Dominic R
6df226188f
providers/scim: Add GitLab compatibility mode ( #22906 )
...
* providers/scim: Add GitLab compatibility mode
Add a GitLab SCIM compatibility mode that skips ServiceProviderConfig probing and document when to use it.
Also wrap non-JSON SCIM responses so providers that return HTML redirects fall back through the existing ServiceProviderConfig default path.
Agent-thread: https://sdko.org/internal/thr/per/019ea36a-92dd-7651-8a2d-0d838e724a7d
A7k-product: product
A7k-product-repo: 1
Co-authored-by: Agent <agent@svc.sdko.net >
* providers/scim: Fold GitLab mode into existing migration
Agent-thread: https://sdko.org/internal/thr/ak/019ea7bd-ce63-77a2-90d6-5dcc25d4402d
A7k-product: product
A7k-product-repo: 2
Co-authored-by: Agent <agent@svc.sdko.net >
---------
Co-authored-by: Agent <agent@svc.sdko.net >
2026-06-15 16:30:07 -04:00
Dominic R
fc8424ac50
stages/captcha: add Cap and JSON verification support ( #22373 )
...
* stages/captcha: add Cap and JSON verification support
Add a configurable verification request content type so CAPTCHA providers can use either form-encoded or JSON token verification.
Add Cap as a preset and flow controller, including module-script loading, interactive widget handling, generated API/client types, tests, and docs.
* web/admin: clarify Cap captcha configuration
Treat the Cap endpoint as a form-only alias for the existing public key field and document Cap alongside the other CAPTCHA providers.
Agent-thread: https://sdko.org/internal/threads/019e737a-314e-72d0-98ae-201cb855df3a
A7k-product: product
A7k-product-repo: 2
Co-authored-by: Agent <agent@svc.sdko.net >
* stages/captcha: prefer self-hosted Cap widget URL
Default the Cap provider guidance to the self-hosted widget asset and keep CDN usage pinned to reviewed releases.
Agent-thread: https://sdko.org/internal/thr/ak/019ead31-2435-7e12-b933-e873155d6894
A7k-product: product
A7k-product-repo: 2
Co-authored-by: Agent <agent@svc.sdko.net >
* floating
---------
Co-authored-by: Agent <agent@svc.sdko.net >
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
2026-06-11 16:15:21 +00:00
Dominic R
226c69d213
core, web: Remove stale compatibility paths ( #22192 )
...
* Remove stale compatibility paths
* fix schema
* should have vibecoded this
---------
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
2026-06-10 12:31:48 -04:00
Jens L.
ed69aa6024
endpoints/connectors/agent: fix exception with invalid auth type ( #22943 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-06-09 11:19:55 +02:00
Teffen Ellis
5727ae4271
core, internal, packages: fix British spellings flagged by cspell ( #22819 )
...
* core, internal, packages: fix British spellings flagged by cspell
Apply American spellings in Python docstrings/comments, Go log messages, a Rust doc comment, and a template comment (behaviour->behavior, initialise->initialize, finalise->finalize, etc.). Part of enabling cspell's British-spelling rule; the rule itself lands in a separate PR once all areas are clean.
Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Playpen Agent <279763771+playpen-agent@users.noreply.github.com >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-06-08 14:55:31 +02:00
Marc 'risson' Schmitt
f4e4bfcbe5
root: fix schema and API clients ( #22735 )
...
* regenerate schema
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* update ts client
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
---------
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
2026-06-01 18:42:06 +02:00
Connor Peshek
b9e1b27d59
events: fix certificate typo ( #22542 )
...
authentik/events: fix certificate typo
2026-05-21 21:52:01 +00:00
Jens L.
1af9856274
flows: remove link to overview for non-internal user ( #22362 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-05-14 23:23:14 +02:00
Jens L.
a712e5bb2f
enterprise/providers/scim: add support for interactive OAuth2 ( #22072 )
...
* enterprise/providers/scim: add support for interactive OAuth2
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* prep different oauth mode
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* implement it
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add data to API
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fixes
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* start adding tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add more tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove not-needed migration
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fixup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix last_updated not being updated
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-05-13 18:27:34 +02:00
authentik-automation[bot]
5053167a05
internal: Automated internal backport: CVE-2026-40166.sec.patch to authentik-main ( #22299 )
...
* Automated internal backport of patch CVE-2026-40166.sec.patch to authentik-main
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-05-12 20:15:56 +02:00
authentik-automation[bot]
f4e868210d
internal: Automated internal backport: GHSA-973w-j457-rp2m.sec.patch to authentik-main ( #22305 )
...
