website/docs: clarify OAuth2 provider overview

.github/actions/setup/action.yml

@@ -25,7 +25,7 @@ runs:
       if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
       uses: gerlero/apt-install@f4fa5265092af9e750549565d28c99aec7189639
       with:
-        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext libclang-dev libkadm5clnt-mit12 libkadm5clnt7t64-heimdal libkrb5-dev krb5-kdc krb5-user krb5-admin-server
+        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
         update: true
         upgrade: false
         install-recommends: false
@@ -52,19 +52,19 @@ runs:
       run: uv sync --all-extras --dev --locked
     - name: Setup rust (stable)
       if: ${{ contains(inputs.dependencies, 'rust') && !contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1
+      uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
       with:
         rustflags: ""
     - name: Setup rust (nightly)
       if: ${{ contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1
+      uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
       with:
         toolchain: nightly
         components: rustfmt
         rustflags: ""
     - name: Setup rust dependencies
       if: ${{ contains(inputs.dependencies, 'rust') }}
-      uses: taiki-e/install-action@ec28e287910af896fd98e04056d31fa68607e7ad # v2
+      uses: taiki-e/install-action@711e1c3275189d76dcc4d34ddea63bf96ac49090 # v2
       with:
         tool: cargo-deny cargo-machete cargo-llvm-cov nextest
     - name: Setup node (web)

.github/workflows/qa-codeql.yml

@@ -28,10 +28,10 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4.35.4
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4.35.4
+        uses: github/codeql-action/autobuild@v4
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4.35.4
+        uses: github/codeql-action/analyze@v4

.github/workflows/release-branch-off.yml

@@ -5,7 +5,7 @@ on:
   workflow_dispatch:
     inputs:
       next_version:
-        description: Next version (for example, if you're currently releasing 2026.5, then enter 2026.8)
+        description: Next major version (for example, if releasing 2042.2, this is 2042.4)
         required: true
         type: string
 
@@ -68,14 +68,10 @@ jobs:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
-        with:
-          dependencies: "system,python,go,node,runtime,rust-nightly"
       - name: Run migrations
         run: make migrate
       - name: Bump version
         run: "make bump version=${{ inputs.next_version }}.0-rc1"
-      - name: Re-generate API Clients
-        run: make gen
       - name: Create pull request
         uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
         with:

.github/workflows/release-publish.yml

@@ -191,7 +191,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
+      - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
         with:
           role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
           aws-region: ${{ env.AWS_REGION }}

.github/workflows/release-tag.yml

@@ -82,14 +82,10 @@ jobs:
           token: "${{ steps.app-token.outputs.token }}"
       - name: Setup authentik env
         uses: ./.github/actions/setup
-        with:
-          dependencies: "system,python,go,node,runtime,rust-nightly"
       - name: Run migrations
         run: make migrate
       - name: Bump version
         run: "make bump version=${{ inputs.version }}"
-      - name: Re-generate API Clients
-        run: make gen
       - name: Commit and push
         run: |
           # ID from https://api.github.com/users/authentik-automation[bot]

.npmrc

@@ -1,20 +0,0 @@
-# Block lifecycle scripts (preinstall/install/postinstall/prepare) from dependencies.
-# This neutralizes the dominant npm supply-chain attack vector.
-#
-# Packages that legitimately need a build step (e.g. esbuild, chromedriver, tree-sitter)
-# must be rebuilt explicitly:
-#
-#   npm rebuild --foreground-scripts esbuild chromedriver tree-sitter tree-sitter-json
-ignore-scripts=true
-
-# Fail fast if the active Node/npm doesn't match the "engines" field.
-engine-strict=true
-
-# Pin exact versions so `npm install <pkg>` writes "1.2.3" not "^1.2.3".
-save-exact=true
-
-# Surface CVE warnings during install; doesn't block.
-audit=true
-
-# Suppress funding banners.
-fund=false

CODEOWNERS

@@ -34,7 +34,6 @@ packages/django-channels-postgres       @goauthentik/backend
 packages/django-postgres-cache          @goauthentik/backend
 packages/django-dramatiq-postgres       @goauthentik/backend
 # Web packages
-.npmrc                                  @goauthentik/frontend
 tsconfig.json                           @goauthentik/frontend
 package.json                            @goauthentik/frontend
 package-lock.json                       @goauthentik/frontend

Cargo.lock

@@ -171,7 +171,7 @@ checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
 
 [[package]]
 name = "authentik"
-version = "2026.8.0-rc1"
+version = "2026.5.0-rc1"
 dependencies = [
  "arc-swap",
  "argh",
@@ -196,7 +196,7 @@ dependencies = [
 
 [[package]]
 name = "authentik-axum"
-version = "2026.8.0-rc1"
+version = "2026.5.0-rc1"
 dependencies = [
  "authentik-common",
  "axum",
@@ -216,7 +216,7 @@ dependencies = [
 
 [[package]]
 name = "authentik-client"
-version = "2026.8.0-rc1"
+version = "2026.5.0-rc1"
 dependencies = [
  "aws-lc-rs",
  "reqwest",
@@ -232,7 +232,7 @@ dependencies = [
 
