* main: (77 commits)
web: Ignore Storybook when running codespell. (#13454)
core: bump ruff from 0.9.9 to 0.9.10 (#13448)
core: bump webauthn from 2.5.1 to 2.5.2 (#13449)
website/docs: backup and restore: remove extra period (#13440)
website: bump prismjs from 1.29.0 to 1.30.0 in /website (#13456)
web: bump prismjs from 1.29.0 to 1.30.0 in /web (#13455)
web: admin interface: faster card load (#13331)
web/admin: fix display bug for assigned users in application bindings in the wizard (#13435)
website: bump the build group across 1 directory with 9 updates (#13442)
core: bump django from 5.0.12 to 5.0.13 (#13425)
providers/SCIM: fix object exists error for users, attempt to look up user ID in remote system (#13437)
website/docs: sys mgmt: document authentik backups/restoration (#12943)
website: fix build in docker (#13430)
website/integrations: zipline: add (#13257)
translate: Updates for file web/xliff/en.xlf in fr (#13431)
lifecycle/aws: bump aws-cdk from 2.1002.0 to 2.1003.0 in /lifecycle/aws (#13426)
translate: Updates for file web/xliff/en.xlf in zh_CN (#13428)
translate: Updates for file web/xliff/en.xlf in zh-Hans (#13429)
core, web: update translations (#13423)
website: add a better edit this page element (#13391)
...
* website/docs: backup and restore: remove extra period
shameful
Signed-off-by: Dominic R <dominic@sdko.org>
* wip
---------
Signed-off-by: Dominic R <dominic@sdko.org>
* wip
* wip
* try to make this work with ken's writeup
Signed-off-by: Dominic R <dominic@sdko.org>
* wip
---------
Signed-off-by: Dominic R <dominic@sdko.org>
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* web/admin: fix display bug for assigned users in application bindings in the wizard
## What
Modifies the type-of-binding detection algorithm to check if there's a user field and
that it's a number.
## Why
The original type-of-binding detector checked if the field was set and asserted that it was a string
of at least one character. Unfortunately, this doesn't work for `user`, where the primary key is an
integer. Changing the algorithm to "It's really a string with something in it, *or* it's a number,"
works.
## Testing
- Ensure you have at least one user you can use, and that user has a username.
- Navigate through the Application Wizard until you reach the binding page.
- Create a user binding
- See that the user shows up in the table.
* init
Signed-off-by: Dominic R <dominic@sdko.org>
* docs: sys mgmt: add backup documentation
* adapt command as you're already as root in postgres from what I tested and this is the easiest no-config-change solution that works
* Marc's comment
* href continuous archiving for pg
* add to sidebar
* restore documentation
* tana is gonna yell at me
* start
* static directories table fix my mess
* Update website/docs/sys-mgmt/ops/backup-restore.md
Signed-off-by: Dominic R <dominic@sdko.org>
* Update website/docs/sys-mgmt/ops/backup-restore.md
Signed-off-by: Dominic R <dominic@sdko.org>
---------
Signed-off-by: Dominic R <dominic@sdko.org>
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* web/admin: allow admins to show only active users in Group assignments
## What
Adds a flag and a visible control to the "Add users to groups" dialog to limit the users
shown to only those marked as "active."
## Why
Requested, it was small, it made sense, and it was fairly trivial to implement. All the
infrastructure already existed.
## Testing
- Ensure you have both "active" and "inactive" users in your sample group.
- Visit Groups -> (One Group) -> Users ->. Click "Add existing user." Click the `+` symbol.
- A new toggle control, "Show inactive users," should now be visible.
- Click it and note whether or not the visible display corresponds to the stote of the control.
## Note
This commit does not address the second half of the request, "... the ability to add more than one
user to an entitlement." We recommend that if you have a group of people who correspond to a given
entitlement that you create a named group for them.
## Related Issue:
- [Hide disabled users when adding users to a group or entitlement
#12653](https://github.com/goauthentik/authentik/issues/12653)
* Provided an explanation for the odd expression around `CoreApi.coreUsersList:isActive`
* Use logical CSS; give room to expand
* Disambiguate variable names
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* web/admin: ensure modal container on user-settings page is min-height: 100%
## What
Add a min-height and auto-scroll directives to the CSS for the main section of the user-settings
page.
```
+ .pf-c-page__main {
+ min-height: 100vw;
+ overflow-y: auto;
```
## Why
Without this, Safari refused to render any pop-up modals that were "centered" on the viewport but
were "beneath" the rendered content space of the container. As a result, users could not create new
access tokens or app passwords. This is arguably incorrect behavior on Safari's part, but 🤷♀️.
Adding `overflow-y: auto` on the container means that if the page is not long enough to host the
pop-up, it will be accessible via scrolling.