Automated internal backport of patch GHSA-973w-j457-rp2m.sec.patch to authentik-main
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-12 20:14:12 +02:00
Connor Peshek
c810beca71
providers/saml: make unified saml endpoint ( #20026 )
...
* providers/saml: make unified saml endpoint
2026-05-09 09:28:05 -05:00
Marcelo Elizeche Landó
34364f4acc
blueprints: fix mismatched API schema and implementation ( #22087 )
...
align blueprint import schema with 200 result response
2026-05-08 14:37:17 -03:00
authentik-automation[bot]
ea61e1cf3b
root: bump version to 2026.8.0-rc1 ( #22167 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-08 17:15:32 +00:00
Simonyi Gergő
e220d8e29b
events: fix destination_group_obj not being nullable ( #22161 )
...
* events: fix `destination_group_obj` not being nullable
* `make lint-fix`
2026-05-08 17:16:20 +02:00
Alexander Tereshkin
93abd2e041
stage/authenticator*: expand attempt throttling to email- and sms-based 2FA ( #21751 )
...
* stages/authenticator*: enable attempt throttling for email- and sms-based second authentication factor
* stages/authenticator*: add throttling tests
* stage/authenticator_validate: add throttling documentation
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* stages/authenticator_validate: update docs wording
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
---------
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
Co-authored-by: Dominic R <dominic@sdko.org >
2026-05-07 12:12:06 -05:00
Marcelo Elizeche Landó
a8db2882ec
stages/invitation: Invitation wizard ( #20399 )
2026-05-05 11:47:31 -05:00
Jens L.
7cffbb4d07
tenants: add option to mark flag as deprecated ( #22063 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-05-05 17:25:01 +02:00
Dewi Roberts
716bc6e136
api: set authenticated session user agent nullable properties ( #22059 )
...
* Set properties to nullable and regenerate schema
* Make gen
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-05-05 14:47:27 +02:00
Luca Sannitu
b04f8a6177
providers/oauth2: override RedirectURITypeEnum capitalization for generated API ( #22037 )
...
* fix(providers/oauth2): correct RedirectURITypeEnum capitalization in API schema
* fix: remove encoding artifacts introduced during client regeneration
2026-05-05 14:18:02 +02:00
Jens L.
4851179522
enterprise/providers/ssf: more conformance fixes ( #21521 )
...
* enterprise/providers/ssf: more conformance fixes
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* include request when possible
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove null state
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* t
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* re-gen & format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove None state
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix ci
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* revert a thing
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix ssf conformance test
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* no subtest
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix network
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add test for stream update
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-05-04 14:11:21 +02:00
Dominic R
821b74d7c1
enterprise: account lockdown ( #18615 )
2026-04-30 23:02:46 +00:00
Alexander Tereshkin
8963d29ab4
enterprise/lifecycle: remove one review per object limitation ( #21046 )
...
* enterprise/lifecycle: allow multiple rules to apply to a single object (and thus, multiple concurrent reviews)
* enterprise/lifecycle: add missing migration to allow multiple lifecycle rules per object, add tests, update documentation
* enterprise/lifecycle: add a bit of padding to individual review iterations on Review tab for better visual separation
* enterprise/lifecycle: remove validation preventing the creation of multiple lifecycle rules for one object type
* enterprise/lifecycle: change the approach to querying the list of reviews with user_is_reviewer annotation to prevent duplicate rows
* enterprise/lifecycle: add custom per-type logic to get object name for use in a notification to prevent texts like "Review is due for Group Group X"
* enterprise/lifecycle: updated wording on lifecycle rule form and preview banner padding
* enterprise/lifecycle: remove task list from lifecycle rules and switch to using per-rule schedules
* enterprise/lifecycle: add a title to the lifecycle tab
* Revert "enterprise/lifecycle: remove task list from lifecycle rules and switch to using per-rule schedules"
This reverts commit 8a060015b693f65f651a71bdb0c47092d3463af1.
* enterprise/lifecycle: remove task list from the lifecycle rule list page and attach the tasks to the schedule
* enterprise/lifecycle: add proper caption when there are no reviews for an object
* enterprise/lifecycle: attach individual apply_lifecycle_rule tasks to the schedule when launched from apply_lifecycle_rules
* enterprise/lifecycle: update generated API clients
* enterprise/lifecycle: update wording
* enterprise/lifecycle: fix ts issues after rebase
* Update website/docs/sys-mgmt/object-lifecycle-management.md
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* enterprise/lifecycle: remove fmall code artifact
---------
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
Co-authored-by: Dominic R <dominic@sdko.org >
2026-04-30 14:11:07 -05:00
Dominic R
899994027d
core: support hashed password in users API + automated install ( #18686 )
...
