Merge branch 'main' into sdko/remove-stale-compat

Bumps [globals](https://github.com/sindresorhus/globals) from 17.5.0 to 17.6.0.
- [Release notes](https://github.com/sindresorhus/globals/releases)
- [Commits](https://github.com/sindresorhus/globals/compare/v17.5.0...v17.6.0)

---
updated-dependencies:
- dependency-name: globals
  dependency-version: 17.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

authentik/blueprints/tests/fixtures/conditional_fields.yaml

@@ -31,7 +31,7 @@ entries:
         slug: "%(uid)s-source"
       attrs:
         name: "%(uid)s-source"
-        provider_type: azuread
+        provider_type: entraid
         consumer_key: "%(uid)s"
         consumer_secret: "%(uid)s"
         icon: https://goauthentik.io/img/icon.png

authentik/events/apps.py

@@ -7,13 +7,6 @@ from authentik.lib.config import CONFIG, ENV_PREFIX
 from authentik.lib.utils.time import fqdn_rand
 from authentik.tasks.schedules.common import ScheduleSpec
 
-# TODO: Deprecated metric - remove in 2024.2 or later
-GAUGE_TASKS = Gauge(
-    "authentik_system_tasks",
-    "System tasks and their status",
-    ["tenant", "task_name", "task_uid", "status"],
-)
-
 SYSTEM_TASK_TIME = Histogram(
     "authentik_system_tasks_time_seconds",
     "Runtime of system tasks",

authentik/events/logs.py

@@ -49,15 +49,6 @@ class LogEventSerializer(PassiveSerializer):
     event = CharField()
     attributes = DictField()
 
-    # TODO(2024.6?): This is a migration helper to return a correct API response for logs that
-    # have been saved in an older format (mostly just list[str] with just the messages)
-    def to_representation(self, instance):
-        if isinstance(instance, str):
-            instance = LogEvent(instance, "", "")
-        elif isinstance(instance, list):
-            instance = [LogEvent(x, "", "") for x in instance]
-        return super().to_representation(instance)
-
 
 @contextmanager
 def capture_logs(log_default_output=True) -> Generator[list[LogEvent]]:

authentik/sources/oauth/apps.py

@@ -10,7 +10,6 @@ LOGGER = get_logger()
 
 AUTHENTIK_SOURCES_OAUTH_TYPES = [
     "authentik.sources.oauth.types.apple",
-    "authentik.sources.oauth.types.azure_ad",
     "authentik.sources.oauth.types.discord",
     "authentik.sources.oauth.types.entra_id",
     "authentik.sources.oauth.types.facebook",

authentik/sources/oauth/migrations/0014_migrate_azuread_to_entraid.py

@@ -0,0 +1,23 @@
+# Generated by Django 5.2.14 on 2026-05-09 19:01
+
+from django.db import migrations
+
+
+def migrate_azuread_to_entraid(apps, schema_editor):
+    OAuthSource = apps.get_model("authentik_sources_oauth", "OAuthSource")
+
+    db_alias = schema_editor.connection.alias
+    OAuthSource.objects.using(db_alias).filter(provider_type="azuread").update(
+        provider_type="entraid"
+    )
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_oauth", "0013_useroauthsourceconnection_refresh_token"),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_azuread_to_entraid, migrations.RunPython.noop),
+    ]

authentik/sources/oauth/models.py

@@ -251,17 +251,6 @@ class GoogleOAuthSource(CreatableType, OAuthSource):
         verbose_name_plural = _("Google OAuth Sources")
 
 
-class AzureADOAuthSource(CreatableType, OAuthSource):
-    """(Deprecated) Social Login using Azure AD."""
-
-    class Meta:
-        abstract = True
-        verbose_name = _("Azure AD OAuth Source")
-        verbose_name_plural = _("Azure AD OAuth Sources")
-
-
-# TODO: When removing this, add a migration for OAuthSource that sets
-# provider_type to `entraid` if it is currently `azuread`
 class EntraIDOAuthSource(CreatableType, OAuthSource):
     """Social Login using Entra ID."""
 

