205hlab-mirrors/authentik
2
0
Fork 0
mirror of https://github.com/goauthentik/authentik.git synced 2026-06-17 19:09:11 +03:00
Code Issues Packages Projects Releases Wiki Activity
22,450 Commits 384 Branches 449 Tags
6df226188fb1564c3d38897ac7788d25bd7be230
Commit Graph

249 Commits

Author SHA1 Message Date
Dominic R 6df226188f providers/scim: Add GitLab compatibility mode (#22906) 
* providers/scim: Add GitLab compatibility mode

Add a GitLab SCIM compatibility mode that skips ServiceProviderConfig probing and document when to use it.

Also wrap non-JSON SCIM responses so providers that return HTML redirects fall back through the existing ServiceProviderConfig default path.

Agent-thread: https://sdko.org/internal/thr/per/019ea36a-92dd-7651-8a2d-0d838e724a7d

A7k-product: product

A7k-product-repo: 1

Co-authored-by: Agent <agent@svc.sdko.net>

* providers/scim: Fold GitLab mode into existing migration

Agent-thread: https://sdko.org/internal/thr/ak/019ea7bd-ce63-77a2-90d6-5dcc25d4402d

A7k-product: product

A7k-product-repo: 2

Co-authored-by: Agent <agent@svc.sdko.net>

---------

Co-authored-by: Agent <agent@svc.sdko.net>
 2026-06-15 16:30:07 -04:00
Dominic R fc8424ac50 stages/captcha: add Cap and JSON verification support (#22373) 
* stages/captcha: add Cap and JSON verification support

Add a configurable verification request content type so CAPTCHA providers can use either form-encoded or JSON token verification.

Add Cap as a preset and flow controller, including module-script loading, interactive widget handling, generated API/client types, tests, and docs.

* web/admin: clarify Cap captcha configuration

Treat the Cap endpoint as a form-only alias for the existing public key field and document Cap alongside the other CAPTCHA providers.

Agent-thread: https://sdko.org/internal/threads/019e737a-314e-72d0-98ae-201cb855df3a

A7k-product: product

A7k-product-repo: 2

Co-authored-by: Agent <agent@svc.sdko.net>

* stages/captcha: prefer self-hosted Cap widget URL

Default the Cap provider guidance to the self-hosted widget asset and keep CDN usage pinned to reviewed releases.

Agent-thread: https://sdko.org/internal/thr/ak/019ead31-2435-7e12-b933-e873155d6894

A7k-product: product

A7k-product-repo: 2

Co-authored-by: Agent <agent@svc.sdko.net>

* floating

---------

Co-authored-by: Agent <agent@svc.sdko.net>
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
 2026-06-11 16:15:21 +00:00
Dominic R 226c69d213 core, web: Remove stale compatibility paths (#22192) 
* Remove stale compatibility paths

* fix schema

* should have vibecoded this

---------

Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
 2026-06-10 12:31:48 -04:00
Marc 'risson' Schmitt f4e4bfcbe5 root: fix schema and API clients (#22735) 
* regenerate schema

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* update ts client

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

---------

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
 2026-06-01 18:42:06 +02:00
Connor Peshek b9e1b27d59 events: fix certificate typo (#22542) 
authentik/events: fix certificate typo
 2026-05-21 21:52:01 +00:00
Jens L. a712e5bb2f enterprise/providers/scim: add support for interactive OAuth2 (#22072) 
* enterprise/providers/scim: add support for interactive OAuth2

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* prep different oauth mode

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* implement it

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add data to API

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update ui

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fixes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* cleanup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start adding tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add more tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove not-needed migration

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fixup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix last_updated not being updated

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2026-05-13 18:27:34 +02:00
authentik-automation[bot] ea61e1cf3b root: bump version to 2026.8.0-rc1 (#22167) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
 2026-05-08 17:15:32 +00:00
Alexander Tereshkin 93abd2e041 stage/authenticator*: expand attempt throttling to email- and sms-based 2FA (#21751) 
* stages/authenticator*: enable attempt throttling for email- and sms-based second authentication factor

