Bapuji Koraganti
24edee3e78
flows: add warning message for expired password reset links ( #21395 )
...
* flows: add warning message for expired password reset links
Fixes #21306
* Replace token expiry check with REQUIRE_TOKEN authentication requirement
Incorporate review comments to move expired/invalid token handling from executor-level check to flow planner authentication requirement. This avoids disclosing whether a token ever existed and handles already-cleaned-up tokens.
* The fix was changing gettext_lazy to gettext
* remove unneeded migration
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update form
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-22 15:09:05 +02:00
Jens L.
915b5a73fc
enterprise/endpoints/connectors/agent: add independent secure enclave support for tap to login ( #20766 )
...
* enterprise/endpoints/connectors/agent: add independent secure enclave support for tap to login
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix API url
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove optional settings
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add a missing text
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-18 20:29:17 +02:00
Jens L.
00639d9596
policies/event_matcher: Add query option to filter events ( #21618 )
...
* policies/event_matcher: support QL query
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix lit dev warning
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cache autocomplete data if QL isn't setup yet
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* dont use ql input in modal
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix codespell
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-16 01:52:11 +02:00
Fletcher Heisler
c32f21046d
enterprise/search: move QL to open source] ( #21484 )
...
* enterprise/search move to /search
* use make gen for schema updates
* update docs
* re-org
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cleanup more
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix web
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* oops
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* huh
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* typing
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-09 16:37:11 +02:00
Simonyi Gergő
2b8313ee91
core: fix policy binding objects not being nullable ( #21421 )
...
* fix policy binding objects not being nullable
* `make gen-clients`
* fix schema
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* tidy
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix test
* `make gen`
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-08 16:39:00 +02:00
Jens L.
57d2135c8a
sources/ldap: Switch to new connection tracking, deprecated attribute-based connection ( #21392 )
...
* init user
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix and update groups
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* split api
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* include user and group in ldap conn
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* unrelated cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add ldap users/groups page
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* ui cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fixup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update error message
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix import
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add forms for user/group connections
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix py sync
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fixup web
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix connection not always saved
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix help text
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-07 16:13:05 +02:00
Connor Peshek
8c3d5f1269
providers/oauth: post_logout_redirect_uri support ( #20011 )
...
* oauth2/providers: add post logout redirect uri to providers
* properly handle post_logout_redirect_uri and frontchannel message to rp
* add backchannel support
* move logout url logic
* hanlde forbidden_uri_schemes on post_logout_redirect_uri
* merge post_logout with redirect_uri
---------
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
Co-authored-by: Jens L. <jens@goauthentik.io >
2026-04-07 03:46:11 -05:00
Jens L.
ea2bdde5a3
enterprise/providers/ssf: test conformance ( #21383 )
...
* bump conformance server
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add support for rfc push
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* make format and aud optional
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix some endpoints
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* force 401
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* implement get and patch for streams
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* enable async stream deletion
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* allow configuring remote certificate validation
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add verification endpoint
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add support for authorization_header
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* set default aud cause spec cant agree with itself
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* bump timeout
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix header `typ`
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* enabled -> status
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* re-migrate
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more tests and a fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* make streams deletable
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* and more logs and fix a silly bug
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add stream status endpoint
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* move ssf out of preview
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* unrelated typing fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* sigh
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-05 16:35:39 +02:00
Jens L.
827a77dd52
web/admin: more and more polish ( #21303 )
...
* fix user edit button
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix impersonate button not aligned
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cleanup oauth2 provider page
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* better desc for outpost health
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix static table not updating when items change
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix lint
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* include oidc providers in ssf provider retrieve
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* consistent oauth provider label
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* rework ssf view page
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* make client-rust makefile on macos
specifically when gnu sed is installed in the path
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-04 22:35:11 +02:00
Jens L.
8610c25bd3
blueprints: rework one-time import ( #18074 )
...