## Testing
- Using Safari, Visit the User->User Settings, click "Tokens and App Passwords" tab, and click
"Create Token" or "Create App Password"
- Observe that the dialog is now accessible.
## Related Issue:
- [Unable to create API token in Safari
#12891](https://github.com/goauthentik/authentik/issues/12891)
* Fix a really stupid typo.
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* web/admin: fix markdown being completely whited out in dark mode on proxy provider pages
## What
Removed the `pf-m-light` hard-code specification from the wrapper for Markdown.
## Why
Color themes backed with CSS custom properties are vulnerable to overspecification, and that's what
this class did; overspecified the background color to always be in "light mode," which the Markdown
component then inherited.
## Testing
Create a proxy provider page for Forward Auth Proxy (Domain-Level). Using the browser's inspector,
choose the "Styles" tab and click on the paintbrush. Alternate between dark mode and light, and
observe that the styled markdown is changing color along with the rest of the application.
## Related Issue:
- [Proxy Provider setup section completely whited out.
#13335](https://github.com/goauthentik/authentik/issues/13335)
* web/admin: use card background color directly when not in dark mode
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* web/admin: decorative display in user's page breaks in other locales
## What
Move the decorations out of the display string and make them part of the presentation instead:
```
- <small>${item.name === "" ? msg("<No name set>") : item.name}</small>
+ <small>${item.name ? item.name : html`<${msg("No name set")}>`}</small>
```
Also a bit of logic re-arrangement; whenever possible, try to put the fallback condition in the
secondary position. A ternary is appropriate here; the nullish coalescing operator (`??`) is not
triggered by an empty string.
## Why
The decorations are being misinterpreted as HTML markers. The localization function re-interprets
the ampersand a second time, creating the string `&lt;No name set&gt;.
## Testing
- Visit the user administration page in English mode:
http://localhost:9000/if/admin/#/identity/users
- Create a user but do NOT fill in the Name field (the second field, which lacks an asterisk
indicating "required.")
- Note that the user shows up, and `<No name set>` is displayed for the user's display name.
- Visit the user administration page in French mode:
http://localhost:9000/if/admin/?locale=fr#/identity/users
- Note that the user shows up, and `<No name set>` (or, if the field is translated, "Aucun nom
spécifié") is displayed for the user's display name.
## Related Issue:
- [Users list wrong display when Locale is not "EN - English"
#12951](https://github.com/goauthentik/authentik/issues/12951)
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* ## What
Replaces `moment.js` with `date-fns` as a runtime dependency for Chart.js and other features
requiring date manipulation libraries. `date-fns` (and `chartjs-adapter-date-fns`) provides a 1:1
compatible API with Moment.js, is significantly faster and smaller. Moment.js adds
74KB to our bundle; in constrast, using DateFns adds only 18KB.
## Why
[Because ChartJS recommends it](https://github.com/chartjs/chartjs-adapter-moment#overview), and
because DateFns are easier to import and use.
It's worth noting that chartjs-adapter-date-fns was last updated three years ago, but
chartjs-adapter-moment was last updated *four* years ago. Both can be considered stable at this
point, so this cannot be considered an untested swap.
## Testing
1. In the *built* version of the product, assert that in the `./dist/admin/*` folder, no instance of
`node_modules/moment` is included. `grep "node_modules/moment" ./dist/admin/*` is sufficient for
this. On the other hand, searching for `date-fns` will get you entries in the maps:
```
// ... many lines of date-fns inclusion; this is near the end, to show the chartjs adapter is
// also included.
admin/chunk-TRZMFVHL.js:// node_modules/date-fns/startOfSecond.js
admin/chunk-TRZMFVHL.js:// node_modules/date-fns/parseISO.js
admin/chunk-TRZMFVHL.js:// node_modules/chartjs-adapter-date-fns/dist/chartjs-adapter-date-fns.esm.js
admin/chunk-TRZMFVHL.js: _id: "date-fns",
admin/chunk-TRZMFVHL.js:chartjs-adapter-date-fns/dist/chartjs-adapter-date-fns.esm.js:
```
2. Visually inspect and assert that the graphs in Dashboard➜Overview, User➜Statistics, and
Directory➜Users➜A User are functioning unchanged.
## Documentation Changes Required
None. No developer or user documentation changes are required.
---------
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Update index.md
I updated SOCIAL_AUTH_OIDC_SCOPE so it can dynamically be updated in Docker vs authentik.py.
SOCIAL_AUTH_OIDC_ENDPOINT needs to be SOCIAL_AUTH_OIDC_OIDC_ENDPOINT. I found the correct variable in venv/lib/python3.12/site-packages/social_core/backends/open_id_connect.py.
