Marc 'risson' Schmitt
c8e9eba971
move to cert store
...
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
2026-06-17 14:51:19 +02:00
Marc 'risson' Schmitt
c2e8494a9d
tls certificates
...
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
2026-06-17 14:51:18 +02:00
Marc 'risson' Schmitt
b260aeed50
continue on handlers
...
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
2026-06-17 14:51:02 +02:00
Marc 'risson' Schmitt
9c4905bf5f
outpost basics and refresh logic
...
commit 04669c9f857ecb0b47a5303958bf02de196ba4e9
Merge: 7ff008d6d6 620387f294
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Mon Apr 27 15:36:33 2026 +0200
Merge branch 'main' into rust-proxy
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 7ff008d6d6119d96dceb3d2491feabbfc2f19f26
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Fri Apr 24 16:47:38 2026 +0200
wip
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 5ad0150fe4e56a59acebd13a2b2915a727608761
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Fri Apr 24 15:19:32 2026 +0200
fix page size
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 4f52a79c6af382b61cc3e6d01a477f27fbf417ba
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Fri Apr 24 14:53:04 2026 +0200
application refresh
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit a8b8a81375ec642a43ff267e488e99ee3e063fc6
Merge: 31e7b1dc4b 0459568a96
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Fri Apr 24 13:54:38 2026 +0200
Merge branch 'main' into rust-proxy
commit 31e7b1dc4b8ae5e922e889292f419dea066072e9
Merge: 2cb3df2a60 8bf7efecfd
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Thu Apr 23 15:46:53 2026 +0200
Merge branch 'rust-worker-2' into rust-proxy
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 8bf7efecfd
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Thu Apr 23 15:33:30 2026 +0200
fix lint
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit b1ceb28f71
Merge: 1fec16b8e0 39e6c41566
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Thu Apr 23 15:26:14 2026 +0200
Merge branch 'main' into rust-worker-2
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 2cb3df2a6003b9828829226a6fdae581a668637d
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Thu Apr 16 19:00:42 2026 +0200
wip
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 542688179737ea2ba2018fbc63189cc51a5364fd
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Thu Apr 16 19:00:26 2026 +0200
wip
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 3f703bb21b06950c786e6f50d19b112916b38901
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Thu Apr 16 18:23:54 2026 +0200
wip
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit b3c0a50f914aa87a7e36b76d38cd782249d31ce0
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Thu Apr 16 16:46:54 2026 +0200
metrics and logging
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 1fec16b8e0
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Thu Apr 16 13:40:07 2026 +0200
run -> start
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 8657d74dc9
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Thu Apr 2 13:22:10 2026 +0200
root: init rust worker
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 347df15f508a7e1422109a6b6315ad99a4eadb4b
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Thu Apr 16 14:00:28 2026 +0200
wip
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit cf2ed15ceda53604f8224554a77b27b80f753d2f
Merge: dc1d99288f b220e80a0d
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Thu Apr 16 13:42:43 2026 +0200
Merge branch 'rust-worker-2' into rust-proxy
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit b220e80a0d1c94552d5cbe8ad41f6c0b1ebba84a
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Thu Apr 16 13:40:07 2026 +0200
run -> start
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 54f6b5c73c0721770b812f09fc37ca8cfd9961ef
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Thu Apr 2 13:22:10 2026 +0200
root: init rust worker
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 9fad68bdada9bfb36607b05e79ec3fb8962e12cf
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Wed Apr 15 17:12:01 2026 +0200
packages/ak-common/tracing: get sentry config from API for outposts
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit dc1d99288f6c95dd3e9215fae121c16938c14d24
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Wed Apr 15 17:51:28 2026 +0200
wip
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 8fb795ec8963c47cd48e81046a7d7f88c33317ff
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Wed Apr 15 17:41:40 2026 +0200