* initial move
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* rework permissions
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* initial UI rework
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add option to one-time import from file
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* adjust ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update api
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix import form logs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* reset correctly
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* improve error handling
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-01 15:03:16 +02:00
Connor Peshek
8dddc05bc0
source/saml: Add forceauthn to saml authnrequest ( #20883 )
...
* source/saml: Add ForceAuthn support to SAML AuthnRequest
2026-03-31 22:54:01 -05:00
Jens L.
06408cba59
core: fix provider not nullable ( #21275 )
...
* core: fix provider not nullable
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix more inconsistencies
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* idk man
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-03-31 18:27:22 +02:00
Jens L.
0b1ba60354
stages/authenticator_webauthn: save attestation certificate when creating credential ( #20095 )
...
* stages/authenticator_webauthn: save attestation certificate when creating credential
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add toggle
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix migration
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* squash
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* better test
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-03-30 13:55:39 +02:00
Jens L.
d1c997b2fe
core: Application stats, device events & cleanup ( #21225 )
...
* core: app stats
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* refctor
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* rework to generic API
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* oops
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* handling
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* unrelated fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* allow filtering events by device
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* show device events on device page
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* simply event tables
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-03-29 21:58:12 +02:00
Jens L.
1a43ac1dc2
providers/scim: add webex compatibility mode ( #21208 )
...
* providers/scim: add webex compatibility mode
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* migrate
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-03-27 21:39:39 +01:00
Jens L.
5108be6554
api: cleanup enums ( #21201 )
...
* api: cleanup choice enums
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more names
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* unrelated
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* rework
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update web
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix?
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* try custom template
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* sed it instead?
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* correct sed
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-03-27 15:54:59 +01:00
dependabot[bot]
237423d458
core: bump drf-spectacular from 0.28.0 to 0.29.0 ( #19420 )
...
* core: bump drf-spectacular from 0.28.0 to 0.29.0
Bumps [drf-spectacular](https://github.com/tfranzel/drf-spectacular ) from 0.28.0 to 0.29.0.
- [Release notes](https://github.com/tfranzel/drf-spectacular/releases )
- [Changelog](https://github.com/tfranzel/drf-spectacular/blob/master/CHANGELOG.rst )
- [Commits](https://github.com/tfranzel/drf-spectacular/compare/0.28.0...0.29.0 )
---
updated-dependencies:
- dependency-name: drf-spectacular
dependency-version: 0.29.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
* add fix for warnings
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update API
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix web
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: dependabot[bot] <support@github.com >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-03-25 16:23:38 +01:00
Jens L.
d1ed30b6e0
core: add flag for future default behaviour of requiring a binding to access an application ( #16247 )
...
* core: add flag to configure if apps without bindings should be accessible to everyone or not
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
# Conflicts:
# authentik/policies/views.py
# schema.yml
* add description
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
# Conflicts:
# web/src/admin/admin-settings/AdminSettingsForm.ts
* fix flag check
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* include scim
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add description
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-03-23 18:14:00 +01:00
Marc 'risson' Schmitt
48e1edfaa2
tasks: fix workers API URL missing trailing / ( #20954 )
2026-03-17 18:55:43 +00:00
Jens L.
db9081e7dc
policies: remove BufferedPolicyAccessView ( #20521 )
...
* policies: remove BufferedPolicyAccessView
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
# Conflicts:
# authentik/policies/views.py
# authentik/providers/oauth2/views/authorize.py
# schema.yml
# tests/e2e/test_provider_saml.py
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-03-16 18:19:15 +01:00
Jens L.
59263ae678
events: add option to configure webhook CA ( #20823 )
...
* events: add option to configure webhook CA
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Update website/docs/sys-mgmt/events/transports.md
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
Signed-off-by: Jens L. <jens@beryju.org >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Jens L. <jens@beryju.org >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
2026-03-14 21:01:01 +01:00
Marcelo Elizeche Landó
e9b33be694
stages/authenticator_webauthn: Add WebAuthn client hints support ( #20700 )
...