Signed-off-by: dustindkoch <63759985+dustindkoch@users.noreply.github.com>
* added Enterprise label
* fix date to be semantic version
* added Ent label, for real this time
* add Ent to procedural page too
---------
Co-authored-by: Tana M Berry <tana@goauthentik.com>
* Add Passkeys reference in several parts where WebAuthn is mentioned for better docs UX and SEO)
* Add version badge to Webauthn / passkeys authenticator
* fix linting issues
* Better wording to differenciate concepts
* Revert to css class for version badge because the ak-version tag don't support versions=<2023
* first pass at removing wizard
* missed one
* Replaced the word modal wth the word box or simply rewrote to avoid saying modal.
* typo
---------
Co-authored-by: Tana M Berry <tana@goauthentik.com>
* website/docs/add-secure-apps/providers/sff/index.md
* draft
* dir name
* added procedural
* first draft for review
* tweak
* tweak
* backchannel info
* tweak
* edits form Ken and Dominic
* not sure
* tweak to rebuild
* tweak
* added finishing sentence
* tweaks
* typos
---------
Co-authored-by: Tana M Berry <tana@goauthentik.com>
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* web/legible/disambiguate-footer-links
# What
- Replaces the "brand links" box at the bottom of FlowExecutor with a component for showing brand
links.
# Why
- Confusion arose about what "footer links" mean in any given context, and breaking this out,
labeling it "brand-links," reduces that confusion. It also isolates and reduces the testable
surface area of the Executor.
* rename
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* simplify
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
The sentence is broken; fixing typo to clarify that a secure connection is established *before* an LDAP bind.
Signed-off-by: klmmr <35450576+klmmr@users.noreply.github.com>
Determining the state of the caps-lock key can be tricky as we're
dependant on a user-provided input to set a value. Thus, our initial
state defaults to not display any warning until the first keystroke.
- Revise to better use lit-html.
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* web: Make using the wizard the default for new applications
# What
1. I removed the "Wizard Hint" bar and migrated the "Create With Wizard" button down to the default
position as "Create With Provider," moving the "Create" button to a secondary position.
Primary coloring has been kept for both.
2. Added an alert to the "Create" legacy dialog:
> Using this form will only create an Application. In order to authenticate with the application,
> you will have to manually pair it with a Provider.
3. Updated the subtitle on the Wizard dialog:
``` diff
- wizardDescription = msg("Create a new application");
+ wizardDescription = msg("Create a new application and configure a provider for it.");
```
4. Updated the User page so that, if the User is-a Administrator and the number of Applications in
the system is zero, the user will be invited to create a new Application using the Wizard rather
than the legacy Form:
```diff
renderNewAppButton() {
const href = paramURL("/core/applications", {
- createForm: true,
+ createWizard: true,
});
```
5. Fixed a bug where, on initial render, if the `this.brand` field was not available, an error would
appear in the console. The effects were usually harmless, as brand information came quickly and
filled in before the user could notice, but it looked bad in the debugger.
6. Fixed a bug in testing where the wizard page "Configure Policy Bindings" had been changed to
"Configure Policy/User/Group Binding".
# Testing
Since the wizard OUID didn't change (`data-ouia-component-id="start-application-wizard"`), the E2E
tests for "Application Wizard" completed without any substantial changes to the routine or to the
tests.
``` sh
npm run test:e2e:watch -- --spec ./tests/specs/new-application-by-wizard.ts
```
# User documentation changes required.
These changes were made at the request of docs, as an initial draft to show how the page looks with
the Application Wizard as he default tool for creating new Applications.
# Developer documentation changes required.
None.
* main:
web/user: fix opening application with Enter not respecting new tab setting (#13115)
web: bump API Client version (#13113)
providers/rac: move to open source (#13015)
website/docs: add 2025.2 release notes (#13002)
core: clear expired database sessions (#13105)
core: bump sentry-sdk from 2.21.0 to 2.22.0 (#13098)
core: bump bandit from 1.8.2 to 1.8.3 (#13097)
core: bump aws-cdk-lib from 2.178.2 to 2.179.0 (#13099)
core: bump goauthentik.io/api/v3 from 3.2024123.4 to 3.2024123.6 (#13100)
lifecycle/aws: bump aws-cdk from 2.178.2 to 2.179.0 in /lifecycle/aws (#13101)
website/docs: Add AdventureLog Community Integration Documentation (#12928)
website/docs: minor fixes (#13095)
website/integrations: Update to Wizard and Styling Guide (#12919)
web: bump API Client version (#13093)
policies/geoip: distance + impossible travel (#12541)
root: fix generated API docs not being excluded from codespell (#13091)
* main: (24 commits)
core: add additional RBAC permission to restrict setting the superuser status on groups (#12900)
web: bump API Client version (#13089)
core: bump github.com/spf13/cobra from 1.8.1 to 1.9.1 (#13085)
stages/authenticator_email: Email OTP (#12630)
website: bump dompurify and mermaid in /website (#13077)
web: bump dompurify and mermaid in /web (#13078)
core: bump django-filter from 24.3 to 25.1 (#13086)
enterprise/audit: fix diff being created when not enabled (#13084)
core, web: update translations (#13088)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#13080)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#13081)
translate: Updates for file web/xliff/en.xlf in zh-Hans (#13082)
translate: Updates for file web/xliff/en.xlf in zh_CN (#13083)
core: bump django-storages from 1.14.4 to 1.14.5 (#13087)
web/user: fix redirects back to user settings (#13076)
ci: parallelize unit tests (#13036)
core, web: update translations (#13072)
stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#13073)
root: Improve debugging experience (#12961)
core, web: update translations (#13071)
...