wip
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit f8f84f5f0b15d1a5bee057effc949dc86d34c819
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Wed Apr 15 17:41:33 2026 +0200
fixup
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 58125584635dce8a940df2065c44d002b39d0ca8
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Wed Apr 15 17:38:06 2026 +0200
wip
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 513462f78df5e1bf99267ead7e10b5bf1a5e14e7
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Wed Apr 15 17:38:02 2026 +0200
fixup
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 833912b71241a72dec09981f0d3ad77e7ab4e541
Merge: 9fba928666 78a4b06ab3
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Wed Apr 15 17:32:31 2026 +0200
Merge branch 'rust-worker-2' into rust-proxy
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 78a4b06ab3e43f5d5c3c42d33b2a364e08e89136
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Thu Apr 2 13:22:10 2026 +0200
root: init rust worker
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit c38e3cbbcfc5ba7dc1ce906c3ff50aa34c2c94e1
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Wed Apr 15 17:12:01 2026 +0200
packages/ak-common/tracing: get sentry config from API for outposts
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 9fba928666d7f7990558ca0fa3b170ef77585386
Merge: ce8f33416e 668f37ea41
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Wed Apr 15 17:16:50 2026 +0200
Merge branch 'main' into rust-proxy
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit ce8f33416ec479a745551cbdffe9ff133136d237
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Wed Apr 15 16:41:26 2026 +0200
ws
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 6308ec3360fa122856e94b383888ae83d979fee0
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Tue Apr 14 15:04:03 2026 +0200
wip
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit 915bf6942eda4b067fecd53651c17b9587578bb6
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Fri Apr 10 17:16:32 2026 +0200
wip
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit e63d2afb293d50d6b30e65387bfe07182cc57eb3
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Fri Apr 10 14:10:05 2026 +0200
wip
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
commit d103cea26a8115545edeab4a11b78f5fd37c2a7a
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Date: Thu Apr 2 13:22:10 2026 +0200
root: init rust worker
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
2026-06-17 14:50:46 +02:00
dependabot[bot]
a321c69eb5
core: bump sqlx from 0.8.6 to 0.9.0 ( #22754 )
...
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Signed-off-by: dependabot[bot] <support@github.com >
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
2026-06-17 12:27:24 +00:00
Dominic R
6df226188f
providers/scim: Add GitLab compatibility mode ( #22906 )
...
* providers/scim: Add GitLab compatibility mode
Add a GitLab SCIM compatibility mode that skips ServiceProviderConfig probing and document when to use it.
Also wrap non-JSON SCIM responses so providers that return HTML redirects fall back through the existing ServiceProviderConfig default path.
Agent-thread: https://sdko.org/internal/thr/per/019ea36a-92dd-7651-8a2d-0d838e724a7d
A7k-product: product
A7k-product-repo: 1
Co-authored-by: Agent <agent@svc.sdko.net >
* providers/scim: Fold GitLab mode into existing migration
Agent-thread: https://sdko.org/internal/thr/ak/019ea7bd-ce63-77a2-90d6-5dcc25d4402d
A7k-product: product
A7k-product-repo: 2
Co-authored-by: Agent <agent@svc.sdko.net >
---------
Co-authored-by: Agent <agent@svc.sdko.net >
2026-06-15 16:30:07 -04:00
Dominic R
fc8424ac50
stages/captcha: add Cap and JSON verification support ( #22373 )
...
* stages/captcha: add Cap and JSON verification support
Add a configurable verification request content type so CAPTCHA providers can use either form-encoded or JSON token verification.
Add Cap as a preset and flow controller, including module-script loading, interactive widget handling, generated API/client types, tests, and docs.
* web/admin: clarify Cap captcha configuration
Treat the Cap endpoint as a form-only alias for the existing public key field and document Cap alongside the other CAPTCHA providers.
Agent-thread: https://sdko.org/internal/threads/019e737a-314e-72d0-98ae-201cb855df3a
A7k-product: product
A7k-product-repo: 2
Co-authored-by: Agent <agent@svc.sdko.net >
* stages/captcha: prefer self-hosted Cap widget URL
Default the Cap provider guidance to the self-hosted widget asset and keep CDN usage pinned to reviewed releases.
