e220d8e29b
events: fix destination_group_obj not being nullable ( #22161 )
...
* events: fix `destination_group_obj` not being nullable
* `make lint-fix`
2026-05-08 17:16:20 +02:00
93abd2e041
stage/authenticator*: expand attempt throttling to email- and sms-based 2FA ( #21751 )
...
* stages/authenticator*: enable attempt throttling for email- and sms-based second authentication factor
* stages/authenticator*: add throttling tests
* stage/authenticator_validate: add throttling documentation
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* stages/authenticator_validate: update docs wording
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* Update website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
---------
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
Co-authored-by: Dominic R <dominic@sdko.org >
2026-05-07 12:12:06 -05:00
b420e4fdbd
packages/django-dramatiq-postgres/broker: avoid task processing stopping on decode error ( #22110 )
2026-05-07 15:35:21 +00:00
b32df17513
core: bump dramatiq from 1.17.1 to 2.1.0 ( #22076 )
...
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
2026-05-06 14:42:29 +00:00
e40187179d
packages/client-ts: Fix TypeScript config, ESBuild warnings ( #21863 )
...
* packages/client-ts: drop composite/incremental from tsconfig template
Sync with goauthentik/client-ts#13 . The flags are the mechanism of
the missing-dist release bug upstream; harmless in the monorepo (no
publishing) but pointless for a single-package, no-project-references
setup. Keeping the two trees aligned avoids drift.
Co-Authored-By: Agent (authentik-m-sync-packages-final-concrete-buff) <279763771+playpen-agent@users.noreply.github.com >
* Fix package not building.
---------
Co-authored-by: Agent (authentik-m-sync-packages-final-concrete-buff) <279763771+playpen-agent@users.noreply.github.com >
2026-05-06 12:29:46 +02:00
a8db2882ec
stages/invitation: Invitation wizard ( #20399 )
2026-05-05 11:47:31 -05:00
7cffbb4d07
tenants: add option to mark flag as deprecated ( #22063 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-05-05 17:25:01 +02:00
716bc6e136
api: set authenticated session user agent nullable properties ( #22059 )
...
* Set properties to nullable and regenerate schema
* Make gen
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-05-05 14:47:27 +02:00
b04f8a6177
providers/oauth2: override RedirectURITypeEnum capitalization for generated API ( #22037 )
...
* fix(providers/oauth2): correct RedirectURITypeEnum capitalization in API schema
* fix: remove encoding artifacts introduced during client regeneration
2026-05-05 14:18:02 +02:00
ba62507fc2
root: introduce allinone mode ( #21990 )
2026-05-04 16:43:11 +02:00
4851179522
enterprise/providers/ssf: more conformance fixes ( #21521 )
...
* enterprise/providers/ssf: more conformance fixes
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* include request when possible
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove null state
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* t
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* re-gen & format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove None state
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix ci
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* revert a thing
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix ssf conformance test
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* no subtest
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix network
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add test for stream update
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-05-04 14:11:21 +02:00
821b74d7c1
enterprise: account lockdown ( #18615 )
2026-04-30 23:02:46 +00:00
8963d29ab4
enterprise/lifecycle: remove one review per object limitation ( #21046 )
...
* enterprise/lifecycle: allow multiple rules to apply to a single object (and thus, multiple concurrent reviews)
* enterprise/lifecyle: add missing migration to allow multiple lifecycle rules per object, add tests, update documentation
* enterprise/lifecycle: add a bit of padding to individual review iterations on Review tab for better visual separation
* enterprise/lifecycle: remove validation preventing the creation of multiple lifecycle rules for one object type
* enterprise/lifecycle: change the approach to querying the list of reviews with user_is_reviewer annotation to prevent duplicate rows
* enterprise/lifecycle: add custom per-type logic to get object name for use in a notification to prevent texts like "Review is due for Group Group X"
* enterprise/lifecycle: updated wording on lifecycle rule form and preview banner padding
* enterprise/lifecycle: remove task list from lifecycle rules and switch to using per-rule schedules
* enterprise/lifecycle: add a title to the lifecycle tab
* Revert "enterprise/lifecycle: remove task list from lifecycle rules and switch to using per-rule schedules"
This reverts commit 8a060015b693f65f651a71bdb0c47092d3463af1.
