dependabot[bot]
ea4848c7c6
web: bump postcss from 8.5.8 to 8.5.10 in /web ( #21819 )
...
Bumps [postcss](https://github.com/postcss/postcss ) from 8.5.8 to 8.5.10.
- [Release notes](https://github.com/postcss/postcss/releases )
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md )
- [Commits](https://github.com/postcss/postcss/compare/8.5.8...8.5.10 )
---
updated-dependencies:
- dependency-name: postcss
dependency-version: 8.5.10
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-25 11:28:06 +02:00
dependabot[bot]
2fd9a09055
web: bump brace-expansion from 1.1.13 to 1.1.14 ( #21820 )
...
Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion ) from 1.1.13 to 1.1.14.
- [Release notes](https://github.com/juliangruber/brace-expansion/releases )
- [Commits](https://github.com/juliangruber/brace-expansion/compare/v1.1.13...v1.1.14 )
---
updated-dependencies:
- dependency-name: brace-expansion
dependency-version: 1.1.14
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-25 11:27:27 +02:00
dependabot[bot]
b07b71f528
web: bump postcss from 8.5.8 to 8.5.10 ( #21821 )
...
Bumps [postcss](https://github.com/postcss/postcss ) from 8.5.8 to 8.5.10.
- [Release notes](https://github.com/postcss/postcss/releases )
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md )
- [Commits](https://github.com/postcss/postcss/compare/8.5.8...8.5.10 )
---
updated-dependencies:
- dependency-name: postcss
dependency-version: 8.5.10
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-25 11:27:09 +02:00
Jens L.
c058363180
website/docs: improve social login docs titles ( #21816 )
...
* website/docs: improve social login docs titles
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* sigh twitter
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
2026-04-24 17:40:27 +02:00
Sai Asish Y
b5a92b783f
providers/oauth2: require client_secret on device_code exchange for confidential clients ( #21700 )
...
* providers/oauth2: require client_secret on device_code exchange for confidential clients

TokenParams.__post_init__ only ran the client_secret check for the
authorization_code and refresh_token grant types:

    if self.grant_type in [GRANT_TYPE_AUTHORIZATION_CODE, GRANT_TYPE_REFRESH_TOKEN]:
        if self.provider.client_type == ClientTypes.CONFIDENTIAL and not compare_digest(
            self.provider.client_secret, self.client_secret,
        ):
            raise TokenError("invalid_client")

The device_code path (__post_init_device_code) then looked up the
DeviceToken solely by device_code and issued an access token if one
matched. A caller that knows the client_id and has stolen a
device_code (e.g. via the standard phishing flow: attacker starts
device authorization, sends user_code to a victim, victim completes
authorization, attacker redeems the device_code) did not have to
prove ownership of the confidential client.

RFC 6749 Section 2.3.1 requires confidential clients to authenticate
to the token endpoint, and RFC 8628 Section 3.4 inherits that: the
device_code is bearer-shaped but not a substitute for client
credentials. Keycloak and Okta both enforce client_secret on the
device token exchange for confidential clients; we didn't.

Add GRANT_TYPE_DEVICE_CODE to the list so the existing compare_digest
check runs for it too. Public clients are unaffected (the guard is
gated on ClientTypes.CONFIDENTIAL). client_credentials/password keep
their own client-auth path in __post_init_client_credentials, which
also enforces the secret (and supports client assertion).

Fixes #20828
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com >
* Apply suggestion from @BeryJu
Signed-off-by: Jens L. <jens@beryju.org >
* update tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com >
Signed-off-by: Jens L. <jens@beryju.org >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: SAY-5 <SAY-5@users.noreply.github.com >
Co-authored-by: Jens L. <jens@beryju.org >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-24 17:23:36 +02:00
Marc 'risson' Schmitt
a4c60ece8b
lifecycle/container: allow cross-compilation from arm64 to amd64 ( #21817 )
...
Co-authored-by: João C. Fernandes <jfernandes@cloudflare.com >
2026-04-24 17:00:46 +02:00
Jens L.
d1d38edb50
enterprise/endpoints/connectors: Fleet conditional access stage ( #20978 )
...
* rework mtls stage to be more modular
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* sync fleet conditional access CA to authentik
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* save host uuid
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* initial stage impl
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add fixtures & tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add lookup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* migrate to parsing mobileconfig
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* directly use stage_invalid
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add more test
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* test team mapping
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix endpoint test
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Add document for this. Update sidebar.
* Doc improvement
* Add note about Fleet licensing
Signed-off-by: Dewi Roberts <dewi@goauthentik.io >
* re-fix tests after mtls traefik encoding change
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Add info about fleet and device config. Add link from fleet connector doc.
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Dewi Roberts <dewi@goauthentik.io >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
2026-04-24 16:17:00 +02:00
Jens L.
c6ee7b6881
core: complete rework to oobe and setup experience ( #21753 )
...
* initial
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* use same startup template
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix check not working
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* unrelated: fix inspector auth
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* ensure oobe flow can only be accessed via correct url
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* set setup flag when applying bootstrap blueprint when env is set
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add system visibility to flags to make them non-editable
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* set setup flag for e2e tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests and linting
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* make github lint happy
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* make tests have less assumptions
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Update docs
* include more heuristics in migration
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add management command to set any flag
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* migrate worker command to signal
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* improved api for setting flags
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* short circuit
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
2026-04-24 14:47:05 +02:00
dependabot[bot]
0459568a96
core: bump github.com/Azure/go-ntlmssp from 0.1.0 to 0.1.1 in the go_modules group across 1 directory ( #21807 )
...
core: bump github.com/Azure/go-ntlmssp
Bumps the go_modules group with 1 update in the / directory: [github.com/Azure/go-ntlmssp](https://github.com/Azure/go-ntlmssp ).
Updates `github.com/Azure/go-ntlmssp` from 0.1.0 to 0.1.1
- [Release notes](https://github.com/Azure/go-ntlmssp/releases )
- [Commits](https://github.com/Azure/go-ntlmssp/compare/v0.1.0...v0.1.1 )
---
updated-dependencies:
- dependency-name: github.com/Azure/go-ntlmssp
dependency-version: 0.1.1
dependency-type: indirect
dependency-group: go_modules
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-24 11:39:57 +01:00
dependabot[bot]
aa746e7585
lifecycle/aws: bump aws-cdk from 2.1118.3 to 2.1118.4 in /lifecycle/aws ( #21808 )
...
Bumps [aws-cdk](https://github.com/aws/aws-cdk-cli/tree/HEAD/packages/aws-cdk ) from 2.1118.3 to 2.1118.4.
- [Release notes](https://github.com/aws/aws-cdk-cli/releases )
- [Commits](https://github.com/aws/aws-cdk-cli/commits/aws-cdk@v2.1118.4/packages/aws-cdk )
---
updated-dependencies:
- dependency-name: aws-cdk
dependency-version: 2.1118.4
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-24 11:39:53 +01:00
dependabot[bot]
a4dcf097b3
core: bump pydantic from 2.13.2 to 2.13.3 ( #21809 )
...
Bumps [pydantic](https://github.com/pydantic/pydantic ) from 2.13.2 to 2.13.3.
- [Release notes](https://github.com/pydantic/pydantic/releases )
- [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md )
- [Commits](https://github.com/pydantic/pydantic/compare/v2.13.2...v2.13.3 )
---
updated-dependencies:
- dependency-name: pydantic
dependency-version: 2.13.3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-24 11:39:48 +01:00
dependabot[bot]
c2ecff559c
web: bump @sentry/browser from 10.48.0 to 10.49.0 in /web in the sentry group across 1 directory ( #21810 )
...
web: bump @sentry/browser in /web in the sentry group across 1 directory
Bumps the sentry group with 1 update in the /web directory: [@sentry/browser](https://github.com/getsentry/sentry-javascript ).
Updates `@sentry/browser` from 10.48.0 to 10.49.0
- [Release notes](https://github.com/getsentry/sentry-javascript/releases )
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md )
- [Commits](https://github.com/getsentry/sentry-javascript/compare/10.48.0...10.49.0 )
---
updated-dependencies:
- dependency-name: "@sentry/browser"
dependency-version: 10.49.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: sentry
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-24 11:39:43 +01:00
dependabot[bot]
c20ecb48f8
core: bump cachetools from 7.0.5 to 7.0.6 ( #21811 )
...
Bumps [cachetools](https://github.com/tkem/cachetools ) from 7.0.5 to 7.0.6.
- [Changelog](https://github.com/tkem/cachetools/blob/master/CHANGELOG.rst )
- [Commits](https://github.com/tkem/cachetools/compare/v7.0.5...v7.0.6 )
---
updated-dependencies:
- dependency-name: cachetools
dependency-version: 7.0.6
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-24 11:39:39 +01:00
dependabot[bot]
34a50ad46e
ci: bump calibreapp/image-actions from 4f7260f5dbd809ec86d03721c1ad71b8a841d3e0 to e2cc8db5d49c849e00844dfebf01438318e96fa2 ( #21812 )
...
ci: bump calibreapp/image-actions
Bumps [calibreapp/image-actions](https://github.com/calibreapp/image-actions ) from 4f7260f5dbd809ec86d03721c1ad71b8a841d3e0 to e2cc8db5d49c849e00844dfebf01438318e96fa2.
- [Release notes](https://github.com/calibreapp/image-actions/releases )
- [Commits](4f7260f5db...e2cc8db5d4 )
---
updated-dependencies:
- dependency-name: calibreapp/image-actions
dependency-version: e2cc8db5d49c849e00844dfebf01438318e96fa2
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-24 11:39:34 +01:00
dependabot[bot]
99410f3775
web: bump @patternfly/elements from 4.3.1 to 4.4.0 in /web ( #21813 )
...
Bumps [@patternfly/elements](https://github.com/patternfly/patternfly-elements/tree/HEAD/elements ) from 4.3.1 to 4.4.0.
- [Release notes](https://github.com/patternfly/patternfly-elements/releases )
- [Changelog](https://github.com/patternfly/patternfly-elements/blob/main/elements/CHANGELOG.md )
- [Commits](https://github.com/patternfly/patternfly-elements/commits/@patternfly/elements@4.4.0/elements )
---
updated-dependencies:
- dependency-name: "@patternfly/elements"
dependency-version: 4.4.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-24 11:39:30 +01:00
dependabot[bot]
86de4955aa
ci: bump taiki-e/install-action from 2.75.18 to 2.75.19 in /.github/actions/setup ( #21814 )
...
ci: bump taiki-e/install-action in /.github/actions/setup
Bumps [taiki-e/install-action](https://github.com/taiki-e/install-action ) from 2.75.18 to 2.75.19.
- [Release notes](https://github.com/taiki-e/install-action/releases )
- [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md )
- [Commits](055f5df8c3...5f57d6cb7c )
---
updated-dependencies:
- dependency-name: taiki-e/install-action
dependency-version: 2.75.19
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-24 11:39:26 +01:00
dependabot[bot]
bea9b23555
lifecycle/aws: bump aws-cdk from 2.1118.2 to 2.1118.3 in /lifecycle/aws ( #21801 )
...
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-23 18:09:55 +02:00
dependabot[bot]
9820ee1d67
core: bump rustls from 0.23.38 to 0.23.39 ( #21802 )
...
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-23 14:18:04 +00:00
Marc 'risson' Schmitt
1379637389
ci: add rustls and aws-lc ecosystem crates to delay ignore list ( #21800 )
2026-04-23 13:42:25 +00:00
Dominic R
39e6c41566
admin/files: sign custom-domain S3 URLs for the final host ( #21704 )
2026-04-23 15:23:05 +02:00
Sai Asish Y
92a2d26c86
core: survive the empty-queryset race in chunked_queryset ( #21666 )
2026-04-23 15:21:57 +02:00
Simonyi Gergő
0f8d8c81d7
core: simplify boolean ( #21790 )
2026-04-23 14:47:23 +02:00
Sai Asish Y
cce646b132
providers/oauth2: clip device authorization scope against the provider's ScopeMapping set ( #21701 )
...
* providers/oauth2: clip device authorization scope against the provider's ScopeMapping set

DeviceView.parse_request stored the raw request scope straight onto the
DeviceToken:

    self.scopes = self.request.POST.get("scope", "").split(" ")
    ...
    token = DeviceToken.objects.create(..., _scope=" ".join(self.scopes))

The token-exchange side then reads those scopes back directly:

    if SCOPE_OFFLINE_ACCESS in self.params.device_code.scope:
        refresh_token = RefreshToken(...)
        ...

so a caller that adds offline_access to the device authorization
request body gets a refresh_token at the exchange, even when the
provider has no offline_access ScopeMapping configured. Every other
grant type clips scope against ScopeMapping for the provider inside
TokenParams.__check_scopes, but the device authorization endpoint
runs before TokenParams is ever constructed, so the clip never
happens for the device flow.

Combined with #20828 (missing client_secret verification on device
code exchange for confidential clients, now being fixed separately)
and the lack of per-app opt-out for the device flow, this gives any
caller that knows the client_id a path to an offline refresh token
against any OIDC application the deployment exposes.

Intersect the requested scope set with the provider's ScopeMapping
names before we ever persist the DeviceToken. offline_access that is
not configured is silently dropped, matching __check_scopes on the
other grant types. Configured offline_access still flows through
unchanged.

Fixes #20825
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com >
* rework and add tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: SAY-5 <SAY-5@users.noreply.github.com >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-23 13:44:44 +02:00
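The two device-flow checks described in the commit messages for #21700 and #21701, as an added example that is not authentik's code: a toy authorization server that clips the requested scope before persisting the device token and authenticates confidential clients on the device_code exchange. `Provider`, `DeviceToken` and `ToyAuthorizationServer` are simplified, hypothetical stand-ins; the constant names follow the commit messages.

```python
import secrets
from dataclasses import dataclass
from hmac import compare_digest

GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code"
GRANT_TYPE_REFRESH_TOKEN = "refresh_token"
GRANT_TYPE_DEVICE_CODE = "urn:ietf:params:oauth:grant-type:device_code"
SCOPE_OFFLINE_ACCESS = "offline_access"


class TokenError(Exception):
    """Carries an OAuth error code such as "invalid_client"."""


@dataclass
class Provider:
    """Hypothetical, simplified stand-in for an OAuth2 provider."""
    client_id: str
    client_secret: str
    confidential: bool
    scope_names: frozenset  # names of the scope mappings configured for it


@dataclass
class DeviceToken:
    device_code: str
    scope: list
    authorized: bool = False  # set once the user has approved the user_code


class ToyAuthorizationServer:
    def __init__(self, provider):
        self.provider = provider
        self.device_tokens = {}

    def device_authorization(self, client_id, scope):
        """Device authorization request (RFC 8628 section 3.1)."""
        if client_id != self.provider.client_id:
            raise TokenError("invalid_client")
        requested = [s for s in scope.split(" ") if s]
        # Clip BEFORE persisting: the exchange trusts the stored scope, so an
        # unconfigured offline_access must never reach the DeviceToken.
        granted = [s for s in requested if s in self.provider.scope_names]
        token = DeviceToken(secrets.token_urlsafe(32), granted)
        self.device_tokens[token.device_code] = token
        return token

    def token(self, grant_type, client_id, client_secret="", device_code=""):
        """Token endpoint; this sketch only implements the device_code grant."""
        if client_id != self.provider.client_id:
            raise TokenError("invalid_client")
        # Client authentication runs for the device grant as well; the
        # device_code alone is not a substitute for client credentials.
        if grant_type in [
            GRANT_TYPE_AUTHORIZATION_CODE,
            GRANT_TYPE_REFRESH_TOKEN,
            GRANT_TYPE_DEVICE_CODE,
        ]:
            if self.provider.confidential and not compare_digest(
                self.provider.client_secret.encode(), client_secret.encode()
            ):
                raise TokenError("invalid_client")
        if grant_type != GRANT_TYPE_DEVICE_CODE:
            raise TokenError("unsupported_grant_type")
        stored = self.device_tokens.get(device_code)
        if stored is None:
            raise TokenError("invalid_grant")
        if not stored.authorized:
            raise TokenError("authorization_pending")
        del self.device_tokens[device_code]  # a device_code is single use
        response = {
            "access_token": secrets.token_urlsafe(32),
            "scope": " ".join(stored.scope),
        }
        if SCOPE_OFFLINE_ACCESS in stored.scope:
            response["refresh_token"] = secrets.token_urlsafe(32)
        return response


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    server = ToyAuthorizationServer(
        Provider("app", "constructed-secret", True, frozenset({"openid"}))
    )
    dt = server.device_authorization("app", "openid offline_access")
    dt.authorized = True
    try:
        server.token(GRANT_TYPE_DEVICE_CODE, "app", device_code=dt.device_code)
    except TokenError as exc:
        print("without client_secret:", exc)
    print(server.token(GRANT_TYPE_DEVICE_CODE, "app", "constructed-secret",
                       dt.device_code))
```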
dependabot[bot]
6d274d1e3d
core: bump library/nginx from 3acc8b9 to 6e23479 in /website ( #21794 )
...
Bumps library/nginx from `3acc8b9` to `6e23479`.
---
updated-dependencies:
- dependency-name: library/nginx
dependency-version: 1.29-trixie
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-23 11:20:09 +02:00
dependabot[bot]
8d5489e441
core: bump library/node from b272ff1 to 74ff139 in /website ( #21795 )
...
Bumps library/node from `b272ff1` to `74ff139`.
---
updated-dependencies:
- dependency-name: library/node
dependency-version: 25.9.0-trixie
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-23 11:19:56 +02:00
dependabot[bot]
8ea9a48017
core: bump library/golang from cd8540d to 982ae92 in /lifecycle/container ( #21793 )
...
core: bump library/golang in /lifecycle/container
Bumps library/golang from `cd8540d` to `982ae92`.
---
updated-dependencies:
- dependency-name: library/golang
dependency-version: 1.26.2-trixie
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-23 10:19:37 +01:00
Sai Asish Y
c6b5869b48
stages/user_write: refuse to write id/pk claims onto the user model ( #21667 )
...
* stages/user_write: refuse to write id/pk claims onto the user model

When an enrollment or source flow maps IdP-supplied attributes onto the
User model, update_user walks each key and, if the user already has an
attribute by that name, calls setattr(user, key, value) unconditionally.
"id" is always present on the User model (it is the Django PK), so a
SAML assertion that ships an "id" claim, e.g. a hex string from
mocksaml, was written straight into the PK field. Django then rejected
the save:

    ValueError: Field 'id' expected a number but got '<hex>'.

The log surfaced as "Failed to save user" and the enrollment flow
silently failed for every incoming user.

Treat "id" and "pk" the same way the existing "groups" entry is
treated: add them to disallowed_user_attributes so the walker logs and
skips them. IdP attributes can still be stored on user.attributes via
the dotted/underscored forms (e.g. attributes.id), which go through
write_attribute and land in the JSONField safely.

Added a regression test covering both id and pk in the prompt context.

Fixes #21580
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com >
* fix lint
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: SAY-5 <SAY-5@users.noreply.github.com >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-23 11:03:12 +02:00
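The attribute walker described in the commit message for #21667, as an added example that is not authentik's code: a simplified `update_user` run over constructed IdP claims, once with the earlier deny-list and once with `id` and `pk` added. The `User` class, the function bodies and the sample claims are assumptions made for this sketch; only the names `update_user`, `write_attribute` and `disallowed_user_attributes` come from the commit message.

```python
import logging
from dataclasses import dataclass, field

LOGGER = logging.getLogger("user_write_example")

# Deny-lists before and after the change described in the commit message.
DISALLOWED_BEFORE = ("groups",)
DISALLOWED_AFTER = ("groups", "id", "pk")


@dataclass
class User:
    """Toy model: an integer primary key plus a JSON-like attributes dict."""
    id: int
    username: str = ""
    attributes: dict = field(default_factory=dict)

    @property
    def pk(self):
        # Mirrors Django, where pk is an alias for the primary-key field.
        return self.id

    @pk.setter
    def pk(self, value):
        self.id = value


def write_attribute(user, key, value):
    """Store "attributes.a.b" or "attributes_a" inside user.attributes."""
    path = key.replace("attributes_", "attributes.", 1).split(".")[1:]
    target = user.attributes
    for part in path[:-1]:
        target = target.setdefault(part, {})
    target[path[-1]] = value


def update_user(user, data, disallowed_user_attributes):
    """Apply mapped claims to the user; return the keys that were refused."""
    skipped = []
    for key, value in data.items():
        if key in disallowed_user_attributes:
            LOGGER.info("discarding disallowed key %s", key)
            skipped.append(key)
        elif key.startswith(("attributes.", "attributes_")):
            write_attribute(user, key, value)
        elif hasattr(user, key):
            # Without the deny-list entry, "id" and "pk" land here because
            # every model instance has them.
            setattr(user, key, value)
        # Keys that match nothing are ignored in this sketch.
    return skipped


# Constructed claims resembling an assertion that ships a hex "id".
SAMPLE_CLAIMS = {
    "id": "a3f9c1e0",
    "pk": "a3f9c1e0",
    "username": "alice",
    "attributes.id": "a3f9c1e0",
}

if __name__ == "__main__":
    before, after = User(id=7), User(id=7)
    update_user(before, SAMPLE_CLAIMS, DISALLOWED_BEFORE)
    refused = update_user(after, SAMPLE_CLAIMS, DISALLOWED_AFTER)
    print("before:", before)
    print("after: ", after, "refused:", refused)
```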
authentik-automation[bot]
e4971f9aa5
core, web: update translations ( #21785 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-04-23 10:39:13 +02:00
Dominic R
028ec05a8b
website: Merge branch ( #21684 )
...
Co-authored-by: Codex <codex@openai.com >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
2026-04-23 01:46:10 +00:00
Ryan Pesek
b4c9ac57e0
core/applications: Optimize list applications when only_with_launch_url=true ( #20428 )
...
* Performance optimizations for the application list API endpoint when only_with_launch_url=true
* lint
---------
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
2026-04-23 03:15:16 +02:00
Dewi Roberts
80b93e1fbc
website/docs: add authorization header info to all proxy configs ( #21664 )
...
Add authorization header info to all proxy configs
2026-04-23 02:35:02 +02:00
dependabot[bot]
dff6b48f53
web: bump @xmldom/xmldom from 0.8.12 to 0.8.13 in /web ( #21784 )
...
Bumps [@xmldom/xmldom](https://github.com/xmldom/xmldom ) from 0.8.12 to 0.8.13.
- [Release notes](https://github.com/xmldom/xmldom/releases )
- [Changelog](https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md )
- [Commits](https://github.com/xmldom/xmldom/compare/0.8.12...0.8.13 )
---
updated-dependencies:
- dependency-name: "@xmldom/xmldom"
dependency-version: 0.8.13
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-23 02:33:20 +02:00
gp-somni-labs
79473341d6
internal/outpost: serialize websocket writes to prevent panic ( #21728 )
...
The outpost API controller shares a single *websocket.Conn across
multiple goroutines: the event-handler loop, the 10s health ticker
(SendEventHello), the shutdown path (WriteMessage close), initEvent
writing the hello frame on (re)connect, and RAC session handlers that
also invoke SendEventHello. gorilla/websocket explicitly documents that
concurrent WriteMessage/WriteJSON calls are unsafe and will panic with
"concurrent write to websocket connection", which takes the outpost
(and embedded-outpost authentik-server) pod down.

Fix by adding a sync.Mutex on APIController guarding every write path
on eventConn (initEvent hello, Shutdown close message, SendEventHello).
Reads (ReadJSON in startEventHandler) are left unsynchronized as
gorilla permits a single concurrent reader alongside a writer.

Minimal, localized change: no API changes, no behavior changes, writes
are already infrequent so lock contention is negligible.

Refs #11090
Co-authored-by: curiosity <curiosity@somni.dev >
2026-04-23 02:33:10 +02:00
dependabot[bot]
99f9682d61
core: bump rand from 0.8.5 to 0.8.6 in the cargo group across 1 directory ( #21783 )
...
core: bump rand in the cargo group across 1 directory
Bumps the cargo group with 1 update in the / directory: [rand](https://github.com/rust-random/rand ).
Updates `rand` from 0.8.5 to 0.8.6
- [Release notes](https://github.com/rust-random/rand/releases )
- [Changelog](https://github.com/rust-random/rand/blob/0.8.6/CHANGELOG.md )
- [Commits](https://github.com/rust-random/rand/compare/0.8.5...0.8.6 )
---
updated-dependencies:
- dependency-name: rand
dependency-version: 0.8.6
dependency-type: indirect
dependency-group: cargo
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-23 02:02:24 +02:00
Bapuji Koraganti
987f367d7b
web: merge MFA devices and tokens into unified Credentials tab ( #21705 )
...
* web: merge MFA devices and tokens into unified Credentials tab
Combines the separate "MFA Devices" and "Tokens and App passwords"
tabs into a single "Credentials" tab on the user settings page,
so users can manage all credentials from one place.
Fixes #21637
Signed-off-by: Bapuji Koraganti <bapuk.2008@gmail.com >
* add card title
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Bapuji Koraganti <bapuk.2008@gmail.com >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-23 02:02:00 +02:00
Jens L.
805ff9f1ab
web/admin: fix policy/stage wizard label, fix connector create wizard, cleanup ( #21781 )
...
* update labels
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove unused app wizard hint
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* connector wizard should use grid
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-22 19:32:23 +02:00
dependabot[bot]
42fc9d537e
website: bump the build group in /website with 6 updates ( #21777 )
...
* website: bump the build group in /website with 6 updates
Bumps the build group in /website with 6 updates:
| Package | From | To |
| --- | --- | --- |
| [@swc/core-darwin-arm64](https://github.com/swc-project/swc ) | `1.15.26` | `1.15.30` |
| [@swc/core-linux-arm64-gnu](https://github.com/swc-project/swc ) | `1.15.26` | `1.15.30` |
| [@swc/core-linux-x64-gnu](https://github.com/swc-project/swc ) | `1.15.26` | `1.15.30` |
| [@swc/html-darwin-arm64](https://github.com/swc-project/swc ) | `1.15.26` | `1.15.30` |
| [@swc/html-linux-arm64-gnu](https://github.com/swc-project/swc ) | `1.15.26` | `1.15.30` |
| [@swc/html-linux-x64-gnu](https://github.com/swc-project/swc ) | `1.15.26` | `1.15.30` |
Updates `@swc/core-darwin-arm64` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-linux-arm64-gnu` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-linux-x64-gnu` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/html-darwin-arm64` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/html-linux-arm64-gnu` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/html-linux-x64-gnu` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
---
updated-dependencies:
- dependency-name: "@swc/core-darwin-arm64"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: build
- dependency-name: "@swc/core-linux-arm64-gnu"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: build
- dependency-name: "@swc/core-linux-x64-gnu"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: build
- dependency-name: "@swc/html-darwin-arm64"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: build
- dependency-name: "@swc/html-linux-arm64-gnu"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: build
- dependency-name: "@swc/html-linux-x64-gnu"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: build
...
Signed-off-by: dependabot[bot] <support@github.com >
* sigh
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: dependabot[bot] <support@github.com >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-22 17:38:32 +02:00
dependabot[bot]
3f4c0fb35d
core: bump library/nginx from 7f0adca to 3acc8b9 in /website ( #21775 )
...
Bumps library/nginx from `7f0adca` to `3acc8b9`.
---
updated-dependencies:
- dependency-name: library/nginx
dependency-version: 1.29-trixie
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 17:32:46 +02:00
dependabot[bot]
42d87072cf
core: bump library/node from f57f0c7 to b272ff1 in /website ( #21776 )
...
core: bump library/node from `f57f0c7` to `7e77811` in /website
Bumps library/node from `f57f0c7` to `7e77811`.
---
updated-dependencies:
- dependency-name: library/node
dependency-version: 25.9.0-trixie
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 17:32:36 +02:00
Jens L.
075a1f5875
web/admin: Allow binding users/groups in policy binding wizard and existing stage in stage binding wizard ( #21697 )
...
* web/admin: allow creating only binding for policies
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* don't show type selector if only one is allowed
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* do the same for stage wizard
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* minor unrelated fix: alignment in table desc
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add option to bind existing policy
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* adjust labels?
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Clean up post-type select state. Types.
* Clean up brand form.
* Flesh out parse.
* Tidy textarea.
* Fix table alignment when images are present.
* Simplify radio.
* Fix form group layout, styles.
* Flesh out plural helper.
* Flesh out formatted user display name.
* Allow slotted HTML in page description.
* Clean up transclusion types.
* Allow null.
* Flesh out user activation toggle.
* Clean up activation labeling.
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
2026-04-22 16:08:31 +02:00
Bapuji Koraganti
24edee3e78
flows: add warning message for expired password reset links ( #21395 )
...
* flows: add warning message for expired password reset links
Fixes #21306
* Replace token expiry check with REQUIRE_TOKEN authentication requirement
Incorporate review comments to move expired/invalid token handling from executor-level check to flow planner authentication requirement. This avoids disclosing whether a token ever existed and handles already-cleaned-up tokens.
* The fix was changing gettext_lazy to gettext
* remove unneeded migration
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update form
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-22 15:09:05 +02:00
dependabot[bot]
9d55b9a9b0
web: bump the swc group across 1 directory with 11 updates ( #21778 )
...
Bumps the swc group with 1 update in the /web directory: [@swc/core](https://github.com/swc-project/swc/tree/HEAD/packages/core ).
Updates `@swc/core` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/commits/v1.15.30/packages/core )
Updates `@swc/core-darwin-arm64` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-darwin-x64` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-linux-arm-gnueabihf` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-linux-arm64-gnu` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-linux-arm64-musl` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-linux-x64-gnu` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-linux-x64-musl` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-win32-arm64-msvc` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-win32-ia32-msvc` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-win32-x64-msvc` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
---
updated-dependencies:
- dependency-name: "@swc/core"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-darwin-arm64"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-darwin-x64"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-linux-arm-gnueabihf"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-linux-arm64-gnu"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-linux-arm64-musl"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-linux-x64-gnu"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-linux-x64-musl"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-win32-arm64-msvc"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-win32-ia32-msvc"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-win32-x64-msvc"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 13:55:56 +02:00
dependabot[bot]
349be68d52
core: bump tokio from 1.52.0 to 1.52.1 ( #21774 )
...
Bumps [tokio](https://github.com/tokio-rs/tokio ) from 1.52.0 to 1.52.1.
- [Release notes](https://github.com/tokio-rs/tokio/releases )
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.52.0...tokio-1.52.1 )
---
updated-dependencies:
- dependency-name: tokio
dependency-version: 1.52.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 13:55:34 +02:00
dependabot[bot]
7dfb8d6129
core: bump library/node from a31ca31 to 735dd68 in /lifecycle/container ( #21773 )
...
core: bump library/node in /lifecycle/container
Bumps library/node from `a31ca31` to `735dd68`.
---
updated-dependencies:
- dependency-name: library/node
dependency-version: '24'
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 13:55:24 +02:00
dependabot[bot]
7f7965e42c
core: bump fido2 from 2.1.1 to 2.2.0 ( #21772 )
...
Bumps [fido2](https://github.com/Yubico/python-fido2 ) from 2.1.1 to 2.2.0.
- [Release notes](https://github.com/Yubico/python-fido2/releases )
- [Changelog](https://github.com/Yubico/python-fido2/blob/main/NEWS )
- [Commits](https://github.com/Yubico/python-fido2/compare/2.1.1...2.2.0 )
---
updated-dependencies:
- dependency-name: fido2
dependency-version: 2.2.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 13:55:13 +02:00
dependabot[bot]
2e2b471b94
core: bump library/golang from c0074c7 to cd8540d in /lifecycle/container ( #21771 )
...
core: bump library/golang in /lifecycle/container
Bumps library/golang from `c0074c7` to `cd8540d`.
---
updated-dependencies:
- dependency-name: library/golang
dependency-version: 1.26.2-trixie
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 13:54:51 +02:00
dependabot[bot]
4d53cd0790
core: bump github.com/pires/go-proxyproto from 0.11.0 to 0.12.0 ( #21770 )
...
Bumps [github.com/pires/go-proxyproto](https://github.com/pires/go-proxyproto ) from 0.11.0 to 0.12.0.
- [Release notes](https://github.com/pires/go-proxyproto/releases )
- [Commits](https://github.com/pires/go-proxyproto/compare/v0.11.0...v0.12.0 )
---
updated-dependencies:
- dependency-name: github.com/pires/go-proxyproto
dependency-version: 0.12.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 13:54:42 +02:00
Jens L.
7b913eaaa9
root: update rustls-webpki ( #21769 )
...
* root: update rustls-webpki
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* allow earlier rustls-webpki updates since this is the second time this happened
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-22 13:00:11 +02:00
authentik-automation[bot]
880c1ec89a
core, web: update translations ( #21695 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-04-22 11:41:48 +02:00
dependabot[bot]
d7724a52f2
core: bump python-dotenv from 1.2.1 to 1.2.2 in the uv group across 1 directory ( #21752 )
...
core: bump python-dotenv in the uv group across 1 directory
Bumps the uv group with 1 update in the / directory: [python-dotenv](https://github.com/theskumar/python-dotenv ).
Updates `python-dotenv` from 1.2.1 to 1.2.2
- [Release notes](https://github.com/theskumar/python-dotenv/releases )
- [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md )
- [Commits](https://github.com/theskumar/python-dotenv/compare/v1.2.1...v1.2.2 )
---
updated-dependencies:
- dependency-name: python-dotenv
dependency-version: 1.2.2
dependency-type: indirect
dependency-group: uv
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 11:41:23 +02:00