Agent-thread: https://sdko.org/internal/thr/ak/019ead31-2435-7e12-b933-e873155d6894
A7k-product: product
A7k-product-repo: 2
Co-authored-by: Agent <agent@svc.sdko.net >
* floating
---------
Co-authored-by: Agent <agent@svc.sdko.net >
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
2026-06-11 16:15:21 +00:00
Dominic R
226c69d213
core, web: Remove stale compatibility paths ( #22192 )
...
* Remove stale compatibility paths
* fix schema
* should have vibecoded this
---------
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
2026-06-10 12:31:48 -04:00
Teffen Ellis
5727ae4271
core, internal, packages: fix British spellings flagged by cspell ( #22819 )
...
* core, internal, packages: fix British spellings flagged by cspell
Apply American spellings in Python docstrings/comments, Go log messages, a Rust doc comment, and a template comment (behaviour->behavior, initialise->initialize, finalise->finalize, etc.). Part of enabling cspell's British-spelling rule; the rule itself lands in a separate PR once all areas are clean.
Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Playpen Agent <279763771+playpen-agent@users.noreply.github.com >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-06-08 14:55:31 +02:00
dependabot[bot]
f47fc31b62
core: bump openapitools/openapi-generator-cli from v7.20.0 to v7.22.0 in /packages/client-go ( #22573 )
...
core: bump openapitools/openapi-generator-cli in /packages/client-go
Bumps openapitools/openapi-generator-cli from v7.20.0 to v7.22.0.
---
updated-dependencies:
- dependency-name: openapitools/openapi-generator-cli
dependency-version: v7.22.0
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-02 19:18:43 +02:00
dependabot[bot]
12d4c0ac2d
core: bump openapitools/openapi-generator-cli from v7.21.0 to v7.22.0 in /packages/client-ts ( #22575 )
...
* core: bump openapitools/openapi-generator-cli in /packages/client-ts
Bumps openapitools/openapi-generator-cli from v7.21.0 to v7.22.0.
---
updated-dependencies:
- dependency-name: openapitools/openapi-generator-cli
dependency-version: v7.22.0
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com >
* re-gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: dependabot[bot] <support@github.com >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-06-02 18:25:13 +02:00
Marc 'risson' Schmitt
f4e4bfcbe5
root: fix schema and API clients ( #22735 )
...
* regenerate schema
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* update ts client
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
---------
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
2026-06-01 18:42:06 +02:00
Marc 'risson' Schmitt
461f9b4cf2
packages/ak-common/db: fix certificates options not allowing file paths ( #22680 )
...
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
2026-05-27 19:43:27 +02:00
Marc 'risson' Schmitt
5c1eb0e449
packages/ak-common/db: fix conn_max_age causing spinning ( #22679 )
...
* packages/ak-common/config: fix option int parsing, specifically for conn_max_age
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* packages/ak-common/db: fix conn_max_age usage
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
---------
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
2026-05-27 19:43:13 +02:00
Connor Peshek
b9e1b27d59
events: fix certificate typo ( #22542 )
...
authentik/events: fix certificate typo
2026-05-21 21:52:01 +00:00
Teffen Ellis
de3f5ea3cb
core: align django-channels-postgres psycopg[pool] floor with #22201 ( #22363 )
...
Co-authored-by: Agent (authentik-m-align-django-friendly-wild-grain) <279763771+playpen-agent@users.noreply.github.com >
2026-05-18 15:44:38 +02:00
Jens L.
1af9856274
flows: remove link to overview for non-internal user ( #22362 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-05-14 23:23:14 +02:00
Teffen Ellis
9543b3c9f6
ci: Consistent NPM versions via Corepack ( #20400 )
...
* core: add .npmrc baseline to block dependency lifecycle scripts
Set ignore-scripts=true at the repo root, plus engine-strict, save-exact,
audit, and prefer-offline. This neutralizes the dominant npm supply-chain
attack vector — postinstall scripts in transitive dependencies — at the
cost of requiring an explicit rebuild for the handful of packages that
legitimately need install scripts (esbuild, chromedriver, tree-sitter,
tree-sitter-json). The next commit wires that rebuild into the Makefile.
Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com >
* core: route node installs through make to retire website preinstall hook
Make docs-install depend on a new root-node-install so the root deps
are guaranteed before the website install runs, removing the need for
the website/preinstall lifecycle script. Rebuild the small audited list
of trusted packages (esbuild, chromedriver, tree-sitter, tree-sitter-json)
after the web install so ignore-scripts=true remains the only path that
needs maintenance. web/README documents the new workflow.
Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com >
* Clean up install scripts.
* Track .npmrc in CODEOWNERS
* Fix formatter config. Reformat.
* Fix mounted references.
* Flesh out node scripts.
* Bump engines.
* Prep containers.
* Update makefile.
* Flesh out github actions.
* Clean up docs container.
* lint.
Bump.
Lint.
Bump NPM version.
* Add limits.
* collapse the composite's three setup-node calls to one cache restore
* Add SHA.
* Bump NPM range.
* Run formatter.
* Bump NPM.
* Remove extra install.
* Fix website deps.
* Use local prettier. Fix drift in CI.
* ci: build frontend in CI with node_env production
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Install docusaurus config.
* Fix linter warning, order.
* Add linter commands.
* Add timeout.
* Remove pre install check.
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Playpen Agent <279763771+playpen-agent@users.noreply.github.com >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-05-13 22:05:07 +00:00
Jens L.
a712e5bb2f
enterprise/providers/scim: add support for interactive OAuth2 ( #22072 )
...
* enterprise/providers/scim: add support for interactive OAuth2
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* prep different oauth mode
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* implement it
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add data to API
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fixes
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* start adding tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add more tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove not-needed migration
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fixup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix last_updated not being updated
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-05-13 18:27:34 +02:00
authentik-automation[bot]
5053167a05
internal: Automated internal backport: CVE-2026-40166.sec.patch to authentik-main ( #22299 )
...
* Automated internal backport of patch CVE-2026-40166.sec.patch to authentik-main
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-05-12 20:15:56 +02:00
Ken Sternberg
75a62b7dca
web/maintenance: bump Typescript compiler to version 7 ( #22172 )
...
* Upgrade Typescript to use Typescript 7 (aka TSGO)
* web: drop `packages/` and composite from `tsc -p .` graph (#22100 )
Excluding the workspace subpackages cuts the program graph from 2719 to
1800 non-`node_modules` files (-34%) — most of the drop is the 912
generated files in `packages/client-ts/src/`, which are pulled in by
the recursive include glob even though that package has its own
composite tsconfig and is consumed via `@goauthentik/api/dist/*.d.ts`.
The base `@goauthentik/tsconfig` sets `composite: true`, which forced
TS6307 the moment we tried to exclude `packages/` (`@goauthentik/core`
imports get followed into `web/packages/core/`). Nothing references
`web` in this repo, so disabling composite is safe; `incremental` is
inherited from the base and still drives the `.tsbuildinfo` cache.
On this branch:
- cold `tsc -p .` 26.3s → 22.7s (-14%)
- warm `tsc -p .` 4.1s → 3.5s (-15%)
- `npm run precommit` 39.9s → 37.9s warm
Type coverage is unchanged: each excluded package already type-checks
itself via its own tsconfig + build, and stories/tests/e2e remain in
the include set.
Co-Authored-By: Agent (authentik-i22100-affordable-constant-chartreuse) <279763771+playpen-agent@users.noreply.github.com >
* Fix types.
---------
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
Co-authored-by: Agent (authentik-i22100-affordable-constant-chartreuse) <279763771+playpen-agent@users.noreply.github.com >
2026-05-12 15:47:07 +02:00
Connor Peshek
c810beca71
providers/saml: make unified saml endpoint ( #20026 )
...
* providers/saml: make unified saml endpoint
2026-05-09 09:28:05 -05:00
authentik-automation[bot]
ea61e1cf3b
root: bump version to 2026.8.0-rc1 ( #22167 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-05-08 17:15:32 +00:00
Simonyi Gergő
e220d8e29b
events: fix destination_group_obj not being nullable ( #22161 )
...
