dependabot[bot]
86de4955aa
ci: bump taiki-e/install-action from 2.75.18 to 2.75.19 in /.github/actions/setup ( #21814 )
...
ci: bump taiki-e/install-action in /.github/actions/setup
Bumps [taiki-e/install-action](https://github.com/taiki-e/install-action ) from 2.75.18 to 2.75.19.
- [Release notes](https://github.com/taiki-e/install-action/releases )
- [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md )
- [Commits](055f5df8c3...5f57d6cb7csupport@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-24 11:39:26 +01:00
dependabot[bot]
bea9b23555
lifecycle/aws: bump aws-cdk from 2.1118.2 to 2.1118.3 in /lifecycle/aws ( #21801 )
...
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-23 18:09:55 +02:00
dependabot[bot]
9820ee1d67
core: bump rustls from 0.23.38 to 0.23.39 ( #21802 )
...
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-23 14:18:04 +00:00
Marc 'risson' Schmitt
1379637389
ci: add rustls and aws-lc ecosystem crates to delay ignore list ( #21800 )
2026-04-23 13:42:25 +00:00
Dominic R
39e6c41566
admin/files: sign custom-domain S3 URLs for the final host ( #21704 )
2026-04-23 15:23:05 +02:00
Sai Asish Y
92a2d26c86
core: survive the empty-queryset race in chunked_queryset ( #21666 )
2026-04-23 15:21:57 +02:00
Simonyi Gergő
0f8d8c81d7
core: simplify boolean ( #21790 )
2026-04-23 14:47:23 +02:00
Sai Asish Y
cce646b132
providers/oauth2: clip device authorization scope against the provider's ScopeMapping set ( #21701 )
...
* providers/oauth2: clip device authorization scope against the provider's ScopeMapping set
DeviceView.parse_request stored the raw request scope straight onto the
DeviceToken:
self.scopes = self.request.POST.get("scope", "").split(" ")
...
token = DeviceToken.objects.create(..., _scope=" ".join(self.scopes))
The token-exchange side then reads those scopes back directly:
if SCOPE_OFFLINE_ACCESS in self.params.device_code.scope:
refresh_token = RefreshToken(...)
...
so a caller that adds offline_access to the device authorization
request body gets a refresh_token at the exchange, even when the
provider has no offline_access ScopeMapping configured. Every other
grant type clips scope against ScopeMapping for the provider inside
TokenParams.__check_scopes, but the device authorization endpoint
runs before TokenParams is ever constructed, so the clip never
happens for the device flow.
Combined with #20828 (missing client_secret verification on device
code exchange for confidential clients, now being fixed separately)
and the lack of per-app opt-out for the device flow, this gives any
caller that knows the client_id a path to an offline refresh token
against any OIDC application the deployment exposes.
Intersect the requested scope set with the provider's ScopeMapping
names before we ever persist the DeviceToken. offline_access that is
not configured is silently dropped, matching __check_scopes on the
other grant types. Configured offline_access still flows through
unchanged.
Fixes #20825
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com >
* rework and add tests
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: SAY-5 <SAY-5@users.noreply.github.com >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-23 13:44:44 +02:00
dependabot[bot]
6d274d1e3d
core: bump library/nginx from 3acc8b9 to 6e23479 in /website ( #21794 )
...
Bumps library/nginx from `3acc8b9` to `6e23479`.
---
updated-dependencies:
- dependency-name: library/nginx
dependency-version: 1.29-trixie
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-23 11:20:09 +02:00
dependabot[bot]
8d5489e441
core: bump library/node from b272ff1 to 74ff139 in /website ( #21795 )
...
Bumps library/node from `b272ff1` to `74ff139`.
---
updated-dependencies:
- dependency-name: library/node
dependency-version: 25.9.0-trixie
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-23 11:19:56 +02:00
dependabot[bot]
8ea9a48017
core: bump library/golang from cd8540d to 982ae92 in /lifecycle/container ( #21793 )
...
core: bump library/golang in /lifecycle/container
Bumps library/golang from `cd8540d` to `982ae92`.
---
updated-dependencies:
- dependency-name: library/golang
dependency-version: 1.26.2-trixie
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-23 10:19:37 +01:00
Sai Asish Y
c6b5869b48
stages/user_write: refuse to write id/pk claims onto the user model ( #21667 )
...