* stages/authenticator*: add throttling tests

* stage/authenticator_validate: add throttling documentation

* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx

Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>

* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx

Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>

* stages/authenticator_validate: update docs wording

* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx

Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>

* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx

Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>

* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx

Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>

---------

Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@sdko.org>
 2026-05-07 12:12:06 -05:00
Dominic R 821b74d7c1 enterprise: account lockdown (#18615) 2026-04-30 23:02:46 +00:00
Dominic R 899994027d core: support hashed password in users API + automated install (#18686) 
* core: add hash_password command and password_hash bootstrap support

* core: prevent hash format exposure in validation error

* core: remove redundant password length check

* core: remove extra blank lines from hash_password command

* core: add password_hash serializer tests, refine validation and imports

* core: add null password fields test, add hash warning to docs

* core: move hash validation to User.set_password_from_hash method

* core: emit password_changed signal in set_password_from_hash

* website: remove redundant hash security warning

* core: wrap conflict error message for translation

* core: wrap invalid hash error message for translation

* web, core: add set_password_hash API endpoint and admin UI

* core: simplify password_hash check to None comparison

* core: use None check for password conflict validation

* website: clarify Docker Compose $ escaping for .env vs compose.yml

* website: lint

* web: lint

* core: add nosec comment for empty password string in signal

* core: lint

* web: Fix Password Hash help text

* sources/kerberos,ldap: Gergo's review

* add testing for ^^ and type fix

* more general signal tests; not provider specific

* only used in tests

* add warning

* we can do this

* signals fix????

* core, web, website: review fixes

* style(docs): format automated install guide

* web: restore modal invoker import after rebase

Co-authored-by: Codex <codex@openai.com>

* fix generated clients

* core: trim hash password command tests

* core: add password hash permission

* core: cover service account password hashes

* web: remove password hash form

* core: regenerate password hash migration

* core: reuse password serializer for hashes

* docs: clarify hashed password imports

* Regenerate

* core: deduplicate user serializer writes

* core: deduplicate password update actions

* core: deduplicate password change signaling

* tests: reuse password hash API helper

* tests: reuse SSF credential assertions

* docs: centralize hashed password caveat

* core: name password hash signal source

* core: centralize password hash validation

* core: deduplicate serializer password saves

* docs: link source writeback caveats

* api: clarify password hash request field

* tests: deduplicate password hash API assertions

* web: reuse user display-name helper

* web: use existing user display formatter

* core: reuse reset password permission for hash endpoint

* core: keep separate password hash serializer

* tests: remove redundant password hash permission test

* 21745

Co-authored-by: Gergo <gergo@goauthentik.io>

* core: preserve empty password handling in user serializer

* core: inline blueprint user serializer fields

* Use password hash constant

* Simplify user serializer flow

* Inline password update handling

* Apply serializer cleanup

* Clean blueprint password handling

* Drop extra returns

* Split password hash signal

* Align hash signal receivers

* Remove stale password guards

* Inline password signal

---------

Co-authored-by: Codex <codex@openai.com>
Co-authored-by: Gergo <gergo@goauthentik.io>
 2026-04-29 06:27:59 +02:00
Connor Peshek a2ca19d718 providers/saml: generate issuer url when provider is set on app (#18022) 
* providers/saml: generate issuer url in saml processors unless overridded

* remove issuer

* remove duplicate

* Generate url when assertion is created and save to session

* cleanup

* Fix front-end rendering of issuer

* Update web/src/admin/providers/saml/SAMLProviderViewPage.ts

Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Connor Peshek <connor@connorpeshek.me>

* Update authentik/providers/saml/models.py

Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Connor Peshek <connor@connorpeshek.me>

* Update authentik/providers/saml/models.py

Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Connor Peshek <connor@connorpeshek.me>

* use reverse for urls and update tests

* update issuer description

* Don't absorb sp entity id

* rename issuer_url to issuer_override

* fix migration file to rename to override

* fix migration file order

* lint, fix tests

* fix tests

* fix once again not importing the sp issuer

* build

* use const for default issuer

---------

Signed-off-by: Connor Peshek <connor@connorpeshek.me>
Co-authored-by: connor peshek <connorpeshek@connors-MacBook-Pro.local>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2026-04-28 17:31:12 -05:00
Marcelo Elizeche Landó 05005f4eb9 core: add support for hiding applications from the user dashboard (#21530) 
* Add meta_hide field to hide apps