* events: fix `destination_group_obj` not being nullable
* `make lint-fix`
2026-05-08 17:16:20 +02:00
Alexander Tereshkin
93abd2e041
stage/authenticator*: expand attempt throttling to email- and sms-based 2FA ( #21751 )
...
* stages/authenticator*: enable attempt throttling for email- and sms-based second authentication factor
* stages/authenticator*: add throttling tests
* stage/authenticator_validate: add throttling documentation
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* stages/authenticator_validate: update docs wording
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
---------
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
Co-authored-by: Dominic R <dominic@sdko.org >
2026-05-07 12:12:06 -05:00
Marc 'risson' Schmitt
b420e4fdbd
packages/django-dramatiq-postgres/broker: avoid task processing stopping on decode error ( #22110 )
2026-05-07 15:35:21 +00:00
dependabot[bot]
b32df17513
core: bump dramatiq from 1.17.1 to 2.1.0 ( #22076 )
...
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
2026-05-06 14:42:29 +00:00
Teffen Ellis
e40187179d
packages/client-ts: Fix TypeScript config, ESBuild warnings ( #21863 )
...
* packages/client-ts: drop composite/incremental from tsconfig template
Sync with goauthentik/client-ts#13. The flags are the mechanism of
the missing-dist release bug upstream; harmless in the monorepo (no
publishing) but pointless for a single-package, no-project-references
setup. Keeping the two trees aligned avoids drift.
Co-Authored-By: Agent (authentik-m-sync-packages-final-concrete-buff) <279763771+playpen-agent@users.noreply.github.com >
* Fix package not building.
---------
Co-authored-by: Agent (authentik-m-sync-packages-final-concrete-buff) <279763771+playpen-agent@users.noreply.github.com >
2026-05-06 12:29:46 +02:00
Marcelo Elizeche Landó
a8db2882ec
stages/invitation: Invitation wizard ( #20399 )
2026-05-05 11:47:31 -05:00
Jens L.
7cffbb4d07
tenants: add option to mark flag as deprecated ( #22063 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-05-05 17:25:01 +02:00
Dewi Roberts
716bc6e136
api: set authenticated session user agent nullable properties ( #22059 )
...
* Set properties to nullable and regenerate schema
* Make gen
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-05-05 14:47:27 +02:00
Luca Sannitu
b04f8a6177
providers/oauth2: override RedirectURITypeEnum capitalization for generated API ( #22037 )
...
* fix(providers/oauth2): correct RedirectURITypeEnum capitalization in API schema
* fix: remove encoding artifacts introduced during client regeneration
2026-05-05 14:18:02 +02:00
Marc 'risson' Schmitt
ba62507fc2
root: introduce allinone mode ( #21990 )
2026-05-04 16:43:11 +02:00
Jens L.
4851179522
enterprise/providers/ssf: more conformance fixes ( #21521 )
...
* enterprise/providers/ssf: more conformance fixes
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* include request when possible
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove null state
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* t
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* re-gen & format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove None state
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix ci
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* revert a thing
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix ssf conformance test
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* no subtest
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix network
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add test for stream update
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-05-04 14:11:21 +02:00
Dominic R
821b74d7c1
enterprise: account lockdown ( #18615 )
2026-04-30 23:02:46 +00:00
Alexander Tereshkin
8963d29ab4
enterprise/lifecycle: remove one review per object limitation ( #21046 )
...
* enterprise/lifecycle: allow multiple rules to apply to a single object (and thus, multiple concurrent reviews)
* enterprise/lifecycle: add missing migration to allow multiple lifecycle rules per object, add tests, update documentation
* enterprise/lifecycle: add a bit of padding to individual review iterations on Review tab for better visual separation
* enterprise/lifecycle: remove validation preventing the creation of multiple lifecycle rules for one object type
* enterprise/lifecycle: change the approach to querying the list of reviews with user_is_reviewer annotation to prevent duplicate rows
* enterprise/lifecycle: add custom per-type logic to get object name for use in a notification to prevent texts like "Review is due for Group Group X"
* enterprise/lifecycle: updated wording on lifecycle rule form and preview banner padding
* enterprise/lifecycle: remove task list from lifecycle rules and switch to using per-rule schedules
* enterprise/lifecycle: add a title to the lifecycle tab
* Revert "enterprise/lifecycle: remove task list from lifecycle rules and switch to using per-rule schedules"
This reverts commit 8a060015b693f65f651a71bdb0c47092d3463af1.
