Dominic R
6df226188f
providers/scim: Add GitLab compatibility mode ( #22906 )
...
* providers/scim: Add GitLab compatibility mode
Add a GitLab SCIM compatibility mode that skips ServiceProviderConfig probing and document when to use it.
Also wrap non-JSON SCIM responses so providers that return HTML redirects fall back through the existing ServiceProviderConfig default path.
Agent-thread: https://sdko.org/internal/thr/per/019ea36a-92dd-7651-8a2d-0d838e724a7d
A7k-product: product
A7k-product-repo: 1
Co-authored-by: Agent <agent@svc.sdko.net >
* providers/scim: Fold GitLab mode into existing migration
Agent-thread: https://sdko.org/internal/thr/ak/019ea7bd-ce63-77a2-90d6-5dcc25d4402d
A7k-product: product
A7k-product-repo: 2
Co-authored-by: Agent <agent@svc.sdko.net >
---------
Co-authored-by: Agent <agent@svc.sdko.net >
2026-06-15 16:30:07 -04:00
Dominic R
fc8424ac50
stages/captcha: add Cap and JSON verification support ( #22373 )
...
* stages/captcha: add Cap and JSON verification support
Add a configurable verification request content type so CAPTCHA providers can use either form-encoded or JSON token verification.
Add Cap as a preset and flow controller, including module-script loading, interactive widget handling, generated API/client types, tests, and docs.
* web/admin: clarify Cap captcha configuration
Treat the Cap endpoint as a form-only alias for the existing public key field and document Cap alongside the other CAPTCHA providers.
Agent-thread: https://sdko.org/internal/threads/019e737a-314e-72d0-98ae-201cb855df3a
A7k-product: product
A7k-product-repo: 2
Co-authored-by: Agent <agent@svc.sdko.net >
* stages/captcha: prefer self-hosted Cap widget URL
Default the Cap provider guidance to the self-hosted widget asset and keep CDN usage pinned to reviewed releases.
Agent-thread: https://sdko.org/internal/thr/ak/019ead31-2435-7e12-b933-e873155d6894
A7k-product: product
A7k-product-repo: 2
Co-authored-by: Agent <agent@svc.sdko.net >
* floating
---------
Co-authored-by: Agent <agent@svc.sdko.net >
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
2026-06-11 16:15:21 +00:00
Dominic R
226c69d213
core, web: Remove stale compatibility paths ( #22192 )
...
* Remove stale compatibility paths
* fix schema
* should have vibecoded this
---------
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
2026-06-10 12:31:48 -04:00
Marc 'risson' Schmitt
f4e4bfcbe5
root: fix schema and API clients ( #22735 )
...
* regenerate schema
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* update ts client
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
---------
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
2026-06-01 18:42:06 +02:00
Connor Peshek
b9e1b27d59
events: fix certificate typo ( #22542 )
...
authentik/events: fix certificate typo
2026-05-21 21:52:01 +00:00
Jens L.
a712e5bb2f
enterprise/providers/scim: add support for interactive OAuth2 ( #22072 )
...
* enterprise/providers/scim: add support for interactive OAuth2
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* prep different oauth mode
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* implement it
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add data to API
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fixes
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* start adding tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add more tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove not-needed migration
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fixup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix last_updated not being updated
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-05-13 18:27:34 +02:00
Dominic R
b5deeaa822
enterprise: fix account lockdown target handling ( #22246 )
...
- Use the pending lockdown target in the example blueprint warning and avoid repeating the username when email/name is not distinct.
- Hide the admin Account Lockdown action for internal service accounts.
2026-05-12 01:59:00 +00:00
authentik-automation[bot]
ea61e1cf3b
root: bump version to 2026.8.0-rc1 ( #22167 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-08 17:15:32 +00:00
Alexander Tereshkin
93abd2e041
stage/authenticator*: expand attempt throttling to email- and sms-based 2FA ( #21751 )
...
* stages/authenticator*: enable attempt throttling for email- and sms-based second authentication factor
* stages/authenticator*: add throttling tests
* stage/authenticator_validate: add throttling documentation
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* stages/authenticator_validate: update docs wording
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
---------
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
Co-authored-by: Dominic R <dominic@sdko.org >
2026-05-07 12:12:06 -05:00
Marcelo Elizeche Landó
a8db2882ec
stages/invitation: Invitation wizard ( #20399 )
2026-05-05 11:47:31 -05:00
Connor Peshek
a3b0180049
providers/oauth: make rp init logout oidc certification changes ( #21815 )
...