* Add webauthn_hints to models
* Add migrations
* Add webauthn_hints to the API
* Add enum to settings.py
* Add webauthn client hints to configuration forms in authenticator_webauthn and authenticator_validate
* Add compatability for older user agents auto infering authenticatorAttachment
* Rewording
* Fix capitalization
* Add tests
* Use ak-dual-select instead of checkboxes for hints
* Add preserve-order, no-search and no-status properties to ak-dual-select
* add no-search and no-status to ak-dual-select in AuthenticatorValidateStageForm.ts
2026-03-13 20:36:28 -03:00
Jens L.
d880c46d7c
enterprise/endpoints/connectors: add google_chrome ( #19129 )
...
* init
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add icon
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* actually load
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix serializer
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* init ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix duplicated element name
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* include chrome url
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* make it work, some small UI fixes
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* invisible submit for frame
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix device not set in flow plan, fix other small things, more tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* simplify
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Minor doc changes
* dedupe templates
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
2026-03-09 11:17:56 +01:00
Jens L.
6245809eae
web/flows: continuous login ( #19862 )
...
* wip
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
# Conflicts:
# authentik/core/signals.py
# authentik/stages/identification/stage.py
# web/src/flow/stages/RedirectStage.ts
# Conflicts:
# web/src/flow/FlowExecutor.ts
* fix race conditions
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* prevent stale locks
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add to feature flag
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add separate flag
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* make it build
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* revisit
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* better origin check
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-03-04 10:37:53 +00:00
Alexander Tereshkin
9ba7b373b1
enterprise/lifecycle: use datetime instead of date to track review cycles ( #20283 )
...
* enterprise/lifecycle: use datetime instead of date to track review cycles (fix for #20265 )
* Update authentik/enterprise/lifecycle/api/iterations.py
Co-authored-by: Jens L. <jens@beryju.org >
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
* enterprise/lifecycle: replace extend_schema_field with type annotations
---------
Signed-off-by: Alexander Tereshkin <96586+atereshkin@users.noreply.github.com >
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
Co-authored-by: Jens L. <jens@beryju.org >
2026-02-23 14:55:44 +01:00
dependabot[bot]
fe0f559cd2
core: bump django-countries from 7.6.1 to 8.2.0 ( #19459 )
...
* core: bump django-countries from 7.6.1 to 8.2.0
Bumps [django-countries](https://github.com/SmileyChris/django-countries ) from 7.6.1 to 8.2.0.
- [Changelog](https://github.com/SmileyChris/django-countries/blob/main/CHANGES.md )
- [Commits](https://github.com/SmileyChris/django-countries/compare/v7.6.1...v8.2.0 )
---
updated-dependencies:
- dependency-name: django-countries
dependency-version: 8.2.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
# Conflicts:
# pyproject.toml
# uv.lock
* re-gen schema
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: dependabot[bot] <support@github.com >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-02-17 18:13:41 +01:00
Marcelo Elizeche Landó
b76539e73f
stage/invitation: Send invite via email UI ( #19823 )
...
* first approach
* add cc and bcc support, better ui
* remove unnecessary data return
* add template support
* fix linting
* do the ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* display invite info in InvitationSendEmailForm.ts
* Select the invitation template by default
* Fix linting
* fix tests
* Add tests, clean code
* Add docs
* fix link
* Make the UI less disgusting
* Make the UI less disgusting
* Apply suggestions from code review
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com >
* small formatting fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Use writeToClipboard function, better wording for CC and BCC
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
2026-02-13 11:00:31 -03:00
Connor Peshek
858a040dfb
providers/saml: send logoutResponse on sp-init logout ( #17691 )
...
* providers/saml: send logoutResponse on sp-init logout
* Use first updated to fix multiple submits
* add backchannel logoutResponse
* tests
---------
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
Co-authored-by: connor peshek <connorpeshek@connors-MacBook-Pro.local >
2026-02-11 14:18:39 -06:00
authentik-automation[bot]
7cb789e777
root: bump version to 2026.5.0-rc1 ( #20174 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-02-11 01:43:16 +01:00
Alexander Tereshkin
2f2488b326
enterprise/lifecycle: implement Object Lifecycle Management ( #20015 )
...