* stages/user_write: refuse to write id/pk claims onto the user model
When an enrollment or source flow maps IdP-supplied attributes onto the
User model, update_user walks each key and, if the user already has an
attribute by that name, calls setattr(user, key, value) unconditionally.
"id" is always present on the User model (it is the Django PK), so a
SAML assertion that ships an "id" claim, e.g. a hex string from
mocksaml, was written straight into the PK field. Django then rejected
the save:
ValueError: Field 'id' expected a number but got '<hex>'.
The log surfaced as "Failed to save user" and the enrollment flow
silently failed for every incoming user.
Treat "id" and "pk" the same way the existing "groups" entry is
treated: add them to disallowed_user_attributes so the walker logs and
skips them. IdP attributes can still be stored on user.attributes via
the dotted/underscored forms (e.g. attributes.id), which go through
write_attribute and land in the JSONField safely.
Added a regression test covering both id and pk in the prompt context.
Fixes #21580
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com >
* fix lint
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: SAY-5 <SAY-5@users.noreply.github.com >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-23 11:03:12 +02:00
authentik-automation[bot]
e4971f9aa5
core, web: update translations ( #21785 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-04-23 10:39:13 +02:00
Dominic R
028ec05a8b
website: Merge branch ( #21684 )
...
Co-authored-by: Codex <codex@openai.com >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
2026-04-23 01:46:10 +00:00
Ryan Pesek
b4c9ac57e0
core/applications: Optimize list applications when only_with_launch_url=true ( #20428 )
...
* Performance optimizations for the application list API endpoint when only_with_launch_url=true
* lint
---------
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com >
2026-04-23 03:15:16 +02:00
Dewi Roberts
80b93e1fbc
website/docs: add authorization header info to all proxy configs ( #21664 )
...
Add authorization header info to all proxy configs
2026-04-23 02:35:02 +02:00
dependabot[bot]
dff6b48f53
web: bump @xmldom/xmldom from 0.8.12 to 0.8.13 in /web ( #21784 )
...
Bumps [@xmldom/xmldom](https://github.com/xmldom/xmldom ) from 0.8.12 to 0.8.13.
- [Release notes](https://github.com/xmldom/xmldom/releases )
- [Changelog](https://github.com/xmldom/xmldom/blob/master/CHANGELOG.md )
- [Commits](https://github.com/xmldom/xmldom/compare/0.8.12...0.8.13 )
---
updated-dependencies:
- dependency-name: "@xmldom/xmldom"
dependency-version: 0.8.13
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-23 02:33:20 +02:00
gp-somni-labs
79473341d6
internal/outpost: serialize websocket writes to prevent panic ( #21728 )
...
The outpost API controller shares a single *websocket.Conn across
multiple goroutines: the event-handler loop, the 10s health ticker
(SendEventHello), the shutdown path (WriteMessage close), initEvent
writing the hello frame on (re)connect, and RAC session handlers that
also invoke SendEventHello. gorilla/websocket explicitly documents that
concurrent WriteMessage/WriteJSON calls are unsafe and will panic with
"concurrent write to websocket connection", which takes the outpost
(and embedded-outpost authentik-server) pod down.
Fix by adding a sync.Mutex on APIController guarding every write path
on eventConn (initEvent hello, Shutdown close message, SendEventHello).
Reads (ReadJSON in startEventHandler) are left unsynchronized as
gorilla permits a single concurrent reader alongside a writer.
Minimal, localized change: no API changes, no behavior changes, writes
are already infrequent so lock contention is negligible.
Refs #11090
Co-authored-by: curiosity <curiosity@somni.dev >
2026-04-23 02:33:10 +02:00
dependabot[bot]
99f9682d61
core: bump rand from 0.8.5 to 0.8.6 in the cargo group across 1 directory ( #21783 )
...
core: bump rand in the cargo group across 1 directory
Bumps the cargo group with 1 update in the / directory: [rand](https://github.com/rust-random/rand ).
Updates `rand` from 0.8.5 to 0.8.6
- [Release notes](https://github.com/rust-random/rand/releases )
- [Changelog](https://github.com/rust-random/rand/blob/0.8.6/CHANGELOG.md )
- [Commits](https://github.com/rust-random/rand/compare/0.8.5...0.8.6 )
---
updated-dependencies:
- dependency-name: rand
dependency-version: 0.8.6
dependency-type: indirect
dependency-group: cargo
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-23 02:02:24 +02:00
Bapuji Koraganti
987f367d7b
web: merge MFA devices and tokens into unified Credentials tab ( #21705 )
...