* providers/oauth: make rp init logout oidc certification changes
* update test
* slight rework
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add oidc certification tests
* test
* fix backchannel url
* make urls uniform
* update to main
* remove env bind
* cleanup patch
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fixup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add traefik healthcheck
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix healthcheck
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-05-04 19:11:59 +02:00
Dominic R
821b74d7c1
enterprise: account lockdown ( #18615 )
2026-04-30 23:02:46 +00:00
Dominic R
899994027d
core: support hashed password in users API + automated install ( #18686 )
...
* core: add hash_password command and password_hash bootstrap support
* core: prevent hash format exposure in validation error
* core: remove redundant password length check
* core: remove extra blank lines from hash_password command
* core: add password_hash serializer tests, refine validation and imports
* core: add null password fields test, add hash warning to docs
* core: move hash validation to User.set_password_from_hash method
* core: emit password_changed signal in set_password_from_hash
* website: remove redundant hash security warning
* core: wrap conflict error message for translation
* core: wrap invalid hash error message for translation
* web, core: add set_password_hash API endpoint and admin UI
* core: simplify password_hash check to None comparison
* core: use None check for password conflict validation
* website: clarify Docker Compose $ escaping for .env vs compose.yml
* website: lint
* web: lint
* core: add nosec comment for empty password string in signal
* core: lint
* web: Fix Password Hash help text
* sources/kerberos,ldap: Gergo's review
* add testing for ^^ and type fix
* more general signal tests; not provider specific
* only used in tests
* add warning
* we can do this
* signals fix????
* core, web, website: review fixes
* style(docs): format automated install guide
* web: restore modal invoker import after rebase
Co-authored-by: Codex <codex@openai.com >
* fix generated clients
* core: trim hash password command tests
* core: add password hash permission
* core: cover service account password hashes
* web: remove password hash form
* core: regenerate password hash migration
* core: reuse password serializer for hashes
* docs: clarify hashed password imports
* Regenerate
* core: deduplicate user serializer writes
* core: deduplicate password update actions
* core: deduplicate password change signaling
* tests: reuse password hash API helper
* tests: reuse SSF credential assertions
* docs: centralize hashed password caveat
* core: name password hash signal source
* core: centralize password hash validation
* core: deduplicate serializer password saves
* docs: link source writeback caveats
* api: clarify password hash request field
* tests: deduplicate password hash API assertions
* web: reuse user display-name helper
* web: use existing user display formatter
* core: reuse reset password permission for hash endpoint
* core: keep separate password hash serializer
* tests: remove redundant password hash permission test
* 21745
Co-authored-by: Gergo <gergo@goauthentik.io >
* core: preserve empty password handling in user serializer
* core: inline blueprint user serializer fields
* Use password hash constant
* Simplify user serializer flow
* Inline password update handling
* Apply serializer cleanup
* Clean blueprint password handling
* Drop extra returns
* Split password hash signal
* Align hash signal receivers
* Remove stale password guards
* Inline password signal
---------
Co-authored-by: Codex <codex@openai.com >
Co-authored-by: Gergo <gergo@goauthentik.io >
2026-04-29 06:27:59 +02:00
Connor Peshek
a2ca19d718
providers/saml: generate issuer url when provider is set on app ( #18022 )
...
* providers/saml: generate issuer url in saml processors unless overridden
* remove issuer
* remove duplicate
* Generate url when assertion is created and save to session
* cleanup
* Fix front-end rendering of issuer
* Update web/src/admin/providers/saml/SAMLProviderViewPage.ts
Co-authored-by: Jens L. <jens@goauthentik.io >
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
* Update authentik/providers/saml/models.py
Co-authored-by: Jens L. <jens@goauthentik.io >
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
* Update authentik/providers/saml/models.py
Co-authored-by: Jens L. <jens@goauthentik.io >
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
* use reverse for urls and update tests
* update issuer description
* Don't absorb sp entity id
* rename issuer_url to issuer_override
* fix migration file to rename to override
* fix migration file order
* lint, fix tests
* fix tests
* fix once again not importing the sp issuer
* build
* use const for default issuer
---------
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
Co-authored-by: connor peshek <connorpeshek@connors-MacBook-Pro.local >
Co-authored-by: Jens L. <jens@goauthentik.io >
2026-04-28 17:31:12 -05:00
Marcelo Elizeche Landó
05005f4eb9
core: add support for hiding applications from the user dashboard ( #21530 )
...