* enterprise/lifecycle: remove task list from the lifecycle rule list page and attach the tasks to the schedule
* enterprise/lifecycle: add proper caption when there are no reviews for an object
* enterprise/lifecycle: attach individual apply_lifecycle_rule tasks to the schedule when launched from apply_lifecycle_rules
* enterprise/lifecycle: update generated API clients
* enterprise/lifecycle: update wording
* enterprise/lifecycle: fix ts issues after rebase
* Update website/docs/sys-mgmt/object-lifecycle-management.md
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* enterprise/lifecycle: remove fmall code artifact
---------
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
Co-authored-by: Dominic R <dominic@sdko.org >
2026-04-30 14:11:07 -05:00
3f94f830fc
packages/ak-common/tracing: make log level lowercase ( #21991 )
2026-04-30 14:58:10 +00:00
899994027d
core: support hashed password in users API + automated install ( #18686 )
...
* core: add hash_password command and password_hash bootstrap support
* core: prevent hash format exposure in validation error
* core: remove redundant password length check
* core: remove extra blank lines from hash_password command
* core: add password_hash serializer tests, refine validation and imports
* core: add null password fields test, add hash warning to docs
* core: move hash validation to User.set_password_from_hash method
* core: emit password_changed signal in set_password_from_hash
* website: remove redundant hash security warning
* core: wrap conflict error message for translation
* core: wrap invalid hash error message for translation
* web, core: add set_password_hash API endpoint and admin UI
* core: simplify password_hash check to None comparison
* core: use None check for password conflict validation
* website: clarify Docker Compose $ escaping for .env vs compose.yml
* website: lint
* web: lint
* core: add nosec comment for empty password string in signal
* core: lint
* web: Fix Password Hash help text
* sources/kerberos,ldap: Gergo's review
* add testing for ^^ and type fix
* more general signal tests; not provider specific
* only used in tests
* add warning
* we can do this
* signals fix????
* core, web, website: review fixes
* style(docs): format automated install guide
* web: restore modal invoker import after rebase
Co-authored-by: Codex <codex@openai.com >
* fix generated clients
* core: trim hash password command tests
* core: add password hash permission
* core: cover service account password hashes
* web: remove password hash form
* core: regenerate password hash migration
* core: reuse password serializer for hashes
* docs: clarify hashed password imports
* Regenerate
* core: deduplicate user serializer writes
* core: deduplicate password update actions
* core: deduplicate password change signaling
* tests: reuse password hash API helper
* tests: reuse SSF credential assertions
* docs: centralize hashed password caveat
* core: name password hash signal source
* core: centralize password hash validation
* core: deduplicate serializer password saves
* docs: link source writeback caveats
* api: clarify password hash request field
* tests: deduplicate password hash API assertions
* web: reuse user display-name helper
* web: use existing user display formatter
* core: reuse reset password permission for hash endpoint
* core: keep separate password hash serializer
* tests: remove redundant password hash permission test
* 21745
Co-authored-by: Gergo <gergo@goauthentik.io >
* core: preserve empty password handling in user serializer
* core: inline blueprint user serializer fields
* Use password hash constant
* Simplify user serializer flow
* Inline password update handling
* Apply serializer cleanup
* Clean blueprint password handling
* Drop extra returns
* Split password hash signal
* Align hash signal receivers
* Remove stale password guards
* Inline password signal
---------
Co-authored-by: Codex <codex@openai.com >
Co-authored-by: Gergo <gergo@goauthentik.io >
2026-04-29 06:27:59 +02:00
a2ca19d718
providers/saml: generate issuer url when provider is set on app ( #18022 )
...