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com >
Co-authored-by: Jens L. <jens@beryju.org >
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Co-authored-by: Dominic R <dominic@sdko.org >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
2026-02-10 18:33:06 +01:00
Jens L.
ef74ca01a2
enterprise/providers: WSFed configurable realm, default wreply ( #19996 )
...
* enterprise/providers/wsfed: make realm configurable
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* make wreply optional, fallback to configure
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* use audience instead of issuer
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix lookup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-02-06 00:14:10 +01:00
Jens L.
68c7037eea
flows: add option for flow layout with frame background ( #19527 )
...
* flows: add option for flow layout with frame background
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Tidy variables. Fix mobile and tablet layouts, shadows.
* Update web/src/flow/FlowExecutor.ts
Co-authored-by: Jens L. <jens@goauthentik.io >
Signed-off-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
2026-02-04 17:39:01 +01:00
Simonyi Gergő
68f70a0953
core: ask for token duration on recovery link/email by admin ( #19875 )
...
* add translations to `ValidationError`s in user api
* deduplicate recovery buttons
* refactor `recovery_email`
* simplify request.brand call
* ask for token duration on recovery link/email by admin
* use `@validate` decorator for admin recovery
* stylize if/else
* return uniform error message on no `view_` permission
* clarify wording on email success
2026-02-03 16:48:51 +01:00
Connor Peshek
ff87929dcf
crypto: Add ED25519 and ED448 support to the certificate builder ( #19465 )
...
* Add ED25519 and ED448 support to the certificate builder.
* retain cert format for non ed certs.
2026-02-03 14:29:33 +01:00
Simonyi Gergő
1b9653901c
rbac: clean up roles and permissions ( #19588 )
...
* clean up roles and permissions
This was purposefully not included in `2025.12` to split the changes up.
The main content of this patch is in the migrations. Everything else
follows more or less automatically.
* add breaking change warning to release notes
* add `ak_groups` --> `groups` deprecated proxy
* fixup! add `ak_groups` --> `groups` deprecated proxy
* fixup! add `ak_groups` --> `groups` deprecated proxy
* fixup! add `ak_groups` --> `groups` deprecated proxy
* add configuration warning to default notifications blueprint
* add rudimentary tests for User.ak_groups
* remove no longer used permissions
* clarify deprecation
Co-authored-by: Jens L. <jens@goauthentik.io >
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
* remove integration changes
These will be included in a separate PR once this is released.
---------
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
Co-authored-by: Jens L. <jens@goauthentik.io >
2026-01-29 19:12:38 +01:00
Immanuel von Neumann
6ca26b501b
providers/scim: modify user- and group syncing behavior ( #13947 )
...
* providers/scim: modify user- and group syncing behavior
rename filtergroup to groupfilters and allow multiple values
only sync groups which are in the scimprovider's attribute \"group_filters\"
only sync users which are entitled to view the scimprovider's application
* Update authentik/providers/scim/api/providers.py
Signed-off-by: Immanuel von Neumann <45020096+ImmanuelVonNeumann@users.noreply.github.com >
* fix(authentik/scim): update schema.yml and test name
* merge migrations
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* providers/scim: fix linting
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* filter eagerly
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Immanuel von Neumann <45020096+ImmanuelVonNeumann@users.noreply.github.com >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-01-29 17:07:58 +01:00
Dominic R
5834f43a8b
web: display custom attributes on admin view pages ( #19720 )
...
* web: display custom attributes on admin view pages
Overview:
Add a reusable ak-object-attributes-card component that displays custom attributes on User, Group, and Device admin view pages.
This allows admins to see custom attributes directly on the overview tab without needing to open the edit form.
