* Cherry-pick #22956 to version-2026.2 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #22956
Original commit: 6e8176cdf7
* fix merge conflicts
---------
Co-authored-by: Marcelo Elizeche Landó <marcelo@goauthentik.io>
* Cherry-pick #22785 to version-2026.2 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #22785
Original commit: 9508ac62ce
* Apply suggestion from @BeryJu
Signed-off-by: Jens L. <jens@beryju.org>
---------
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Jens L. <jens@goauthentik.io>
website/docs: add global to values.yaml snippets and update version (#22524)
Add global to values.yaml snippets and update version
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Cherry-pick #22064 to version-2026.2 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #22064
Original commit: 6be7b2f7b7
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
fix(rbac): ensure migration 0056 runs before 0010 removes group field (#21964)
fix(rbac): ensure migration 0056 runs before group field is removed
Migration 0010 removes the `group` FK from the Role model, but
migration 0056 (authentik_core) queries `group_id` on Role as part of
a data migration to move guardian permissions to RBAC roles.
When upgrading from 2025.x, Django's migration executor can schedule
0010 before 0056 because neither depends on the other — only 0056
depends on 0008. This causes a FieldError at runtime:
Cannot resolve keyword 'group_id' into field.
Adding 0056 as a dependency of 0010 enforces the correct ordering:
the data migration that reads `group_id` must complete before the
schema migration that removes it.
Co-authored-by: Chris <cxm6467@gmail.com>
* Cherry-pick #21833 to version-2026.2 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #21833
Original commit: b66024f26f
* fix conflict
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
providers/oauth2: clip device authorization scope against the provider's ScopeMapping set (#21701)
* providers/oauth2: clip device authorization scope against the provider's ScopeMapping set
DeviceView.parse_request stored the raw request scope straight onto the
DeviceToken:
self.scopes = self.request.POST.get("scope", "").split(" ")
...
token = DeviceToken.objects.create(..., _scope=" ".join(self.scopes))
The token-exchange side then reads those scopes back directly:
if SCOPE_OFFLINE_ACCESS in self.params.device_code.scope:
refresh_token = RefreshToken(...)
...
so a caller that adds offline_access to the device authorization
request body gets a refresh_token at the exchange, even when the
provider has no offline_access ScopeMapping configured. Every other
grant type clips scope against ScopeMapping for the provider inside
TokenParams.__check_scopes, but the device authorization endpoint
runs before TokenParams is ever constructed, so the clip never
happens for the device flow.
Combined with #20828 (missing client_secret verification on device
code exchange for confidential clients, now being fixed separately)
and the lack of per-app opt-out for the device flow, this gives any
caller that knows the client_id a path to an offline refresh token
against any OIDC application the deployment exposes.
Intersect the requested scope set with the provider's ScopeMapping
names before we ever persist the DeviceToken. offline_access that is
not configured is silently dropped, matching __check_scopes on the
other grant types. Configured offline_access still flows through
unchanged.
Fixes #20825
* rework and add tests
---------
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Sai Asish Y <say.apm35@gmail.com>
Co-authored-by: SAY-5 <SAY-5@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
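The scope clipping described in the commit above, as an added example that is not authentik's own code: the unclipped and clipped device-authorization paths are shown side by side, feeding a simplified token-exchange step. `DeviceToken`, `clip_scopes` and the configured ScopeMapping name set are stand-ins for the real models and are assumptions of this example.

```python
# Added example (not authentik's own code). Models the device flow scope
# handling from the commit: raw scope persisted as-is vs. intersected with
# the provider's configured ScopeMapping names before the token is stored.
from dataclasses import dataclass, field

SCOPE_OFFLINE_ACCESS = "offline_access"


@dataclass
class DeviceToken:
    """Stand-in for the persisted DeviceToken; only the scope list matters here."""
    client_id: str
    scope: list = field(default_factory=list)


def parse_scope(raw: str) -> list:
    """Split a raw space-separated 'scope' parameter, dropping empty entries."""
    return [s for s in raw.split(" ") if s]


def clip_scopes(requested: list, configured: set) -> list:
    """Keep only scopes the provider has a ScopeMapping for, preserving request
    order. Unconfigured scopes (including offline_access) are silently dropped,
    matching what __check_scopes does on the other grant types."""
    return [s for s in requested if s in configured]


def device_authorize_unclipped(client_id: str, raw_scope: str) -> DeviceToken:
    """Pre-fix behaviour: the raw request scope lands on the token unchanged."""
    return DeviceToken(client_id, parse_scope(raw_scope))


def device_authorize_clipped(client_id: str, raw_scope: str, configured: set) -> DeviceToken:
    """Post-fix behaviour: intersect with ScopeMapping names before persisting."""
    return DeviceToken(client_id, clip_scopes(parse_scope(raw_scope), configured))


def exchange(token: DeviceToken) -> dict:
    """Token-exchange side: mirrors the quoted check, issuing a refresh_token
    only when offline_access is present on the stored DeviceToken."""
    response = {"access_token": "<constructed>", "scope": " ".join(token.scope)}
    if SCOPE_OFFLINE_ACCESS in token.scope:
        response["refresh_token"] = "<constructed>"
    return response


if __name__ == "__main__":
    configured = {"openid", "email", "profile"}  # constructed: no offline_access mapping
    raw = "openid email offline_access"          # constructed request body scope
    print("unclipped:", exchange(device_authorize_unclipped("app", raw)))
    print("clipped:  ", exchange(device_authorize_clipped("app", raw, configured)))
```

Running it shows the unclipped path returning a refresh_token for a provider with no offline_access mapping, while the clipped path returns only the configured scopes.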
website/docs: add authorization header info to all proxy configs (#21664)
Add authorization header info to all proxy configs
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Cherry-pick #21746 to version-2026.2 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #21746
Original commit: 189056e19a
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
Cherry-pick #21513 to version-2026.2 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #21513
Original commit: c84c8d86f8
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>