* web: merge MFA devices and tokens into unified Credentials tab
Combines the separate "MFA Devices" and "Tokens and App passwords"
tabs into a single "Credentials" tab on the user settings page,
so users can manage all credentials from one place.
Fixes #21637
Signed-off-by: Bapuji Koraganti <bapuk.2008@gmail.com >
* add card title
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Bapuji Koraganti <bapuk.2008@gmail.com >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-23 02:02:00 +02:00
Jens L.
805ff9f1ab
web/admin: fix policy/stage wizard label, fix connector create wizard, cleanup ( #21781 )
...
* update labels
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove unused app wizard hint
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* connector wizard should use grid
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-22 19:32:23 +02:00
dependabot[bot]
42fc9d537e
website: bump the build group in /website with 6 updates ( #21777 )
...
* website: bump the build group in /website with 6 updates
Bumps the build group in /website with 6 updates:
| Package | From | To |
| --- | --- | --- |
| [@swc/core-darwin-arm64](https://github.com/swc-project/swc ) | `1.15.26` | `1.15.30` |
| [@swc/core-linux-arm64-gnu](https://github.com/swc-project/swc ) | `1.15.26` | `1.15.30` |
| [@swc/core-linux-x64-gnu](https://github.com/swc-project/swc ) | `1.15.26` | `1.15.30` |
| [@swc/html-darwin-arm64](https://github.com/swc-project/swc ) | `1.15.26` | `1.15.30` |
| [@swc/html-linux-arm64-gnu](https://github.com/swc-project/swc ) | `1.15.26` | `1.15.30` |
| [@swc/html-linux-x64-gnu](https://github.com/swc-project/swc ) | `1.15.26` | `1.15.30` |
Updates `@swc/core-darwin-arm64` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-linux-arm64-gnu` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-linux-x64-gnu` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/html-darwin-arm64` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/html-linux-arm64-gnu` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/html-linux-x64-gnu` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
---
updated-dependencies:
- dependency-name: "@swc/core-darwin-arm64"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: build
- dependency-name: "@swc/core-linux-arm64-gnu"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: build
- dependency-name: "@swc/core-linux-x64-gnu"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: build
- dependency-name: "@swc/html-darwin-arm64"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: build
- dependency-name: "@swc/html-linux-arm64-gnu"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: build
- dependency-name: "@swc/html-linux-x64-gnu"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: build
...
Signed-off-by: dependabot[bot] <support@github.com >
* sigh
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: dependabot[bot] <support@github.com >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-22 17:38:32 +02:00
dependabot[bot]
3f4c0fb35d
core: bump library/nginx from 7f0adca to 3acc8b9 in /website ( #21775 )
...
Bumps library/nginx from `7f0adca` to `3acc8b9`.
---
updated-dependencies:
- dependency-name: library/nginx
dependency-version: 1.29-trixie
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 17:32:46 +02:00
dependabot[bot]
42d87072cf
core: bump library/node from f57f0c7 to b272ff1 in /website ( #21776 )
...
core: bump library/node from `f57f0c7` to `7e77811` in /website
Bumps library/node from `f57f0c7` to `7e77811`.
---
updated-dependencies:
- dependency-name: library/node
dependency-version: 25.9.0-trixie
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 17:32:36 +02:00
Jens L.
075a1f5875
web/admin: Allow binding users/groups in policy binding wizard and existing stage in stage binding wizard ( #21697 )
...
* web/admin: allow creating only binding for policies
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* dont show type selector if only one is allowed
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* do the same for stage wizard
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* minor unrelated fix: alignment in table desc
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add option to bind existing policy
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* adjust labels?
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Clean up post-type select state. Types.
* Clean up brand form.
* Flesh out parse.
* Tidy textarea.
* Fix table alignment when images are present.
* Simplify radio.
* Fix form group layout, styles.
* Flesh out plural helper.
* Flesh out formatted user display name.
* Allow slotted HTML in page description.
* Clean up transclusion types.
* Allow null.
* Flesh out user activation toggle.
* Clean up activation labeling.
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
2026-04-22 16:08:31 +02:00
Bapuji Koraganti
24edee3e78
flows: add warning message for expired password reset links ( #21395 )
...
* flows: add warning message for expired password reset links
Fixes #21306
* Replace token expiry check with REQUIRE_TOKEN authentication requirement
Incorporate review comments to move expired/invalid token handling from executor-level check to flow planner authentication requirement. This avoids disclosing whether a token ever existed and handles already-cleaned-up tokens.