* providers/saml: generate issuer url in saml processors unless overridded
* remove issuer
* remove duplicate
* Generate url when assertion is created and save to session
* cleanup
* Fix front-end rendering of issuer
* Update web/src/admin/providers/saml/SAMLProviderViewPage.ts
Co-authored-by: Jens L. <jens@goauthentik.io >
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
* Update authentik/providers/saml/models.py
Co-authored-by: Jens L. <jens@goauthentik.io >
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
* Update authentik/providers/saml/models.py
Co-authored-by: Jens L. <jens@goauthentik.io >
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
* use reverse for urls and update tests
* update issuer description
* Don't absorb sp entity id
* rename issuer_url to issuer_override
* fix migration file to rename to override
* fix migration file order
* lint, fix tests
* fix tests
* fix once again not importing the sp issuer
* build
* use const for default issuer
---------
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
Co-authored-by: connor peshek <connorpeshek@connors-MacBook-Pro.local >
Co-authored-by: Jens L. <jens@goauthentik.io >
2026-04-28 17:31:12 -05:00
05005f4eb9
core: add support for hiding applications from the user dashboard ( #21530 )
...
* Add meta_hide field to hide apps
* exclude hidden applications from user dashboard
* Add the hide option to the UI
* Add schema
* Add hide setting to application wizard
* Add typescript client changes
* fix linting
* Convert blank://blank to meta_hide=True in the migration
* fix tests
* update docs
* fix continuous login
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Apply suggestions from code review
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com >
* fix linting
* fix migrations
* Apply suggestions from code review
Co-authored-by: Dominic R <dominic@sdko.org >
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com >
* rename all mentions of dashboard to My applications
* generate schema
* generate TS client
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
Co-authored-by: Dominic R <dominic@sdko.org >
2026-04-28 13:05:56 -03:00
e4b0ea7d15
packages/ak-axum/router: add X-Powered-By to all responses ( #21940 )
2026-04-28 15:35:17 +02:00
2a027264b3
packages/ak-axum/accept/catch_panic: add acceptor to catch panics in lower acceptors, streams and services ( #21860 )
2026-04-27 16:40:50 +00:00
3e75278052
packages/ak-common/config: fix string load broken after previous fix ( #21854 )
2026-04-27 14:03:55 +00:00
620387f294
providers/scim: fix vCenter compatibility mode ( #21830 )
2026-04-27 12:00:00 +00:00
8f1bdc01b6
providers/oauth2: Configure allowed grant types ( #20363 )
...
* naming cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* adjust defaults, start adding tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix proxy
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add UI
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* attempt to fix e2e
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* allow refresh token for conformance
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix e2e
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-27 13:36:57 +02:00
5c3cd2c6ed
packages/ak-common/config: fix boolean parsing from env variable ( #21835 )
2026-04-27 12:53:47 +02:00
97c9626bd4
root: init rust worker ( #21324 )
2026-04-27 01:08:32 +02:00
24edee3e78
flows: add warning message for expired password reset links ( #21395 )
...
* flows: add warning message for expired password reset links
Fixes #21306
* Replace token expiry check with REQUIRE_TOKEN authentication requirement
Incorporate review comments to move expired/invalid token handling from executor-level check to flow planner authentication requirement. This avoids disclosing whether a token ever existed and handles already-cleaned-up tokens.
* The fix was changing gettext_lazy to gettext
* remove unneeded migration
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update form
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-22 15:09:05 +02:00
915b5a73fc
enterprise/endpoints/connectors/agent: add independent secure enclave support for tap to login ( #20766 )
...
* enterprise/endpoints/connectors/agent: add independent secure enclave support for tap to login
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix API url
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove optional settings
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add a missing text
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-18 20:29:17 +02:00
05bb1d1fdd
packages/ak-axum/server: fix unix socket cleanup when allow_failure is unset ( #21645 )
2026-04-16 16:20:16 +00:00
d51296cbb9
scripts/api_filter_schema: fix authentication ( #21644 )
2026-04-16 16:19:32 +00:00
1b53426e2c
packages/ak-common/tracing: get sentry config from API for outposts ( #21625 )
2026-04-16 14:00:01 +02:00
00639d9596
policies/event_matcher: Add query option to filter events ( #21618 )
...