* Add meta_hide field to hide apps
* exclude hidden applications from user dashboard
* Add the hide option to the UI
* Add schema
* Add hide setting to application wizard
* Add typescript client changes
* fix linting
* Convert blank://blank to meta_hide=True in the migration
* fix tests
* update docs
* fix continuous login
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Apply suggestions from code review
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com >
* fix linting
* fix migrations
* Apply suggestions from code review
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com >
* rename all mentions of dashboard to My applications
* generate schema
* generate TS client
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
Co-authored-by: Dominic R <dominic@sdko.org >
2026-04-28 13:05:56 -03:00
Dominic R
620387f294
providers/scim: fix vCenter compatibility mode ( #21830 )
2026-04-27 12:00:00 +00:00
Jens L.
8f1bdc01b6
providers/oauth2: Configure allowed grant types ( #20363 )
...
* naming cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* adjust defaults, start adding tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix proxy
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add UI
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* attempt to fix e2e
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* allow refresh token for conformance
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix e2e
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-27 13:36:57 +02:00
Jens L.
c6ee7b6881
core: complete rework to oobe and setup experience ( #21753 )
...
* initial
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* use same startup template
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix check not working
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* unrelated: fix inspector auth
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* ensure oobe flow can only be accessed via correct url
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* set setup flag when applying bootstrap blueprint when env is set
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add system visibility to flags to make them non-editable
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* set setup flag for e2e tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests and linting
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* make github lint happy
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* make tests have less assumptions
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Update docs
* include more heuristics in migration
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add management command to set any flag
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* migrate worker command to signal
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* improved api for setting flags
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* short circuit
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
2026-04-24 14:47:05 +02:00
Bapuji Koraganti
24edee3e78
flows: add warning message for expired password reset links ( #21395 )
...
* flows: add warning message for expired password reset links
Fixes #21306
* Replace token expiry check with REQUIRE_TOKEN authentication requirement
Incorporate review comments to move expired/invalid token handling from executor-level check to flow planner authentication requirement. This avoids disclosing whether a token ever existed and handles already-cleaned-up tokens.
* The fix was changing gettext_lazy to gettext
* remove unneeded migration
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update form
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-22 15:09:05 +02:00
Jens L.
915b5a73fc
enterprise/endpoints/connectors/agent: add independent secure enclave support for tap to login ( #20766 )
...
* enterprise/endpoints/connectors/agent: add independent secure enclave support for tap to login
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix API url
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove optional settings
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add a missing text
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-18 20:29:17 +02:00
Jens L.
00639d9596
policies/event_matcher: Add query option to filter events ( #21618 )
...
* policies/event_matcher: support QL query
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix lit dev warning
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cache autocomplete data if QL isn't setup yet
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* dont use ql input in modal
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix codespell
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-16 01:52:11 +02:00
Fletcher Heisler
c32f21046d
enterprise/search: move QL to open source ( #21484 )
...
* enterprise/search move to /search
* use make gen for schema updates
* update docs
* re-org
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cleanup more
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix web
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* oops
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* huh
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* typing
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-09 16:37:11 +02:00
Connor Peshek
8c3d5f1269
providers/oauth: post_logout_redirect_uri support ( #20011 )
...
* oauth2/providers: add post logout redirect uri to providers
* properly handle post_logout_redirect_uri and frontchannel message to rp
* add backchannel support
* move logout url logic
* handle forbidden_uri_schemes on post_logout_redirect_uri
* merge post_logout with redirect_uri
---------
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
Co-authored-by: Jens L. <jens@goauthentik.io >
2026-04-07 03:46:11 -05:00
Jens L.
ea2bdde5a3
enterprise/providers/ssf: test conformance ( #21383 )
...
