Commit Graph

4348 Commits

Author SHA1 Message Date
Dominic R 6df226188f providers/scim: Add GitLab compatibility mode (#22906)
* providers/scim: Add GitLab compatibility mode

Add a GitLab SCIM compatibility mode that skips ServiceProviderConfig probing and document when to use it.

Also wrap non-JSON SCIM responses so providers that return HTML redirects fall back through the existing ServiceProviderConfig default path.

Agent-thread: https://sdko.org/internal/thr/per/019ea36a-92dd-7651-8a2d-0d838e724a7d

A7k-product: product

A7k-product-repo: 1

Co-authored-by: Agent <agent@svc.sdko.net>

* providers/scim: Fold GitLab mode into existing migration

Agent-thread: https://sdko.org/internal/thr/ak/019ea7bd-ce63-77a2-90d6-5dcc25d4402d

A7k-product: product

A7k-product-repo: 2

Co-authored-by: Agent <agent@svc.sdko.net>

---------

Co-authored-by: Agent <agent@svc.sdko.net>
2026-06-15 16:30:07 -04:00
Dominic R fc8424ac50 stages/captcha: add Cap and JSON verification support (#22373)
* stages/captcha: add Cap and JSON verification support

Add a configurable verification request content type so CAPTCHA providers can use either form-encoded or JSON token verification.

Add Cap as a preset and flow controller, including module-script loading, interactive widget handling, generated API/client types, tests, and docs.

* web/admin: clarify Cap captcha configuration

Treat the Cap endpoint as a form-only alias for the existing public key field and document Cap alongside the other CAPTCHA providers.

Agent-thread: https://sdko.org/internal/threads/019e737a-314e-72d0-98ae-201cb855df3a

A7k-product: product

A7k-product-repo: 2

Co-authored-by: Agent <agent@svc.sdko.net>

* stages/captcha: prefer self-hosted Cap widget URL

Default the Cap provider guidance to the self-hosted widget asset and keep CDN usage pinned to reviewed releases.

Agent-thread: https://sdko.org/internal/thr/ak/019ead31-2435-7e12-b933-e873155d6894

A7k-product: product

A7k-product-repo: 2

Co-authored-by: Agent <agent@svc.sdko.net>

* floating

---------

Co-authored-by: Agent <agent@svc.sdko.net>
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
2026-06-11 16:15:21 +00:00
Dominic R 226c69d213 core, web: Remove stale compatibility paths (#22192)
* Remove stale compatibility paths

* fix schema

* should have vibecoded this

---------

Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
2026-06-10 12:31:48 -04:00
Connor Peshek f6d7edd4d8 providers/oauth: skip post logout redirect matching if none are saved on the provider (#22718)
skip post logout redirect matching if none are saved on the provider
2026-06-09 11:36:01 -05:00
Jens L. ed69aa6024 endpoints/connectors/agent: fix exception with invalid auth type (#22943)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-06-09 11:19:55 +02:00
Jens L. 519a4d73c4 blueprints: handle integrity exception when applying blueprints (#22599)
this can happen when the server/worker are starting and you also try to apply blueprints with `ak apply_blueprint`, as seen in https://github.com/goauthentik/action-setup-authentik
2026-06-08 15:24:22 +02:00
Teffen Ellis 5727ae4271 core, internal, packages: fix British spellings flagged by cspell (#22819)
* core, internal, packages: fix British spellings flagged by cspell

Apply American spellings in Python docstrings/comments, Go log messages, a Rust doc comment, and a template comment (behaviour->behavior, initialise->initialize, finalise->finalize, etc.). Part of enabling cspell's British-spelling rule; the rule itself lands in a separate PR once all areas are clean.

Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>

* gen

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2026-06-08 14:55:31 +02:00
Jens L. 5d16c90c1d enterprise/providers/scim: fix interactive OAuth overriding refresh_token (#22858)
* enterprise/providers/scim: fix interactive OAuth overriding refresh_token

* fixup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-06-04 17:32:46 +02:00
Vlad Kamerdinerov 5681abafa4 sources/oauth: Fallback to id field when sub is missing in OIDC callback (#22672)
fix/oidc-callback-fallback-id-to-sub

Signed-off-by: Vlad Kamerdinerov <61966975+v-kamerdinerov@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2026-06-03 13:22:13 +02:00
authentik-automation[bot] e8a8a4b2e7 stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#22772)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-06-02 17:00:07 +02:00
authentik-automation[bot] a370d76d23 security: automated internal backport of patch GHSA-c3m2-jqmq-pvp3.sec.patch to authentik-main (#22732)
* Automated internal backport of patch GHSA-c3m2-jqmq-pvp3.sec.patch to authentik-main