* exclude hidden applications from user dashboard

* Add the hide option to the UI

* Add schema

* Add hide setting to application wizard

* Add typescript client changes

* fix linting

* Convert blank://blank to meta_hide=True in the migration

* fix tests

* update docs

* fix continuous login

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Apply suggestions from code review

Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com>

* fix linting

* fix migrations

* Apply suggestions from code review

Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com>

* rename all mentions of dashboard to My applications

* generate schema

* generate TS client

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dominic R <dominic@sdko.org>
 2026-04-28 13:05:56 -03:00
Dominic R 620387f294 providers/scim: fix vCenter compatibility mode (#21830) 2026-04-27 12:00:00 +00:00
Jens L. 8f1bdc01b6 providers/oauth2: Configure allowed grant types (#20363) 
* naming cleanup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* adjust defaults, start adding tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* more tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* gen

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix proxy

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add UI

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* attempt to fix e2e

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* allow refresh token for conformance

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix e2e

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2026-04-27 13:36:57 +02:00
Bapuji Koraganti 24edee3e78 flows: add warning message for expired password reset links (#21395) 
* flows: add warning message for expired password reset links

Fixes #21306

* Replace token expiry check with REQUIRE_TOKEN authentication requirement

Incorporate review comments to move expired/invalid token handling from executor-level check to flow planner authentication requirement. This avoids disclosing whether a token ever existed and handles already-cleaned-up tokens.

* The fix was changing gettext_lazy to gettext

* remove unneeded migration

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update form

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
 2026-04-22 15:09:05 +02:00
Jens L. 915b5a73fc enterprise/endpoints/connectors/agent: add independent secure enclave support for tap to login (#20766) 
* enterprise/endpoints/connectors/agent: add independent secure enclave support for tap to login

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix API url

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove optional settings

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add a missing text

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2026-04-18 20:29:17 +02:00
Jens L. 00639d9596 policies/event_matcher: Add query option to filter events (#21618) 
* policies/event_matcher: support QL query

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix lit dev warning

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* cache autocomplete data if QL isn't setup yet

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add ui

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* dont use ql input in modal

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* cleanup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix codespell

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2026-04-16 01:52:11 +02:00
Fletcher Heisler c32f21046d enterprise/search: move QL to open source] (#21484) 
* enterprise/search move to /search

* use make gen for schema updates

* update docs

* re-org

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* cleanup more

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix web

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* oops

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* huh

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* typing

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* gen

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
 2026-04-09 16:37:11 +02:00
Connor Peshek 8c3d5f1269 providers/oauth: post_logout_redirect_uri support (#20011) 
* oauth2/providers: add post logout redirect uri to providers

* properly handle post_logout_redirect_uri and frontchannel message to rp

* add backchannel support

* move logout url logic

* hanlde forbidden_uri_schemes on post_logout_redirect_uri

* merge post_logout with redirect_uri

---------

Signed-off-by: Connor Peshek <connor@connorpeshek.me>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2026-04-07 03:46:11 -05:00
Jens L. ea2bdde5a3 enterprise/providers/ssf: test conformance (#21383) 
* bump conformance server

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add support for rfc push

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* make format and aud optional

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix some endpoints

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* force 401

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* implement get and patch for streams

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* cleanup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* enable async stream deletion

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* allow configuring remote certificate validation

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add verification endpoint

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add support for authorization_header

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* set default aud cause spec cant agree with itself

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* bump timeout

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix header `typ`

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* enabled -> status

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* re-migrate

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* gen

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* more tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* more tests and a fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* make streams deletable

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* and more logs and fix a silly bug

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add stream status endpoint

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* move ssf out of preview

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* unrelated typing fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* sigh