authentik/sources/oauth/types/azure_ad.py

@@ -1,17 +0,0 @@
-"""AzureAD OAuth2 Views"""
-
-from authentik.sources.oauth.types.entra_id import EntraIDType
-from authentik.sources.oauth.types.registry import registry
-
-# TODO: When removing this, add a migration for OAuthSource that sets
-# provider_type to `entraid` if it is currently `azuread`
-
-
-@registry.register()
-class AzureADType(EntraIDType):
-    """Azure AD Type definition"""
-
-    verbose_name = "Azure AD"
-    name = "azuread"
-
-    urls_customizable = True

blueprints/example/flow-default-account-lockdown.yaml

@@ -36,14 +36,10 @@ entries:
       attrs:
         order: 50
         initial_value: |
-          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
-          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
-          is_self_service = not target_uuid or target_uuid == current_user_uuid
-          pending_user = None
-          if target_uuid and not is_self_service:
-              from authentik.core.models import User
-
-              pending_user = User.objects.filter(pk=target_uuid).first()
+          actor_uuid = str(getattr(http_request.user, "pk", ""))
+          pending_user = user if getattr(user, "is_authenticated", False) else None
+          target_uuid = str(getattr(pending_user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == actor_uuid
           if is_self_service:
               return (
                   "<p><strong>You are about to lock down your own account.</strong></p>"
@@ -63,14 +59,15 @@ entries:
           from django.utils.html import escape
 
           if pending_user:
-              email = escape(pending_user.email or pending_user.name or "No email")
-              user_html = f"<p><code>{escape(pending_user.username)}</code> ({email})</p>"
+              detail = pending_user.email or pending_user.name
+              user_html = f"<code>{escape(pending_user.username)}</code>"
+              if detail and detail != pending_user.username:
+                  user_html = f"{user_html} ({escape(detail)})"
           else:
-              user_html = "<p>the account selected when this one-time lockdown link was created</p>"
+              user_html = "the account selected when this one-time lockdown link was created"
 
           return (
-              "<p><strong>You are about to lock down the following account:</strong></p>"
-              f"{user_html}"
+              f"<p><strong>You are about to lock down the following account:</strong> {user_html}</p>"
               "<p>This is an emergency action for cutting off access to the account right away. "
               "It does not lock the administrator who opened this page.</p>"
               "<p><strong>This will immediately:</strong></p>"
@@ -99,9 +96,9 @@ entries:
       attrs:
         order: 100
         initial_value: |
-          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
-          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
-          is_self_service = not target_uuid or target_uuid == current_user_uuid
+          actor_uuid = str(getattr(http_request.user, "pk", ""))
+          target_uuid = str(getattr(user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == actor_uuid
           if is_self_service:
               info = (
                   "Use this if you no longer trust your current password or sessions. "
@@ -134,9 +131,9 @@ entries:
       attrs:
         order: 200
         placeholder: |
-          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
-          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
-          is_self_service = not target_uuid or target_uuid == current_user_uuid
+          actor_uuid = str(getattr(http_request.user, "pk", ""))
+          target_uuid = str(getattr(user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == actor_uuid
           if is_self_service:
               return "Describe why you are locking your account..."
           return "Describe why this account is being locked down..."
@@ -184,14 +181,10 @@ entries:
       attrs:
         order: 300
         initial_value: |
-          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
           from django.utils.html import escape
-          from authentik.core.models import User
 
-          if target_uuid:
-              target = User.objects.filter(pk=target_uuid).first()
-              if target:
-                  return f"<p><code>{escape(target.username)}</code> has been locked down.</p>"
+          if getattr(user, "is_authenticated", False):
+              return f"<p><code>{escape(user.username)}</code> has been locked down.</p>"
 
           return "<p>The selected account has been locked down.</p>"
         initial_value_expression: true
@@ -221,9 +214,9 @@ entries:
       attrs:
         name: default-account-lockdown-admin-policy
         expression: |
-          target_uuid = (request.http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
-          current_user_uuid = str(getattr(request.user, "pk", "") or getattr(request.http_request.user, "pk", ""))
-          return bool(target_uuid) and target_uuid != current_user_uuid
+          actor_uuid = str(getattr(request.http_request.user, "pk", ""))
+          target_uuid = str(getattr(request.user, "pk", ""))
+          return bool(target_uuid) and target_uuid != actor_uuid
       identifiers:
         name: default-account-lockdown-admin-policy
       id: admin-policy