 [[package]]
 name = "authentik-common"
-version = "2026.8.0-rc1"
+version = "2026.5.0-rc1"
 dependencies = [
  "arc-swap",
  "authentik-client",
@@ -1744,6 +1744,16 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "iri-string"
+version = "0.7.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d8e7418f59cc01c88316161279a7f665217ae316b388e58a0d10e29f54f1e5eb"
+dependencies = [
+ "memchr",
+ "serde",
+]
+
 [[package]]
 name = "is_terminal_polyfill"
 version = "1.70.2"
@@ -3193,9 +3203,9 @@ checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"
 
 [[package]]
 name = "sentry"
-version = "0.48.1"
+version = "0.48.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b93b3e19f45495ddd41d8222a152c48c84f6ba45abe9c69e2527e9cdea29bb5b"
+checksum = "e8ac94aab850a23d7507307cc505332ed2bafd36c65930dfc5c43610f9e9b477"
 dependencies = [
  "cfg_aliases",
  "httpdate",
@@ -3390,9 +3400,9 @@ dependencies = [
 
 [[package]]
 name = "serde_with"
-version = "3.19.0"
+version = "3.18.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f05839ce67618e14a09b286535c0d9c94e85ef25469b0e13cb4f844e5593eb19"
+checksum = "dd5414fad8e6907dbdd5bc441a50ae8d6e26151a03b1de04d89a5576de61d01f"
 dependencies = [
  "base64 0.22.1",
  "chrono",
@@ -3924,9 +3934,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
-version = "1.52.3"
+version = "1.52.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8fc7f01b389ac15039e4dc9531aa973a135d7a4135281b12d7c1bc79fd57fffe"
+checksum = "b67dee974fe86fd92cc45b7a95fdd2f99a36a6d7b0d431a231178d3d670bbcc6"
 dependencies = [
  "bytes",
  "libc",
@@ -4072,21 +4082,21 @@ dependencies = [
 
 [[package]]
 name = "tower-http"
-version = "0.6.10"
+version = "0.6.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "68d6fdd9f81c2819c9a8b0e0cd91660e7746a8e6ea2ba7c6b2b057985f6bcb51"
+checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
 dependencies = [
  "bitflags 2.11.0",
  "bytes",
  "futures-util",
  "http",
  "http-body",
+ "iri-string",
  "pin-project-lite",
  "tokio",
  "tower",
  "tower-layer",
  "tower-service",
- "url",
 ]
 
 [[package]]

Cargo.toml

@@ -8,7 +8,7 @@ members = [
 resolver = "3"
 
 [workspace.package]
-version = "2026.8.0-rc1"
+version = "2026.5.0-rc1"
 authors = ["authentik Team <hello@goauthentik.io>"]
 description = "Making authentication simple."
 edition = "2024"
@@ -67,7 +67,7 @@ reqwest-middleware = { version = "= 0.5.1", features = [
   "rustls",
 ] }
 rustls = { version = "= 0.23.40", features = ["fips"] }
-sentry = { version = "= 0.48.1", default-features = false, features = [
+sentry = { version = "= 0.48.0", default-features = false, features = [
   "backtrace",
   "contexts",
   "debug-images",
@@ -80,7 +80,7 @@ sentry = { version = "= 0.48.1", default-features = false, features = [
 serde = { version = "= 1.0.228", features = ["derive"] }
 serde_json = "= 1.0.149"
 serde_repr = "= 0.1.20"
-serde_with = { version = "= 3.19.0", default-features = false, features = [
+serde_with = { version = "= 3.18.0", default-features = false, features = [
   "base64",
 ] }
 sqlx = { version = "= 0.8.6", default-features = false, features = [
@@ -97,12 +97,12 @@ sqlx = { version = "= 0.8.6", default-features = false, features = [
 tempfile = "= 3.27.0"
 thiserror = "= 2.0.18"
 time = { version = "= 0.3.47", features = ["macros"] }
-tokio = { version = "= 1.52.3", features = ["full", "tracing"] }
+tokio = { version = "= 1.52.1", features = ["full", "tracing"] }
 tokio-retry2 = "= 0.9.1"
 tokio-rustls = "= 0.26.4"
 tokio-util = { version = "= 0.7.18", features = ["full"] }
 tower = "= 0.5.3"
-tower-http = { version = "= 0.6.10", features = ["timeout"] }
+tower-http = { version = "= 0.6.8", features = ["timeout"] }
 tracing = "= 0.1.44"
 tracing-error = "= 0.2.1"
 tracing-subscriber = { version = "= 0.3.23", features = [
@@ -115,9 +115,9 @@ url = "= 2.5.8"
 uuid = { version = "= 1.23.1", features = ["serde", "v4"] }
 which = "= 8.0.2"
 
-ak-axum = { package = "authentik-axum", version = "2026.8.0-rc1", path = "./packages/ak-axum" }
-ak-client = { package = "authentik-client", version = "2026.8.0-rc1", path = "./packages/client-rust" }
-ak-common = { package = "authentik-common", version = "2026.8.0-rc1", path = "./packages/ak-common", default-features = false }
+ak-axum = { package = "authentik-axum", version = "2026.5.0-rc1", path = "./packages/ak-axum" }
+ak-client = { package = "authentik-client", version = "2026.5.0-rc1", path = "./packages/client-rust" }
+ak-common = { package = "authentik-common", version = "2026.5.0-rc1", path = "./packages/ak-common", default-features = false }
 
 [workspace.lints.rust]
 ambiguous_negative_literals = "warn"