* policies/event_matcher: support QL query
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix lit dev warning
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cache autocomplete data if QL isn't setup yet
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* dont use ql input in modal
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix codespell
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-16 01:52:11 +02:00
668f37ea41
packages/clients: only generate needed endpoints ( #21578 )
...
* packages/clients: only generate needed endpoints
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* lint
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* machete
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* fixup
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* lint
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
---------
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
2026-04-15 13:11:25 +00:00
bbd0cb2521
packages/django-dramatiq-postgres: reset db connections in raise_connection_error ( #21577 )
...
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
2026-04-14 12:20:23 +00:00
c32f21046d
enterprise/search: move QL to open source] ( #21484 )
...
* enterprise/search move to /search
* use make gen for schema updates
* update docs
* re-org
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cleanup more
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix web
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* oops
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* huh
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* typing
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-09 16:37:11 +02:00
0dbd6a68b6
packages/ak-common/db: init ( #21357 )
2026-04-09 13:57:44 +02:00
dedbbee55c
packages/ak-axum/extract/host: init ( #21323 )
2026-04-09 13:57:15 +02:00
ad9f0feb68
packages/ak-common: use imports where possible ( #21478 )
2026-04-08 14:58:55 +00:00
300e77b30c
packages/ak-axum/server: cleanup unix socket ( #21477 )
2026-04-08 14:52:12 +00:00
318ed2eca0
packages/ak-common, ak-axum: improve logging ( #21476 )
2026-04-08 14:48:48 +00:00
d4e651d893
packages/ak-axum/extract/scheme: init ( #21322 )
2026-04-08 14:39:58 +00:00
2b8313ee91
core: fix policy binding objects not being nullable ( #21421 )
...
* fix policy binding objects not being nullable
* `make gen-clients`
* fix schema
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* tidy
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix test
* `make gen`
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-08 16:39:00 +02:00
c4627de55e
packages/ak-axum/extract/client_ip: init ( #21321 )
2026-04-08 14:03:30 +00:00
5dc2f2e2b4
packages/docusaurus-config: update config for docusaurus 3.10 ( #21471 )
...
* packages/docusaurus-config: update config for docusaurus 3.10
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* bump deps
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-08 15:08:31 +02:00
5b3caa598f
packages/ak-axum/extract/trusted_proxy: init ( #21320 )
2026-04-08 13:03:14 +00:00
e2a578fc66
packages/ak-axum/accept/proxy_protocol: init ( #21319 )
2026-04-08 14:33:32 +02:00
ab911c364e
packages/ak-axum/accept/tls: init ( #21318 )
2026-04-07 17:56:17 +00:00
db9de1ba3c
packages/ak-axum/server: init ( #21317 )
2026-04-07 17:11:53 +00:00
f76736be2f
packages/ak-axum/tracing: init ( #21316 )
2026-04-07 16:18:08 +00:00
34da1bbd6f
packages/ak-axum/error: init ( #21315 )
2026-04-07 15:26:01 +00:00
a5aac6e0d2
packages/ak-axum: init ( #21313 )
2026-04-07 14:22:22 +00:00
57d2135c8a
sources/ldap: Switch to new connection tracking, deprecated attribute-based connection ( #21392 )
...
* init user
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix and update groups
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* split api
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* include user and group in ldap conn
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* unrelated cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add ldap users/groups page
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* ui cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fixup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update error message
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix import
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add forms for user/group connections
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix py sync
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fixup web
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix connection not always saved
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix help text
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-07 16:13:05 +02:00
Simonyi Gergő
Alexander Tereshkin
Marc 'risson' Schmitt
dependabot[bot]
Teffen Ellis
Marcelo Elizeche Landó
Jens L.
Dewi Roberts
Luca Sannitu
Dominic R
Connor Peshek
Bapuji Koraganti
João C. Fernandes
Fletcher Heisler