* website/integrations: Personio
Add an integration guide for Personio with OIDC SSO against authentik,
covering the confidential OAuth2/OpenID Connect provider configuration
in authentik and the Personio OIDC settings (issuer, authorization,
token, userinfo, and JWKS endpoints, scopes, client credentials, and
the email claim mapping). Tested with Personio (SaaS) and authentik
2026.5.0.
Also add Personio to the integrations spell-check dictionary.
* website/integrations: Personio: cleanup
Refresh the Personio OIDC guide to match the integration template and current Personio setup flow.
Agent-thread: https://sdko.org/internal/threads/019e610a-5c59-7050-88e7-3c9569491cf2
Co-authored-by: Agent <agent@svc.sdko.net>
---------
Co-authored-by: nicedevil007 <nicedevil007@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: Agent <agent@svc.sdko.net>
* website/integrations: Omnissa Workspace ONE Access
Add an integration guide for Omnissa Workspace ONE Access with OIDC SSO
against authentik, covering the OAuth2/OpenID Connect provider
configuration in authentik (with both the web and the awgb://oauth2
mobile redirect URIs), the OpenID Connect IDP setup under
Integrations > Identity Providers in Omnissa Workspace ONE Access
(manual endpoint configuration, client credentials, user lookup
attribute mapping, directories, network ranges, authentication method
name), and a short pointer to wiring the new authentication method
into the relevant access policies. Tested with Omnissa Workspace ONE
Access (SaaS) and authentik 2026.5.0.
Also add Omnissa to the integrations spell-check dictionary.
* website/integrations: Omnissa Workspace ONE Access: cleanup
Clean up the Omnissa Workspace ONE Access integration guide to match current OIDC guidance and template structure.
Agent-thread: https://sdko.org/internal/threads/019e6109-22aa-74a0-a539-ee3f017da7af
Co-authored-by: Agent <agent@svc.sdko.net>
---------
Co-authored-by: nicedevil007 <nicedevil007@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: Agent <agent@svc.sdko.net>
* website/integrations: Veeam Backup & Replication
Add an integration guide for Veeam Backup & Replication with SAML SSO
against authentik, covering the Users and Roles > Identity Provider
configuration in the VBR console, the SAML Provider from Metadata
setup in authentik, the metadata exchange between both sides, and the
External Group role mapping. Tested with Veeam Backup & Replication
13.0.1 and authentik 2026.5.0.
* website/integrations: Veeam Backup & Replication: cleanup
Update the Veeam Backup & Replication SAML guide to match the current integration template and verified Veeam/authentik terminology.
Agent-thread: https://sdko.org/internal/threads/019e6109-a3c8-76b3-a443-02ca7927a08f
Co-authored-by: Agent <agent@svc.sdko.net>
* Apply suggestion from @dominic-r
Signed-off-by: Dominic R <dominic@goauthentik.io>
---------
Signed-off-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: nicedevil007 <nicedevil007@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: Agent <agent@svc.sdko.net>
Co-authored-by: Dominic R <dominic@sdko.org>
* website/integrations: Dashy
Add an integration guide for Dashy with OIDC SSO against authentik,
covering the public OAuth2/OpenID Connect provider configuration in
authentik and the Dashy OIDC settings (web UI and conf.yml). Tested
with Dashy 4.1.15 and authentik 2026.5.0.
* website/integrations: Dashy: cleanup
Clean up the Dashy integration guide to match the current template and OIDC behavior.
Agent-thread: https://sdko.org/internal/threads/019e611f-c782-7741-8b53-a83e0b658006
Co-authored-by: Agent <agent@svc.sdko.net>
---------
Co-authored-by: nicedevil007 <nicedevil007@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: Agent <agent@svc.sdko.net>
* website/integrations: mailcow Logs Viewer
Add an integration guide for mailcow Logs Viewer with OAuth2/OIDC SSO
against authentik, covering the application/provider creation and the
OAuth2 environment variables on the mailcow Logs Viewer side. Tested
with mailcow Logs Viewer 2.6.1 and authentik 2026.5.0.