Makefile

@@ -125,7 +125,7 @@ core-i18n-extract:
 		--ignore website \
 		-l en
 
-install: node-install web-install core-install  ## Install all requires dependencies for `node`, `web` and `core`
+install: node-install docs-install core-install  ## Install all requires dependencies for `node`, `docs` and `core`
 
 dev-drop-db:
 	$(eval pg_user := $(shell $(UV) run python -m authentik.lib.config postgresql.user 2>/dev/null))
@@ -160,7 +160,7 @@ endif
 	$(eval current_version := $(shell cat ${PWD}/internal/constants/VERSION))
 	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' ${PWD}/pyproject.toml
 	$(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' ${PWD}/authentik/__init__.py
-	$(SED_INPLACE) "s/version = \"${current_version}\"/version = \"$(version)\"/" ${PWD}/Cargo.toml ${PWD}/Cargo.lock
+	$(SED_INPLACE) "s/version = \"${current_version}\"/version = \"$(version)\"" ${PWD}/Cargo.toml ${PWD}/Cargo.lock
 	$(MAKE) gen-build gen-compose aws-cfn
 	$(SED_INPLACE) "s/\"${current_version}\"/\"$(version)\"/" ${PWD}/package.json ${PWD}/package-lock.json ${PWD}/web/package.json ${PWD}/web/package-lock.json
 	echo -n $(version) > ${PWD}/internal/constants/VERSION
@@ -228,26 +228,14 @@ gen-dev-config:  ## Generate a local development config file
 ## Node.js
 #########################
 
-# Packages whose install/postinstall scripts are required for correct
-# operation (binary downloads, native bindings). The root .npmrc sets
-# `ignore-scripts=true` to block dependency lifecycle scripts by default;
-# this list is rebuilt explicitly with scripts re-enabled. Audit any
-# additions: each entry runs arbitrary code at install time.
-TRUSTED_INSTALL_SCRIPTS := esbuild chromedriver tree-sitter tree-sitter-json
-
 node-install:  ## Install the necessary libraries to build Node.js packages
 	npm ci
+	npm ci --prefix web
 
 #########################
 ## Web
 #########################
 
-web-install: ## Install the necessary libraries to build the Authentik UI
-	npm ci --prefix web
-
-web-postinstall:  ## Trigger postinstall scripts for packages with native bindings or binary downloads, which are blocked by default for security reasons.
-	npm rebuild --prefix web --ignore-scripts=false --foreground-scripts $(TRUSTED_INSTALL_SCRIPTS)
-
 web-build: node-install  ## Build the Authentik UI
 	npm run --prefix web build
 
@@ -280,7 +268,7 @@ web-i18n-extract:
 
 docs: docs-lint-fix docs-build  ## Automatically fix formatting issues in the Authentik docs source code, lint the code, and compile it
 
-docs-install: node-install
+docs-install:
 	npm ci --prefix website
 
 docs-lint-fix: lint-spellcheck

authentik/__init__.py

@@ -3,7 +3,7 @@
 from functools import lru_cache
 from os import environ
 
-VERSION = "2026.8.0-rc1"
+VERSION = "2026.5.0-rc1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/api/authentication.py

@@ -42,29 +42,11 @@ def validate_auth(header: bytes, format="bearer") -> str | None:
     return auth_credentials
 
 
-class VirtualUser(AnonymousUser):
-    is_active = True
-
-    @property
-    def type(self):
-        return UserTypes.INTERNAL_SERVICE_ACCOUNT
-
-    @property
-    def is_anonymous(self):
-        return False
-
-    @property
-    def is_authenticated(self):
-        return True
-
-    def all_roles(self):
-        return []
-
-
-class IPCUser(VirtualUser):
+class IPCUser(AnonymousUser):
     """'Virtual' user for IPC communication between authentik core and the authentik router"""
 
     username = "authentik:system"
+    is_active = True
     is_superuser = True
 
     @property
@@ -80,6 +62,17 @@ class IPCUser(VirtualUser):
     def has_module_perms(self, module):
         return True
 
+    @property
+    def is_anonymous(self):
+        return False
+
+    @property
+    def is_authenticated(self):
+        return True
+
+    def all_roles(self):
+        return []
+
 
 class TokenAuthentication(BaseAuthentication):
     """Token-based authentication using HTTP Bearer authentication"""

authentik/blueprints/api.py

@@ -217,7 +217,10 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
 
     @extend_schema(
         request={"multipart/form-data": BlueprintUploadSerializer},
-        responses={200: BlueprintImportResultSerializer},
+        responses={
+            204: BlueprintImportResultSerializer,
+            400: BlueprintImportResultSerializer,
+        },
     )
     @action(url_path="import", detail=False, methods=["POST"], parser_classes=(MultiPartParser,))
     @validate(
@@ -244,13 +247,21 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
 
         import_response = self.BlueprintImportResultSerializer(
             data={
-                "logs": [LogEventSerializer(log).data for log in logs],
-                "success": valid,
+                "logs": [],
+                "success": False,
             }
         )
         import_response.is_valid(raise_exception=True)
 
-        if valid:
-            import_response.initial_data["success"] = importer.apply()
-            import_response.is_valid()
+        import_response.initial_data["logs"] = [LogEventSerializer(log).data for log in logs]
+        import_response.initial_data["success"] = valid
+        import_response.is_valid()
+        if not valid:
+            return Response(data=import_response.initial_data, status=200)
+
+        successful = importer.apply()
+        import_response.initial_data["success"] = successful
+        import_response.is_valid()
+        if not successful:
+            return Response(data=import_response.initial_data, status=200)
         return Response(data=import_response.initial_data, status=200)

authentik/blueprints/tests/test_v1_api.py

@@ -3,7 +3,6 @@
 from json import dumps, loads
 from tempfile import NamedTemporaryFile, mkdtemp
 