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* more tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2026-04-05 16:35:39 +02:00
Connor Peshek 8dddc05bc0 source/saml: Add forceauthn to saml authnrequest (#20883) 
* source/saml: Add ForceAuthn support to SAML AuthnRequest
 2026-03-31 22:54:01 -05:00
Jens L. 0b1ba60354 stages/authenticator_webauthn: save attestation certificate when creating credential (#20095) 
* stages/authenticator_webauthn: save attestation certificate when creating credential

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add toggle

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix migration

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* gen

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* squash

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* better test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* ui

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* gen

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2026-03-30 13:55:39 +02:00
Jens L. 1a43ac1dc2 providers/scim: add webex compatibility mode (#21208) 
* providers/scim: add webex compatibility mode

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* migrate

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2026-03-27 21:39:39 +01:00
Jens L. 59263ae678 events: add option to configure webhook CA (#20823) 
* events: add option to configure webhook CA

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Update website/docs/sys-mgmt/events/transports.md

Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
 2026-03-14 21:01:01 +01:00
Marcelo Elizeche Landó e9b33be694 stages/authenticator_webauthn: Add WebAuthn client hints support (#20700) 
* Add webauthn_hints to models

* Add migrations

* Add webauthn_hints to the API

* Add enum to settings.py

* Add webauthn client hints to configuration forms in authenticator_webauthn and authenticator_validate

* Add compatability for older user agents auto infering authenticatorAttachment

* Rewording

* Fix capitalization

* Add tests

* Use ak-dual-select instead of checkboxes for hints

* Add preserve-order, no-search and no-status properties to ak-dual-select

* add no-search and no-status to ak-dual-select in AuthenticatorValidateStageForm.ts
 2026-03-13 20:36:28 -03:00
Jens L. d880c46d7c enterprise/endpoints/connectors: add google_chrome (#19129) 
* init

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add icon

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* actually load

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix serializer

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* init ui

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix duplicated element name

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* include chrome url

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* make it work, some small UI fixes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* invisible submit for frame

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix device not set in flow plan, fix other small things, more tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* simplify

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Minor doc changes

* dedupe templates

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
 2026-03-09 11:17:56 +01:00
dependabot[bot] fe0f559cd2 core: bump django-countries from 7.6.1 to 8.2.0 (#19459) 
* core: bump django-countries from 7.6.1 to 8.2.0

Bumps [django-countries](https://github.com/SmileyChris/django-countries) from 7.6.1 to 8.2.0.
- [Changelog](https://github.com/SmileyChris/django-countries/blob/main/CHANGES.md)
- [Commits](https://github.com/SmileyChris/django-countries/compare/v7.6.1...v8.2.0)

---
updated-dependencies:
- dependency-name: django-countries
  dependency-version: 8.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
# Conflicts:
#	pyproject.toml
#	uv.lock

* re-gen schema

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
 2026-02-17 18:13:41 +01:00
Connor Peshek 858a040dfb providers/saml: send logoutResponse on sp-init logout (#17691) 
* providers/saml: send logoutResponse on sp-init logout

* Use first updated to fix multiple submits

* add backchannel logoutResponse

* tests

---------

Signed-off-by: Connor Peshek <connor@connorpeshek.me>
Co-authored-by: connor peshek <connorpeshek@connors-MacBook-Pro.local>
 2026-02-11 14:18:39 -06:00
authentik-automation[bot] 7cb789e777 root: bump version to 2026.5.0-rc1 (#20174) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
 2026-02-11 01:43:16 +01:00
Alexander Tereshkin 2f2488b326 enterprise/lifecycle: implement Object Lifecycle Management (#20015) 
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Jens L. <jens@beryju.org>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Dominic R <dominic@sdko.org>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
 2026-02-10 18:33:06 +01:00
Jens L. ef74ca01a2 enterprise/providers: WSFed configurable realm, default wreply (#19996) 
* enterprise/providers/wsfed: make realm configurable

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* make wreply optional, fallback to configure

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* use audience instead of issuer

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix lookup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2026-02-06 00:14:10 +01:00
Jens L. 68c7037eea flows: add option for flow layout with frame background (#19527) 
* flows: add option for flow layout with frame background

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Tidy variables. Fix mobile and tablet layouts, shadows.