* enterprise/lifecycle: remove task list from the lifecycle rule list page and attach the tasks to the schedule
* enterprise/lifecycle: add proper caption when there are no reviews for an object
* enterprise/lifecycle: attach individual apply_lifecycle_rule tasks to the schedule when launched from apply_lifecycle_rules
* enterprise/lifecycle: update generated API clients
* enterprise/lifecycle: update wording
* enterprise/lifecycle: fix ts issues after rebase
* Update website/docs/sys-mgmt/object-lifecycle-management.md
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* enterprise/lifecycle: remove fmall code artifact
---------
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
Co-authored-by: Dominic R <dominic@sdko.org >
2026-04-30 14:11:07 -05:00
Marc 'risson' Schmitt
3f94f830fc
packages/ak-common/tracing: make log level lowercase ( #21991 )
2026-04-30 14:58:10 +00:00
Dominic R
899994027d
core: support hashed password in users API + automated install ( #18686 )
...
* core: add hash_password command and password_hash bootstrap support
* core: prevent hash format exposure in validation error
* core: remove redundant password length check
* core: remove extra blank lines from hash_password command
* core: add password_hash serializer tests, refine validation and imports
* core: add null password fields test, add hash warning to docs
* core: move hash validation to User.set_password_from_hash method
* core: emit password_changed signal in set_password_from_hash
* website: remove redundant hash security warning
* core: wrap conflict error message for translation
* core: wrap invalid hash error message for translation
* web, core: add set_password_hash API endpoint and admin UI
* core: simplify password_hash check to None comparison
* core: use None check for password conflict validation
* website: clarify Docker Compose $ escaping for .env vs compose.yml
* website: lint
* web: lint
* core: add nosec comment for empty password string in signal
* core: lint
* web: Fix Password Hash help text
* sources/kerberos,ldap: Gergo's review
* add testing for ^^ and type fix
* more general signal tests; not provider specific
* only used in tests
* add warning
* we can do this
* signals fix????
* core, web, website: review fixes
* style(docs): format automated install guide
* web: restore modal invoker import after rebase
Co-authored-by: Codex <codex@openai.com >
* fix generated clients
* core: trim hash password command tests
* core: add password hash permission
* core: cover service account password hashes
* web: remove password hash form
* core: regenerate password hash migration
* core: reuse password serializer for hashes
* docs: clarify hashed password imports
* Regenerate
* core: deduplicate user serializer writes
* core: deduplicate password update actions
* core: deduplicate password change signaling
* tests: reuse password hash API helper
* tests: reuse SSF credential assertions
* docs: centralize hashed password caveat
* core: name password hash signal source
* core: centralize password hash validation
* core: deduplicate serializer password saves
* docs: link source writeback caveats
* api: clarify password hash request field
* tests: deduplicate password hash API assertions
* web: reuse user display-name helper
* web: use existing user display formatter
* core: reuse reset password permission for hash endpoint
* core: keep separate password hash serializer
* tests: remove redundant password hash permission test
* 21745
Co-authored-by: Gergo <gergo@goauthentik.io >
* core: preserve empty password handling in user serializer
* core: inline blueprint user serializer fields
* Use password hash constant
* Simplify user serializer flow
* Inline password update handling
* Apply serializer cleanup
* Clean blueprint password handling
* Drop extra returns
* Split password hash signal
* Align hash signal receivers
* Remove stale password guards
* Inline password signal
---------
Co-authored-by: Codex <codex@openai.com >
Co-authored-by: Gergo <gergo@goauthentik.io >
2026-04-29 06:27:59 +02:00
Connor Peshek
a2ca19d718
providers/saml: generate issuer url when provider is set on app ( #18022 )
...