-from django.core.files.uploadedfile import SimpleUploadedFile
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from yaml import dump
@@ -142,20 +141,6 @@ class TestBlueprintsV1API(APITestCase):
             )
         self.assertEqual(res.status_code, 200)
 
-    def test_api_import_invalid_blueprint_returns_result_payload(self):
-        """Invalid blueprint content returns a result payload instead of a 400 response."""
-        file = SimpleUploadedFile("invalid-blueprint.yaml", b'{"version": 3}')
-
-        res = self.client.post(
-            reverse("authentik_api:blueprintinstance-import-"),
-            data={"file": file},
-            format="multipart",
-        )
-
-        self.assertEqual(res.status_code, 200)
-        self.assertFalse(res.json()["success"])
-        self.assertGreater(len(res.json()["logs"]), 0)
-
     def test_api_import_unknown_path(self):
         """Path not in available blueprints is rejected (covers api.py:56)."""
         res = self.client.post(

authentik/core/api/groups.py

@@ -246,25 +246,6 @@ class GroupSerializer(ModelSerializer):
                 )
         return superuser
 
-    def validate_users(self, users: list) -> list:
-        """Require add_user_to_group permission when adding new members via group PATCH."""
-        request: Request = self.context.get("request", None)
-        if not request:
-            return users
-        if not self.instance:
-            return users
-        # BulkManyRelatedField returns raw PKs, not model instances
-        current_user_pks = set(self.instance.users.values_list("pk", flat=True))
-        new_users = [u for u in users if u not in current_user_pks]
-        if not new_users:
-            return users
-        has_perm = request.user.has_perm(
-            "authentik_core.add_user_to_group"
-        ) or request.user.has_perm("authentik_core.add_user_to_group", self.instance)
-        if not has_perm:
-            raise ValidationError(_("User does not have permission to add members to this group."))
-        return users
-
     class Meta:
         model = Group
         fields = [

authentik/core/api/users.py

@@ -297,36 +297,6 @@ class UserSerializer(ModelSerializer):
             raise ValidationError(_("Setting a user to internal service account is not allowed."))
         return user_type
 
-    def validate_groups(self, groups: list) -> list:
-        """Require enable_group_superuser permission when adding a user to a superuser group."""
-        request: Request = self.context.get("request", None)
-        if not request:
-            return groups
-        current_groups = set(self.instance.groups.all()) if self.instance else set()
-        for group in groups:
-            if not group.is_superuser:
-                continue
-            if group in current_groups:
-                continue
-            if not request.user.has_perm("authentik_core.enable_group_superuser"):
-                raise ValidationError(
-                    _("User does not have permission to add members to a superuser group.")
-                )
-        return groups
-
-    def validate_roles(self, roles: list) -> list:
-        """Require change_role permission when assigning new roles to a user."""
-        request: Request = self.context.get("request", None)
-        if not request:
-            return roles
-        current_roles = set(self.instance.roles.all()) if self.instance else set()
-        new_roles = [r for r in roles if r not in current_roles]
-        if not new_roles:
-            return roles
-        if not request.user.has_perm("authentik_rbac.change_role"):
-            raise ValidationError(_("User does not have permission to assign roles."))
-        return roles
-
     def validate(self, attrs: dict) -> dict:
         if self.instance and self.instance.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
             raise ValidationError(_("Can't modify internal service account users"))

authentik/core/tests/test_groups_api.py

@@ -158,58 +158,3 @@ class TestGroupsAPI(APITestCase):
             data={"name": generate_id(), "is_superuser": True},
         )
         self.assertEqual(res.status_code, 201)
-
-    def test_patch_users_no_perm(self):
-        """PATCH group with new users without add_user_to_group must be rejected."""
-        group = Group.objects.create(name=generate_id())
-        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
-        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
-        self.client.force_login(self.login_user)
-        res = self.client.patch(
-            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
-            data={"users": [self.user.pk]},
-            content_type="application/json",
-        )
-        self.assertEqual(res.status_code, 400)
-
-    def test_patch_users_with_global_perm(self):
-        """PATCH group with new users with global add_user_to_group must succeed."""
-        group = Group.objects.create(name=generate_id())
-        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
-        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
-        self.login_user.assign_perms_to_managed_role("authentik_core.add_user_to_group")
-        self.client.force_login(self.login_user)
-        res = self.client.patch(
-            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
-            data={"users": [self.user.pk]},
-            content_type="application/json",
-        )
-        self.assertEqual(res.status_code, 200)
-
-    def test_patch_users_with_obj_perm(self):
-        """PATCH group with new users with object-level add_user_to_group must succeed."""
-        group = Group.objects.create(name=generate_id())
-        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
-        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
-        self.login_user.assign_perms_to_managed_role("authentik_core.add_user_to_group", group)
-        self.client.force_login(self.login_user)
-        res = self.client.patch(
-            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
-            data={"users": [self.user.pk]},
-            content_type="application/json",
-        )
-        self.assertEqual(res.status_code, 200)
-
-    def test_patch_existing_users_no_perm(self):
-        """PATCH group keeping existing membership without add_user_to_group must succeed."""
-        group = Group.objects.create(name=generate_id())
-        group.users.add(self.user)
-        self.login_user.assign_perms_to_managed_role("authentik_core.view_group", group)
-        self.login_user.assign_perms_to_managed_role("authentik_core.change_group", group)
-        self.client.force_login(self.login_user)
-        res = self.client.patch(
-            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
-            data={"users": [self.user.pk]},
-            content_type="application/json",
-        )
-        self.assertEqual(res.status_code, 200)

