Dominic R
33594c9cb4
admin/files: add centralized theme variable support for file URLs ( #19657 )
...
* Revert "admin/files: support %(theme)s variable in media file paths (#19108)"
This reverts commit 1a963d27c8.
* admin/files: add centralized theme variable support for file URLs
Overview:
Adds support for `%(theme)s` placeholder in file paths, which allows theme-specific assets (like logos, backgrounds, icons) to be served based on the user's current theme (light/dark).
This replaces the previous implementation (reverted in this PR) which only handled theme substitution in the Go file backend and instead uses the new approach which centralizes theme logic and works across both backends.
Testing:
Try out the following for the file and s3 backend:
* Ensure themed images load
* Ensure non-themed images load
Motivation:
Internal
* brands: fix tests
* admin/files: s3 backend: fix tests
.xyz is a known MIME type for chemical/molecular structure files
* admin/files: api: fix tests
* core: fix tests
* admin/files: manager: fix tests
* admin/files: Support themed urls for passthrough backend
* admin/files: Create and use ThemedUrlsSerializer
* root: Regenerate
* core: Add read_only=True since it's a computed field from the model
* root: Regenerate
* web: Use the ThemedUrlsSerializer
* web, core: Fix frontend build
* core: Lint
* admin/files: Fix tests following CodeQL
* flows, providers: fix tests
2026-01-27 08:09:42 -05:00
Marc 'risson' Schmitt
85434710f3
root: update client-go generation ( #19762 )
2026-01-26 19:51:38 +01:00
Jens L.
9cb7c74e1c
internal: fix certificate not refetched if fingerprint changes ( #19761 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-01-26 17:07:35 +01:00
Jens L.
03e16b3a14
root: make logged HTTP headers configurable ( #19716 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-01-26 14:31:54 +01:00
Jens L.
30ad2b78cb
internal: fix incorrect metric calculation ( #19701 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-01-23 16:52:53 +01:00
Vít Skalický
bc3a1f128b
providers/proxy: Fix incorrect comparison of redirect URL and CookieDomain ( #15686 )
...
* Fix incorrect comparison of redirect URL and CookieDomain. Fixes #15685
According to docs, URL.Host contains the host and port, while Hostname
returns only the host without the port. CookieDomain obviously does not
contain the port. string.HasSuffix function is used, so if a port is set
in the redirect URL, this check always fails.
* Fixed missing parentheses
---------
Co-authored-by: Dewi Roberts <dewi@goauthentik.io >
2026-01-22 17:44:22 +00:00
Dominic R
3873f43ea3
outpost/proxyv2: fix stale session cookie causing 400 error in createState ( #19026 )
2026-01-13 10:52:42 -05:00
Dominic R
a479c79b34
internal/outpost: improve PostgreSQL connection options parsing ( #19118 )
...
* internal: Outpost's conn options should be base64 json
* correctly parse target_session_attrs + tests
* fix port handling to use env provided port
* add multiple port handling abilities to mirror the python config parser
---------
Co-authored-by: Duncan Tasker <tasatree@gmail.com >
2026-01-13 10:52:28 -05:00
Jens L.
34547048a1
internal: rework liveness probe and proxy ( #19312 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2026-01-13 15:11:07 +01:00
Marc 'risson' Schmitt
1a4ae2f102
outpost/proxyv2: reduce max number of postgres connections ( #19211 )
2026-01-06 18:19:41 +00:00
Dominic R
1a963d27c8
admin/files: support %(theme)s variable in media file paths ( #19108 )
...
* admin/files: support %(theme)s variable in media file paths
* wip
* Apply suggestion from @rissson
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Signed-off-by: Dominic R <dominic@sdko.org >
---------
Signed-off-by: Dominic R <dominic@sdko.org >
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
2026-01-06 13:21:11 +00:00
Connor Peshek
4ac01724a5
rbac: Add show all to roles tab, add role tab to groups ( #19097 )
...