* main: (35 commits)
translate: Updates for file web/xliff/en.xlf in ko [Manual Sync] (#13045)
translate: Updates for file web/xliff/en.xlf in pl [Manual Sync] (#13043)
translate: Updates for file web/xliff/en.xlf in ru [Manual Sync] (#13055)
translate: Updates for file locale/en/LC_MESSAGES/django.po in pl [Manual Sync] (#13062)
translate: Updates for file web/xliff/en.xlf in zh_TW [Manual Sync] (#13056)
translate: Updates for file locale/en/LC_MESSAGES/django.po in nl [Manual Sync] (#13058)
translate: Updates for file locale/en/LC_MESSAGES/django.po in ru [Manual Sync] (#13063)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_TW [Manual Sync] (#13064)
translate: Updates for file locale/en/LC_MESSAGES/django.po in ko [Manual Sync] (#13060)
translate: Updates for file web/xliff/en.xlf in nl [Manual Sync] (#13044)
web: Silence ESBuild warning. (#13025)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans [Manual Sync] (#13066)
translate: Updates for file locale/en/LC_MESSAGES/django.po in tr [Manual Sync] (#13061)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN [Manual Sync] (#13065)
translate: Updates for file locale/en/LC_MESSAGES/django.po in it [Manual Sync] (#13057)
translate: Updates for file locale/en/LC_MESSAGES/django.po in pt_BR [Manual Sync] (#13059)
translate: Updates for file locale/en/LC_MESSAGES/django.po in de [Manual Sync] (#13051)
translate: Updates for file locale/en/LC_MESSAGES/django.po in fi [Manual Sync] (#13052)
translate: Updates for file web/xliff/en.xlf in zh-Hans [Manual Sync] (#13050)
translate: Updates for file locale/en/LC_MESSAGES/django.po in es [Manual Sync] (#13054)
...
* main: (111 commits)
root: correctly use correct schema for install_id (#13018)
website: bump docusaurus-plugin-openapi-docs from 4.3.3 to 4.3.4 in /website (#13011)
web: bump API Client version (#13017)
core: bump aws-cdk-lib from 2.178.1 to 2.178.2 (#13013)
core: bump oss/go/microsoft/golang from 1.23-fips-bookworm to 1.24-fips-bookworm (#13012)
website: bump docusaurus-theme-openapi-docs from 4.3.3 to 4.3.4 in /website (#13010)
lifecycle/aws: bump aws-cdk from 2.178.1 to 2.178.2 in /lifecycle/aws (#13009)
core: bump github.com/sethvargo/go-envconfig from 1.1.0 to 1.1.1 (#13008)
web/admin: fix source selection for identification stage (#13007)
core: bump sentry-sdk from 2.20.0 to 2.21.0 (#13014)
website/integrations: Open WebUI (#12939)
root: use correct default schema for install_id (#13006)
website/docs: fix a minor typo (#13004)
enterprise/providers/ssf: fixes v2 (#13003)
root: make default postgres schema configurable (#12949)
providers/oauth2: cleanup tokens when user is deactivated (#12859)
website/docs: fix Nginx redirection example (#12920)
core: bump twilio from 9.4.4 to 9.4.5 (#12993)
core: bump coverage from 7.6.11 to 7.6.12 (#12994)
core: bump cryptography from 44.0.0 to 44.0.1 (#12992)
...