* website/integrations: mailcow Logs Viewer: cleanup
Align the mailcow Logs Viewer guide with the integration template and remove default-only OAuth settings.
Agent-thread: https://sdko.org/internal/threads/019e6120-481a-7892-9720-e2b9ff002e6e
Co-authored-by: Agent <agent@svc.sdko.net>
---------
Co-authored-by: nicedevil007 <nicedevil007@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: Agent <agent@svc.sdko.net>
* website/docs: document npm install-script blocking
The repo's `.npmrc` sets `ignore-scripts=true` to neutralize the
dominant npm supply-chain attack pattern (preinstall/postinstall
payloads, as used by the recent "Shai-Hulud" and "Mini Shai-Hulud"
incidents). The trade-off is that a handful of packages that ship
native binaries — esbuild, chromedriver, tree-sitter — need to be
rebuilt explicitly when their install step is required.
Today this is implicit; a new contributor whose build fails because
esbuild's binary didn't unpack has no obvious next step except to
disable the protection. Documenting it in both setup guides points
them at `npm rebuild --foreground-scripts <pkg>` and makes the
"don't flip `ignore-scripts` off" guidance explicit.
No code or config changes — docs only.
Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>
* Use separate file.
* Apply suggestions from code review
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
---------
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
* root: bind-mount .npmrc into Dockerfile npm ci stages
`npm` walks up from cwd looking for `.npmrc`. The two Dockerfiles that
run `npm ci` (`lifecycle/container/Dockerfile` for the web build and
`website/Dockerfile` for the docs build) bind-mount package.json /
package-lock.json into the build context, but not `.npmrc`. As a result
the project-level settings — most importantly `ignore-scripts=true` —
are not honored inside the container, so a hypothetical malicious
package's preinstall/postinstall hook would execute during the image
build.
Adding `--mount=type=bind,target=/work/.npmrc,src=./.npmrc` to each
`npm ci` step closes that gap. The mount is read-only and only present
for the install step, so it adds no layer weight.
Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>
* Update bindmount.
---------
Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>
* Minor changes
* A word
* Update to new format and 2026.5 changes
* Remove unused placeholder
---------
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
* new screenshots
* added line about Docs style guide to bump
* tweak
* Optimised images with calibre/image-actions
* Apply suggestion from @dominic-r
Signed-off-by: Dominic R <dominic@goauthentik.io>
* changed size to match original
* Optimised images with calibre/image-actions
* adjusted size to match original, resolution is 72
* Optimised images with calibre/image-actions
* resize attempt
* Optimised images with calibre/image-actions
* try again
* Optimised images with calibre/image-actions
* update the screenshots from the real instance
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* Optimised images with calibre/image-actions
---------
Signed-off-by: Dominic R <dominic@goauthentik.io>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@goauthentik.io>
Co-authored-by: Connor Peshek <connor@connorpeshek.me>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* website/integrations/infrastructure: add RabbitMQ
Add a community-supported integration document for RabbitMQ 4.x using
the `rabbitmq_auth_backend_oauth2` plugin. The same configuration
supports both Management UI login via OpenID Connect and AMQP / HTTP
API authentication with a JWT used as the password.
Includes the required scope mapping (aud claim + synthetic-SA groups
injection for the client_credentials grant), the two groups
(rabbitmq-administrator and rabbitmq-monitoring) used by RabbitMQ's
scope_aliases, and the application policy bindings that gate login at
the authentik layer.
* website/integrations/infrastructure: tighten SA bypass to internal_service_account
Use `request.user.type == "internal_service_account"` instead of a
suffix match on the username plus the broader `service_account` type.
