
|
||||
### Integration guide updates
|
||||
|
||||
- The GitHub Enterprise integration docs were revamped and split into dedicated guides for [GitHub Enterprise Cloud](https://integrations.goauthentik.io/development/ghec/), [GitHub Enterprise Managed Users](https://integrations.goauthentik.io/development/ghec-emu/), and [GitHub Enterprise Server](https://integrations.goauthentik.io/development/ghes/), making it easier to pick the right SAML and SCIM setup path. (Thanks to @dominic-r)
|
||||
- Integration guides that configure application-side roles and permissions now use [authentik Application Entitlements](../../add-secure-apps/applications/manage_apps.mdx#application-entitlements), giving admins a more consistent pattern for mapping access. (Thanks to @dominic-r)
|
||||
- The Jellyseerr integration guide was updated for the project's move to [Seerr](https://integrations.goauthentik.io/media/seerr/). (Thanks to @BreizhHardware)
|
||||
- The [Home Assistant](https://integrations.goauthentik.io/miscellaneous/home-assistant/) guide now covers both supported community OIDC integrations, `christiaangoossens/hass-oidc-auth` and `cavefire/hass-openid`, with UI and YAML setup options. (Thanks to @christiaangoossens)
|
||||
- The [NetBird](https://integrations.goauthentik.io/networking/netbird/) guide was refreshed to match NetBird's current authentik provider setup, with separate paths for adding authentik as an external identity provider or fully replacing NetBird's embedded IdP. (Thanks to @dominic-r)
|
||||
|
||||
## Upgrading
|
||||
|
||||
This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx).
|
||||
|
||||
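Review bot: three sentences under "Improved UI and accessibility" have dropped or wrong words. In "Form accessibility", "and now informing you of the full action" should read "and now inform you"; in "Wizard improvements", "cover of the most common use cases" is missing a word (for example "cover more of"); in "Login improvements", "based the presence of a username or password field" needs "based on". Separately, several headings end in a colon before the badge ("### Account Lockdown: :ak-enterprise") while the Highlights bullets place the badge after the bold label without one; pick one form so the rendered headings and anchors are consistent.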