* Update web/src/flow/FlowExecutor.ts

Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
 2026-02-04 17:39:01 +01:00
Simonyi Gergő 1b9653901c rbac: clean up roles and permissions (#19588) 
* clean up roles and permissions

This was purposefully not included in `2025.12` to split the changes up.

The main content of this patch is in the migrations. Everything else
follows more or less automatically.

* add breaking change warning to release notes

* add `ak_groups` --> `groups` deprecated proxy

* fixup! add `ak_groups` --> `groups` deprecated proxy

* fixup! add `ak_groups` --> `groups` deprecated proxy

* fixup! add `ak_groups` --> `groups` deprecated proxy

* add configuration warning to default notifications blueprint

* add rudimentary tests for User.ak_groups

* remove no longer used permissions

* clarify deprecation

Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>

* remove integration changes

These will be included in a separate PR once this is released.

---------

Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Jens L. <jens@goauthentik.io>
 2026-01-29 19:12:38 +01:00
Immanuel von Neumann 6ca26b501b providers/scim: modify user- and group syncing behavior (#13947) 
* providers/scim: modify user- and group syncing behavior

rename filtergroup to groupfilters and allow multiple values
only sync groups which are in the scimprovider's attribute \"group_filters\"
only sync users which are entitled to view the scimprovider's application

* Update authentik/providers/scim/api/providers.py

Signed-off-by: Immanuel von Neumann <45020096+ImmanuelVonNeumann@users.noreply.github.com>

* fix(authentik/scim): update schema.yml and test name

* merge migrations

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* providers/scim: fix linting

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* filter eagerly

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Immanuel von Neumann <45020096+ImmanuelVonNeumann@users.noreply.github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
 2026-01-29 17:07:58 +01:00
Jens L. d1fb7dde14 enterprise/providers: WS-Federation (#19583) 
* init

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix metadata

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* aight

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* progress

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix timedelta

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start testing metadata

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add some more tests and schemas

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* test signature

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* attempt to fix signed xml linebreak

https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1258
https://github.com/robrichards/xmlseclibs/issues/28
https://github.com/xmlsec/python-xmlsec/issues/196
Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format + gen

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update web

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* more validation

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* hmm

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add e2e test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* qol fix in wait_for_url

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add UI

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* acs -> reply url

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* sign_out

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix some XML typing

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove verification_kp as its not used

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix reply url

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add ws-fed to tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add logout test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add SAMLSession

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* refactor

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* unrelated type fixes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add backchannel logout

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* delete import_metadata in wsfed

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* include generated realm

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Update web/src/admin/providers/wsfed/WSFederationProviderViewPage.ts

Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Signed-off-by: Jens L. <jens@beryju.org>

* include wtrealm in ui

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
 2026-01-28 17:43:16 +01:00
Jens L. e2cb1a8d0c endpoints: FleetDM connector (#18589) 
* enterprise/endpoints/connectors/fleet: init

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

# Conflicts:
#	blueprints/schema.json
#	schema.yml

* add ui

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix desc

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add configurable headers

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Address review feedback on FleetDM connector implementation (#18651)

* Initial plan

* Add public override modifiers to updated method

Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com>

* Address additional feedback from PR #18589

Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com>

* Fix indentation in ak-switch-input component

Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com>

* fix permission model

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add attributes to device access group

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add option to map device team

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* cleanup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update schema

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* switch connector to grid, add icons

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix pagination

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add software tab

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix pages in test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add more test devices

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add fedora test machine

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* better formatting for OS version

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com>
 2026-01-23 21:40:28 +01:00
dependabot[bot] 288f6f50f6 core: bump bandit from 1.9.2 to 1.9.3 (#19566) 
* core: bump bandit from 1.9.2 to 1.9.3

Bumps [bandit](https://github.com/PyCQA/bandit) from 1.9.2 to 1.9.3.
- [Release notes](https://github.com/PyCQA/bandit/releases)
- [Commits](https://github.com/PyCQA/bandit/compare/1.9.2...1.9.3)

---
updated-dependencies:
- dependency-name: bandit
  dependency-version: 1.9.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* update config, fix warnings