* bump conformance server
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add support for rfc push
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* make format and aud optional
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix some endpoints
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* force 401
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* implement get and patch for streams
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* enable async stream deletion
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* allow configuring remote certificate validation
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add verification endpoint
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add support for authorization_header
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* set default aud cause spec cant agree with itself
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* bump timeout
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix header `typ`
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* enabled -> status
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* re-migrate
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more tests and a fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* make streams deletable
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* and more logs and fix a silly bug
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add stream status endpoint
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* move ssf out of preview
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* unrelated typing fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* sigh
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-05 16:35:39 +02:00
Jens L.
dc96bda2d3
website/docs: add example recovery flow with MFA ( #19497 )
...
* website/docs: add example recovery flow with MFA
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Apply suggestion from @tanberry
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com >
Signed-off-by: Jens L. <jens@beryju.org >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Jens L. <jens@beryju.org >
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
2026-04-01 12:24:33 +00:00
Connor Peshek
8dddc05bc0
source/saml: Add forceauthn to saml authnrequest ( #20883 )
...
* source/saml: Add ForceAuthn support to SAML AuthnRequest
2026-03-31 22:54:01 -05:00
Jens L.
0b1ba60354
stages/authenticator_webauthn: save attestation certificate when creating credential ( #20095 )
...
* stages/authenticator_webauthn: save attestation certificate when creating credential
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add toggle
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix migration
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* squash
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* better test
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-03-30 13:55:39 +02:00
Jens L.
1a43ac1dc2
providers/scim: add webex compatibility mode ( #21208 )
...
* providers/scim: add webex compatibility mode
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* migrate
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-03-27 21:39:39 +01:00
Jens L.
59263ae678
events: add option to configure webhook CA ( #20823 )
...
* events: add option to configure webhook CA
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Update website/docs/sys-mgmt/events/transports.md
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
Signed-off-by: Jens L. <jens@beryju.org >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Jens L. <jens@beryju.org >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
2026-03-14 21:01:01 +01:00
Marcelo Elizeche Landó
e9b33be694
stages/authenticator_webauthn: Add WebAuthn client hints support ( #20700 )
...
* Add webauthn_hints to models
* Add migrations
* Add webauthn_hints to the API
* Add enum to settings.py
* Add webauthn client hints to configuration forms in authenticator_webauthn and authenticator_validate
* Add compatibility for older user agents auto inferring authenticatorAttachment
* Rewording
* Fix capitalization
* Add tests
* Use ak-dual-select instead of checkboxes for hints
* Add preserve-order, no-search and no-status properties to ak-dual-select
* add no-search and no-status to ak-dual-select in AuthenticatorValidateStageForm.ts
2026-03-13 20:36:28 -03:00
Jens L.
d880c46d7c
enterprise/endpoints/connectors: add google_chrome ( #19129 )
...
* init
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add icon
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* actually load
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix serializer
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* init ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix duplicated element name
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* include chrome url
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* make it work, some small UI fixes
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* invisible submit for frame
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix device not set in flow plan, fix other small things, more tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* simplify
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Minor doc changes
* dedupe templates
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
2026-03-09 11:17:56 +01:00
Jens L.
e7ea15c791
enterprise/providers/microsoft_entra: fix dangling comma ( #20391 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-02-18 18:37:33 +01:00
dependabot[bot]
fe0f559cd2
core: bump django-countries from 7.6.1 to 8.2.0 ( #19459 )
...
* core: bump django-countries from 7.6.1 to 8.2.0
Bumps [django-countries](https://github.com/SmileyChris/django-countries ) from 7.6.1 to 8.2.0.
- [Changelog](https://github.com/SmileyChris/django-countries/blob/main/CHANGES.md )
- [Commits](https://github.com/SmileyChris/django-countries/compare/v7.6.1...v8.2.0 )
---
updated-dependencies:
- dependency-name: django-countries
dependency-version: 8.2.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
# Conflicts:
# pyproject.toml
# uv.lock
* re-gen schema
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: dependabot[bot] <support@github.com >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-02-17 18:13:41 +01:00
Connor Peshek
858a040dfb
providers/saml: send logoutResponse on sp-init logout ( #17691 )
...
* providers/saml: send logoutResponse on sp-init logout
* Use first updated to fix multiple submits
* add backchannel logoutResponse
* tests
---------
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
Co-authored-by: connor peshek <connorpeshek@connors-MacBook-Pro.local >
2026-02-11 14:18:39 -06:00
authentik-automation[bot]
7cb789e777
root: bump version to 2026.5.0-rc1 ( #20174 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-02-11 01:43:16 +01:00
Alexander Tereshkin
2f2488b326
enterprise/lifecycle: implement Object Lifecycle Management ( #20015 )
...