authentik/core/tests/test_users_api.py

@@ -12,7 +12,6 @@ from authentik.brands.models import Brand
 from authentik.core.models import (
     USER_ATTRIBUTE_TOKEN_EXPIRING,
     AuthenticatedSession,
-    Group,
     Session,
     Token,
     User,
@@ -26,7 +25,6 @@ from authentik.core.tests.utils import (
 )
 from authentik.flows.models import FlowAuthenticationRequirement, FlowDesignation
 from authentik.lib.generators import generate_id, generate_key
-from authentik.rbac.models import Role
 from authentik.stages.email.models import EmailStage
 
 INVALID_PASSWORD_HASH = "not-a-valid-hash"
@@ -941,79 +939,3 @@ class TestUsersAPI(APITestCase):
         self.assertIn(user2.pk, pks)
         # Verify user2 comes before user1 in descending order
         self.assertLess(pks.index(user2.pk), pks.index(user1.pk))
-
-
-class TestUsersAPIGroupRoleValidation(APITestCase):
-    """Test that PATCH /api/v3/core/users/{pk}/ enforces group and role permission checks."""
-
-    def setUp(self) -> None:
-        self.actor = create_test_user()
-        self.target = create_test_user()
-
-    def _patch(self, data: dict):
-        self.client.force_login(self.actor)
-        return self.client.patch(
-            reverse("authentik_api:user-detail", kwargs={"pk": self.target.pk}),
-            data=data,
-            content_type="application/json",
-        )
-
-    def test_patch_superuser_group_no_perm(self):
-        """Assigning a superuser group without enable_group_superuser must be rejected."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        group = Group.objects.create(name=generate_id(), is_superuser=True)
-        res = self._patch({"groups": [str(group.pk)]})
-        self.assertEqual(res.status_code, 400)
-
-    def test_patch_superuser_group_with_perm(self):
-        """Assigning a superuser group with enable_group_superuser must succeed."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        self.actor.assign_perms_to_managed_role("authentik_core.enable_group_superuser")
-        group = Group.objects.create(name=generate_id(), is_superuser=True)
-        res = self._patch({"groups": [str(group.pk)]})
-        self.assertEqual(res.status_code, 200)
-
-    def test_patch_non_superuser_group_no_perm(self):
-        """Assigning a non-superuser group without special permission must succeed."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        group = Group.objects.create(name=generate_id(), is_superuser=False)
-        res = self._patch({"groups": [str(group.pk)]})
-        self.assertEqual(res.status_code, 200)
-
-    def test_patch_existing_superuser_group_no_perm(self):
-        """Keeping an existing superuser group membership without the permission must succeed."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        group = Group.objects.create(name=generate_id(), is_superuser=True)
-        self.target.groups.add(group)
-        res = self._patch({"groups": [str(group.pk)]})
-        self.assertEqual(res.status_code, 200)
-
-    def test_patch_role_no_perm(self):
-        """Assigning a new role without change_role must be rejected."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        role = Role.objects.create(name=generate_id())
-        res = self._patch({"roles": [str(role.pk)]})
-        self.assertEqual(res.status_code, 400)
-
-    def test_patch_role_with_perm(self):
-        """Assigning a new role with change_role must succeed."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        self.actor.assign_perms_to_managed_role("authentik_rbac.change_role")
-        role = Role.objects.create(name=generate_id())
-        res = self._patch({"roles": [str(role.pk)]})
-        self.assertEqual(res.status_code, 200)
-
-    def test_patch_existing_role_no_perm(self):
-        """Keeping an existing role without change_role must succeed."""
-        self.actor.assign_perms_to_managed_role("authentik_core.view_user")
-        self.actor.assign_perms_to_managed_role("authentik_core.change_user", self.target)
-        role = Role.objects.create(name=generate_id())
-        self.target.roles.add(role)
-        res = self._patch({"roles": [str(role.pk)]})
-        self.assertEqual(res.status_code, 200)

authentik/endpoints/connectors/agent/api/connectors.py

@@ -7,7 +7,7 @@ from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_sche
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.fields import ChoiceField
-from rest_framework.permissions import AllowAny, IsAuthenticated
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -44,6 +44,7 @@ from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_ME
 
 
 class AgentConnectorSerializer(ConnectorSerializer):
+
     class Meta(ConnectorSerializer.Meta):
         model = AgentConnector
         fields = ConnectorSerializer.Meta.fields + [
@@ -62,6 +63,7 @@ class AgentConnectorSerializer(ConnectorSerializer):
 