* main:
web: update gen-client-ts to OpenAPI 7.11.0 (#12756)
website/integrations: rustdesk-server-pro (#12706)
core: bump codespell from 2.3.0 to 2.4.0 (#12762)
root: docker: ensure apt packages are up-to-date (#12683)
ci: fix missing build args for dev and release (#12760)
web: bump vite from 5.4.11 to 5.4.14 in /web (#12757)
web: bump undici from 6.21.0 to 6.21.1 in /web (#12755)
lifecycle: fix cryptography's OpenSSL path (#12753)
* main: (65 commits)
stages/redirect: fix query parameter when redirecting to flow (#12750)
website/integrations: cloudflare-access: refactor (#12663)
sources/kerberos: handle principal expire time (#12748)
lifecycle: build binary dependencies which link against SSL directly (#12724)
website/docs: style guide: document styling preferences for URLs (#12715)
website/integrations: nextcloud: fix broken link (#12744)
core: bump selenium from 4.27.1 to 4.28.0 (#12745)
lifecycle: move AWS CFN generation to lifecycle and fix CI (#12743)
core: search users' attributes (#12740)
web/components: ak-number-input: add support for min (#12703)
website/integrations: nextcloud: fix url for "disable username changes" (#12725)
core: bump pytest-github-actions-annotate-failures from 0.2.0 to 0.3.0 (#12735)
website: bump katex from 0.16.11 to 0.16.21 in /website (#12731)
web: bump katex from 0.16.11 to 0.16.21 in /web (#12730)
website/integrations: Fix URL for authentik installation instead of mobilizon installation (#12729)
core: bump debugpy from 1.8.11 to 1.8.12 (#12718)
core: bump ruff from 0.9.1 to 0.9.2 (#12717)
core: bump webauthn from 2.4.0 to 2.5.0 (#12719)
core: bump structlog from 24.4.0 to 25.1.0 (#12720)
website/integrations: all: install -> installation (#12676)
...
* main:
website: revise full development environment instructions (#12638)
website: bump typescript from 5.7.2 to 5.7.3 in /website (#12620)
website: bump aws-cdk from 2.174.1 to 2.175.0 in /website (#12621)
ci: bump docker/setup-qemu-action from 3.2.0 to 3.3.0 (#12622)
core: bump twilio from 9.4.1 to 9.4.2 (#12623)
core: bump python-kadmin-rs from 0.5.2 to 0.5.3 (#12624)
core: bump ruff from 0.8.6 to 0.9.0 (#12625)
core: bump pydantic from 2.10.4 to 2.10.5 (#12626)
core: bump google-api-python-client from 2.157.0 to 2.158.0 (#12628)
core: bump goauthentik.io/api/v3 from 3.2024121.3 to 3.2024122.1 (#12629)
web: bump API Client version (#12617)
release: 2024.12.2 (#12615)
website/docs: prepare 2024.12.2 release notes (#12614)
providers/saml: fix invalid SAML Response when assertion and response are signed (#12611)
core: fix error when creating new user with default path (#12609)
rbac: permissions endpoint: allow authenticated users (#12608)
website/docs: update customer portal (#12603)
website/docs: policy for email whitelist: modernize (#12558)
* main:
lib: add expression helper ak_create_jwt to create JWTs (#12599)
api: cleanup owner permissions (#12598)
website: bump aws-cdk from 2.174.0 to 2.174.1 in /website (#12593)
core: bump aws-cdk-lib from 2.174.0 to 2.174.1 (#12594)
website/integrations: portainer: group config steps (#12548)
translate: Updates for file web/xliff/en.xlf in fi (#12586)
translate: Updates for file locale/en/LC_MESSAGES/django.po in fi (#12584)
website/docs: fix Nginx redirection example (#12561)
* main:
core: bump golang.org/x/oauth2 from 0.24.0 to 0.25.0 (#12571)
website: bump the docusaurus group in /website with 9 updates (#12569)
core: bump github.com/coreos/go-oidc/v3 from 3.11.0 to 3.12.0 (#12572)
core: bump ruff from 0.8.5 to 0.8.6 (#12573)
ci: release: fix AWS cfn template permissions (#12576)
translate: Updates for file web/xliff/en.xlf in fr (#12578)
translate: Updates for file locale/en/LC_MESSAGES/django.po in fr (#12577)
sources/kerberos: authenticate with the user's username instead of the first username in authentik (#12497)
website/integrations: Fix deprecated terraform ressource authentik_scope_mapping in docs (#12554)
website/user-sources Fix Free IPA docs page (#12549)
core: bump aws-cdk-lib from 2.173.4 to 2.174.0 (#12574)
website/integrations: semaphore: fix formatting (#12567)
website: bump aws-cdk from 2.173.4 to 2.174.0 in /website (#12570)
website/integrations: Update Frappe Application index.md (#12527)
website: add api reference docs to redirect file (#12551)
* main: (118 commits)
outposts: fix version label (#12486)
web: only load version context when authenticated (#12482)
core: bump goauthentik.io/api/v3 from 3.2024120.2 to 3.2024121.2 (#12478)
ci: bump helm/kind-action from 1.11.0 to 1.12.0 (#12479)
web: fix build dev build (#12473)
root: fix dev build version being invalid semver (#12472)
internal: fix missing trailing slash in outpost websocket (#12470)
web: bump API Client version (#12469)
admin: monitor worker version (#12463)
core: bump jinja2 from 3.1.4 to 3.1.5 (#12467)
web: bump API Client version (#12468)
release: 2024.12.1 (#12466)
web: misc fixes for admin and flow inspector (#12461)
website/docs: 2024.12.1 release notes (#12462)
core: bump goauthentik.io/api/v3 from 3.2024120.1 to 3.2024120.2 (#12456)
core: bump urllib3 from 2.2.3 to 2.3.0 (#12457)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#12454)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#12453)
translate: Updates for file web/xliff/en.xlf in zh-Hans (#12455)
translate: Updates for file web/xliff/en.xlf in zh_CN (#12458)
...