* core: add hash_password command and password_hash bootstrap support
* core: prevent hash format exposure in validation error
* core: remove redundant password length check
* core: remove extra blank lines from hash_password command
* core: add password_hash serializer tests, refine validation and imports
* core: add null password fields test, add hash warning to docs
* core: move hash validation to User.set_password_from_hash method
* core: emit password_changed signal in set_password_from_hash
* website: remove redundant hash security warning
* core: wrap conflict error message for translation
* core: wrap invalid hash error message for translation
* web, core: add set_password_hash API endpoint and admin UI
* core: simplify password_hash check to None comparison
* core: use None check for password conflict validation
* website: clarify Docker Compose $ escaping for .env vs compose.yml
* website: lint
* web: lint
* core: add nosec comment for empty password string in signal
* core: lint
* web: Fix Password Hash help text
* sources/kerberos,ldap: Gergo's review
* add testing for ^^ and type fix
* more general signal tests; not provider specific
* only used in tests
* add warning
* we can do this
* signals fix????
* core, web, website: review fixes
* style(docs): format automated install guide
* web: restore modal invoker import after rebase
Co-authored-by: Codex <codex@openai.com >
* fix generated clients
* core: trim hash password command tests
* core: add password hash permission
* core: cover service account password hashes
* web: remove password hash form
* core: regenerate password hash migration
* core: reuse password serializer for hashes
* docs: clarify hashed password imports
* Regenerate
* core: deduplicate user serializer writes
* core: deduplicate password update actions
* core: deduplicate password change signaling
* tests: reuse password hash API helper
* tests: reuse SSF credential assertions
* docs: centralize hashed password caveat
* core: name password hash signal source
* core: centralize password hash validation
* core: deduplicate serializer password saves
* docs: link source writeback caveats
* api: clarify password hash request field
* tests: deduplicate password hash API assertions
* web: reuse user display-name helper
* web: use existing user display formatter
* core: reuse reset password permission for hash endpoint
* core: keep separate password hash serializer
* tests: remove redundant password hash permission test
* 21745
Co-authored-by: Gergo <gergo@goauthentik.io >
* core: preserve empty password handling in user serializer
* core: inline blueprint user serializer fields
* Use password hash constant
* Simplify user serializer flow
* Inline password update handling
* Apply serializer cleanup
* Clean blueprint password handling
* Drop extra returns
* Split password hash signal
* Align hash signal receivers
* Remove stale password guards
* Inline password signal
---------
Co-authored-by: Codex <codex@openai.com >
Co-authored-by: Gergo <gergo@goauthentik.io >
2026-04-29 06:27:59 +02:00
Connor Peshek
a2ca19d718
providers/saml: generate issuer url when provider is set on app ( #18022 )
...
* providers/saml: generate issuer url in saml processors unless overridden
* remove issuer
* remove duplicate
* Generate url when assertion is created and save to session
* cleanup
* Fix front-end rendering of issuer
* Update web/src/admin/providers/saml/SAMLProviderViewPage.ts
Co-authored-by: Jens L. <jens@goauthentik.io >
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
* Update authentik/providers/saml/models.py
Co-authored-by: Jens L. <jens@goauthentik.io >
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
* Update authentik/providers/saml/models.py
Co-authored-by: Jens L. <jens@goauthentik.io >
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
* use reverse for urls and update tests
* update issuer description
* Don't absorb sp entity id
* rename issuer_url to issuer_override
* fix migration file to rename to override
* fix migration file order
* lint, fix tests
* fix tests
* fix once again not importing the sp issuer
* build
* use const for default issuer
---------
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
Co-authored-by: connor peshek <connorpeshek@connors-MacBook-Pro.local >
Co-authored-by: Jens L. <jens@goauthentik.io >
2026-04-28 17:31:12 -05:00
Marcelo Elizeche Landó
05005f4eb9
core: add support for hiding applications from the user dashboard ( #21530 )
...
* Add meta_hide field to hide apps
* exclude hidden applications from user dashboard
* Add the hide option to the UI
* Add schema
* Add hide setting to application wizard
* Add typescript client changes
* fix linting
* Convert blank://blank to meta_hide=True in the migration
* fix tests
* update docs
* fix continuous login
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Apply suggestions from code review
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com >
* fix linting
* fix migrations
* Apply suggestions from code review
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com >
* rename all mentions of dashboard to My applications
* generate schema
* generate TS client
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
Co-authored-by: Dominic R <dominic@sdko.org >
2026-04-28 13:05:56 -03:00
Dominic R
620387f294
providers/scim: fix vCenter compatibility mode ( #21830 )
2026-04-27 12:00:00 +00:00
Jens L.