* The fix was changing gettext_lazy to gettext
* remove unneeded migration
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update form
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-22 15:09:05 +02:00
dependabot[bot]
9d55b9a9b0
web: bump the swc group across 1 directory with 11 updates ( #21778 )
...
Bumps the swc group with 1 update in the /web directory: [@swc/core](https://github.com/swc-project/swc/tree/HEAD/packages/core ).
Updates `@swc/core` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/commits/v1.15.30/packages/core )
Updates `@swc/core-darwin-arm64` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-darwin-x64` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-linux-arm-gnueabihf` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-linux-arm64-gnu` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-linux-arm64-musl` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-linux-x64-gnu` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-linux-x64-musl` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-win32-arm64-msvc` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-win32-ia32-msvc` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
Updates `@swc/core-win32-x64-msvc` from 1.15.26 to 1.15.30
- [Release notes](https://github.com/swc-project/swc/releases )
- [Changelog](https://github.com/swc-project/swc/blob/main/CHANGELOG.md )
- [Commits](https://github.com/swc-project/swc/compare/v1.15.26...v1.15.30 )
---
updated-dependencies:
- dependency-name: "@swc/core"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-darwin-arm64"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-darwin-x64"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-linux-arm-gnueabihf"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-linux-arm64-gnu"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-linux-arm64-musl"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-linux-x64-gnu"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-linux-x64-musl"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-win32-arm64-msvc"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-win32-ia32-msvc"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
- dependency-name: "@swc/core-win32-x64-msvc"
dependency-version: 1.15.30
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: swc
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 13:55:56 +02:00
dependabot[bot]
349be68d52
core: bump tokio from 1.52.0 to 1.52.1 ( #21774 )
...
Bumps [tokio](https://github.com/tokio-rs/tokio ) from 1.52.0 to 1.52.1.
- [Release notes](https://github.com/tokio-rs/tokio/releases )
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.52.0...tokio-1.52.1 )
---
updated-dependencies:
- dependency-name: tokio
dependency-version: 1.52.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 13:55:34 +02:00
dependabot[bot]
7dfb8d6129
core: bump library/node from a31ca31 to 735dd68 in /lifecycle/container ( #21773 )
...
core: bump library/node in /lifecycle/container
Bumps library/node from `a31ca31` to `735dd68`.
---
updated-dependencies:
- dependency-name: library/node
dependency-version: '24'
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 13:55:24 +02:00
dependabot[bot]
7f7965e42c
core: bump fido2 from 2.1.1 to 2.2.0 ( #21772 )
...
Bumps [fido2](https://github.com/Yubico/python-fido2 ) from 2.1.1 to 2.2.0.
- [Release notes](https://github.com/Yubico/python-fido2/releases )
- [Changelog](https://github.com/Yubico/python-fido2/blob/main/NEWS )
- [Commits](https://github.com/Yubico/python-fido2/compare/2.1.1...2.2.0 )
---
updated-dependencies:
- dependency-name: fido2
dependency-version: 2.2.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 13:55:13 +02:00
dependabot[bot]
2e2b471b94
core: bump library/golang from c0074c7 to cd8540d in /lifecycle/container ( #21771 )
...
core: bump library/golang in /lifecycle/container
Bumps library/golang from `c0074c7` to `cd8540d`.
---
updated-dependencies:
- dependency-name: library/golang
dependency-version: 1.26.2-trixie
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 13:54:51 +02:00
dependabot[bot]
4d53cd0790
core: bump github.com/pires/go-proxyproto from 0.11.0 to 0.12.0 ( #21770 )
...
Bumps [github.com/pires/go-proxyproto](https://github.com/pires/go-proxyproto ) from 0.11.0 to 0.12.0.
- [Release notes](https://github.com/pires/go-proxyproto/releases )
- [Commits](https://github.com/pires/go-proxyproto/compare/v0.11.0...v0.12.0 )
---
updated-dependencies:
- dependency-name: github.com/pires/go-proxyproto
dependency-version: 0.12.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 13:54:42 +02:00
Jens L.
7b913eaaa9
root: update rustls-webpki ( #21769 )
...