* main:
flows: better test stage's challenge responses (#12316)
enterprise/stages/authenticator_endpoint_gdtc: don't set frame options globally (#12311)
stages/identification: fix invalid challenge warning when no captcha stage is set (#12312)
website/docs: prepare 2024.10.5 release notes (#12309)
website: bump nanoid from 3.3.7 to 3.3.8 in /website (#12307)
flows: silent authz flow (#12213)
root: use healthcheck in depends_on for postgres and redis (#12301)
ci: ensure mark jobs always run and reflect correct status (#12288)
enterprise: allow deletion/modification of users when in read-only mode (#12289)
web/flows: resize captcha iframes (#12260)
* main:
website/docs: add page about the Cobalt pentest (#12249)
core: bump aws-cdk-lib from 2.171.1 to 2.172.0 (#12296)
website: bump aws-cdk from 2.171.1 to 2.172.0 in /website (#12295)
core: bump sentry-sdk from 2.19.1 to 2.19.2 (#12297)
core: bump coverage from 7.6.8 to 7.6.9 (#12299)
core, web: update translations (#12290)
root: fix override locale only if it is not empty (#12283)
translate: Updates for file web/xliff/en.xlf in fr (#12276)
core: bump twilio from 9.3.7 to 9.3.8 (#12282)
website: bump path-to-regexp and express in /website (#12279)
core: bump sentry-sdk from 2.19.0 to 2.19.1 (#12280)
core: bump ruff from 0.8.1 to 0.8.2 (#12281)
website/docs: fix lint (#12287)
website/integrations: netbird: fix redirect URI regex (#12284)
* main:
web: simplify `?inline` handler for Storybook (#12246)
website/docs: Update Traefik middleware example to reflect latest version of Traefik (#12267)
website/docs: add . in https://netbird.company* (#12166)
core: bump goauthentik.io/api/v3 from 3.2024104.1 to 3.2024104.2 (#12263)
core: bump pydantic from 2.10.2 to 2.10.3 (#12262)
core: bump github.com/getsentry/sentry-go from 0.29.1 to 0.30.0 (#12264)
core, web: update translations (#12268)
website: bump @types/react from 18.3.12 to 18.3.13 in /website (#12269)
website: bump prettier from 3.4.1 to 3.4.2 in /website (#12270)
ci: bump actions/attest-build-provenance from 1 to 2 (#12271)
core: bump golang.org/x/sync from 0.9.0 to 0.10.0 (#12272)
core: bump django from 5.0.9 to 5.0.10 (#12273)
core: bump webauthn from 2.3.0 to 2.4.0 (#12274)
website/integrations: add The Lounge (#11971)
core: bump python-kadmin-rs from 0.3.0 to 0.4.0 (#12257)
root: fix health status code (#12255)
ci: fix should_push always being false (#12252)
web: bump API Client version (#12251)
providers/oauth2: Add provider federation between OAuth2 Providers (#12083)
website/integrations: mastodon: set correct uid field (#11945)
* main:
website/docs: Add note about single group per role (#12169)
website/docs: Fix documentation about attribute merging for indirect membership (#12168)
root: support running authentik in subpath (#8675)
docs: fix contribution link (#12189)
core, web: update translations (#12190)
core: Bump msgraph-sdk from 1.12.0 to 1.13.0 (#12191)
core: Bump selenium from 4.26.1 to 4.27.0 (#12192)
* main:
ci: only mirror if secret is available (#12181)
root: fix database ssl options not set correctly (#12180)
core, web: update translations (#12145)
core: bump tornado from 6.4.1 to 6.4.2 (#12165)
website: bump the docusaurus group in /website with 9 updates (#12172)
website: bump typescript from 5.6.3 to 5.7.2 in /website (#12173)
ci: bump actions/checkout from 3 to 4 (#12174)
core: bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12175)
core: bump coverage from 7.6.7 to 7.6.8 (#12176)
core: bump ruff from 0.7.4 to 0.8.0 (#12177)
* main: (33 commits)
ci: mirror repo to internal repo (#12160)
core: bump goauthentik.io/api/v3 from 3.2024102.2 to 3.2024104.1 (#12149)
core: bump debugpy from 1.8.8 to 1.8.9 (#12150)
core: bump webauthn from 2.2.0 to 2.3.0 (#12151)
core: bump pydantic from 2.10.0 to 2.10.1 (#12152)
translate: Updates for file web/xliff/en.xlf in zh_CN (#12156)
translate: Updates for file web/xliff/en.xlf in zh-Hans (#12157)
core: bump sentry-sdk from 2.18.0 to 2.19.0 (#12153)
web: bump API Client version (#12147)
root: Backport version change (#12146)
website/docs: update info about footer links to match new UI (#12120)
website/docs: prepare release notes (#12142)
providers/oauth2: fix migration (#12138)
providers/oauth2: fix migration dependencies (#12123)
web: bump API Client version (#12129)
providers/oauth2: fix redirect uri input (#12122)
providers/proxy: fix redirect_uri (#12121)
website/docs: prepare release notes (#12119)
web: bump API Client version (#12118)
security: fix CVE 2024 52289 (#12113)
...
