Cherry-pick #21701 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #21701
Original commit: cce646b132
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
# Conflicts:
# authentik/providers/oauth2/tests/test_device_backchannel.py
# authentik/providers/oauth2/views/device_backchannel.py
Co-authored-by: Sai Asish Y <say.apm35@gmail.com>
providers/oauth2: device code flow client id via auth header (#20457)
* Use `extract_client_auth` which can get client id from either HTTP
Authorization header or POST body
* Update documentation to reflect allow sending client id via header
* Add tests for using HTTP Basic Auth to pass in client id
Co-authored-by: Michael Beigelmacher <brooklynbagel@gmail.com>
Cherry-pick #21513 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #21513
Original commit: c84c8d86f8
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
Cherry-pick #21746 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #21746
Original commit: 189056e19a
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
Cherry-pick #21520 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #21520
Original commit: 76a5e62405
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Marcelo Elizeche Landó <marcelo@goauthentik.io>
* Cherry-pick #21219 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #21219
Original commit: 9fc8df0838
* fix
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
web/admin: handle non-string values in formatUUID to prevent Event Log crash (#20804)
fix(web): handle non-string values in formatUUID to prevent Event Log crash
When event context contains a device with a non-string pk value,
formatUUID crashes with TypeError: s.substring is not a function,
preventing the entire Event Log page from loading.
Add a type guard to coerce non-string values to their string
representation instead of crashing.
Fixes #20803
Co-authored-by: Tyson Cung <45380903+tysoncung@users.noreply.github.com>
Cherry-pick #20984 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #20984
Original commit: 046bc8ac98
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
Cherry-pick #20719 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #20719
Original commit: 6b207ca73a
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
website/docs: kerberos: add note about caching (#20663)
* Add note about caching
* Update website/docs/users-sources/sources/protocols/kerberos/index.md
---------
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dominic R <dominic@sdko.org>
internal: make http timeouts configurable (#20472)
* internal: make http timeouts configurable
* Changed formatting to match the rest of the doc
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
* Cherry-pick #20489 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #20489
Original commit: 9da1014271
* Update index.mdx
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
* Update index.mdx
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
---------
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dominic R <dominic@sdko.org>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
* Cherry-pick #19739 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #19739
Original commit: 8610ec2d52
* fix merge conflict
---------
Co-authored-by: Connor Peshek <connor@connorpeshek.me>
Co-authored-by: Marcelo Elizeche Landó <marcelo@goauthentik.io>
root: do not rely on npm cli for version bump
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
website/docs: add okta source doc (#20296)
* Begin
* Add steps
* Apply suggestions
* Update website/docs/users-sources/sources/social-logins/okta/index.md
* Apply suggestion from @dominic-r
---------
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Dominic R <dominic@sdko.org>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dominic R <dominic@sdko.org>
website/docs: rac: fixes the property mapping formatting (#20200)
Fixes the property mapping formatting
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
website/docs: add email verification scope doc (#20141)
* WIP
* Add link to 2025.10 release notes
* Apply suggestions from code review
---------
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dominic R <dominic@sdko.org>
* Cherry-pick #20049 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #20049
Original commit: 95233dd9f8
* Conflicts
* Conflicts V2
---------
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
* Cherry-pick #20045 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #20045
Original commit: b01833c143
* Conflict fix
* Conflicts
---------
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
website/docs: endpoint devices: specify name and slug (#20016)
* specify name and slug
* Update configuration.md
---------
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
outposts: fix docker_tls created files permission (#19978)
* security: use restrictive file permissions for TLS certificate files
The write_file() method used plain open() without specifying permissions,
creating files with the default umask (typically 0o644). This made private
keys readable by other users. Added an opener parameter with 0o600 mode
to ensure sensitive cryptographic material is only accessible by the owner.
* reuse
* revert import change
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Kolega.dev <security@kolega.ai>
Co-authored-by: kolega.dev <faizan@kolega.ai>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
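The permission fix described above, as an added example (not authentik's own `write_file()`): the umask-dependent `open()` beside the opener-based variant that creates the file at `0o600`. The `os.fchmod()` call goes one step beyond the commit and also tightens a file that already existed with a looser mode, since `O_CREAT`'s mode argument is only applied on creation.

```python
import os
import stat
import tempfile

# Constructed sample content standing in for a TLS private key; not a real key.
SAMPLE_KEY_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    "constructed-sample-not-a-real-key\n"
    "-----END PRIVATE KEY-----\n"
)


def write_file_umask_default(path: str, content: str) -> None:
    """Pre-fix shape: plain open() creates the file as 0o666 minus the process
    umask, so with the common umask 022 a private key lands at 0o644."""
    with open(path, "w") as f:
        f.write(content)


def write_file_owner_only(path: str, content: str) -> None:
    """Fixed shape: an opener passes mode 0o600 to os.open(), so the file is
    created owner-read/write only. os.fchmod() additionally covers a file that
    already existed with a looser mode (assumption added here, not in the PR)."""

    def _opener(p: str, flags: int) -> int:
        return os.open(p, flags, 0o600)

    with open(path, "w", opener=_opener) as f:
        os.fchmod(f.fileno(), 0o600)
        f.write(content)


def file_mode(path: str) -> int:
    """Permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def compare_modes() -> tuple[int, int, int]:
    """Write the sample key three ways and return the resulting modes:
    (umask default, owner-only on a fresh file, owner-only over an existing 0o644 file)."""
    old_umask = os.umask(0o022)  # pin the umask so the result is reproducible
    try:
        with tempfile.TemporaryDirectory() as d:
            loose = os.path.join(d, "loose.pem")
            fresh = os.path.join(d, "fresh.pem")
            existing = os.path.join(d, "existing.pem")
            write_file_umask_default(loose, SAMPLE_KEY_PEM)
            write_file_owner_only(fresh, SAMPLE_KEY_PEM)
            write_file_umask_default(existing, SAMPLE_KEY_PEM)  # starts out 0o644
            write_file_owner_only(existing, SAMPLE_KEY_PEM)  # rewrite tightens it
            return file_mode(loose), file_mode(fresh), file_mode(existing)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(["%o" % m for m in compare_modes()])
```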
Cherry-pick #19988 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #19988
Original commit: 46771748aa
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
recovery: consume token in transaction (#19967)
security: prevent recovery token reuse via race condition
Token validation, user login, and token deletion were performed as
separate non-atomic operations, allowing concurrent requests to reuse
a single recovery token. Wrapped the operation in transaction.atomic()
with select_for_update() to ensure exclusive access during token use.
Co-authored-by: Kolega.dev <security@kolega.ai>
Co-authored-by: kolega.dev <faizan@kolega.ai>
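The race above, reproduced as an added example that is not authentik's code: Django's `transaction.atomic()` plus `select_for_update()` is replaced by the equivalent in plain `sqlite3`, an explicit `BEGIN IMMEDIATE` that holds the write lock from lookup to delete. Table name, token value and the "log in" delay are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile
import threading
import time

TOKEN = "constructed-recovery-token"  # sample value, not a real token


def init_db(path: str) -> None:
    """Constructed stand-in for the recovery token table with one usable token."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE recovery_token (key TEXT PRIMARY KEY, user_id INTEGER)")
    conn.execute("INSERT INTO recovery_token VALUES (?, 1)", (TOKEN,))
    conn.commit()
    conn.close()


def consume_racy(path: str, key: str) -> bool:
    """Pre-fix shape: validate, log in, delete as three separate statements.
    Every concurrent request that reads before the first DELETE lands 'succeeds'."""
    conn = sqlite3.connect(path, timeout=10)
    try:
        row = conn.execute("SELECT user_id FROM recovery_token WHERE key = ?", (key,)).fetchone()
        if row is None:
            return False
        time.sleep(0.05)  # the login work, during which others still see the token
        conn.execute("DELETE FROM recovery_token WHERE key = ?", (key,))
        conn.commit()
        return True
    finally:
        conn.close()


def consume_atomic(path: str, key: str) -> bool:
    """Fixed shape: one transaction with an exclusive write lock (BEGIN IMMEDIATE
    here; select_for_update() inside transaction.atomic() in Django) so a second
    request blocks until the first has deleted the token, then finds nothing."""
    conn = sqlite3.connect(path, timeout=10, isolation_level=None)
    try:
        conn.execute("BEGIN IMMEDIATE")
        row = conn.execute("SELECT user_id FROM recovery_token WHERE key = ?", (key,)).fetchone()
        if row is None:
            conn.execute("ROLLBACK")
            return False
        time.sleep(0.05)
        conn.execute("DELETE FROM recovery_token WHERE key = ?", (key,))
        conn.execute("COMMIT")
        return True
    finally:
        conn.close()


def run_concurrent(consume, workers: int = 4) -> int:
    """Fire `workers` simultaneous attempts with the same token; return how many succeeded."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tokens.db")
        init_db(path)
        results: list[bool] = []
        barrier = threading.Barrier(workers)
        lock = threading.Lock()

        def worker() -> None:
            barrier.wait()  # release all workers at the same instant
            ok = consume(path, TOKEN)
            with lock:
                results.append(ok)

        threads = [threading.Thread(target=worker) for _ in range(workers)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        return sum(results)


if __name__ == "__main__":
    print("racy logins:", run_concurrent(consume_racy))
    print("atomic logins:", run_concurrent(consume_atomic))
```

The racy variant typically reports several successful logins for one token; the atomic variant reports exactly one.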
providers/oauth2: use compare_digest for client_secret comparison (#19979)
* security: use constant-time comparison for client secrets
Replace insecure '!=' comparisons with hmac.compare_digest() to prevent
timing attacks on client secret validation. This matches the existing
security pattern used elsewhere in the codebase.
* format
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Kolega.dev <security@kolega.ai>
Co-authored-by: kolega.dev <faizan@kolega.ai>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
docs/release notes: Add changes in 2025.12.2 and 2025.12.3 to the release notes (#19949)
Add changes in 2025.12.2 and 2025.12.3 to the release notes
Co-authored-by: Marcelo Elizeche Landó <marcelo@goauthentik.io>
core: fix non-expiring service accounts and app passwords (#19913)
core: fix datetime (de)?serialization
We aim to fix
https://github.com/goauthentik/authentik/issues/19911 in the next patch
release, so this commit shouldn't include an API change, which is why we
do it a bit awkwardly. Additionally, `serializeForm` has no typechecking
for its return value (`return json as unknown as T`), and should be
refactored for type safety if at all possible.
There are at least two bugs we're solving in this commit:
1. Type checking fails on `serializeForm`, which results in
`expires: null` POSTed in a `UserServiceAccountRequest`, where it is not
allowed. The backend "correctly" returns a 400. For now we address this
by returning `undefined` from `serializeForm` on a `datetime-local`
input element when it is unset.
2. The schema allows for `expires: null` in `TokenModel`, but fails with
a 500 when that is actually sent. For now we address this with a `None`
check. (Note: this bug will not be encountered by the frontend after the
change from `null` to `undefined`, but it's still nice to fix.)
Both of these issues should eventually be solved by the backend handling
`ExpiringModel` in an `ExpiringModelSerializer` instead of the current
ad hoc way.
Introduced by https://github.com/goauthentik/authentik/pull/19561
Co-authored-by: Dominic R <dominic@sdko.org>
Co-authored-by: Simonyi Gergő <gergo@goauthentik.io>
website/docs: Update location of media storage and outdated references (#19885)
* website/docs: Update location of media storage and outdated references
* lint
* Add content-type header info
* Apply suggestion from @dominic-r
---------
Signed-off-by: Dominic R <dominic@sdko.org>
Co-authored-by: Dominic R <dominic@sdko.org>
Co-authored-by: dewi-tik <dewi@goauthentik.io>
web: fix Brand CSS not applied to nested Shadow DOM components (#19892)
* web: fix Brand CSS not applied to nested Shadow DOM components
After PR #17444, Brand CSS was only applied when ThemeChangeEvent fired.
Components created after the initial event never received the custom styles.
This fix immediately applies Brand CSS when a style root is set, ensuring
all nested Shadow DOM components (like flow stages) receive brand styling
regardless of when they are created.
* Update web/src/elements/Base.ts
* Clarify.
---------
Signed-off-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Co-authored-by: Mmx233 <36563672+Mmx233@users.noreply.github.com>
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
web/admin: fix toggle-group for bindings now showing up (#19820)
* web/admin: fix toggle-group for bindings now showing up
* actually dont use object.values
* actually even cleaner
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
So, a previous PR of mine, fixed an issue in scope of the PR, and upon
merging, I encountered CI errors. To fix that, I regenerated schema and
fixed a quick frontend issue for the bulk session revocation PR from
a contributor which was merged earlier that day. That caused the CI to
pass, life went on until the PR was cherry-picked and merged before I
remembered to do this. Cherry-picking brought the unneeded schema.yml
change and the added file into the release branch (file didn't exist, so
it was created instead of just modified). oops
website/docs: endpoint devices: add version command (#19767)
* Add version command
* Add version command to install docs
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Cherry-pick #19555 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #19555
Original commit: 1fa2cc075b
Co-authored-by: Dominic R <dominic@sdko.org>
Cherry-pick #19548 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #19548
Original commit: c67447d4db
Co-authored-by: Dominic R <dominic@sdko.org>
web/table: align row action icons and tooltip color (#19736)
Overview:
Normalize row-action icon padding and inherit icon color through
tooltips to avoid misalignment and false "active" styling on the Tokens
page.
Testing:
Replicate linked issue
Motivation:
Fix minor visual inconsistencies in action icons.
Closes https://github.com/goauthentik/authentik/issues/19315
Co-authored-by: Dominic R <dominic@sdko.org>
website/docs: add tip for recovering from accidental main branch work (#19865)
Overview:
Add a tip to the contributing guide explaining how to recover if you accidentally started making changes on `main` instead of a feature branch.
Testing:
n/a
Motivation:
Closes: https://github.com/goauthentik/authentik/issues/18740
Co-authored-by: Dominic R <dominic@sdko.org>
sources/oauth: Fix an issue where wechat may crash during login. (#18973)
* Fix an issue where wechat may crash during login.
The WeChatOAuth2Client.get_access_token method was defined with a signature that required redirect_uri and code arguments, but the generic OAuth callback handler calls this method without any arguments (expecting the client to retrieve them from the request context).
I have fixed `authentik/sources/oauth/types/wechat.py` by:
- Updating the `get_access_token` signature: It now accepts `**request_kwargs` instead of mandatory positional arguments, matching the base `OAuth2Client`.
- Retrieving `code` correctly: It now looks for `code` in the request parameters using `self.get_request_arg`, just like standard OAuth clients.
- Adding State Validation: I added `self.check_application_state()` to ensure the `state` parameter matches, preventing CSRF attacks.
- Improving Error Handling: Both `get_access_token` and `get_profile_info` now return `None` (or error dicts) instead of raising exceptions when API calls fail. This prevents the "Server Error" (500) crashes you were seeing and allows Authentik to handle login failures gracefully.
* Update wechat.py
* Update wechat.py
* Remove unnecessary blank lines in wechat.py
* Fix linting issues in wechat.py
---------
Signed-off-by: Anduin Xue <anduin@aiursoft.com>
Co-authored-by: Anduin Xue <anduin@aiursoft.com>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
website/docs: endpoint devices: fix local device login (#19698)
* Start PR
* WIP
* Spelling and link fix
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
web/elements: stabilize dual-select status height (#19734)
* web/elements: stabilize dual-select status height
Overview:
Reserve a stable two-line height for the selected-status row to minimize layout shifts on small screens, and use proper singular/plural wording for status messages.
Testing:
Behavior shown in linked issue
Motivation:
Avoid accidental removals caused by status text reflow/jumping on narrow
viewports.
Closes: https://github.com/goauthentik/authentik/issues/19732
* web: Comment to explain first suggestion
Ref: https://authentiksecurity.slack.com/archives/C08C0SCU2JV/p1769471926609429
Co-authored-by: Dominic R <dominic@sdko.org>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
web/elements: reduce spacing between collapsible form groups (#19627)
Overview:
Reduce vertical padding on ak-form-group sections to create tighter spacing between collapsible form sections.
- Reduce summary padding-block from 1rem to 0.5rem when open
- Reduce summary padding-block to 0.25rem when closed
- Reduce content bottom padding from 1rem to 0.5rem
- Remove debug red outline on marker hover
Testing:
Visiting the UI
Screenshots:
Before:
<!-- TODO -->
After:
<!-- TODO -->
Motivation:
Tooooo muchhhh spaceeeeee wasssstedddd
Co-authored-by: Dominic R <dominic@sdko.org>
Cherry-pick #19763 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #19763
Original commit: cdd3fb7827
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
web/admin: fix impersonation form requesting data without being opened (#19673)
* reverse bubble events
* rework impersonation form to not use firstUpdated
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
* sources/oauth: add fallback for id_token when profile URL is not available (#19311)
* sources/oauth: add fallback for id_token when profile URL is not available
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix syntax
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
Cherry-pick #19658 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #19658
Original commit: 7550b85495
Co-authored-by: Dominic R <dominic@sdko.org>
web/forms: fix forms not resetting state when modal closes (#19562)
* web/forms: fix forms not resetting state when modal closes
Overview:
Forms were not properly resetting their state when closing modals, which caused stale values to persist when reopening forms. This affected all forms with @state() decorated properties.
Testing:
1. Create any item (user, token, application, etc.), close modal
2. Click Create again, form should show default/empty values
3. Edit an item, cancel, click Create - form should be empty
4. Edit an item, cancel, edit same item - should show correct data
Motivation:
Form inputs retained values from previous create/edit operations.
* Fix linter errors, types.
* Add property accessors, types.
---------
Co-authored-by: Dominic R <dominic@sdko.org>
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
sources/saml: Set AuthnRequest ProtocolBinding to HTTP-POST instead of HTTP-Redirect (#17378)
* Use HTTP-POST instead of HTTP-Redirect for ProtocolBinding attribute in AuthnRequest
* Fix nits
---------
Signed-off-by: Katsushi Kobayashi <ikob@acm.org>
Co-authored-by: Katsushi Kobayashi <ikob@acm.org>
web/maintenance: no missing element type definitions (#18950)
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* website: fix bad escaping of URLs in release notes
## What
Fixes bad escaping of URLs in the release notes that resulted in mangled output.
v2024.6.4 had entries that looked like this:
```
##### `GET` /providers/google_workspace/{#123;id}#125;/
```
v2025.4.md had entries that looked like this:
```
##### `GET` /policies/unique_password/{#125;#123;policy_uuid}/
```
A couple of straightforward search-and-replaces has fixed the issue.
## Notes
Two of the release notes had bad escaping of URLs. I'm not sure how the error was made or got past,
but it was obvious when visiting the page.
@Beryju suggested that the bug is due to our using `{...}` to symbolize parameters in a URL while
Docusaurus wants to interpret `{...}` as an internal template instruction, resulting in odd
behavior. In either case, Docusaurus interpreted the hashtagged entries as links to unrelated issues
in Github (the same two issues, which were "bump version of pylint" and "bump version of sentry"),
which could be very confusing.
The inconsistencies between the two releases, and the working releases, suggest that the error was
introduced manually.
* web/maintenance: lint pass to add missing HTMLElementTagNameMap entries
# What
This code mechanically adds HTMLElementTagNameMap entries to those files that were missing it.
Every entry in the report is in this format:
./src/elements/ak-table/stories/ak-select-table.stories.ts
'ak-select-table-test-sort' has not been registered on HTMLElementTagNameMap
84: export class SimpleTableSortTest extends LitElem
no-missing-element-type-definition
It was trivial to create a Perl script that extracted the file name, the tag name, and the class name, and turn that into a “Open this file and append the HTMLElementTagNameMap definition to the end,” then run `prettier` and `build` to validate that nothing broke.
I also had to hand-edit the JSDoc for `Form`. It is not, by itself, an element. It is an abstract class from which you can derive elements. The `@element` tag there confused lit-analyze, and lit-analyze was correct to call it out.
# Why
These entries help Typescript & Lit-Analyze lint our product, validating that each element is being used correctly and that the types being passed to it are correct.
Co-authored-by: Ken Sternberg <133134217+kensternberg-authentik@users.noreply.github.com>
providers/oauth2: add `logout+jwt` token type for oidc logout token. (#19554)
* providers/oauth2: add `logout+jwt` token type for oidc logout token.
The oidc back-channel logout spec recommends using explicitly typed JWTs using the `typ` parameter in the JWT's header.
[spec](https://openid.net/specs/openid-connect-backchannel-1_0.html#CrossJWT)
This may be a breaking change for some implementations if they were already checking the type of the token to be `JWT` (the default value).
* Apply suggestion from @BeryJu
---------
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Jeroen <jeroen@velzen.cc>
Co-authored-by: Jens L. <jens@beryju.org>
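The relying-party side of the change above, as an added example that is not authentik's code: a minimal HS256 logout token minter and a verifier that requires `typ` to be `logout+jwt` and then applies the back-channel logout claim rules (an `events` entry for `http://schemas.openid.net/event/backchannel-logout`, `sub` or `sid`, no `nonce`). The shared key and claim values are constructed; a real deployment would verify the provider's signature with its JWKS rather than an HMAC.

```python
import base64
import hashlib
import hmac
import json

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_logout_token(key: bytes, claims: dict, typ: str = "logout+jwt") -> str:
    """Build an HS256 JWT; `typ` defaults to the explicit logout token type.
    Passing typ="JWT" reproduces the pre-change header for comparison."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_logout_token(key: bytes, token: str) -> dict:
    """Check signature and alg first, then the typ header, then the claim rules
    from the back-channel logout spec. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if header.get("typ") != "logout+jwt":
        # An access or ID token (typ JWT / at+jwt) must not be accepted as a logout token.
        raise ValueError(f"unexpected typ {header.get('typ')!r}")
    claims = json.loads(_b64url_decode(p))
    if BACKCHANNEL_EVENT not in claims.get("events", {}):
        raise ValueError("missing backchannel-logout event")
    if "nonce" in claims:
        raise ValueError("logout token must not carry a nonce")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout token needs sub or sid")
    return claims


def is_accepted(key: bytes, token: str) -> bool:
    """Convenience wrapper: True if verify_logout_token() accepts the token."""
    try:
        verify_logout_token(key, token)
        return True
    except ValueError:
        return False


# Constructed sample values for the demonstration.
SAMPLE_KEY = b"constructed-shared-secret"
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.invalid",
    "aud": "example-client",
    "sub": "user-1",
    "sid": "session-1",
    "iat": 1700000000,
    "jti": "constructed-jti",
    "events": {BACKCHANNEL_EVENT: {}},
}

if __name__ == "__main__":
    print(is_accepted(SAMPLE_KEY, mint_logout_token(SAMPLE_KEY, SAMPLE_CLAIMS)))
    print(is_accepted(SAMPLE_KEY, mint_logout_token(SAMPLE_KEY, SAMPLE_CLAIMS, typ="JWT")))
```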
web/maintenance: fix missing custom web component imports (#18942)
* web: lint pass to add all missing custom component imports
# What
The latest version of lit-analyze found 53(!) places in the codebase where we referenced a custom web component but not guarantee that it had been registered with the browser. Most of these are so commonplace that they had already been pulled in and registered elsewhere, but it’s still bad practice to leave these out.
* web/maintenance: lint pass to fix broken or unrecognized tag names
# What
This code removes two places in the code that referenced obsolete tag names.
In AkWizardFormPage, the case was a tag that was defined but never used. It, in turn, referenced a tag that did not exist.
In AkApplicationWizard’s ProviderChoices, we referenced eight custom components that did not exist and were never defined anywhere in the code. The references to `renderers` were obsolete; despite being defined they were never used. (This lack of use was covered up by lots of `export`s discarding Typescript’s check against unused field.)
- [x] The code has been formatted
# Why
- WizardFormPage references ‘ak-wizard-form’, which does not exist
- No other component imports, inherits, or extends WizardFormPage. It only exists by itself.
``` shell
$ rg 'WizardFormPage'
src/elements/wizard/WizardFormPage.ts
39:export class WizardFormPage extends WizardPage {
```
- The objects referenced here in these renderers do not exist.
- Without them, the priority ordering code becomes much simpler
- No LocalTypeCreate calls are needed; just use the default API TypeCreate types now
<!-- -->
./src/admin/applications/wizard/steps/ProviderChoices.ts
Unknown tag <ak-application-wizard-authentication-by-oauth>. Did you mean <ak-application-wizard-application-step>?
19: html`<ak-application-wizard-authentication-by-oauth></ak-appl
no-unknown-tag-name
Unknown tag <ak-application-wizard-authentication-by-saml-configuration>. Did you mean <ak-application-wizard-application-step>?
24: html`<ak-application-wizard-authentication-by-saml-configuration></ak-appl
no-unknown-tag-name
* Revert "web/maintenance: lint pass to fix broken or unrecognized tag names"
This reverts commit e9e073fbcc.
Co-authored-by: Ken Sternberg <133134217+kensternberg-authentik@users.noreply.github.com>
* Cherry-pick #19540 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #19540
Original commit: 083b61ca7f
* resolve conflicts
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
providers/saml: allow encryption certificates without private keys (#19526)
* providers/saml: allow selection of certificates without private keys for saml encryption
* fix back-end to support cert only
Co-authored-by: Connor Peshek <connor@connorpeshek.me>
web/forms: fix invalid date error for empty datetime-local inputs (#19561)
* web/forms: fix invalid date error for empty datetime-local inputs
Overview:
When a datetime-local input is empty, `valueAsNumber` returns `NaN` and `new Date("")` creates an Invalid Date. Previously, form serialization passed these invalid dates to the API, which caused "RangeError: Invalid time value" when `toISOString()` was called. Now empty datetime inputs correctly serialize to `null`.
Testing:
1. Go to Directory > Tokens and App passwords
2. Create or edit a token
3. Uncheck the "Expiring" checkbox
4. Save the token
5. Verify no error occurs and token is saved without expiry
Motivation:
Closes: https://github.com/goauthentik/authentik/issues/19558
* web: lint
Co-authored-by: Dominic R <dominic@sdko.org>
web: update @goauthentik/api (#19542)
Otherwise, e.g. the edit modal of Applications hangs infinitely on a
loading spinner because `AdminFileListUsageEnum` is undefined and not an
object.
Co-authored-by: Maximilian Bosch <maximilian@mbosch.me>
core: Update supported versions in SECURITY.md (#19385)
* core: Update supported versions in SECURITY.md
Added support for version 2025.12.x in the security policy.
* Apply suggestion from @BeryJu
---------
Signed-off-by: Marcelo Elizeche Landó <marcelo@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Marcelo Elizeche Landó <marcelo@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
Co-authored-by: Dominic R <dominic@sdko.org>
Co-authored-by: Marcelo Elizeche Landó <marcelo@goauthentik.io>
fix duplicate bucket name in presigned URLs with custom domain (#19537)
tests/e2e: Add delay and serialized rollback to saml e2e test (#18840)
* Add delay and serialized rollback to saml e2e test
* Apply suggestion from @BeryJu
* trigger build
---------
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Marcelo Elizeche Landó <marcelo@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
* Cherry-pick #19487 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #19487
Original commit: 2c29698415
* Apply suggestion from @BeryJu
Signed-off-by: Jens L. <jens@beryju.org>
---------
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Jens L. <jens@goauthentik.io>
website/docs: limiting permissions of AD service account (#19483)
* Add info about limiting permissions
* Simplified instructions
* OU > organizational unit
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
endpoints/connectors/agent: Skip Endpoint stage on device IA & fix confusing identification subtext (#19482)
* when doing device interactive auth, let the endpoint stage continue as we already know the device based on the DTH header
* only show "continuing to device xyz" when using device IA flow, not when using an endpoint stage with browser extension
* format
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
providers/oauth2: allow property mappings to override scope claim in access tokens (#19226)
* test(oauth2): add failing test for scope claim override via property mapping
Reproduces issue #19224 where property mappings cannot override the scope claim.
* fix(oauth2): allow property mappings to override scope claim in access tokens
Previously, the scope claim in access tokens was unconditionally set to
the requested scopes, ignoring any custom scope value returned by
property mappings.
This change uses setdefault() instead of direct assignment, so the
default scope is only set if no custom scope was provided by property
mappings.
Fixes #19224
Co-authored-by: Jean-Marc Le Roux <jeanmarc.leroux@aerys.in>
web/startup: deprecated theme names break theming (#19431)
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* website: fix bad escaping of URLs in release notes
## What
Fixes bad escaping of URLs in the release notes that resulted in mangled output.
v2024.6.4 had entries that looked like this:
```
##### `GET` /providers/google_workspace/{#123;id}#125;/
```
v2025.4.md had entries that looked like this:
```
##### `GET` /policies/unique_password/{#125;#123;policy_uuid}/
```
A couple of straightforward search-and-replaces has fixed the issue.
## Notes
Two of the release notes had bad escaping of URLs. I'm not sure how the error was made or got past,
but it was obvious when visiting the page.
@Beryju suggested that the bug is due to our using `{...}` to symbolize parameters in a URL while
Docusaurus wants to interpret `{...}` as an internal template instruction, resulting in odd
behavior. In either case, Docusaurus interpreted the hashtagged entries as links to unrelated issues
in GitHub (the same two issues, which were "bump version of pylint" and "bump version of sentry"),
which could be very confusing.
The inconsistencies between the two releases, and the working releases, suggest that the error was
introduced manually.
* web: fix early theme identification
# What
Upon initial load of the HTML, even before the JavaScript VM has started loading the admin interface, check if the user has a theme name in localStorage and validate it before proceeding.
# Issue
[Leftover localStorage.theme breaks UI after update to 2025.12.0](https://github.com/goauthentik/authentik/issues/19387)
Reported: 2025-01-13 By: GitHub user @WIPocket
# Why
We’ve changed our theme names to the more customary “light” and “dark”; older installs may have our earlier keys, “light-theme” or “dark-theme”, and those can break the read, resulting in the theme not being loaded at all.
Co-authored-by: Ken Sternberg <133134217+kensternberg-authentik@users.noreply.github.com>
web/elements: hidden secrets not propagating (#19029)
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
# What
# Why
# How
# Designs
# Test Steps
# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* website: fix bad escaping of URLs in release notes
## What
Fixes bad escaping of URLs in the release notes that resulted in mangled output.
v2024.6.4 had entries that looked like this:
```
##### `GET` /providers/google_workspace/{#123;id}#125;/
```
v2025.4.md had entries that looked like this:
```
##### `GET` /policies/unique_password/{#125;#123;policy_uuid}/
```
A couple of straightforward search-and-replaces has fixed the issue.
## Notes
Two of the release notes had bad escaping of URLs. I'm not sure how the error was made or got past,
but it was obvious when visiting the page.
@Beryju suggested that the bug is due to our using `{...}` to symbolize parameters in a URL while
Docusaurus wants to interpret `{...}` as an internal template instruction, resulting in odd
behavior. In either case, Docusaurus interpreted the hashtagged entries as links to unrelated issues
in GitHub (the same two issues, which were "bump version of pylint" and "bump version of sentry"),
which could be very confusing.
The inconsistencies between the two releases, and the working releases, suggest that the error was
introduced manually.
* web/bug/hidden-secrets-not-propagating
# What
This commit updates ak-secret-text-input, adding the `name` attribute to all valid input fields and updating the value writer to match those of known-working components, to ensure that either variety of the display is fully and correctly updated with the content of the hidden secret.
# Why
The hidden input field is the one that HorizontalFormElement was expecting to read its value from, but that field never received a `name` because it wasn’t present when the field was first updated.
HorizontalFormElement writes the `name` field to the first `<input>` it finds. That was the “dummy” input field, which has no working value.
Form ignored the input element because the value it read came with an undefined name.
Object-oriented state management sometimes bites.
---------
Co-authored-by: Ken Sternberg <133134217+kensternberg-authentik@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
web/admin: always retrieve selected provider when editing the application (#19341)
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
# What
# Why
# How
# Designs
# Test Steps
# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* website: fix bad escaping of URLs in release notes
## What
Fixes bad escaping of URLs in the release notes that resulted in mangled output.
v2024.6.4 had entries that looked like this:
```
##### `GET` /providers/google_workspace/{#123;id}#125;/
```
v2025.4.md had entries that looked like this:
```
##### `GET` /policies/unique_password/{#125;#123;policy_uuid}/
```
A couple of straightforward search-and-replaces has fixed the issue.
## Notes
Two of the release notes had bad escaping of URLs. I'm not sure how the error was made or got past,
but it was obvious when visiting the page.
@Beryju suggested that the bug is due to our using `{...}` to symbolize parameters in a URL while
Docusaurus wants to interpret `{...}` as an internal template instruction, resulting in odd
behavior. In either case, Docusaurus interpreted the hashtagged entries as links to unrelated issues
in GitHub (the same two issues, which were "bump version of pylint" and "bump version of sentry"),
which could be very confusing.
The inconsistencies between the two releases, and the working releases, suggest that the error was
introduced manually.
* web/admin: always retrieve selected provider when editing the application
# What
Re-writes the `fetch` function for ak-provider-search-input so that, if there’s an assigned value and it does not appear in the currently retrieved list of providers, prepend it to the list so that it is always present and always selectable.
# Why
Our pagination windows can restrict the list of objects retrieved from the server, and when we’re chasing composite objects we have to retrieve the displayable elements of that object from their respective tables. This combination means that a paginated retrieval may not have the object indicated by the parent object’s PK for that object collection. We have to retrieve it separately if it’s not in the current collection.
This problem is probably endemic to some of our design decisions.
Co-authored-by: Ken Sternberg <133134217+kensternberg-authentik@users.noreply.github.com>
website/docs: Fix documentation example for `app_entitlements_attributes`. (#19316)
Fix example for `app_entitlements_attributes`.
Fix example Python code for `app_entitlements_attributes`.
Signed-off-by: Sebastian Wiesinger <sebastian@karotte.org>
Co-authored-by: Sebastian Wiesinger <sebastian@karotte.org>
Co-authored-by: Dominic R <dominic@sdko.org>
endpoints: include license status in agent config (#19227)
* web/admin: consistent OS display
* include license status with agent config
* slightly rework
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
Cherry-pick #19152 to version-2025.12 (with conflicts)
This cherry-pick has conflicts that need manual resolution.
Original PR: #19152
Original commit: 3838150
Co-authored-by: Teffen Ellis <teffen@goauthentik.io>
rbac: Add show all to roles tab, add role tab to groups (#19097)
* improve sort order and inherit visual
* Update web/src/admin/groups/GroupViewPage.ts
* Update web/src/admin/users/UserViewPage.ts
* Update web/src/admin/roles/RelatedRoleList.ts
* Update web/src/admin/roles/RelatedRoleList.ts
* Update web/src/admin/roles/RelatedRoleList.ts
* Update web/src/admin/roles/RelatedRoleList.ts
* setup include inherited roles and fix returning nothing
* update api calls
* fix rendering error
* do not use set
* change from exception handling
* go off query param
* fix wording
* fix linting error for new group api structure
---------
Signed-off-by: Connor Peshek <connor@connorpeshek.me>
Co-authored-by: Connor Peshek <connor@connorpeshek.me>
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Co-authored-by: Marcelo Elizeche Landó <marcelo@goauthentik.io>
website/docs: remove duplicates in slo docs (#19170)
remove duplicated points in the iframe mode points in slo docs
Co-authored-by: Adithya S Narasinghe <adithyasnarasinghe@gmail.com>
website/docs: endpoints: mention connector key required for stage to work (#19084)
```python
keypair = CertificateKeyPair.objects.filter(pk=stage.connector.challenge_key_id).first()
if not keypair:
    return self.executor.stage_ok()  # <--- skips the stage
```
Took me a bit of time to find this, and yeah.
Co-authored-by: Dominic R <dominic@sdko.org>
website/docs: endpoint devices: add path to macos setup (#19093)
* Add path
* Update macos.md
---------
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
internal: update TLS Suite (#19076)
* internal: update TLS Suite
* disable chacha20 due to fips
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
lib/sync: fix sync_dispatch (#19053)
* fix: add missing call to all on self.schedules
Fixes #19051
* fix: change the name of syncOutgoingTriggerMode ak-radio-input
Fixes #19052
Co-authored-by: Amélie Lilith Krejčí <krejcar25@blep.cz>
events: notifications live update (#18980)
* this has been broken for a while but no one noticed...? cc @rissson
* send WS broadcast for new notifications
* add tests
* better layout
* fix e2e tests
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
web: fix Open button selecting row instead of navigating (#18992)
The `isEventTargetingListener()` function only checked the click target and the immediate parent for interactive elements (like links, buttons and more). When clicking the icon inside the Open button, the DOM structure is:
```
<a href=...>        <--- 2 levels up, never checked
  <pf-tooltip>      <--- immediate parent, not interactive
    <i>             <--- click target, not interactive
```
Because `<i>` and `<pf-tooltip>` did not match the interactive elements query, the function returned false, which caused the table rowClickListener to continue with row selection instead of allowing the click.
The fix is to update the function to traverse (up) the entire DOM tree from the click target to the listener element (the table cell) and check each ancestor for the interactive elements.
Co-authored-by: Dominic R <dominic@sdko.org>
web/admin: Fix haveibeenpwned link in PasswordPolicyForm (#18984)
web: Fix haveibeenpwned link in PasswordPolicyForm
Co-authored-by: Henry Skrtich <1214484+hskrtich@users.noreply.github.com>
web/admin: fix dark theme on map (#18985)
web/admin: fix dark theme on map broken
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
website/docs: release notes: add endpoint device links to 2025.12 notes (#18940)
Add links to release notes
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>