* root: update rustls-webpki
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* allow earlier rustls-webpki updates since this is the second time this happened
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-22 13:00:11 +02:00
authentik-automation[bot]
880c1ec89a
core, web: update translations ( #21695 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2026-04-22 11:41:48 +02:00
dependabot[bot]
d7724a52f2
core: bump python-dotenv from 1.2.1 to 1.2.2 in the uv group across 1 directory ( #21752 )
...
core: bump python-dotenv in the uv group across 1 directory
Bumps the uv group with 1 update in the / directory: [python-dotenv](https://github.com/theskumar/python-dotenv ).
Updates `python-dotenv` from 1.2.1 to 1.2.2
- [Release notes](https://github.com/theskumar/python-dotenv/releases )
- [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md )
- [Commits](https://github.com/theskumar/python-dotenv/compare/v1.2.1...v1.2.2 )
---
updated-dependencies:
- dependency-name: python-dotenv
dependency-version: 1.2.2
dependency-type: indirect
dependency-group: uv
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 11:41:23 +02:00
dependabot[bot]
508b45b6e3
core: bump github.com/jackc/pgx/v5 from 5.9.1 to 5.9.2 ( #21755 )
...
Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx ) from 5.9.1 to 5.9.2.
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md )
- [Commits](https://github.com/jackc/pgx/compare/v5.9.1...v5.9.2 )
---
updated-dependencies:
- dependency-name: github.com/jackc/pgx/v5
dependency-version: 5.9.2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 11:41:05 +02:00
dependabot[bot]
2d52756761
core: bump github.com/go-openapi/runtime from 0.29.3 to 0.29.4 ( #21756 )
...
Bumps [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime ) from 0.29.3 to 0.29.4.
- [Release notes](https://github.com/go-openapi/runtime/releases )
- [Commits](https://github.com/go-openapi/runtime/compare/v0.29.3...v0.29.4 )
---
updated-dependencies:
- dependency-name: github.com/go-openapi/runtime
dependency-version: 0.29.4
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 11:40:56 +02:00
dependabot[bot]
6e84b74797
core: bump pydantic from 2.13.0 to 2.13.2 ( #21757 )
...
Bumps [pydantic](https://github.com/pydantic/pydantic ) from 2.13.0 to 2.13.2.
- [Release notes](https://github.com/pydantic/pydantic/releases )
- [Changelog](https://github.com/pydantic/pydantic/blob/main/HISTORY.md )
- [Commits](https://github.com/pydantic/pydantic/compare/v2.13.0...v2.13.2 )
---
updated-dependencies:
- dependency-name: pydantic
dependency-version: 2.13.2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 11:40:28 +02:00
dependabot[bot]
aff93d35ef
core: bump django-stubs[compatible-mypy] from 6.0.2 to 6.0.3 ( #21758 )
...
Bumps [django-stubs[compatible-mypy]](https://github.com/typeddjango/django-stubs ) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/typeddjango/django-stubs/releases )
- [Commits](https://github.com/typeddjango/django-stubs/compare/6.0.2...6.0.3 )
---
updated-dependencies:
- dependency-name: django-stubs[compatible-mypy]
dependency-version: 6.0.3
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 11:40:12 +02:00
dependabot[bot]
d995613212
core: bump aws-cdk-lib from 2.249.0 to 2.250.0 ( #21759 )
...
Bumps [aws-cdk-lib](https://github.com/aws/aws-cdk ) from 2.249.0 to 2.250.0.
- [Release notes](https://github.com/aws/aws-cdk/releases )
- [Changelog](https://github.com/aws/aws-cdk/blob/main/CHANGELOG.v2.alpha.md )
- [Commits](https://github.com/aws/aws-cdk/compare/v2.249.0...v2.250.0 )
---
updated-dependencies:
- dependency-name: aws-cdk-lib
dependency-version: 2.250.0
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 11:40:03 +02:00
dependabot[bot]
194f04bb6f
core: bump packaging from 26.0 to 26.1 ( #21760 )
...
Bumps [packaging](https://github.com/pypa/packaging ) from 26.0 to 26.1.
- [Release notes](https://github.com/pypa/packaging/releases )
- [Changelog](https://github.com/pypa/packaging/blob/main/CHANGELOG.rst )
- [Commits](https://github.com/pypa/packaging/compare/26.0...26.1 )
---
updated-dependencies:
- dependency-name: packaging
dependency-version: '26.1'
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 11:39:50 +02:00
dependabot[bot]
ba14cac535
core: bump library/node from 28fd420 to a31ca31 in /lifecycle/container ( #21761 )
...
core: bump library/node in /lifecycle/container
Bumps library/node from `28fd420` to `a31ca31`.