* main: (28 commits)
providers/scim: accept string and int for SCIM IDs (#12093)
website: bump the docusaurus group in /website with 9 updates (#12086)
core: fix source_flow_manager throwing error when authenticated user attempts to re-authenticate with existing link (#12080)
translate: Updates for file locale/en/LC_MESSAGES/django.po in de (#12079)
scripts: remove read_replicas from generated dev config (#12078)
core: bump geoip2 from 4.8.0 to 4.8.1 (#12071)
core: bump goauthentik.io/api/v3 from 3.2024100.2 to 3.2024102.2 (#12072)
core: bump maxmind/geoipupdate from v7.0.1 to v7.1.0 (#12073)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#12074)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#12075)
translate: Updates for file web/xliff/en.xlf in zh-Hans (#12076)
translate: Updates for file web/xliff/en.xlf in zh_CN (#12077)
web/admin: auto-prefill user path for new users based on selected path (#12070)
core: bump aiohttp from 3.10.2 to 3.10.11 (#12069)
web/admin: fix brand title not respected in application list (#12068)
core: bump pyjwt from 2.9.0 to 2.10.0 (#12063)
web: add italian locale (#11958)
web/admin: better footer links (#12004)
core, web: update translations (#12052)
core: bump twilio from 9.3.6 to 9.3.7 (#12061)
...
* main:
providers/ldap: fix global search_full_directory permission not being sufficient (#12028)
website/docs: 2024.10.2 release notes (#12025)
lifecycle: fix ak exit status not being passed (#12024)
core: use versioned_script for path only (#12003)
core, web: update translations (#12020)
core: bump google-api-python-client from 2.152.0 to 2.153.0 (#12021)
providers/oauth2: fix manual device code entry (#12017)
crypto: validate that generated certificate's name is unique (#12015)
core, web: update translations (#12006)
core: bump google-api-python-client from 2.151.0 to 2.152.0 (#12007)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#12011)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#12010)
translate: Updates for file web/xliff/en.xlf in zh-Hans (#12012)
translate: Updates for file web/xliff/en.xlf in zh_CN (#12013)
providers/proxy: fix Issuer when AUTHENTIK_HOST_BROWSER is set (#11968)
website/docs: move S3 ad GeoIP to System Management/Operations (#11998)
website/integrations: nextcloud: add SSE warning (#11976)
* main: (21 commits)
web: bump API Client version (#11997)
sources/kerberos: use new python-kadmin implementation (#11932)
core: add ability to provide reason for impersonation (#11951)
website/integrations: update vcenter integration docs (#11768)
core, web: update translations (#11995)
website: bump postcss from 8.4.48 to 8.4.49 in /website (#11996)
web: bump API Client version (#11992)
blueprints: add default Password policy (#11793)
stages/captcha: Run interactive captcha in Frame (#11857)
core, web: update translations (#11979)
core: bump packaging from 24.1 to 24.2 (#11985)
core: bump ruff from 0.7.2 to 0.7.3 (#11986)
core: bump msgraph-sdk from 1.11.0 to 1.12.0 (#11987)
website: bump the docusaurus group in /website with 9 updates (#11988)
website: bump postcss from 8.4.47 to 8.4.48 in /website (#11989)
stages/password: use recovery flow from brand (#11953)
core: bump golang.org/x/sync from 0.8.0 to 0.9.0 (#11962)
web: bump cookie, swagger-client and express in /web (#11966)
core, web: update translations (#11959)
core: bump debugpy from 1.8.7 to 1.8.8 (#11961)
...