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com >
Co-authored-by: Jens L. <jens@beryju.org >
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Co-authored-by: Dominic R <dominic@sdko.org >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
2026-02-10 18:33:06 +01:00
Jens L.
ef74ca01a2
enterprise/providers: WSFed configurable realm, default wreply ( #19996 )
...
* enterprise/providers/wsfed: make realm configurable
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* make wreply optional, fallback to configure
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* use audience instead of issuer
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix lookup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-02-06 00:14:10 +01:00
Jens L.
68c7037eea
flows: add option for flow layout with frame background ( #19527 )
...
* flows: add option for flow layout with frame background
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Tidy variables. Fix mobile and tablet layouts, shadows.
* Update web/src/flow/FlowExecutor.ts
Co-authored-by: Jens L. <jens@goauthentik.io >
Signed-off-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
2026-02-04 17:39:01 +01:00
Simonyi Gergő
1b9653901c
rbac: clean up roles and permissions ( #19588 )
...
* clean up roles and permissions
This was purposefully not included in `2025.12` to split the changes up.
The main content of this patch is in the migrations. Everything else
follows more or less automatically.
* add breaking change warning to release notes
* add `ak_groups` --> `groups` deprecated proxy
* fixup! add `ak_groups` --> `groups` deprecated proxy
* fixup! add `ak_groups` --> `groups` deprecated proxy
* fixup! add `ak_groups` --> `groups` deprecated proxy
* add configuration warning to default notifications blueprint
* add rudimentary tests for User.ak_groups
* remove no longer used permissions
* clarify deprecation
Co-authored-by: Jens L. <jens@goauthentik.io >
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
* remove integration changes
These will be included in a separate PR once this is released.
---------
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
Co-authored-by: Jens L. <jens@goauthentik.io >
2026-01-29 19:12:38 +01:00
Immanuel von Neumann
6ca26b501b
providers/scim: modify user- and group syncing behavior ( #13947 )
...
* providers/scim: modify user- and group syncing behavior
rename filtergroup to groupfilters and allow multiple values
only sync groups which are in the scimprovider's attribute "group_filters"
only sync users which are entitled to view the scimprovider's application
* Update authentik/providers/scim/api/providers.py
Signed-off-by: Immanuel von Neumann <45020096+ImmanuelVonNeumann@users.noreply.github.com >
* fix(authentik/scim): update schema.yml and test name
* merge migrations
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* providers/scim: fix linting
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* filter eagerly
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Immanuel von Neumann <45020096+ImmanuelVonNeumann@users.noreply.github.com >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-01-29 17:07:58 +01:00
Jens L.
d1fb7dde14
enterprise/providers: WS-Federation ( #19583 )
...
* init
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix metadata
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* aight
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* progress
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix timedelta
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* start testing metadata
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add some more tests and schemas
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* test signature
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* attempt to fix signed xml linebreak
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1258
https://github.com/robrichards/xmlseclibs/issues/28
https://github.com/xmlsec/python-xmlsec/issues/196
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* format + gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update web
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more validation
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* hmm
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add e2e test
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* qol fix in wait_for_url
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add UI
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* acs -> reply url
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* sign_out
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix some XML typing
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove verification_kp as it's not used
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix reply url
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add ws-fed to tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add logout test
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add SAMLSession
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* refactor
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* unrelated type fixes
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add backchannel logout
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* delete import_metadata in wsfed
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* include generated realm
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Update web/src/admin/providers/wsfed/WSFederationProviderViewPage.ts
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
Signed-off-by: Jens L. <jens@beryju.org >
* include wtrealm in ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Jens L. <jens@beryju.org >
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
2026-01-28 17:43:16 +01:00
Jens L.
e2cb1a8d0c
endpoints: FleetDM connector ( #18589 )
...