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
 2026-01-20 01:45:45 +01:00
Dominic R 39f6f72e96 stages/authenticator_static: set max token length to 100 chars (#19162) 
* stages/authenticator_static: add max length validation for token_length field

* wip

* wip
 2026-01-07 22:50:10 +00:00
Jens L. 46297698d6 blueprints: set enrollment token key (#19061) 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2025-12-26 17:37:48 +01:00
authentik-automation[bot] fbe8028b08 root: bump version to 2026.2.0-rc1 (#18794) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
 2025-12-12 20:59:47 +00:00
Marcelo Elizeche Landó 15b93a5e9d stages/identification: Add WebAuthn conditional UI (passkey autofill) support (#18377) 
* add passkey_login to identification stage

* handle passkey auth in identification stage

* Add passkey settings in identification stage in the admin UI

* Add UI changes for basic passkey conditional login

* Fix linting

* rework

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update tests

* update admin form

* allow passing stage to validate_challenge_webauthn

* update flows/tests/test_inspector.py

* update for new field

* Fix linting

* update go solvers for identification challenge

* Refactor tests

* Skip mfa validation if user already authenticated via passkey at identification stage

* Add skip_if_passkey_authenticated option to authenticator validate stage and UI

* Add e2e test for passkey login conditional ui

* add policy

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Remove skip_if_passkey_authenticated

* fix blueprint

* Set backend so password stage policy knows user is already authenticated

* Set backend so password stage policy knows user is already authenticated

* fix linting

* slight tweaks

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* simplify e2e test

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Marcelo Elizeche Landó <marcelo@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
 2025-12-11 11:49:05 -03:00
Marc 'risson' Schmitt 92c5efbac1 sources/sync: configuration for outgoing sync trigger mode (#17669) 
* sources/sync: configuration for outgoing sync trigger mode

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* lint

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* api and frontend

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix tests

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* update migrations

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Wrap `msg` calls in function to fix translation. Update props to accept
callbacks.

---------

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Teffen Ellis <teffen@goauthentik.io>
 2025-12-10 12:40:32 -03:00
Anduin Xue cd09bff247 sources/oauth: add WeChat type (#18086) 
* Add wechat.

* Refactor comments and formatting in wechat.py

Signed-off-by: Anduin Xue <anduin@aiursoft.com>

* Fix lint.

Signed-off-by: Anduin Xue <anduin@aiursoft.com>

* Fix lint.

* fix: Rename `WeChat` enum member to `Wechat` for consistency

* docs: Add WeChat social login integration guide.

* Docs updates

* Revise WeChat integration instructions

Updated instructions for creating a WeChat Website Application and added details about scopes and user attribute mappings.

Signed-off-by: Anduin Xue <anduin@aiursoft.com>

* Prettier

* Update wechat.py

Signed-off-by: Anduin Xue <anduin@aiursoft.com>

---------

Signed-off-by: Anduin Xue <anduin@aiursoft.com>
Co-authored-by: dewi-tik <dewi@goauthentik.io>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
 2025-12-10 12:48:12 +00:00
Jens L. 379a9d09f1 endpoints: fix device access group missing from blueprint (#18703) 
* endpoints: fix device access group missing from blueprint

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* also fix flow_set not being read_only

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix general blueprint schema issue of incorrect related PK fields having the wrong type some places

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix web format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2025-12-09 19:46:49 +01:00
Alexander Tereshkin 7e9e0a87f7 enterprise/reports: add users and events export (#18088) 
* enterprise: add users and events export (reports app)

* enterprise/reports: replace assert with AsertionError so that the assumption check is not lost when compiling to optimised byte code

* enterprise/reports: use ConditionalInheritance with ExportMixin to make reduce coupling of enterprise with the rest of authentik

* enterprise/reports: use custom iterative File to save data export instead of accessing default_storage directly, so all the FileField.save logic can run correctly (e.g. creating directories)

* enterprise/reports: change app label to simply "authentik_reports"

* wip

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* update for new file api

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* lint

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Apply suggestions from code review

Signed-off-by: Dominic R <dominic@sdko.org>

* wip

* sources/oauth: save returned oauth refresh tokens and add slack provider (#18501)