uv.lock

@@ -1106,7 +1106,7 @@ requires-dist = [
     { name = "django", specifier = ">=4.2,<6.0" },
     { name = "django-pgtrigger", specifier = ">=4,<5" },
     { name = "msgpack", specifier = ">=1,<2" },
-    { name = "psycopg", extras = ["pool"], specifier = ">=3.3.4,<4" },
+    { name = "psycopg", extras = ["pool"], specifier = ">=3,<4" },
     { name = "structlog", specifier = ">=25,<26" },
 ]
 

web/package-lock.json

@@ -75,7 +75,7 @@
                 "eslint-plugin-lit": "^2.2.1",
                 "eslint-plugin-wc": "^3.1.0",
                 "fuse.js": "^7.3.0",
-                "globals": "^17.5.0",
+                "globals": "^17.6.0",
                 "guacamole-common-js": "^1.5.0",
                 "hastscript": "^9.0.1",
                 "knip": "^6.11.0",
@@ -85,7 +85,7 @@
                 "lit-element": "^4.2.2",
                 "lit-html": "^3.3.2",
                 "md-front-matter": "^1.0.4",
-                "mermaid": "^11.14.0",
+                "mermaid": "^11.15.0",
                 "node-domexception": "^2025.11.0",
                 "npm-run-all": "^4.1.5",
                 "pino": "^10.3.1",
@@ -429,41 +429,10 @@
             "integrity": "sha512-jigsZK+sMF/cuiB7sERuo9V7N9jx+dhmHHnQyDSVdpZwVutaBu7WvNYqMDLSgFgfB30n452TP3vjDAvFC973mA==",
             "license": "MIT"
         },
-        "node_modules/@chevrotain/cst-dts-gen": {
-            "version": "12.0.0",
-            "resolved": "https://registry.npmjs.org/@chevrotain/cst-dts-gen/-/cst-dts-gen-12.0.0.tgz",
-            "integrity": "sha512-fSL4KXjTl7cDgf0B5Rip9Q05BOrYvkJV/RrBTE/bKDN096E4hN/ySpcBK5B24T76dlQ2i32Zc3PAE27jFnFrKg==",
-            "license": "Apache-2.0",
-            "dependencies": {
-                "@chevrotain/gast": "12.0.0",
-                "@chevrotain/types": "12.0.0"
-            }
-        },
-        "node_modules/@chevrotain/gast": {
-            "version": "12.0.0",
-            "resolved": "https://registry.npmjs.org/@chevrotain/gast/-/gast-12.0.0.tgz",
-            "integrity": "sha512-1ne/m3XsIT8aEdrvT33so0GUC+wkctpUPK6zU9IlOyJLUbR0rg4G7ZiApiJbggpgPir9ERy3FRjT6T7lpgetnQ==",
-            "license": "Apache-2.0",
-            "dependencies": {
-                "@chevrotain/types": "12.0.0"
-            }
-        },
-        "node_modules/@chevrotain/regexp-to-ast": {
-            "version": "12.0.0",
-            "resolved": "https://registry.npmjs.org/@chevrotain/regexp-to-ast/-/regexp-to-ast-12.0.0.tgz",
-            "integrity": "sha512-p+EW9MaJwgaHguhoqwOtx/FwuGr+DnNn857sXWOi/mClXIkPGl3rn7hGNWvo31HA3vyeQxjqe+H36yZJwYU8cA==",
-            "license": "Apache-2.0"
-        },
         "node_modules/@chevrotain/types": {
-            "version": "12.0.0",
-            "resolved": "https://registry.npmjs.org/@chevrotain/types/-/types-12.0.0.tgz",
-            "integrity": "sha512-S+04vjFQKeuYw0/eW3U52LkAHQsB1ASxsPGsLPUyQgrZ2iNNibQrsidruDzjEX2JYfespXMG0eZmXlhA6z7nWA==",
-            "license": "Apache-2.0"
-        },
-        "node_modules/@chevrotain/utils": {
-            "version": "12.0.0",
-            "resolved": "https://registry.npmjs.org/@chevrotain/utils/-/utils-12.0.0.tgz",
-            "integrity": "sha512-lB59uJoaGIfOOL9knQqQRfhl9g7x8/wqFkp13zTdkRu1huG9kg6IJs1O8hqj9rs6h7orGxHJUKb+mX3rPbWGhA==",
+            "version": "11.1.2",
+            "resolved": "https://registry.npmjs.org/@chevrotain/types/-/types-11.1.2.tgz",
+            "integrity": "sha512-U+HFai5+zmJCkK86QsaJtoITlboZHBqrVketcO2ROv865xfCMSFpELQoz1GkX5GzME8pTa+3kbKrZHQtI0gdbw==",