The component:
- Filters out system attributes (goauthentik.io/* prefixed keys)
- Optionally excludes the notes attribute
- Renders values based on type: booleans as status labels, arrays as comma-separated lists, objects as formatted JSON
Testing:
1. Navigate to Admin > Identity > Users > [any user]
2. Verify "Custom Attributes" card appears below Changelog
3. Add custom attributes via Edit form:
```
{
"department": "Engineering",
"employee_id": 12345,
"is_contractor": false,
"is_manager": true,
"skills": ["Python", "TypeScript", "Go"],
"office_location": {
"building": "HQ",
"floor": 3,
"desk": "A-42"
},
"notes": "This should NOT appear in Custom Attributes card",
"goauthentik.io/user/sources": ["should-be-filtered"]
}
```
4. Confirm they appear in the card, system attributes are hidden
5. Repeat for Groups and Devices
Screenshot:
<!-- todo -->
Motivation:
Admins frequently need to view custom attributes on users, groups, and devices. Currently this requires clicking Edit and scrolling to the attributes field.
Closes: https://github.com/goauthentik/authentik/issues/18625
* web: Ken's suggestion
2026-01-29 01:42:43 +00:00
Jens L.
d1fb7dde14
enterprise/providers: WS-Federation ( #19583 )
...
* init
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix metadata
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* aight
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* progress
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix timedelta
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* start testing metadata
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add some more tests and schemas
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* test signature
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* attempt to fix signed xml linebreak
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1258
https://github.com/robrichards/xmlseclibs/issues/28
https://github.com/xmlsec/python-xmlsec/issues/196
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* format + gen
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update web
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more validation
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* hmm
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add e2e test
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* qol fix in wait_for_url
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add UI
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* acs -> reply url
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* sign_out
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix some XML typing
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove verification_kp as its not used
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix reply url
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add ws-fed to tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add logout test
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add SAMLSession
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* refactor
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* unrelated type fixes
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add backchannel logout
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* delete import_metadata in wsfed
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* include generated realm
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Update web/src/admin/providers/wsfed/WSFederationProviderViewPage.ts
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
Signed-off-by: Jens L. <jens@beryju.org >
* include wtrealm in ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Jens L. <jens@beryju.org >
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
2026-01-28 17:43:16 +01:00
Connor Peshek
25820f063e
providers/oauth2: Support login_hint ( #19498 )
...
* clean up code
* simplify skipping logic
* clean up reading flag, fix user submission on identification stage
* do not auto add login_hint if user doesnt exist and pretend_user_exists is off
* rework
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* sigh
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix login_hint conformance test
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-01-27 15:15:24 +01:00
Dominic R
33594c9cb4
admin/files: add centralized theme variable support for file URLs ( #19657 )
...
* Revert "admin/files: support %(theme)s variable in media file paths (#19108 )"
This reverts commit 1a963d27c8
2026-01-27 08:09:42 -05:00
Marc 'risson' Schmitt
85434710f3
root: update client-go generation ( #19762 )
2026-01-26 19:51:38 +01:00
Jens L.
9a806f7e49
enterprise/audit: Expanded Diff ( #19726 )
...
* add cleanup for tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* make .get classmethod
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add flag to include more data
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add UI
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix flag tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-01-26 14:30:37 +01:00
Jens L.
e2cb1a8d0c
endpoints: FleetDM connector ( #18589 )
...
* enterprise/endpoints/connectors/fleet: init
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
# Conflicts:
# blueprints/schema.json
# schema.yml
* add ui
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix desc
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add configurable headers
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Address review feedback on FleetDM connector implementation (#18651 )
* Initial plan
* Add public override modifiers to updated method
Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com >
* Address additional feedback from PR #18589
Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com >
* Fix indentation in ak-switch-input component
Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com >
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com >
Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com >
* fix permission model
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add attributes to device access group
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add option to map device team
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* cleanup
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update schema
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* switch connector to grid, add icons
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix pagination
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add software tab
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix pages in test
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add more test devices
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add fedora test machine
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* better formatting for OS version
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com >
Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com >
2026-01-23 21:40:28 +01:00
Dominic R
c67447d4db
web/admin: fix file upload not preserving extension for custom names with dots ( #19548 )
...
* web/admin: fix file upload not preserving extension for custom names with dots
Overview:
The `hasBasenameExtension()` function in `FileUploadForm.ts` incorrectly determined whether a custom filename already had an extension by checking if it contained any dot at position > 0.