* sources/oauth: save returned oauth refresh tokens

* Update authentik/sources/oauth/models.py

Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Connor Peshek <connor@connorpeshek.me>

* lint

* add tests

* fix proper id setting

* update id test

---------

Signed-off-by: Connor Peshek <connor@connorpeshek.me>
Co-authored-by: connor peshek <connorpeshek@unknown1641287c8f5d.attlocal.net>
Co-authored-by: Jens L. <jens@goauthentik.io>
Co-authored-by: connor peshek <connorpeshek@connors-MacBook-Pro.local>

* core: custom avatar url improvements (#10525)

Co-authored-by: Dominic R <dominic@sdko.org>

* website/integrations: add salesforce (#18516)

Co-authored-by: connor peshek <connorpeshek@connors-MacBook-Pro.local>
Co-authored-by: dewi-tik <dewi@goauthentik.io>
Co-authored-by: Dominic R <dominic@sdko.org>

* endpoints: implement endpoint stage (#18468)

* endpoints: implement endpoint stage

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix mismatched label

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix url in mdm config

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* rephrase

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* and API & UI

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add deprecated support and deprecate gdtc

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add stage mode

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fixup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* rework stage slightly, add frontend

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* include jwks, add iat and exp

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* set kid

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* include device details in event list

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* implement device summary

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add remaining tables

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* revert sanitize

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix uuid format issues

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* web/flows: update default background image (#18540)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* website/integrations: add hoop.dev (#17868)

Co-authored-by: iops <iops@syneforge.com>
Co-authored-by: Dominic R <dominic@sdko.org>

* website: Docusaurus 3.9.2 (#18506)

* endpoints/stage: v2, better error handling, more settings (#18545)

* add options, idle fallback

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* delete other device tokens during enroll

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* better error handling

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* website: Glossary (#16007)

* website: Glossary

fix minor issues

wip

Apply suggestion from @dominic-r

Signed-off-by: Dominic R <dominic@sdko.org>

anchor to param

wip

wip

at least the lockfile changes now

sure

a-z first as tana asked

idk why i switched in the first place

wip

wip

lock

lockfiles are hard

wip

please work

no have?

Revert "no have?"

This reverts commit 743dbc1bc2900eedcc2c93af248e6afdec3688a3.

* changed to sentence-case capitalization

---------

Co-authored-by: Tana M Berry <tana@goauthentik.io>

* web/i18n: Locale Context Merge Branch (#18426)

* web: Update fonts to Patternfly 5 variants.

* Fix order of heading override.

* web: Flesh out locale context.

* Fix Han pattern.

* Remove comment.

* Add additional regional codes.

* Clarify comment.

* Fix typos.

* web/i18n: Add locale-specific font overrides.

* Fix stale session in locale lifecycle.

* core, web: Fix Han language codes.

* Fix warnings about invalid BCP language code.

* Build translations.

* Add locale relative labels.

* Add locale translations for Finnish and Portuguese.

* Fix XLIFF errors.

* Clean up labels.

* Tidy regions.

* Match region comment.

* Update extracted values.

* Fix locale switch not triggering on source language.

* Split labels.

* Clean up labels.

* providers/scim: cache ServiceProviderConfig (#18047)

* Update authentik/enterprise/reports/api/reports.py

Co-authored-by: Jens L. <jens@beryju.org>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>

* enterprise/reports: got rid of unnecessary method-level import

* enterprise/reports: celan up code duplication in data export generation (invoke viewset.filter_queryset directly instead of replicating it)

* enterprise/reports: add check for app label when switching on content types

* enterprise/reports: make hyperlink field on Notification larger so it can fit the security token in the export file URL

* enterprise/reports: add is_superuser back in users export

* enterprise/reports: split tests into multiple files

* Apply suggestions from code review

Signed-off-by: Dewi Roberts <dewi@goauthentik.io>

* Fixed prettier issue

* Update web/src/admin/events/DataExportListPage.ts

Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>

* Update web/src/admin/events/DataExportListPage.ts

Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>

* Update web/src/admin/events/EventListPage.ts

Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>

* Update web/src/admin/reports/ExportButton.ts

Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>

* Update web/src/admin/reports/ExportButton.ts

Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>

* Update web/src/admin/users/UserListPage.ts

Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>

* Update web/src/elements/notifications/NotificationDrawer.ts

Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>

* Update web/src/elements/sidebar/SidebarItem.css

Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>

* enterprise/reports: resolve code review merge errors

* enterprise/reports: remove the export button from the dom flow (by settings display:none) when there's no license