             "license": "Apache-2.0"
         },
         "node_modules/@codemirror/autocomplete": {
@@ -1817,12 +1786,12 @@
             }
         },
         "node_modules/@mermaid-js/parser": {
-            "version": "1.1.0",
-            "resolved": "https://registry.npmjs.org/@mermaid-js/parser/-/parser-1.1.0.tgz",
-            "integrity": "sha512-gxK9ZX2+Fex5zu8LhRQoMeMPEHbc73UKZ0FQ54YrQtUxE1VVhMwzeNtKRPAu5aXks4FasbMe4xB4bWrmq6Jlxw==",
+            "version": "1.1.1",
+            "resolved": "https://registry.npmjs.org/@mermaid-js/parser/-/parser-1.1.1.tgz",
+            "integrity": "sha512-VuHdsYMK1bT6X2JbcAaWAhugTRvRBRyuZgd+c22swUeI9g/ntaxF7CY7dYarhZovofCbUNO0G7JesfmNtjYOCw==",
             "license": "MIT",
             "dependencies": {
-                "langium": "^4.0.0"
+                "@chevrotain/types": "~11.1.1"
             }
         },
         "node_modules/@mrmarble/djangoql-completion": {
@@ -7176,34 +7145,6 @@
                 "node": ">= 16"
             }
         },
-        "node_modules/chevrotain": {
-            "version": "12.0.0",
-            "resolved": "https://registry.npmjs.org/chevrotain/-/chevrotain-12.0.0.tgz",
-            "integrity": "sha512-csJvb+6kEiQaqo1woTdSAuOWdN0WTLIydkKrBnS+V5gZz0oqBrp4kQ35519QgK6TpBThiG3V1vNSHlIkv4AglQ==",
-            "license": "Apache-2.0",
-            "dependencies": {
-                "@chevrotain/cst-dts-gen": "12.0.0",
-                "@chevrotain/gast": "12.0.0",
-                "@chevrotain/regexp-to-ast": "12.0.0",
-                "@chevrotain/types": "12.0.0",
-                "@chevrotain/utils": "12.0.0"
-            },
-            "engines": {
-                "node": ">=22.0.0"
-            }
-        },
-        "node_modules/chevrotain-allstar": {
-            "version": "0.4.1",
-            "resolved": "https://registry.npmjs.org/chevrotain-allstar/-/chevrotain-allstar-0.4.1.tgz",
-            "integrity": "sha512-PvVJm3oGqrveUVW2Vt/eZGeiAIsJszYweUcYwcskg9e+IubNYKKD+rHHem7A6XVO22eDAL+inxNIGAzZ/VIWlA==",
-            "license": "MIT",
-            "dependencies": {
-                "lodash-es": "^4.17.21"
-            },
-            "peerDependencies": {
-                "chevrotain": "^12.0.0"
-            }
-        },
         "node_modules/chokidar": {
             "version": "3.6.0",
             "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.6.0.tgz",
@@ -8635,6 +8576,16 @@
                 "url": "https://github.com/sponsors/ljharb"
             }
         },
+        "node_modules/es-toolkit": {
+            "version": "1.46.1",
+            "resolved": "https://registry.npmjs.org/es-toolkit/-/es-toolkit-1.46.1.tgz",
+            "integrity": "sha512-5eNtXOs3tbfxXOj04tjjseeWkRWaoCjdEI+96DgwzZoe6c9juL49pXlzAFTI72aWC9Y8p7168g6XIKjh7k6pyQ==",
+            "license": "MIT",
+            "workspaces": [
+                "docs",
+                "benchmarks"
+            ]
+        },
         "node_modules/esast-util-from-estree": {
             "version": "2.0.0",
             "resolved": "https://registry.npmjs.org/esast-util-from-estree/-/esast-util-from-estree-2.0.0.tgz",
@@ -10054,9 +10005,9 @@
             }
         },
         "node_modules/globals": {
-            "version": "17.5.0",
-            "resolved": "https://registry.npmjs.org/globals/-/globals-17.5.0.tgz",
-            "integrity": "sha512-qoV+HK2yFl/366t2/Cb3+xxPUo5BuMynomoDmiaZBIdbs+0pYbjfZU+twLhGKp4uCZ/+NbtpVepH5bGCxRyy2g==",