8f1bdc01b6
providers/oauth2: Configure allowed grant types ( #20363 )
...
* naming cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* adjust defaults, start adding tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix proxy
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add UI
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* attempt to fix e2e
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* allow refresh token for conformance
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix e2e
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-27 13:36:57 +02:00
Bapuji Koraganti
24edee3e78
flows: add warning message for expired password reset links ( #21395 )
...
* flows: add warning message for expired password reset links
Fixes #21306
* Replace token expiry check with REQUIRE_TOKEN authentication requirement
Incorporate review comments to move expired/invalid token handling from executor-level check to flow planner authentication requirement. This avoids disclosing whether a token ever existed and handles already-cleaned-up tokens.
* The fix was changing gettext_lazy to gettext
* remove unneeded migration
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update form
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-22 15:09:05 +02:00
Jens L.
915b5a73fc
enterprise/endpoints/connectors/agent: add independent secure enclave support for tap to login ( #20766 )
...
* enterprise/endpoints/connectors/agent: add independent secure enclave support for tap to login
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix API url
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove optional settings
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add a missing text
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-18 20:29:17 +02:00
Jens L.
00639d9596
policies/event_matcher: Add query option to filter events ( #21618 )
...
* policies/event_matcher: support QL query
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix lit dev warning
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cache autocomplete data if QL isn't setup yet
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* dont use ql input in modal
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix codespell
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-16 01:52:11 +02:00
Fletcher Heisler
c32f21046d
enterprise/search: move QL to open source ( #21484 )
...
* enterprise/search move to /search
* use make gen for schema updates
* update docs
* re-org
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cleanup more
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix web
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* oops
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* huh
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* typing
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-09 16:37:11 +02:00
Simonyi Gergő
2b8313ee91
core: fix policy binding objects not being nullable ( #21421 )
...
* fix policy binding objects not being nullable
* `make gen-clients`
* fix schema
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* tidy
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix test
* `make gen`
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-08 16:39:00 +02:00
Jens L.
57d2135c8a
sources/ldap: Switch to new connection tracking, deprecated attribute-based connection ( #21392 )
...
* init user
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix and update groups
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* split api
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* include user and group in ldap conn
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* unrelated cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add ldap users/groups page
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* ui cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fixup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update error message
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix import
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add forms for user/group connections
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix py sync
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fixup web
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix connection not always saved
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix help text
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-07 16:13:05 +02:00
Connor Peshek
8c3d5f1269
providers/oauth: post_logout_redirect_uri support ( #20011 )
...
* oauth2/providers: add post logout redirect uri to providers
* properly handle post_logout_redirect_uri and frontchannel message to rp
* add backchannel support
* move logout url logic
* handle forbidden_uri_schemes on post_logout_redirect_uri
* merge post_logout with redirect_uri
---------
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
Co-authored-by: Jens L. <jens@goauthentik.io >
2026-04-07 03:46:11 -05:00
Jens L.
ea2bdde5a3
enterprise/providers/ssf: test conformance ( #21383 )
...
* bump conformance server
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add support for rfc push
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* make format and aud optional
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix some endpoints
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* force 401
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* implement get and patch for streams
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* enable async stream deletion
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* allow configuring remote certificate validation
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add verification endpoint
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add support for authorization_header
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* set default aud cause spec cant agree with itself
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* bump timeout
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix header `typ`
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* enabled -> status
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* re-migrate
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more tests and a fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* make streams deletable
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* and more logs and fix a silly bug
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add stream status endpoint
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* move ssf out of preview
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* unrelated typing fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* sigh
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-05 16:35:39 +02:00
Jens L.
827a77dd52
web/admin: more and more polish ( #21303 )
...
* fix user edit button
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix impersonate button not aligned
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cleanup oauth2 provider page
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* better desc for outpost health
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix static table not updating when items change
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix lint
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* include oidc providers in ssf provider retrieve
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* consistent oauth provider label
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* rework ssf view page
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* make client-rust makefile on macos
specifically when gnu sed is installed in the path
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-04 22:35:11 +02:00
Jens L.
8610c25bd3
blueprints: rework one-time import ( #18074 )
...