* enterprise/reports: improve docs

* include notification link in email

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* enterprise/reports: remove assignment assertion in ExportButton.ts

* cleanup tests after perm update

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Signed-off-by: Dominic R <dominic@sdko.org>
Signed-off-by: Connor Peshek <connor@connorpeshek.me>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Dominic R <dominic@sdko.org>
Co-authored-by: Connor Peshek <connor@connorpeshek.me>
Co-authored-by: connor peshek <connorpeshek@unknown1641287c8f5d.attlocal.net>
Co-authored-by: Jens L. <jens@goauthentik.io>
Co-authored-by: connor peshek <connorpeshek@connors-MacBook-Pro.local>
Co-authored-by: Konrad Mösch <konrad@moesch.org>
Co-authored-by: dewi-tik <dewi@goauthentik.io>
Co-authored-by: shcherbak <ju.shcherbak@gmail.com>
Co-authored-by: iops <iops@syneforge.com>
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Co-authored-by: Tana M Berry <tana@goauthentik.io>
Co-authored-by: Jens L. <jens@beryju.org>
 2025-12-09 09:35:41 -05:00
Simonyi Gergő f7e23295ed core: add digraph group hierarchy (#17050) 
* move imports

* core: add digraph group hierarchy

* move to permissions from Group or User to Role

* set group parents on frontend

* do not serialize `GroupParentageNode` directly

* core: enforce unique group name on database level

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* use group parents in LDAP provider

* add user-role relationship control to frontend

* move materialized view to be more discoverable

* add guardian to mypy exceptions

* make `Role` a `ManagedModel`

* fixup! make `Role` a `ManagedModel`

* simplify `get_objects_for_user`

* fix flaky unit test

* rename `django-guardian` fork to `ak-guardian`

* add tests around users/groups/roles

* remove unused guardian config variable

* simplify guardian file structure

* clean up frontend

* initial docs

* remove `mode` from `InitialPermissions`

This is no longer needed, since users no longer directly have permissions.

* fixup! Merge branch 'main' into core/add-digraph-group-hierarchy

* clean up docs for managing permissions

* addendums from docs review

* fixup! Merge branch 'main' into core/add-digraph-group-hierarchy

* tweaks

* dewi and tana edits to docs

* tweak

* truly final tweaks, for now

* relabel Role Permissions table

* clarify button label

* fixup! Merge branch 'main' into core/add-digraph-group-hierarchy

* fixup! Merge branch 'main' into core/add-digraph-group-hierarchy

* merge migrations

* fixup! Merge branch 'main' into core/add-digraph-group-hierarchy

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Tana M Berry <tana@goauthentik.io>
 2025-12-08 12:04:04 +01:00
Jens L. 334c0175f9 crypto: separate permissions for certificate and private keydownload (#18588) 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2025-12-04 16:31:52 +01:00
Dominic R c1cfeaf4b5 providers/scim: cache ServiceProviderConfig (#18047) 2025-12-03 08:07:00 -05:00
Jens L. d0ef8a8b8e endpoints/stage: v2, better error handling, more settings (#18545) 
* add options, idle fallback

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* delete other device tokens during enroll

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* better error handling

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2025-12-02 22:25:47 +01:00
Jens L. 5ccd66ddca endpoints: implement endpoint stage (#18468) 
* endpoints: implement endpoint stage

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix mismatched label

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix url in mdm config

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* rephrase

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* and API & UI

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add deprecated support and deprecate gdtc

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add stage mode

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fixup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* rework stage slightly, add frontend

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* include jwks, add iat and exp

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* set kid

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* include device details in event list

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* implement device summary

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add remaining tables

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* revert sanitize

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix uuid format issues

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2025-12-02 19:19:14 +01:00