+            "version": "17.6.0",
+            "resolved": "https://registry.npmjs.org/globals/-/globals-17.6.0.tgz",
+            "integrity": "sha512-sepffkT8stwnIYbsMBpoCHJuJM5l98FUF2AnE07hfvE0m/qp3R586hw4jF4uadbhvg1ooIdzuu7CsfD2jzCaNA==",
             "license": "MIT",
             "engines": {
                 "node": ">=18"
@@ -11635,24 +11586,6 @@
                 "url": "https://github.com/sponsors/SuperchupuDev"
             }
         },
-        "node_modules/langium": {
-            "version": "4.2.2",
-            "resolved": "https://registry.npmjs.org/langium/-/langium-4.2.2.tgz",
-            "integrity": "sha512-JUshTRAfHI4/MF9dH2WupvjSXyn8JBuUEWazB8ZVJUtXutT0doDlAv1XKbZ1Pb5sMexa8FF4CFBc0iiul7gbUQ==",
-            "license": "MIT",
-            "dependencies": {
-                "@chevrotain/regexp-to-ast": "~12.0.0",
-                "chevrotain": "~12.0.0",
-                "chevrotain-allstar": "~0.4.1",
-                "vscode-languageserver": "~9.0.1",
-                "vscode-languageserver-textdocument": "~1.0.11",
-                "vscode-uri": "~3.1.0"
-            },
-            "engines": {
-                "node": ">=20.10.0",
-                "npm": ">=10.2.3"
-            }
-        },
         "node_modules/layout-base": {
             "version": "1.0.2",
             "resolved": "https://registry.npmjs.org/layout-base/-/layout-base-1.0.2.tgz",
@@ -12682,14 +12615,14 @@
             }
         },
         "node_modules/mermaid": {
-            "version": "11.14.0",
-            "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-11.14.0.tgz",
-            "integrity": "sha512-GSGloRsBs+JINmmhl0JDwjpuezCsHB4WGI4NASHxL3fHo3o/BRXTxhDLKnln8/Q0lRFRyDdEjmk1/d5Sn1Xz8g==",
+            "version": "11.15.0",
+            "resolved": "https://registry.npmjs.org/mermaid/-/mermaid-11.15.0.tgz",
+            "integrity": "sha512-pTMbcf3rWdtLiYGpmoTjHEpeY8seiy6sR+9nD7LOs8KfUbHE4lOUAprTRqRAcWSQ6MQpdX+YEsxShtGsINtPtw==",
             "license": "MIT",
             "dependencies": {
                 "@braintree/sanitize-url": "^7.1.1",
                 "@iconify/utils": "^3.0.2",
-                "@mermaid-js/parser": "^1.1.0",
+                "@mermaid-js/parser": "^1.1.1",
                 "@types/d3": "^7.4.3",
                 "@upsetjs/venn.js": "^2.0.0",
                 "cytoscape": "^3.33.1",
@@ -12700,14 +12633,14 @@
                 "dagre-d3-es": "7.0.14",
                 "dayjs": "^1.11.19",
                 "dompurify": "^3.3.1",
+                "es-toolkit": "^1.45.1",
                 "katex": "^0.16.25",
                 "khroma": "^2.1.0",
-                "lodash-es": "^4.17.23",
                 "marked": "^16.3.0",
                 "roughjs": "^4.6.6",
                 "stylis": "^4.3.6",
                 "ts-dedent": "^2.2.0",
-                "uuid": "^11.1.0"
+                "uuid": "^11.1.0 || ^12 || ^13 || ^14.0.0"
             }
         },
         "node_modules/mermaid-isomorphic": {
@@ -18330,16 +18263,16 @@
             }
         },
         "node_modules/uuid": {
-            "version": "11.1.0",
-            "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.0.tgz",
-            "integrity": "sha512-0/A9rDy9P7cJ+8w1c9WD9V//9Wj15Ce2MPz8Ri6032usz+NfePxx5AcN3bN+r6ZL6jEo066/yNYB3tn4pQEx+A==",
+            "version": "14.0.0",
+            "resolved": "https://registry.npmjs.org/uuid/-/uuid-14.0.0.tgz",
+            "integrity": "sha512-Qo+uWgilfSmAhXCMav1uYFynlQO7fMFiMVZsQqZRMIXp0O7rR7qjkj+cPvBHLgBqi960QCoo/PH2/6ZtVqKvrg==",