* main:
website/docs: fix slug matching redirect URI causing broken refresh (#11950)
website/integrations: jellyfin: update plugin catalog location (#11948)
translate: Updates for file locale/en/LC_MESSAGES/django.po in de (#11942)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#11946)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#11947)
website/docs: clarify traefik ingress setup (#11938)
core: bump importlib-metadata from 8.4.0 to 8.5.0 (#11934)
web: bump API Client version (#11930)
root: backport version bump `2024.10.1` (#11929)
website/docs: `2024.10.1` Release Notes (#11926)
website: bump path-to-regexp from 1.8.0 to 1.9.0 in /website (#11924)
core: bump sentry-sdk from 2.17.0 to 2.18.0 (#11918)
website: bump the docusaurus group in /website with 9 updates (#11917)
core: bump goauthentik.io/api/v3 from 3.2024100.1 to 3.2024100.2 (#11915)
core, web: update translations (#11914)
* main:
core: add `None` check to a device's `extra_description` (#11904)
providers/oauth2: fix size limited index for tokens (#11879)
web: fix missing status code on failed build (#11903)
website: bump docusaurus-theme-openapi-docs from 4.1.0 to 4.2.0 in /website (#11897)
translate: Updates for file locale/en/LC_MESSAGES/django.po in de (#11891)
stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#11884)
translate: Updates for file web/xliff/en.xlf in tr (#11878)
translate: Updates for file locale/en/LC_MESSAGES/django.po in tr (#11866)
core: bump google-api-python-client from 2.149.0 to 2.151.0 (#11885)
core: bump selenium from 4.26.0 to 4.26.1 (#11886)
core, web: update translations (#11896)
website: bump docusaurus-plugin-openapi-docs from 4.1.0 to 4.2.0 in /website (#11898)
core: bump watchdog from 5.0.3 to 6.0.0 (#11899)
core: bump ruff from 0.7.1 to 0.7.2 (#11900)
core: bump django-pglock from 1.6.2 to 1.7.0 (#11901)
website/docs: fix release notes to say Federation (#11889)
* main:
website: bump elliptic from 6.5.7 to 6.6.0 in /website (#11869)
core: bump selenium from 4.25.0 to 4.26.0 (#11875)
core: bump goauthentik.io/api/v3 from 3.2024083.14 to 3.2024100.1 (#11876)
website/docs: add info about invalidation flow, default flows in general (#11800)
website: fix docs redirect (#11873)
website: remove RC disclaimer for version 2024.10 (#11871)
website: update supported versions (#11841)
web: bump API Client version (#11870)
root: backport version bump 2024.10.0 (#11868)
website/docs: 2024.8.4 release notes (#11862)
web/admin: provide default invalidation flows for LDAP and Radius (#11861)
* main: (43 commits)
core, web: update translations (#11858)
web/admin: fix code-based MFA toggle not working in wizard (#11854)
sources/kerberos: add kiprop to ignored system principals (#11852)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#11846)
translate: Updates for file locale/en/LC_MESSAGES/django.po in it (#11845)
translate: Updates for file web/xliff/en.xlf in zh_CN (#11847)
translate: Updates for file web/xliff/en.xlf in zh-Hans (#11848)
translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#11849)
translate: Updates for file web/xliff/en.xlf in it (#11850)
website: 2024.10 Release Notes (#11839)
translate: Updates for file web/xliff/en.xlf in zh-Hans (#11814)
core, web: update translations (#11821)
core: bump goauthentik.io/api/v3 from 3.2024083.13 to 3.2024083.14 (#11830)
core: bump service-identity from 24.1.0 to 24.2.0 (#11831)
core: bump twilio from 9.3.5 to 9.3.6 (#11832)
core: bump pytest-randomly from 3.15.0 to 3.16.0 (#11833)
website/docs: Update social-logins github (#11822)
website/docs: remove � (#11823)
lifecycle: fix kdc5-config missing (#11826)
website/docs: update preview status of different features (#11817)
...
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
2024-10-23 14:17:30 -07:00
714 changed files with 18492 additions and 2698 deletions
@@ -28,7 +28,11 @@ Output of docker-compose logs or kubectl logs respectively
**Version and Deployment (please complete the following information):**
- authentik version: [e.g. 2021.8.5]
<!--
Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
@@ -20,7 +20,12 @@ Output of docker-compose logs or kubectl logs respectively
**Version and Deployment (please complete the following information):**
- authentik version: [e.g. 2021.8.5]
<!--
Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
@@ -2,7 +2,7 @@ authentik takes security very seriously. We follow the rules of[responsible di
## Independent audits and pentests
We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specfic audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specific audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
## What authentik classifies as a CVE
@@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