* providers/saml: generate issuer url in saml processors unless overridden
* remove issuer
* remove duplicate
* Generate url when assertion is created and save to session
* cleanup
* Fix front-end rendering of issuer
* Update web/src/admin/providers/saml/SAMLProviderViewPage.ts
Co-authored-by: Jens L. <jens@goauthentik.io >
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
* Update authentik/providers/saml/models.py
Co-authored-by: Jens L. <jens@goauthentik.io >
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
* Update authentik/providers/saml/models.py
Co-authored-by: Jens L. <jens@goauthentik.io >
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
* use reverse for urls and update tests
* update issuer description
* Don't absorb sp entity id
* rename issuer_url to issuer_override
* fix migration file to rename to override
* fix migration file order
* lint, fix tests
* fix tests
* fix once again not importing the sp issuer
* build
* use const for default issuer
---------
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
Co-authored-by: connor peshek <connorpeshek@connors-MacBook-Pro.local >
Co-authored-by: Jens L. <jens@goauthentik.io >
2026-04-28 17:31:12 -05:00
Marcelo Elizeche Landó
05005f4eb9
core: add support for hiding applications from the user dashboard ( #21530 )
...
* Add meta_hide field to hide apps
* exclude hidden applications from user dashboard
* Add the hide option to the UI
* Add schema
* Add hide setting to application wizard
* Add typescript client changes
* fix linting
* Convert blank://blank to meta_hide=True in the migration
* fix tests
* update docs
* fix continuous login
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Apply suggestions from code review
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com >
* fix linting
* fix migrations
* Apply suggestions from code review
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com >
* rename all mentions of dashboard to My applications
* generate schema
* generate TS client
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
Co-authored-by: Dominic R <dominic@sdko.org >
2026-04-28 13:05:56 -03:00
Marc 'risson' Schmitt
e4b0ea7d15
packages/ak-axum/router: add X-Powered-By to all responses ( #21940 )
2026-04-28 15:35:17 +02:00
Marc 'risson' Schmitt
2a027264b3
packages/ak-axum/accept/catch_panic: add acceptor to catch panics in lower acceptors, streams and services ( #21860 )
2026-04-27 16:40:50 +00:00
Marc 'risson' Schmitt
3e75278052
packages/ak-common/config: fix string load broken after previous fix ( #21854 )
2026-04-27 14:03:55 +00:00
Dominic R
620387f294
providers/scim: fix vCenter compatibility mode ( #21830 )
2026-04-27 12:00:00 +00:00
Jens L.
8f1bdc01b6
providers/oauth2: Configure allowed grant types ( #20363 )
...
* naming cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* adjust defaults, start adding tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix proxy
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add UI
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* attempt to fix e2e
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* allow refresh token for conformance
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix e2e
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-27 13:36:57 +02:00
Marc 'risson' Schmitt
5c3cd2c6ed
packages/ak-common/config: fix boolean parsing from env variable ( #21835 )
2026-04-27 12:53:47 +02:00
Marc 'risson' Schmitt
97c9626bd4
root: init rust worker ( #21324 )
2026-04-27 01:08:32 +02:00
Bapuji Koraganti
24edee3e78
flows: add warning message for expired password reset links ( #21395 )
...
* flows: add warning message for expired password reset links
Fixes #21306
* Replace token expiry check with REQUIRE_TOKEN authentication requirement
Incorporate review comments to move expired/invalid token handling from executor-level check to flow planner authentication requirement. This avoids disclosing whether a token ever existed and handles already-cleaned-up tokens.
* The fix was changing gettext_lazy to gettext
* remove unneeded migration
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update form
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-22 15:09:05 +02:00
Jens L.
915b5a73fc
enterprise/endpoints/connectors/agent: add independent secure enclave support for tap to login ( #20766 )
...
* enterprise/endpoints/connectors/agent: add independent secure enclave support for tap to login
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix API url
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove optional settings
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add a missing text
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-18 20:29:17 +02:00
Marc 'risson' Schmitt
05bb1d1fdd
packages/ak-axum/server: fix unix socket cleanup when allow_failure is unset ( #21645 )
2026-04-16 16:20:16 +00:00