             "funding": [
                 "https://github.com/sponsors/broofa",
                 "https://github.com/sponsors/ctavan"
             ],
             "license": "MIT",
             "bin": {
-                "uuid": "dist/esm/bin/uuid"
+                "uuid": "dist-node/bin/uuid"
             }
         },
         "node_modules/validate-npm-package-license": {
@@ -18661,43 +18594,6 @@
             "integrity": "sha512-8TEXQxlldWAuIODdukIb+TR5s+9Ds40eSJrw+1iDDA9IFORPjMELarNQE3myz5XIkWWpdprmJjm1/SxMlWOC8A==",
             "license": "MIT"
         },
-        "node_modules/vscode-jsonrpc": {
-            "version": "8.2.0",
-            "resolved": "https://registry.npmjs.org/vscode-jsonrpc/-/vscode-jsonrpc-8.2.0.tgz",
-            "integrity": "sha512-C+r0eKJUIfiDIfwJhria30+TYWPtuHJXHtI7J0YlOmKAo7ogxP20T0zxB7HZQIFhIyvoBPwWskjxrvAtfjyZfA==",
-            "license": "MIT",
-            "engines": {
-                "node": ">=14.0.0"
-            }
-        },
-        "node_modules/vscode-languageserver": {
-            "version": "9.0.1",
-            "resolved": "https://registry.npmjs.org/vscode-languageserver/-/vscode-languageserver-9.0.1.tgz",
-            "integrity": "sha512-woByF3PDpkHFUreUa7Hos7+pUWdeWMXRd26+ZX2A8cFx6v/JPTtd4/uN0/jB6XQHYaOlHbio03NTHCqrgG5n7g==",
-            "license": "MIT",
-            "dependencies": {
-                "vscode-languageserver-protocol": "3.17.5"
-            },
-            "bin": {
-                "installServerIntoExtension": "bin/installServerIntoExtension"
-            }
-        },
-        "node_modules/vscode-languageserver-protocol": {
-            "version": "3.17.5",
-            "resolved": "https://registry.npmjs.org/vscode-languageserver-protocol/-/vscode-languageserver-protocol-3.17.5.tgz",
-            "integrity": "sha512-mb1bvRJN8SVznADSGWM9u/b07H7Ecg0I3OgXDuLdn307rl/J3A9YD6/eYOssqhecL27hK1IPZAsaqh00i/Jljg==",
-            "license": "MIT",
-            "dependencies": {
-                "vscode-jsonrpc": "8.2.0",
-                "vscode-languageserver-types": "3.17.5"
-            }
-        },
-        "node_modules/vscode-languageserver-protocol/node_modules/vscode-languageserver-types": {
-            "version": "3.17.5",
-            "resolved": "https://registry.npmjs.org/vscode-languageserver-types/-/vscode-languageserver-types-3.17.5.tgz",
-            "integrity": "sha512-Ld1VelNuX9pdF39h2Hgaeb5hEZM2Z3jUrrMgWQAu82jMtZp7p3vJT3BzToKtZI7NgQssZje5o0zryOrhQvzQAg==",
-            "license": "MIT"
-        },
         "node_modules/vscode-languageserver-textdocument": {
             "version": "1.0.12",
             "resolved": "https://registry.npmjs.org/vscode-languageserver-textdocument/-/vscode-languageserver-textdocument-1.0.12.tgz",
@@ -18716,12 +18612,6 @@
             "integrity": "sha512-7bOHxPsfyuCqmP+hZXscLhiHwe7CSuFE4hyhbs22xPIhQ4jv99FcR4eBzfYYVLP356HNFpdvz63FFb/xw6T4Iw==",
             "license": "MIT"
         },
-        "node_modules/vscode-uri": {
-            "version": "3.1.0",
-            "resolved": "https://registry.npmjs.org/vscode-uri/-/vscode-uri-3.1.0.tgz",
-            "integrity": "sha512-/BpdSx+yCQGnCvecbyXdxHDkuk55/G3xwnC0GqY4gmQ3j+A+g8kzzgB4Nk/SINjqn6+waqw3EgbVF2QKExkRxQ==",
-            "license": "MIT"
-        },
         "node_modules/w3c-keyname": {
             "version": "2.2.8",
             "resolved": "https://registry.npmjs.org/w3c-keyname/-/w3c-keyname-2.2.8.tgz",