 
 class MDMConfigSerializer(PassiveSerializer):
+
     platform = ChoiceField(choices=OSFamily.choices)
     enrollment_token = PrimaryKeyRelatedField(
         queryset=EnrollmentToken.objects.including_expired().all()
@@ -87,6 +89,7 @@ class AgentConnectorViewSet(
     UsedByMixin,
     ModelViewSet,
 ):
+
     queryset = AgentConnector.objects.all()
     serializer_class = AgentConnectorSerializer
     search_fields = ["name"]
@@ -118,8 +121,6 @@ class AgentConnectorViewSet(
         methods=["POST"],
         detail=False,
         authentication_classes=[AgentEnrollmentAuth],
-        # Permissions are handled via AgentEnrollmentAuth
-        permission_classes=[AllowAny],
     )
     def enroll(self, request: Request):
         token: EnrollmentToken = request.auth
@@ -150,13 +151,7 @@ class AgentConnectorViewSet(
         request=OpenApiTypes.NONE,
         responses=AgentConfigSerializer(),
     )
-    @action(
-        methods=["GET"],
-        detail=False,
-        authentication_classes=[AgentAuth],
-        # Permissions are handled via AgentAuth
-        permission_classes=[AllowAny],
-    )
+    @action(methods=["GET"], detail=False, authentication_classes=[AgentAuth])
     def agent_config(self, request: Request):
         token: DeviceToken = request.auth
         connector: AgentConnector = token.device.connector.agentconnector
@@ -170,13 +165,7 @@ class AgentConnectorViewSet(
         request=DeviceFacts(),
         responses={204: OpenApiResponse(description="Successfully checked in")},
     )
-    @action(
-        methods=["POST"],
-        detail=False,
-        authentication_classes=[AgentAuth],
-        # Permissions are handled via AgentAuth
-        permission_classes=[AllowAny],
-    )
+    @action(methods=["POST"], detail=False, authentication_classes=[AgentAuth])
     def check_in(self, request: Request):
         token: DeviceToken = request.auth
         data = DeviceFacts(data=request.data)

authentik/endpoints/connectors/agent/auth.py

@@ -1,6 +1,5 @@
 from typing import Any
 
-from django.db.models import Model
 from django.http import HttpRequest
 from django.utils.timezone import now
 from drf_spectacular.extensions import OpenApiAuthenticationExtension
@@ -10,7 +9,7 @@ from rest_framework.exceptions import PermissionDenied
 from rest_framework.request import Request
 from structlog.stdlib import get_logger
 
-from authentik.api.authentication import VirtualUser, validate_auth
+from authentik.api.authentication import IPCUser, validate_auth
 from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import User
 from authentik.crypto.apps import MANAGED_KEY
@@ -26,18 +25,9 @@ LOGGER = get_logger()
 PLATFORM_ISSUER = "goauthentik.io/platform"
 
 
-class DeviceUser(VirtualUser):
-
+class DeviceUser(IPCUser):
     username = "authentik:endpoints:device"
 
-    def has_perm(self, perm: str, obj: Model | None = None) -> bool:
-        if perm in [
-            "authentik_core.view_user",
-            "authentik_core.view_group",
-        ]:
-            return True
-        return False
-
 
 class AgentEnrollmentAuth(BaseAuthentication):
 

authentik/endpoints/connectors/agent/tests/test_agent_api.py

@@ -223,17 +223,3 @@ class TestAgentAPI(APITestCase):
             data={"platform": OSFamily.macOS, "enrollment_token": self.token.pk},
         )
         self.assertEqual(res.status_code, 200)
-
-    def test_users_list(self):
-        response = self.client.get(
-            reverse("authentik_api:user-list"),
-            HTTP_AUTHORIZATION=f"Bearer+agent {self.device_token.key}",
-        )
-        self.assertEqual(response.status_code, 200)
-
-    def test_other_api_forbidden(self):
-        response = self.client.get(
-            reverse("authentik_api:application-list"),
-            HTTP_AUTHORIZATION=f"Bearer+agent {self.device_token.key}",
-        )
-        self.assertEqual(response.status_code, 403)

authentik/enterprise/endpoints/connectors/agent/api/connectors.py

@@ -2,7 +2,6 @@ from django.urls import reverse
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
-from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
 from structlog.stdlib import get_logger
@@ -26,13 +25,7 @@ class AgentConnectorViewSetMixin:
         request=OpenApiTypes.NONE,
         responses=AgentAuthenticationResponse(),
     )
-    @action(
-        methods=["POST"],
-        detail=False,
-        authentication_classes=[AgentAuth],
-        # Permissions are handled via AgentAuth
-        permission_classes=[AllowAny],
-    )
+    @action(methods=["POST"], detail=False, authentication_classes=[AgentAuth])
     @enterprise_action
     def auth_ia(self, request: Request) -> Response:
         token: DeviceToken = request.auth

authentik/enterprise/providers/ws_federation/processors/sign_in.py

@@ -1,5 +1,4 @@
 from dataclasses import dataclass
-from urllib.parse import urlparse
 
 from django.http import HttpRequest
 from django.shortcuts import get_object_or_404
@@ -56,9 +55,7 @@ class SignInRequest:
         _, provider = req.get_app_provider()
         if not req.wreply:
             req.wreply = provider.acs_url
-        reply = urlparse(req.wreply)
-        configured = urlparse(provider.acs_url)
-        if not (reply[:2] == configured[:2] and reply.path.startswith(configured.path)):
+        if not req.wreply.startswith(provider.acs_url):
             raise ValueError("Invalid wreply")
         return req
 

authentik/enterprise/providers/ws_federation/processors/sign_out.py

@@ -1,5 +1,4 @@
 from dataclasses import dataclass
-from urllib.parse import urlparse
 
 from django.http import HttpRequest
 from django.shortcuts import get_object_or_404
@@ -33,9 +32,7 @@ class SignOutRequest:
         _, provider = req.get_app_provider()
         if not req.wreply:
             req.wreply = provider.acs_url
-        reply = urlparse(req.wreply)
-        configured = urlparse(provider.acs_url)
-        if not (reply[:2] == configured[:2] and reply.path.startswith(configured.path)):
+        if not req.wreply.startswith(provider.acs_url):
             raise ValueError("Invalid wreply")
         return req
 

authentik/enterprise/providers/ws_federation/tests/test_sign_in.py

@@ -27,27 +27,12 @@ class TestWSFedSignIn(TestCase):
             name=generate_id(),
             authorization_flow=self.flow,
             signing_kp=self.cert,
-            acs_url="https://t.goauthentik.io",
-            audience="foo",
         )
         self.app = Application.objects.create(
             name=generate_id(), slug=generate_id(), provider=self.provider
         )
         self.factory = RequestFactory()
 