* enterprise/endpoints/connectors/fleet: init
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
# Conflicts:
# blueprints/schema.json
# schema.yml
* add ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix desc
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add configurable headers
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Address review feedback on FleetDM connector implementation (#18651 )
* Initial plan
* Add public override modifiers to updated method
Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com >
* Address additional feedback from PR #18589
Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com >
* Fix indentation in ak-switch-input component
Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com >
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com >
Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com >
* fix permission model
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add attributes to device access group
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add option to map device team
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update schema
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* switch connector to grid, add icons
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix pagination
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add software tab
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix pages in test
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add more test devices
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add fedora test machine
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* better formatting for OS version
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com >
Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com >
2026-01-23 21:40:28 +01:00
dependabot[bot]
288f6f50f6
core: bump bandit from 1.9.2 to 1.9.3 ( #19566 )
...
* core: bump bandit from 1.9.2 to 1.9.3
Bumps [bandit](https://github.com/PyCQA/bandit) from 1.9.2 to 1.9.3.
- [Release notes](https://github.com/PyCQA/bandit/releases)
- [Commits](https://github.com/PyCQA/bandit/compare/1.9.2...1.9.3)
---
updated-dependencies:
- dependency-name: bandit
dependency-version: 1.9.3
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
* update config, fix warnings
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: dependabot[bot] <support@github.com >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-01-20 01:45:45 +01:00
Dominic R
39f6f72e96
stages/authenticator_static: set max token length to 100 chars ( #19162 )
...
* stages/authenticator_static: add max length validation for token_length field
* wip
* wip
2026-01-07 22:50:10 +00:00
Jens L.
46297698d6
blueprints: set enrollment token key ( #19061 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2025-12-26 17:37:48 +01:00
authentik-automation[bot]
fbe8028b08
root: bump version to 2026.2.0-rc1 ( #18794 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2025-12-12 20:59:47 +00:00
Marcelo Elizeche Landó
15b93a5e9d
stages/identification: Add WebAuthn conditional UI (passkey autofill) support ( #18377 )
...
* add passkey_login to identification stage
* handle passkey auth in identification stage
* Add passkey settings in identification stage in the admin UI
* Add UI changes for basic passkey conditional login
* Fix linting
* rework
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update tests
* update admin form
* allow passing stage to validate_challenge_webauthn
* update flows/tests/test_inspector.py
* update for new field
* Fix linting
* update go solvers for identification challenge
* Refactor tests
* Skip mfa validation if user already authenticated via passkey at identification stage
* Add skip_if_passkey_authenticated option to authenticator validate stage and UI
* Add e2e test for passkey login conditional ui
* add policy
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Remove skip_if_passkey_authenticated
* fix blueprint
* Set backend so password stage policy knows user is already authenticated
* Set backend so password stage policy knows user is already authenticated
* fix linting
* slight tweaks
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* simplify e2e test
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Marcelo Elizeche Landó <marcelo@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2025-12-11 11:49:05 -03:00
Marc 'risson' Schmitt
92c5efbac1
sources/sync: configuration for outgoing sync trigger mode ( #17669 )
...
* sources/sync: configuration for outgoing sync trigger mode
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* lint
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* api and frontend
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* fix tests
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* update migrations
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* Wrap `msg` calls in function to fix translation. Update props to accept
callbacks.
---------
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Co-authored-by: Teffen Ellis <teffen@goauthentik.io >
2025-12-10 12:40:32 -03:00
Anduin Xue
cd09bff247
sources/oauth: add WeChat type ( #18086 )
...
* Add wechat.
* Refactor comments and formatting in wechat.py
Signed-off-by: Anduin Xue <anduin@aiursoft.com >
* Fix lint.
Signed-off-by: Anduin Xue <anduin@aiursoft.com >
* Fix lint.
* fix: Rename `WeChat` enum member to `Wechat` for consistency
* docs: Add WeChat social login integration guide.
* Docs updates
* Revise WeChat integration instructions
Updated instructions for creating a WeChat Website Application and added details about scopes and user attribute mappings.
Signed-off-by: Anduin Xue <anduin@aiursoft.com >
* Prettier
* Update wechat.py
Signed-off-by: Anduin Xue <anduin@aiursoft.com >
---------
Signed-off-by: Anduin Xue <anduin@aiursoft.com >
Co-authored-by: dewi-tik <dewi@goauthentik.io >
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
2025-12-10 12:48:12 +00:00
Simonyi Gergő
4c07b7ae81
blueprints: remove pk from recovery example ( #18712 )
2025-12-10 13:15:09 +01:00