* improve sort order and inherit visual
* Update web/src/admin/groups/GroupViewPage.ts
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
* Update web/src/admin/users/UserViewPage.ts
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
* Update web/src/admin/roles/RelatedRoleList.ts
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
* Update web/src/admin/roles/RelatedRoleList.ts
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
* Update web/src/admin/roles/RelatedRoleList.ts
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
* Update web/src/admin/roles/RelatedRoleList.ts
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
* setup include inherited roles and fix returning nothing
* update api calls
* fix rendering error
* do not use set
* change from exception handling
* go off query param
* fix wording
* fix linting error for new group api structure
---------
Signed-off-by: Connor Peshek <connor@connorpeshek.me >
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com >
2026-01-05 23:14:44 +00:00
Jens L.
b5848765b2
internal: update TLS Suite ( #19076 )
...
* internal: update TLS Suite
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* disable chacha20 due to fips
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2025-12-28 14:46:27 +01:00
Jens L.
9ef7f706e9
internal: don't warn on empty outpost for embedded ( #18786 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2025-12-14 00:50:58 +01:00
authentik-automation[bot]
fbe8028b08
root: bump version to 2026.2.0-rc1 ( #18794 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2025-12-12 20:59:47 +00:00
Marcelo Elizeche Landó
15b93a5e9d
stages/identification: Add WebAuthn conditional UI (passkey autofill) support ( #18377 )
...
* add passkey_login to identification stage
* handle passkey auth in identification stage
* Add passkey settings in identification stage in the admin UI
* Add UI changes for basic passkey conditional login
* Fix linting
* rework
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update tests
* update admin form
* allow passing stage to validate_challenge_webauthn
* update flows/tests/test_inspector.py
* update for new field
* Fix linting
* update go solvers for identification challenge
* Refactor tests
* Skip mfa validation if user already authenticated via passkey at identification stage
* Add skip_if_passkey_authenticated option to authenticator validate stage and UI
* Add e2e test for passkey login conditional ui
* add policy
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* Remove skip_if_passkey_authenticated
* fix blueprint
* Set backend so password stage policy knows user is already authenticated
* Set backend so password stage policy knows user is already authenticated
* fix linting
* slight tweaks
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* simplify e2e test
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Marcelo Elizeche Landó <marcelo@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2025-12-11 11:49:05 -03:00
Dominic R
3353db0d7f
outpost/proxyv2: more tests, fix pg password with spaces, and existing session on restart ( #18211 )
...
* outpost/proxyv2: handle PostgreSQL passwords with spaces and special characters
And modify / add some more tests and a bit of refactoring
* Potential fix for code scanning alert no. 268: Disabled TLS certificate check
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Dominic R <dominic@sdko.org >
* Revert "Potential fix for code scanning alert no. 268: Disabled TLS certificate check"
This reverts commit ead227a272.
* wip
* fix incorrect status code in error response
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Dominic R <dominic@sdko.org >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2025-12-11 14:25:41 +00:00
Simonyi Gergő
f7e23295ed
core: add digraph group hierarchy ( #17050 )
...
* move imports
* core: add digraph group hierarchy
* move to permissions from Group or User to Role
* set group parents on frontend
* do not serialize `GroupParentageNode` directly
* core: enforce unique group name on database level
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* use group parents in LDAP provider
* add user-role relationship control to frontend
* move materialized view to be more discoverable
* add guardian to mypy exceptions
* make `Role` a `ManagedModel`
* fixup! make `Role` a `ManagedModel`
* simplify `get_objects_for_user`
* fix flaky unit test
* rename `django-guardian` fork to `ak-guardian`
* add tests around users/groups/roles
* remove unused guardian config variable
* simplify guardian file structure
* clean up frontend
* initial docs
* remove `mode` from `InitialPermissions`
This is no longer needed, since users no longer directly have permissions.
* fixup! Merge branch 'main' into core/add-digraph-group-hierarchy
* clean up docs for managing permissions
* addendums from docs review
* fixup! Merge branch 'main' into core/add-digraph-group-hierarchy
* tweaks
* dewi and tana edits to docs
* tweak
* truly final tweaks, for now
* relabel Role Permissions table
* clarify button label
* fixup! Merge branch 'main' into core/add-digraph-group-hierarchy
* fixup! Merge branch 'main' into core/add-digraph-group-hierarchy
* merge migrations
* fixup! Merge branch 'main' into core/add-digraph-group-hierarchy
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Tana M Berry <tana@goauthentik.io >
2025-12-08 12:04:04 +01:00
Marc 'risson' Schmitt
c30d1a478d
files: rework ( #17535 )
...
