* docs/integrations: Update docs to specify redirect uri of type authorization or post logout
* bold redirect uri
* improve wording
* update docs
* add banner for warning of redirect URIs
* Update website/integrations/_redirect-uri-2026-5-note.mdx
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
---------
Signed-off-by: Connor Peshek <connor@connorpeshek.me>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
* stages/captcha: add Cap and JSON verification support
Add a configurable verification request content type so CAPTCHA providers can use either form-encoded or JSON token verification.
Add Cap as a preset and flow controller, including module-script loading, interactive widget handling, generated API/client types, tests, and docs.
* web/admin: clarify Cap captcha configuration
Treat the Cap endpoint as a form-only alias for the existing public key field and document Cap alongside the other CAPTCHA providers.
Agent-thread: https://sdko.org/internal/threads/019e737a-314e-72d0-98ae-201cb855df3a
A7k-product: product
A7k-product-repo: 2
Co-authored-by: Agent <agent@svc.sdko.net>
* stages/captcha: prefer self-hosted Cap widget URL
Default the Cap provider guidance to the self-hosted widget asset and keep CDN usage pinned to reviewed releases.
Agent-thread: https://sdko.org/internal/thr/ak/019ead31-2435-7e12-b933-e873155d6894
A7k-product: product
A7k-product-repo: 2
Co-authored-by: Agent <agent@svc.sdko.net>
* floating
---------
Co-authored-by: Agent <agent@svc.sdko.net>
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
* website: fix British spellings flagged by cspell
Apply American spellings (behaviour->behavior, colour->color, organise->organize, etc.) across release notes, integration docs, and security docs. Part of enabling cspell's British-spelling rule; the rule itself lands in a separate PR once all areas are clean.
Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
* Update website/docs/developer-docs/docs/style-guide.mdx
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
---------
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dominic R <dominic@goauthentik.io>
* website/docs: document npm install-script blocking
The repo's `.npmrc` sets `ignore-scripts=true` to neutralize the
dominant npm supply-chain attack pattern (preinstall/postinstall
payloads, as used by the recent "Shai-Hulud" and "Mini Shai-Hulud"
incidents). The trade-off is that a handful of packages that ship
native binaries — esbuild, chromedriver, tree-sitter — need to be
rebuilt explicitly when their install step is required.
Today this is implicit; a new contributor whose build fails because
esbuild's binary didn't unpack has no obvious next step except to
disable the protection. Documenting it in both setup guides points
them at `npm rebuild --foreground-scripts <pkg>` and makes the
"don't flip `ignore-scripts` off" guidance explicit.
No code or config changes — docs only.
Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>
* Use separate file.
* Apply suggestions from code review
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
---------
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
* core: add .npmrc baseline to block dependency lifecycle scripts
Set ignore-scripts=true at the repo root, plus engine-strict, save-exact,
audit, and prefer-offline. This neutralizes the dominant npm supply-chain
attack vector — postinstall scripts in transitive dependencies — at the
cost of requiring an explicit rebuild for the handful of packages that
legitimately need install scripts (esbuild, chromedriver, tree-sitter,
tree-sitter-json). The next commit wires that rebuild into the Makefile.
Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
* core: route node installs through make to retire website preinstall hook
Make docs-install depend on a new root-node-install so the root deps
are guaranteed before the website install runs, removing the need for
the website/preinstall lifecycle script. Rebuild the small audited list
of trusted packages (esbuild, chromedriver, tree-sitter, tree-sitter-json)
after the web install so ignore-scripts=true remains the only path that
needs maintenance. web/README documents the new workflow.
Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
* Clean up install scripts.
* Track .npmrc in CODEOWNERS
* Fix formatter config. Reformat.
* Fix mounted references.
* Flesh out node scripts.
* Bump engines.
* Prep containers.
* Update makefile.
* Flesh out github actions.
* Clean up docs container.
* lint.
Bump.
Lint.
Bump NPM version.
* Add limits.
* collapse the composite's three setup-node calls to one cache restore
* Add SHA.
* Bump NPM range.
* Run formatter.
* Bump NPM.
* Remove extra install.
* Fix website deps.
* Use local prettier. Fix drift in CI.
* ci: build frontend in CI with node_env production
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* Install docusaurus config.
* Fix linter warning, order.
* Add linter commands.
* Add timeout.
* Remove pre install check.
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
* Add section about package reduction
* Suggestion from marc
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
---------
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
* test format
* ran make docs
* Updated integration guides with the old label "Create with Provider" to new label of "New Application".
* mention drop-down menu
* add ellipses
* edit procedure
* update create a user
* edit first steps doc
* punctuation
* dewi and dominic edits
* typo
* tweak
* more dominic edits
* tweak and ran make install
* tweak and ran uv lock
* edit dir to folder
* wtfci
* undo uv.lock change
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* removed mention of selecting folder
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Dominic R <dominic@goauthentik.io>