* initial move
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* rework permissions
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* initial UI rework
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add option to one-time import from file
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* adjust ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update api
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix import form logs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* reset correctly
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* improve error handling
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-01 15:03:16 +02:00
Connor Peshek
8dddc05bc0
source/saml: Add forceauthn to saml authnrequest ( #20883 )
...
* source/saml: Add ForceAuthn support to SAML AuthnRequest
2026-03-31 22:54:01 -05:00
Jens L.
06408cba59
core: fix provider not nullable ( #21275 )
...
* core: fix provider not nullable
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix more inconsistencies
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* idk man
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-03-31 18:27:22 +02:00
Jens L.
0b1ba60354
stages/authenticator_webauthn: save attestation certificate when creating credential ( #20095 )
...
* stages/authenticator_webauthn: save attestation certificate when creating credential
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add toggle
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix migration
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* squash
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* better test
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-03-30 13:55:39 +02:00
Jens L.
d1c997b2fe
core: Application stats, device events & cleanup ( #21225 )
...
* core: app stats
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* refctor
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* rework to generic API
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* oops
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* handling
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* unrelated fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* allow filtering events by device
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* show device events on device page
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* simply event tables
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-03-29 21:58:12 +02:00
Jens L.
1a43ac1dc2
providers/scim: add webex compatibility mode ( #21208 )
...
* providers/scim: add webex compatibility mode
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* migrate
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-03-27 21:39:39 +01:00
Jens L.
5108be6554
api: cleanup enums ( #21201 )
...
* api: cleanup choice enums
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more names
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* unrelated
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* rework
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update web
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix?
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* try custom template
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* sed it instead?
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* correct sed
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-03-27 15:54:59 +01:00
dependabot[bot]
237423d458
core: bump drf-spectacular from 0.28.0 to 0.29.0 ( #19420 )
...
* core: bump drf-spectacular from 0.28.0 to 0.29.0
Bumps [drf-spectacular](https://github.com/tfranzel/drf-spectacular ) from 0.28.0 to 0.29.0.
- [Release notes](https://github.com/tfranzel/drf-spectacular/releases )
- [Changelog](https://github.com/tfranzel/drf-spectacular/blob/master/CHANGELOG.rst )
- [Commits](https://github.com/tfranzel/drf-spectacular/compare/0.28.0...0.29.0 )
---
updated-dependencies:
- dependency-name: drf-spectacular
dependency-version: 0.29.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
* add fix for warnings
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update API
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix web
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: dependabot[bot] <support@github.com >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-03-25 16:23:38 +01:00
Jens L.
d1ed30b6e0
core: add flag for future default behaviour of requiring a binding to access an application ( #16247 )
...
* core: add flag to configure if apps without bindings should be accessible to everyone or not
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
# Conflicts:
# authentik/policies/views.py
# schema.yml
* add description
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
# Conflicts:
# web/src/admin/admin-settings/AdminSettingsForm.ts
* fix flag check
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* include scim
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add description
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-03-23 18:14:00 +01:00
Marc 'risson' Schmitt
48e1edfaa2
tasks: fix workers API URL missing trailing / ( #20954 )
2026-03-17 18:55:43 +00:00
Jens L.
db9081e7dc
policies: remove BufferedPolicyAccessView ( #20521 )
...
* policies: remove BufferedPolicyAccessView
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
# Conflicts:
# authentik/policies/views.py
# authentik/providers/oauth2/views/authorize.py
# schema.yml
# tests/e2e/test_provider_saml.py
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-03-16 18:19:15 +01:00
Jens L.
59263ae678
events: add option to configure webhook CA ( #20823 )
...
* events: add option to configure webhook CA
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Update website/docs/sys-mgmt/events/transports.md
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
Signed-off-by: Jens L. <jens@beryju.org >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Jens L. <jens@beryju.org >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
2026-03-14 21:01:01 +01:00
Marcelo Elizeche Landó
e9b33be694
stages/authenticator_webauthn: Add WebAuthn client hints support ( #20700 )
...
* Add webauthn_hints to models
* Add migrations
* Add webauthn_hints to the API
* Add enum to settings.py
* Add webauthn client hints to configuration forms in authenticator_webauthn and authenticator_validate
* Add compatibility for older user agents auto inferring authenticatorAttachment
* Rewording
* Fix capitalization
* Add tests
* Use ak-dual-select instead of checkboxes for hints
* Add preserve-order, no-search and no-status properties to ak-dual-select
* add no-search and no-status to ak-dual-select in AuthenticatorValidateStageForm.ts
2026-03-13 20:36:28 -03:00