Co-authored-by: Dominic R <dominic@sdko.org >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Tana M Berry <tana@goauthentik.io >
2025-12-02 18:01:51 +01:00
Jens L.
1aff2c2b3a
providers/radius: revert fix inverted message authenticator validation ( #17855 ) ( #17915 )
...
Revert "providers/radius: fix inverted message authenticator validation (#17855)"
This reverts commit 09e3301c8f.
2025-11-03 16:10:41 +01:00
Jens L.
894db1237a
internal: add default go http server timeouts ( #17858 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2025-11-01 19:04:13 +01:00
Jens L.
09e3301c8f
providers/radius: fix inverted message authenticator validation ( #17855 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2025-11-01 17:58:48 +01:00
Jens L.
f242de17f5
internal: full openssl path ( #17856 )
2025-10-31 15:14:43 +01:00
Teffen Ellis
45d0c7c24b
web/a11y: Isolated Outpost Error Page ( #17683 )
...
* web: Remove external resources from error page.
* web: Remove home link.
2025-10-30 23:00:01 +00:00
Dominic R
ec00a918b3
outposts: update permissions more eagerly ( #17783 )
...
* wip
* wip
* a
* a
Signed-off-by: Dominic R <dominic@sdko.org >
* rm
* this
* rm test files
* cover one more case
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Dominic R <dominic@sdko.org >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2025-10-30 18:33:51 +01:00
Marc 'risson' Schmitt
1b77e93ecb
internal/web/proxy: fix return status code during startup ( #17827 )
2025-10-30 17:12:42 +01:00
Jens L.
9b6aa56df2
providers/radius: fix panic when no cert is configured ( #17762 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2025-10-28 15:42:11 +01:00
Jens L.
e7235732bb
providers/proxy: fix missing JWT/claims header ( #17759 )
...
* replace interface{} with any
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix raw token not saved to map or json
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* also fix proxy claims
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix test
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2025-10-28 15:14:07 +01:00
Jens L.
e2904d13a9
providers/proxy: add gorm logging ( #17758 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2025-10-28 14:39:47 +01:00
Jens L.
e9347e88e1
providers/proxy: drop headers with underscores ( #17650 )
...
drop any headers with underscores that we set in the remote system
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2025-10-22 15:19:34 +02:00
authentik-automation[bot]
db213a8944
root: bump version to 2025.12.0-rc1 ( #17603 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2025-10-21 01:10:16 +02:00
Jens L.
9847c3adc8
providers/proxy: fix missing postgres import ( #17582 )
...
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2025-10-21 00:09:54 +02:00
Dominic R
795a025af9
outpost/proxyv2: postgresstore: db/pool/misc cleanup and enhancement ( #17511 )
...
* wip
* Update internal/outpost/proxyv2/application/session_postgres_test.go
Signed-off-by: Dominic R <dominic@sdko.org >
* Update refresh.go
Co-authored-by: Jens L. <jens@goauthentik.io >
Signed-off-by: Dominic R <dominic@sdko.org >
---------
Signed-off-by: Dominic R <dominic@sdko.org >
Co-authored-by: Jens L. <jens@goauthentik.io >
2025-10-20 16:25:13 +02:00
Dominic R
06bfcf04e3
outpost/proxyv2: postgresstore: credential refresh ( #17414 )
...
* outpost/proxyv2: postgresstore: credential refresh
* wip
* maybe
* maybe fix
2025-10-15 15:22:27 +02:00
Marc 'risson' Schmitt
23357f45e9
*: remove Redis leftovers ( #17146 )
...
* *: remove Redis leftovers
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* more removal
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* fix leftover
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more removal
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* lint
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* fix broken anchor
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* re-add redis for previous version migrations
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2025-10-11 01:46:53 +02:00
Dominic R
6dde8bdd4a
outpost: proxyv2: Use Postgres for the Embedded Outpost ( #16628 )
...