`internal_service_account` is the authentik user type assigned only to
the synthetic SA that the OAuth2 provider creates for each
`client_credentials` grant; manually-created service accounts use the
plain `service_account` type. The previous check would let any admin-
created `service_account` whose username ended with `-client_credentials`
through the application policy, which is broader than intended.
* Update formatting, change language, remove line breaks
* Update.
---------
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dominic R <dominic@goauthentik.io>
* core: add .npmrc baseline to block dependency lifecycle scripts
Set ignore-scripts=true at the repo root, plus engine-strict, save-exact,
audit, and prefer-offline. This neutralizes the dominant npm supply-chain
attack vector — postinstall scripts in transitive dependencies — at the
cost of requiring an explicit rebuild for the handful of packages that
legitimately need install scripts (esbuild, chromedriver, tree-sitter,
tree-sitter-json). The next commit wires that rebuild into the Makefile.
Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
* core: route node installs through make to retire website preinstall hook
Make docs-install depend on a new root-node-install so the root deps
are guaranteed before the website install runs, removing the need for
the website/preinstall lifecycle script. Rebuild the small audited list
of trusted packages (esbuild, chromedriver, tree-sitter, tree-sitter-json)
after the web install so ignore-scripts=true remains the only path that
needs maintenance. web/README documents the new workflow.
Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
* Clean up install scripts.
* Track .npmrc in CODEOWNERS
* Fix formatter config. Reformat.
* Fix mounted references.
* Flesh out node scripts.
* Bump engines.
* Prep containers.
* Update makefile.
* Flesh out github actions.
* Clean up docs container.
* lint.
Bump.
Lint.
Bump NPM version.
* Add limits.
* collapse the composite's three setup-node calls to one cache restore
* Add SHA.
* Bump NPM range.
* Run formatter.
* Bump NPM.
* Remove extra install.
* Fix website deps.
* Use local prettier. Fix drift in CI.
* ci: build frontend in CI with node_env production
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* Install docusaurus config.
* Fix linter warning, order.
* Add linter commands.
* Add timeout.
* Remove pre install check.
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
* core: add .npmrc baseline to block dependency lifecycle scripts
Set ignore-scripts=true at the repo root, plus engine-strict, save-exact,
audit, and prefer-offline. This neutralizes the dominant npm supply-chain
attack vector — postinstall scripts in transitive dependencies — at the
cost of requiring an explicit rebuild for the handful of packages that
legitimately need install scripts (esbuild, chromedriver, tree-sitter,
tree-sitter-json). The next commit wires that rebuild into the Makefile.
Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
* core: route node installs through make to retire website preinstall hook
Make docs-install depend on a new root-node-install so the root deps
are guaranteed before the website install runs, removing the need for
the website/preinstall lifecycle script. Rebuild the small audited list
of trusted packages (esbuild, chromedriver, tree-sitter, tree-sitter-json)
after the web install so ignore-scripts=true remains the only path that
needs maintenance. web/README documents the new workflow.
Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
* Clean up install scripts.
* Track .npmrc in CODEOWNERS
---------
Co-authored-by: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
* Add section about package reduction
* Suggestion from marc
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
---------
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
* test format
* ran make docs
* Updated integration guides with the old label "Create with Provider" to new label of "New Application".
* mention drop-down menu
* add ellipses
* edit procedure
* update create a user
* edit first steps doc
* punctuation
* dewi and dominic edits
* typo
* tweak
* more dominic edits
* tweak and ran make install
* tweak and ran uv lock
* edit dir to folder
* wtfci
* undo uv.lock change
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* removed mention of selecting folder
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Dominic R <dominic@goauthentik.io>
dependabot[bot]
NiceDevil
Fletcher Heisler
Dominic R
Dewi Roberts
Connor Peshek
Teffen Ellis
Tana M Berry
Tobias Krug
Oleksii Kondratiuk
Marc 'risson' Schmitt
Marcelo Elizeche Landó
Jens L.
authentik-automation[bot]