web/package.json

@@ -151,7 +151,7 @@
         "eslint-plugin-lit": "^2.2.1",
         "eslint-plugin-wc": "^3.1.0",
         "fuse.js": "^7.3.0",
-        "globals": "^17.5.0",
+        "globals": "^17.6.0",
         "guacamole-common-js": "^1.5.0",
         "hastscript": "^9.0.1",
         "knip": "^6.11.0",
@@ -161,7 +161,7 @@
         "lit-element": "^4.2.2",
         "lit-html": "^3.3.2",
         "md-front-matter": "^1.0.4",
-        "mermaid": "^11.14.0",
+        "mermaid": "^11.15.0",
         "node-domexception": "^2025.11.0",
         "npm-run-all": "^4.1.5",
         "pino": "^10.3.1",

web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts

@@ -1,5 +1,4 @@
 import "#elements/ak-checkbox-group/ak-checkbox-group";
-import "#elements/Alert";
 import "#elements/ak-dual-select/ak-dual-select-dynamic-selected-provider";
 import "#elements/ak-dual-select/ak-dual-select-provider";
 import "#elements/forms/FormGroup";
@@ -362,14 +361,6 @@ export class AuthenticatorValidateStageForm extends BaseStageForm<AuthenticatorV
                                 "Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed.",
                             )}
                         </p>
-                        <ak-alert inline>
-                            ${
-                                /* TODO: Remove this after 2024.6..or maybe later? */
-                                msg(
-                                    "This restriction only applies to devices created in authentik 2024.4 or later.",
-                                )
-                            }
-                        </ak-alert>
                     </ak-form-element-horizontal>
                 </div>
             </ak-form-group>

web/src/admin/users/UserViewPage.ts

@@ -54,7 +54,7 @@ import { ToggleUserActivationButton } from "#admin/users/UserActiveForm";
 import { UserForm } from "#admin/users/UserForm";
 import { UserImpersonateForm } from "#admin/users/UserImpersonateForm";
 
-import { CapabilitiesEnum, CoreApi, ModelEnum, User } from "@goauthentik/api";
+import { CapabilitiesEnum, CoreApi, ModelEnum, User, UserTypeEnum } from "@goauthentik/api";
 
 import { msg, str } from "@lit/localize";
 import { css, html, PropertyValues, TemplateResult } from "lit";
@@ -192,7 +192,10 @@ export class UserViewPage extends WithLicenseSummary(
     protected renderActionButtons(user: User) {
         const showImpersonate =
             this.can(CapabilitiesEnum.CanImpersonate) && user.pk !== this.currentUser?.pk;
-        const showLockdown = this.hasEnterpriseLicense && user.pk !== this.currentUser?.pk;
+        const showLockdown =
+            this.hasEnterpriseLicense &&
+            user.pk !== this.currentUser?.pk &&
+            user.type !== UserTypeEnum.InternalServiceAccount;
 
         const displayName = formatUserDisplayName(user);
 

website/docs/releases/2026/v2026.8.md

@@ -12,7 +12,7 @@ draft: true
 
 ## Upgrading
 
-This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../install-config/upgrade.mdx).
+This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx).
 
 :::warning
 When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance.

website/integrations/chat-communication-collaboration/affine/index.md

@@ -6,7 +6,7 @@ support_level: community
 
 ## What is AFFiNE?
 
-> AFFiNE is an open-source platform that allows you to bring together documents, whiteboards, and databases. It is a reliable tool designed to create a professional workspace for your work. With AFFiNE, you can focus on practicality and efficiency, making it easier to collaborate on your projects.
+> AFFiNE is an open-source, self-hostable workspace for documents, whiteboards, and databases.
 >
 > -- https://affine.pro/
 
@@ -29,28 +29,26 @@ To support the integration of AFFiNE with authentik, you need to create an appli
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
-
-- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
-- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
-- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
-    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Create a `Strict` redirect URI and set to `https://affine.company/oauth/callback`.
-    - Select any available signing key.
-- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+        - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
+        - Add one `Strict` redirect URI and set it to `https://affine.company/oauth/callback`.
+        - Select any available signing key.
+    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
 3. Click **Submit** to save the new application and provider.
 