* wip
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Dominic R <dominic@sdko.org >
* remove testing files
* a
* wip
* pls
* pls2
* a
* Update authentik/providers/proxy/models.py
Co-authored-by: Jens L. <jens@beryju.org >
Signed-off-by: Dominic R <dominic@sdko.org >
* makemigrations
* pls
* pls1000
* don't migrate in go
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* set uuid
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix more test cases
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* better logging
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* set gorm nowfunc (gorm defaults to local time)
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* improve test db closing
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* move expiration to field
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* don't manually set table
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* refactor tests more
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* more refactor
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* fix em
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* postgres cleanup is done by worker
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update expiry and set expiring
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Signed-off-by: Dominic R <dominic@sdko.org >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens L. <jens@beryju.org >
2025-10-09 16:59:15 +02:00
Jens L.
68292fede2
enterprise/stages/mtls: Improve Email address extraction ( #17068 )
...
* enterprise/stages/mtls: improve email attribute extraction
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* return error from outpost flow executor correctly
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2025-09-28 19:28:52 +02:00
Jens L.
4ec785a598
core/api: Better naming for partial user/group serializer, optimise bindings ( #17022 )
...
* core: add index on Group.is_superuser (#17011)
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update go code
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* also optimise bindings
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* typo
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* remove unused
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
2025-09-26 14:43:39 +02:00
Marc 'risson' Schmitt
e2040dc3ad
lib/config: fix listen settings ( #17005 )
2025-09-25 15:31:17 +00:00
Marc 'risson' Schmitt
9df7e50b8f
outposts/ldap: add pwdChangeTime attribute ( #17010 )
...
* outposts/ldap: add pwdChangeTime attribute
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
* simplify
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* update schema
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2025-09-25 16:16:08 +02:00
Daniel Adu-Gyan
e415d3b667
providers/ldap: add include_children parameter to cached search mode ( #16918 )
2025-09-25 14:41:33 +02:00
Katsushi Kobayashi
053c639aa8
outposts: fix flow executor when using subpath ( #16947 )
...
* Refer refConfig's URL
* Update internal/outpost/flow/executor.go
Co-authored-by: Jens L. <jens@beryju.org >
Signed-off-by: Katsushi Kobayashi <ikob@acm.org >
---------
Signed-off-by: Katsushi Kobayashi <ikob@acm.org >
Co-authored-by: Jens L. <jens@beryju.org >
2025-09-25 14:34:44 +02:00
Marco Lecheler
df33b4d3e9
website: fix docs links ( #16926 )
...
* fix: add other docker-compose links
* fix: update other docs urls
2025-09-24 11:48:33 -04:00
Jens L.
1f81d234cb
enterprise/providers/radius: add EAP-TLS support ( #15702 )
...
* implement with library (backend)
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add outpost
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add basic docs
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* add enterprise notice to certificate
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* clearer enterprise stuff
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
* idk
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
2025-09-23 23:54:09 +02:00
Teffen Ellis
04a8357708
web: Automatic reload during server start up. ( #16030 )
...
* web: Automatic reload during server start up.
* web: Flesh out reload behavior.
* web: Flesh out wave boi.
2025-08-26 15:13:22 +00:00
Dominic R
1c36b361b2
router: fix missing response headers on compressed 404 for static files ( #16216 )
...
* router: only serve dist assets if present; fallback to backend 404
* fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io >
Co-authored-by: Jens Langhammer <jens@goauthentik.io >
2025-08-18 20:18:28 +01:00
authentik-automation[bot]
130fe4cac7
root: bump version to 2025.10.0-rc1 ( #16149 )
...
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
2025-08-12 21:17:14 +00:00
Marc 'risson' Schmitt
a4c7e7ba2e
root: bump version to 2025.8.0-rc1 ( #16135 )
2025-08-12 15:24:23 +00:00
Jens L.
a38239509b
root: Better version bump ( #14905 )
...
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space >
2025-08-12 13:50:12 +00:00
Dominic R
ffe767fe13
outpost: proxy: handle nil HTTP response in attemptBasicAuth function ( #13781 )
...
* outpost: proxy: handle nil HTTP response in attemptBasicAuth function
Fixes a nil pointer dereference that occurs when an HTTP request fails in the attemptBasicAuth function. Added additional checks to safely handle cases where the HTTP response or its body is nil.
* add defer res.Body.Close() to prevent resource leaks in basic auth
* oops
* this
* Revert "this"
This reverts commit 7f7d110291.
* wip
* better?
2025-08-12 11:40:18 +01:00