This caused filenames like "e._.e" to be treated as having an extension, so the original file's extension was not appended. The file would be saved as "e._.e" instead of "e._.e.jpg", which caused `mimetypes.guess_type()` to return `None` (since ".e" is not a recognized extension) and the backend to fall back to "application/octet-stream".
Removed `hasBasenameExtension()` entirely. Since the UI explicitly states "Optionally rename the file (without extension)", we now always append the original file's extension when a custom name is provided.
Testing:
1. Upload a JPG file with custom name "e" --> saves as "e.jpg", and is detected as "image/jpeg"
2. Upload a JPG file with custom name "e._.e" --> now saves as "e._.e.jpg",and is detected as "image/jpeg"
Motivation:
Fixes incorrect MIME type detection for uploaded files when users provide custom filenames containing dots.
* web: lint
* web: Ken's suggestion
2026-01-23 00:39:10 +00:00
CodeMax IT Solutions Pvt. Ltd.
d60806dfc3
core: add bulk session revocation ( #18564 )
...
* feat: add bulk session revocation functionality for users
* feat: add bulk delete functionality for authenticated sessions
- Implemented BulkDeleteSessionSerializer for handling bulk session deletions.
- Added bulk_delete action to AuthenticatedSessionViewSet for revoking sessions by user IDs.
- Updated API schema to include new endpoint for bulk session deletion.
- Modified UserBulkRevokeSessionsForm to utilize the new bulk delete API.
* Update authentik/core/api/authenticated_sessions.py
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Signed-off-by: CodeMax IT Solutions Pvt. Ltd. <137166088+cdmx-in@users.noreply.github.com >
* Update authentik/core/api/authenticated_sessions.py
PassiveSerializer for BulkDeleteSessionSerializer
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Signed-off-by: CodeMax IT Solutions Pvt. Ltd. <137166088+cdmx-in@users.noreply.github.com >
* Update authentik/core/api/authenticated_sessions.py
user_pks instead of user_ids
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Signed-off-by: CodeMax IT Solutions Pvt. Ltd. <137166088+cdmx-in@users.noreply.github.com >
* feat: enhance bulk delete functionality for authenticated sessions
* feat: update bulk delete endpoint for authenticated sessions to use DELETE method and query parameters
* Update authentik/core/api/authenticated_sessions.py
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Signed-off-by: CodeMax IT Solutions Pvt. Ltd. <137166088+cdmx-in@users.noreply.github.com >
* lint
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* Prettier
---------
Signed-off-by: CodeMax IT Solutions Pvt. Ltd. <137166088+cdmx-in@users.noreply.github.com >
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
2026-01-22 17:17:04 +00:00
dependabot[bot]
288f6f50f6
core: bump bandit from 1.9.2 to 1.9.3 ( #19566 )
...
* core: bump bandit from 1.9.2 to 1.9.3
Bumps [bandit](https://github.com/PyCQA/bandit ) from 1.9.2 to 1.9.3.
- [Release notes](https://github.com/PyCQA/bandit/releases )
- [Commits](https://github.com/PyCQA/bandit/compare/1.9.2...1.9.3 )
---
updated-dependencies:
- dependency-name: bandit
dependency-version: 1.9.3
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
* update config, fix warnings
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: dependabot[bot] <support@github.com >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-01-20 01:45:45 +01:00
Jens L.
3e9b59cc13
endpoints: show agent version ( #19239 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-01-08 20:01:10 +01:00
Dominic R
39f6f72e96
stages/authenticator_static: set max token length to 100 chars ( #19162 )
...
* stages/authenticator_static: add max length validation for token_length field
* wip
* wip
2026-01-07 22:50:10 +00:00
Jens L.
85759d5fd2
endpoints: include license status in agent config ( #19227 )
...
* web/admin: consistent OS display
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* include license status with agent config
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* slightly rework
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-01-07 17:23:13 +01:00
Dominic R
c3cf94550f
core: add last_login filter to users API ( #18993 )
2026-01-06 04:02:02 +00:00