 ## AFFiNE configuration
 
 1. Log in to AFFiNE as an administrator.
-2. Navigate to the Admin Panel of your instance by clicking on your profile picture.
-3. Navigate to **Settings** > **OAuth**.
-4. Under **OIDC OAuth provider config**, set the following JSON data:
+2. Click your profile picture and navigate to **Admin Panel** > **Settings** > **OAuth**.
+3. Under **OIDC OAuth provider config**, set the following JSON data:
 
 ```json
 {
     "args": {},
-    "issuer": "https://authentik.company/application/o/<application_slug>/",
+    "issuer": "https://authentik.company/application/o/<application_slug>",
     "clientId": "<Client ID from authentik>",
     "clientSecret": "<Client Secret from authentik>"
 }
@@ -60,8 +58,9 @@ To support the integration of AFFiNE with authentik, you need to create an appli
 
 ## Configuration verification
 
-To verify the integration of authentik with AFFiNE, log out of AFFiNE, then on the login page click on **Continue with OIDC**. You should be redirected to authentik, and once authenticated, logged in to AFFiNE.
+To confirm that authentik is properly configured with AFFiNE, open AFFiNE and log in using the **Continue with OIDC** login option. You should be redirected to authentik for authentication and then redirected back to AFFiNE.
 
 ## Resources
 
-- [AFFiNE Docs - OAuth 2.0 ](https://docs.affine.pro/self-host-affine/administer/oauth-2-0#oidc)
+- [AFFiNE OAuth 2.0 documentation](https://docs.affine.pro/self-host-affine/administer/oauth-2-0#oidc)
+- [AFFiNE OIDC provider source](https://github.com/toeverything/AFFiNE/blob/canary/packages/backend/server/src/plugins/oauth/providers/oidc.ts)

website/integrations/chat-communication-collaboration/hedgedoc/index.md

@@ -8,7 +8,7 @@ support_level: community
 
 > HedgeDoc lets you create real-time collaborative markdown notes.
 >
-> -- https://github.com/hedgedoc/hedgedoc
+> -- https://hedgedoc.org/
 
 ## Preparation
 
@@ -29,32 +29,40 @@ To support the integration of HedgeDoc with authentik, you need to create an app
 
 1. Log in to authentik as an administrator and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **New Application** to open the application wizard.
-
-- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
-- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
-- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
-    - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later.
-    - Set a `Strict` redirect URI to `https://hedgedoc.company/auth/oauth2/callback`.
-    - Select any available signing key.
-- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
-
+    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+        - Note the **Client ID** and **Client Secret** values because they will be required later.
+        - Set a `Strict` redirect URI to `https://hedgedoc.company/auth/oauth2/callback`.
+        - Select any available signing key.
+    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 3. Click **Submit** to save the new application and provider.
 
 ## HedgeDoc configuration
 
-You need to set the following `env` Variables for Docker based installations.
-
-Set the following values:
+Set the following environment variables in your HedgeDoc deployment:
 
 ```yaml
 CMD_OAUTH2_PROVIDERNAME: "authentik"
-CMD_OAUTH2_CLIENT_ID: "<Client ID from above>"
-CMD_OAUTH2_CLIENT_SECRET: "<Client Secret from above>"
+CMD_OAUTH2_CLIENT_ID: "<Client ID from authentik>"
+CMD_OAUTH2_CLIENT_SECRET: "<Client Secret from authentik>"
 CMD_OAUTH2_SCOPE: "openid email profile"
 CMD_OAUTH2_USER_PROFILE_URL: "https://authentik.company/application/o/userinfo/"
 CMD_OAUTH2_TOKEN_URL: "https://authentik.company/application/o/token/"
 CMD_OAUTH2_AUTHORIZATION_URL: "https://authentik.company/application/o/authorize/"
+CMD_OAUTH2_USER_PROFILE_ID_ATTR: "sub"
 CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: "preferred_username"
 CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: "name"
 CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: "email"
 ```
+
+Restart HedgeDoc for the changes to take effect.
+
+## Configuration verification
+
+To confirm that authentik is properly configured with HedgeDoc, open HedgeDoc, select the **authentik** login option, and complete the authentik sign-in flow. A successful authentication should return you to HedgeDoc as a signed-in user.
+
+## Resources
+
+- [HedgeDoc documentation - Configuration](https://docs.hedgedoc.org/configuration/)
+- [HedgeDoc documentation - OAuth](https://docs.hedgedoc.org/guides/auth/oauth/)