---
updated-dependencies:
- dependency-name: library/node
dependency-version: '24'
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 11:39:39 +02:00
dependabot[bot]
953c70f5fc
ci: bump actions/setup-node from 6.3.0 to 6.4.0 ( #21762 )
...
Bumps [actions/setup-node](https://github.com/actions/setup-node ) from 6.3.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-node/releases )
- [Commits](53b83947a5...48b55a011bsupport@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 11:39:18 +02:00
dependabot[bot]
4c775b2258
ci: bump actions/setup-node from 6.3.0 to 6.4.0 in /.github/actions/setup ( #21764 )
...
ci: bump actions/setup-node in /.github/actions/setup
Bumps [actions/setup-node](https://github.com/actions/setup-node ) from 6.3.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-node/releases )
- [Commits](53b83947a5...48b55a011bsupport@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 11:39:09 +02:00
dependabot[bot]
2c851f7cd0
ci: bump taiki-e/install-action from 2.75.17 to 2.75.18 in /.github/actions/setup ( #21765 )
...
ci: bump taiki-e/install-action in /.github/actions/setup
Bumps [taiki-e/install-action](https://github.com/taiki-e/install-action ) from 2.75.17 to 2.75.18.
- [Release notes](https://github.com/taiki-e/install-action/releases )
- [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md )
- [Commits](58e8625425...055f5df8c3support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 11:38:54 +02:00
dependabot[bot]
520f81966c
core: bump tokio from 1.51.1 to 1.52.0 ( #21766 )
...
Bumps [tokio](https://github.com/tokio-rs/tokio ) from 1.51.1 to 1.52.0.
- [Release notes](https://github.com/tokio-rs/tokio/releases )
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.51.1...tokio-1.52.0 )
---
updated-dependencies:
- dependency-name: tokio
dependency-version: 1.52.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-22 11:38:41 +02:00
Jens L.
7f27ee3267
ci: fix postgres path for postgres 18 tests ( #21767 )
...
* ci: test migrations-from-stable failing
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix postgres path
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-22 11:27:16 +02:00
Sai Asish Y
6d57854bff
sources/oauth: pick a single pkce method from OIDC discovery, not the whole list ( #21689 )
...
* sources/oauth: pick a single pkce method from OIDC discovery, not the whole list
When an OAuth source is configured with `oidc_well_known_url`, the API
serializer fetches the upstream's OpenID configuration and merges the
selected endpoints into the source attrs. The merge used a straight
field_map that aliased the pkce TextField to
`code_challenge_methods_supported`:
field_map = {
...
"pkce": "code_challenge_methods_supported",
}
for ak_key, oidc_key in field_map.items():
...
attrs[ak_key] = config.get(oidc_key, "")
`code_challenge_methods_supported` is a JSON array per RFC 8414
(e.g. ["plain", "S256"]), but attrs["pkce"] is backed by a TextField
with choices NONE / PLAIN / S256. Django does not validate choices on
plain assignment, so the list survives serialisation and is later
formatted by the client as
str(pkce_mode) -> "['plain', 'S256']"
which ships as `code_challenge_method=%5B%27plain%27%2C+%27S256%27%5D`
on the /authorize request. The upstream rejects the subsequent /token
exchange with HTTP 400 because it has no PKCE state for that value.
Separate the pkce handling from the rest of the field_map loop: only
fill pkce when the user has not set it, and select one scalar method
from the advertised list (prefer S256, the RFC 7636 MUST for public
clients, then plain, then NONE as a last resort). Non-list / missing
values fall back to NONE. User-supplied pkce still wins, matching the
existing "don't overwrite user-set values" intent.
Fixes #21665
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com >
* update test
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* simplify
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: SAY-5 <SAY-5@users.noreply.github.com >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2026-04-21 19:40:03 +02:00
Dominic R
f7871d726e
website/integrations: grafana: migrate to entitlements ( #21676 )
...
* website/integrations: grafana: migrate to entitlements
* website/integrations: migrate Grafana role mappings to entitlements
* rm
* Add scope
* Add scope
* Update website/integrations/monitoring/grafana/index.mdx
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
Signed-off-by: Dominic R <dominic@sdko.org >
---------
Signed-off-by: Dominic R <dominic@sdko.org >
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
2026-04-21 14:08:22 +00:00
Jens L.
189056e19a
providers/oauth2: don't auto-set redirect_uri ( #21746 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-04-21 15:58:57 +02:00