* fix spellcheck

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

---------

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2026-05-28 16:43:35 +02:00
authentik-automation[bot] 8830a712b0 security: automated internal backport of patch GHSA-xp7f-xjjx-gwm8.sec.patch to authentik-main (#22734)
Automated internal backport of patch GHSA-xp7f-xjjx-gwm8.sec.patch to authentik-main

Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-28 16:39:26 +02:00
authentik-automation[bot] 3243c974b2 security: automated internal backport of patch GHSA-wr38-7xg8-fqxr.sec.patch to authentik-main (#22733)
Automated internal backport of patch GHSA-wr38-7xg8-fqxr.sec.patch to authentik-main

Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-28 16:38:49 +02:00
Jens L. 5409b54a69 enterprise/providers/scim: fix last_updated for OAuth interactive (#22678)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-05-27 23:33:56 +02:00
Jens L. 7dd26c2261 providers/oauth2: fix session decode when upgrading from 2026.2 (#22684)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-05-27 22:35:09 +02:00
Marc 'risson' Schmitt 5c1eb0e449 packages/ak-common/db: fix conn_max_age causing spinning (#22679)
* packages/ak-common/config: fix option int parsing, specifically for conn_max_age

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* packages/ak-common/db: fix conn_max_age usage

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

---------

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2026-05-27 19:43:13 +02:00
Jens L. 7f31c4cf56 events: fix Event.log_deprecation not checking that cause is a string (#22598)
2026-05-27 12:36:55 +02:00
Jens L. 3e74ab9916 endpoints/connectors/agent: allow federated auth via ssh hostkey lookup (#22594)
* endpoints/connectors/agent: allow federated auth via ssh hostkey lookup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add lookup test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-05-23 22:00:38 +02:00
Connor Peshek b9e1b27d59 events: fix certificate typo (#22542)
authentik/events: fix certificate typo
2026-05-21 21:52:01 +00:00
Dominic R 495076a8b7 providers/saml: handle XML declarations in unified endpoint (#22455)
* providers/saml: handle XML declarations in unified endpoint

The unified SAML endpoint decodes redirect-binding payloads to a Unicode string and then passes that string to lxml. When an SP sends an XML declaration with an encoding, lxml raises before authentik can detect whether the message is an AuthnRequest or LogoutRequest, and the endpoint reports an unknown SAML message type.

Encode decoded redirect payloads back to bytes before XML parsing so lxml can honor the declaration. Add regression coverage for redirect-binding AuthnRequest and LogoutRequest payloads with XML declarations.

Validation: .venv/bin/python -m pytest authentik/providers/saml/tests/test_views_unified.py; uv run ruff check authentik/providers/saml/views/unified.py authentik/providers/saml/tests/test_views_unified.py

Agent-thread: https://sdko.org/internal/threads/019e3d5c-1579-7533-813c-1d7da8b7b01b

Co-authored-by: Agent <agent@svc.sdko.net>

* providers/saml: Use fixtures for unified request tests

Move the inline SAML request XML into fixtures so the unified endpoint tests use reusable request bodies while preserving XML declaration coverage.

Agent-thread: https://sdko.org/internal/threads/019e431d-86e3-7200-8079-e8bcb390183b
Co-authored-by: Agent <agent@svc.sdko.net>

---------

Co-authored-by: Agent <agent@svc.sdko.net>
2026-05-21 16:36:58 +00:00
Jens L. d5fa0ceacf outposts: fix stale version in OutpostState (#22487)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-05-20 17:26:08 +02:00
Jens L. e3315673eb enterprise/stages/mtls: attempt fix freezegun (#22474)
* enterprise/stages/mtls: attempt fix freezegun

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* emil's fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Revert "enterprise/stages/mtls: attempt fix freezegun"

This reverts commit 8963dac3bc.

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Reapply "enterprise/stages/mtls: attempt fix freezegun"

This reverts commit 090ab760b6.

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-05-20 13:50:24 +02:00
Connor Peshek 32a1fc0de9 providers/saml: Properly import audience from metadata. (#22181)
* providers/saml: Properly import audience from metadata.

* update tests
2026-05-18 12:05:07 -05:00
Jens L. 1ab8bfa042 root: configure freezegun to exclude cryptography (#22442)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-05-18 18:31:08 +02:00
Jens L. fdc1099fb4 enterprise/stages/mtls: freeze time for expired certs (#22411)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-05-18 01:17:05 +02:00
Jens L. 1af9856274 flows: remove link to overview for non-internal user (#22362)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-05-14 23:23:14 +02:00
Jens L. 889c6b5fa2 web: migrate brand assets to npm pkg (#22361)
* web: migrate brand assets to npm pkg

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* move assets to separate script and re-use with storybook

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix testing icon

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-05-14 16:09:40 +02:00
Jens L. a712e5bb2f enterprise/providers/scim: add support for interactive OAuth2 (#22072)
* enterprise/providers/scim: add support for interactive OAuth2

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* prep different oauth mode

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* implement it

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add data to API

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update ui

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fixes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* cleanup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start adding tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add more tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove not-needed migration

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fixup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix last_updated not being updated

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-05-13 18:27:34 +02:00
Simonyi Gergő 691e173cad endpoints: remove print line (#22325)
2026-05-13 13:45:28 +02:00
authentik-automation[bot] aae1b32c61 stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#22322)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-13 09:25:56 +02:00
authentik-automation[bot] 00f0cfe6e4 internal: Automated internal backport: CVE-2026-41569.sec.patch to authentik-main (#22301)
* Automated internal backport of patch CVE-2026-41569.sec.patch to authentik-main

* fix spell

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2026-05-12 20:26:13 +02:00
authentik-automation[bot] 5053167a05 internal: Automated internal backport: CVE-2026-40166.sec.patch to authentik-main (#22299)
* Automated internal backport of patch CVE-2026-40166.sec.patch to authentik-main

* gen

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2026-05-12 20:15:56 +02:00
authentik-automation[bot] f4e868210d internal: Automated internal backport: GHSA-973w-j457-rp2m.sec.patch to authentik-main (#22305)
Automated internal backport of patch GHSA-973w-j457-rp2m.sec.patch to authentik-main

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-12 20:14:12 +02:00
authentik-automation[bot] ee954d64f8 internal: Automated internal backport: CVE-2026-41577.sec.patch to authentik-main (#22302)
Automated internal backport of patch CVE-2026-41577.sec.patch to authentik-main

Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-12 20:11:52 +02:00
authentik-automation[bot] 31d8ddc887 internal: Automated internal backport: CVE-2026-40172.sec.patch to authentik-main (#22300)
Automated internal backport of patch CVE-2026-40172.sec.patch to authentik-main

Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-12 19:46:52 +02:00
authentik-automation[bot] c2636d72a4 internal: Automated internal backport: CVE-2026-40165.sec.patch to authentik-main (#22298)
Automated internal backport of patch CVE-2026-40165.sec.patch to authentik-main

Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-12 19:37:12 +02:00
Connor Peshek c810beca71 providers/saml: make unified saml endpoint (#20026)
* providers/saml: make unified saml endpoint
2026-05-09 09:28:05 -05:00
Connor Peshek 88bef0ec5f providers/saml: make issuer url metadata url (#22178)
2026-05-09 07:28:30 -05:00
Jens L. 886c494402 tenants: fix system flags removable (#22163)
* tenants: fix system flags removable

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* lint and fix test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-05-09 14:05:58 +02:00
Marcelo Elizeche Landó 34364f4acc blueprints: fix mismatched API schema and implementation (#22087)
align blueprint import schema with 200 result response
2026-05-08 14:37:17 -03:00
authentik-automation[bot] ea61e1cf3b root: bump version to 2026.8.0-rc1 (#22167)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-08 17:15:32 +00:00
Simonyi Gergő e220d8e29b events: fix destination_group_obj not being nullable (#22161)
* events: fix `destination_group_obj` not being nullable

* `make lint-fix`
2026-05-08 17:16:20 +02:00
Simonyi Gergő 9f613a3337 tenants/settings: present unset flags as False (#22162)
* tenants/settings: present unset flags as `False`

* Update authentik/tenants/api/settings.py

Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>

* Update authentik/tenants/api/settings.py

Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>

---------

Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Jens L. <jens@goauthentik.io>
2026-05-08 17:16:11 +02:00
Alexander Tereshkin 93abd2e041 stage/authenticator*: expand attempt throttling to email- and sms-based 2FA (#21751)
* stages/authenticator*: enable attempt throttling for email- and sms-based second authentication factor

* stages/authenticator*: add throttling tests

* stage/authenticator_validate: add throttling documentation

* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx

Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>

* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx

Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>

* stages/authenticator_validate: update docs wording

* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx

Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>

* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx

Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>

* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx

Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>

---------

Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@sdko.org>
2026-05-07 12:12:06 -05:00
authentik-automation[bot] 8d75cddbbd stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#22128)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-07 16:25:34 +00:00
Jens L. cf05037761 api: make ordering null-aware (#22099)
* api: make ordering null-aware

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add types

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-05-06 20:34:24 +02:00
dependabot[bot] b32df17513 core: bump dramatiq from 1.17.1 to 2.1.0 (#22076)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2026-05-06 14:42:29 +00:00
Marcelo Elizeche Landó a8db2882ec stages/invitation: Invitation wizard (#20399)
2026-05-05 11:47:31 -05:00
Jens L. 7cffbb4d07 tenants: add option to mark flag as deprecated (#22063)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-05-05 17:25:01 +02:00
Dewi Roberts 716bc6e136 api: set authenticated session user agent nullable properties (#22059)
* Set properties to nullable and regenerate schema

* Make gen

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2026-05-05 14:47:27 +02:00