-    def test_wreply(self):
-        request = self.factory.get(
-            "/?wreply=https://t.goauthentik.io/foo&wa=wsignin1.0&wtrealm=foo",
-            user=get_anonymous_user(),
-        )
-        SignInRequest.parse(request)
-        with self.assertRaises(ValueError):
-            request = self.factory.get(
-                "/?wreply=https://t.goauthentik.io.invalid.com&wa=wsignin1.0&wtrealm=foo",
-                user=get_anonymous_user(),
-            )
-            SignInRequest.parse(request)
-
     def test_token_gen(self):
         request = self.factory.get("/", user=get_anonymous_user())
         proc = SignInProcessor(

authentik/events/api/notification_rules.py

@@ -11,9 +11,7 @@ from authentik.events.models import NotificationRule
 class NotificationRuleSerializer(ModelSerializer):
     """NotificationRule Serializer"""
 
-    destination_group_obj = GroupSerializer(
-        read_only=True, source="destination_group", required=False, allow_null=True
-    )
+    destination_group_obj = GroupSerializer(read_only=True, source="destination_group")
 
     class Meta:
         model = NotificationRule

authentik/providers/oauth2/api/tokens.py

@@ -9,10 +9,10 @@ from rest_framework.fields import CharField, ListField, SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.viewsets import GenericViewSet
 
-from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
+from authentik.providers.oauth2.api.providers import OAuth2ProviderSerializer
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 
 
@@ -20,7 +20,7 @@ class ExpiringBaseGrantModelSerializer(ModelSerializer, MetaNameSerializer):
     """Serializer for BaseGrantModel and ExpiringBaseGrant"""
 
     user = UserSerializer()
-    provider = ProviderSerializer()
+    provider = OAuth2ProviderSerializer()
     scope = ListField(child=CharField())
 
     class Meta:

authentik/providers/saml/api/providers.py

@@ -61,11 +61,6 @@ class SAMLProviderSerializer(ProviderSerializer):
     url_download_metadata = SerializerMethodField()
     url_issuer = SerializerMethodField()
 
-    # Unified SAML endpoint (primary)
-    url_unified = SerializerMethodField()
-    url_unified_init = SerializerMethodField()
-
-    # Legacy endpoints (for backward compatibility)
     url_sso_post = SerializerMethodField()
     url_sso_redirect = SerializerMethodField()
     url_sso_init = SerializerMethodField()
@@ -102,21 +97,6 @@ class SAMLProviderSerializer(ProviderSerializer):
         if "request" not in self._context:
             return DEFAULT_ISSUER
         request: HttpRequest = self._context["request"]._request
-        try:
-            return request.build_absolute_uri(
-                reverse(
-                    "authentik_providers_saml:metadata-download",
-                    kwargs={"application_slug": instance.application.slug},
-                )
-            )
-        except Provider.application.RelatedObjectDoesNotExist:
-            return DEFAULT_ISSUER
-
-    def get_url_unified(self, instance: SAMLProvider) -> str:
-        """Get unified SAML endpoint URL (handles SSO and SLO)"""
-        if "request" not in self._context:
-            return ""
-        request: HttpRequest = self._context["request"]._request
         try:
             return request.build_absolute_uri(
                 reverse(
@@ -125,22 +105,7 @@ class SAMLProviderSerializer(ProviderSerializer):
                 )
             )
         except Provider.application.RelatedObjectDoesNotExist:
-            return "-"
-
-    def get_url_unified_init(self, instance: SAMLProvider) -> str:
-        """Get IdP-initiated SAML URL"""
-        if "request" not in self._context:
-            return ""
-        request: HttpRequest = self._context["request"]._request
-        try:
-            return request.build_absolute_uri(
-                reverse(
-                    "authentik_providers_saml:init",
-                    kwargs={"application_slug": instance.application.slug},
-                )
-            )
-        except Provider.application.RelatedObjectDoesNotExist:
-            return "-"
+            return DEFAULT_ISSUER
 
     def get_url_sso_post(self, instance: SAMLProvider) -> str:
         """Get SSO Post URL"""
@@ -278,8 +243,6 @@ class SAMLProviderSerializer(ProviderSerializer):
             "default_name_id_policy",
             "url_download_metadata",
             "url_issuer",
-            "url_unified",
-            "url_unified_init",
             "url_sso_post",
             "url_sso_redirect",
             "url_sso_init",

authentik/providers/saml/models.py

@@ -241,7 +241,7 @@ class SAMLProvider(Provider):
         """Use IDP-Initiated SAML flow as launch URL"""
         try:
             return reverse(
-                "authentik_providers_saml:init",
+                "authentik_providers_saml:sso-init",
                 kwargs={"application_slug": self.application.slug},
             )
         except Provider.application.RelatedObjectDoesNotExist:

authentik/providers/saml/processors/assertion.py

@@ -147,7 +147,7 @@ class AssertionProcessor:
 
         return self.http_request.build_absolute_uri(
             reverse(
-                "authentik_providers_saml:metadata-download",
+                "authentik_providers_saml:base",
                 kwargs={"application_slug": self.provider.application.slug},
             )
         )

authentik/providers/saml/processors/metadata.py

@@ -48,7 +48,7 @@ class MetadataProcessor:
 
         return self.http_request.build_absolute_uri(
             reverse(
-                "authentik_providers_saml:metadata-download",
+                "authentik_providers_saml:base",
                 kwargs={"application_slug": self.provider.application.slug},
             )
         )
@@ -81,35 +81,54 @@ class MetadataProcessor:
             element.text = name_id_format
             yield element
 
-    def _get_unified_url(self) -> str:
-        """Get the unified SAML endpoint URL"""
-        return self.http_request.build_absolute_uri(
-            reverse(
-                "authentik_providers_saml:base",
-                kwargs={"application_slug": self.provider.application.slug},
-            )
-        )
-
     def get_sso_bindings(self) -> Iterator[Element]:
-        """Get all SSO Bindings - both point to unified endpoint"""
-        unified_url = self._get_unified_url()
-        for binding in [SAML_BINDING_REDIRECT, SAML_BINDING_POST]:
+        """Get all Bindings supported"""
+        binding_url_map = {
+            (SAML_BINDING_REDIRECT, "SingleSignOnService"): self.http_request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_saml:sso-redirect",
+                    kwargs={"application_slug": self.provider.application.slug},
+                )
+            ),
+            (SAML_BINDING_POST, "SingleSignOnService"): self.http_request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_saml:sso-post",
+                    kwargs={"application_slug": self.provider.application.slug},
+                )
+            ),
+        }
+        for binding_svc, url in binding_url_map.items():
+            binding, svc = binding_svc
             if self.force_binding and self.force_binding != binding:
                 continue
-            element = Element(f"{{{NS_SAML_METADATA}}}SingleSignOnService")
+            element = Element(f"{{{NS_SAML_METADATA}}}{svc}")
             element.attrib["Binding"] = binding
-            element.attrib["Location"] = unified_url
+            element.attrib["Location"] = url
             yield element
 
     def get_slo_bindings(self) -> Iterator[Element]:
-        """Get all SLO Bindings - both point to unified endpoint"""
-        unified_url = self._get_unified_url()
-        for binding in [SAML_BINDING_REDIRECT, SAML_BINDING_POST]:
+        """Get all Bindings supported"""
+        binding_url_map = {
+            (SAML_BINDING_REDIRECT, "SingleLogoutService"): self.http_request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_saml:slo-redirect",
+                    kwargs={"application_slug": self.provider.application.slug},
+                )
+            ),
+            (SAML_BINDING_POST, "SingleLogoutService"): self.http_request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_saml:slo-post",
+                    kwargs={"application_slug": self.provider.application.slug},
+                )
+            ),
+        }
+        for binding_svc, url in binding_url_map.items():
+            binding, svc = binding_svc
             if self.force_binding and self.force_binding != binding:
                 continue
-            element = Element(f"{{{NS_SAML_METADATA}}}SingleLogoutService")
+            element = Element(f"{{{NS_SAML_METADATA}}}{svc}")
             element.attrib["Binding"] = binding
-            element.attrib["Location"] = unified_url
+            element.attrib["Location"] = url
             yield element
 
     def _prepare_signature(self, entity_descriptor: _Element):

authentik/providers/saml/urls.py

@@ -4,26 +4,19 @@ from django.urls import path
 
 from authentik.providers.saml.api.property_mappings import SAMLPropertyMappingViewSet
 from authentik.providers.saml.api.providers import SAMLProviderViewSet
-from authentik.providers.saml.views import metadata, sso, unified
+from authentik.providers.saml.views import metadata, sso
 from authentik.providers.saml.views.sp_slo import (
     SPInitiatedSLOBindingPOSTView,
     SPInitiatedSLOBindingRedirectView,
 )
 
 urlpatterns = [
-    # Unified Endpoint - handles SSO and SLO based on message type
+    # Base path for Issuer/Entity ID
     path(
         "<slug:application_slug>/",
-        unified.SAMLUnifiedView.as_view(),
+        sso.SAMLSSOBindingRedirectView.as_view(),
         name="base",
     ),
-    # IdP-initiated
-    path(
-        "<slug:application_slug>/init/",
-        sso.SAMLSSOBindingInitView.as_view(),
-        name="init",
-    ),
-    # LEGACY Endpoints (backward compatibility)
     # SSO Bindings
     path(
         "<slug:application_slug>/sso/binding/redirect/",

authentik/providers/saml/views/unified.py

@@ -1,118 +0,0 @@
-"""Unified SAML endpoint - handles SSO and SLO based on message type"""
-
-from base64 import b64decode
-
-from defusedxml.lxml import fromstring
-from django.http import HttpRequest, HttpResponse
-from django.utils.decorators import method_decorator
-from django.views import View
-from django.views.decorators.clickjacking import xframe_options_sameorigin
-from django.views.decorators.csrf import csrf_exempt
-from structlog.stdlib import get_logger
-
-from authentik.common.saml.constants import NS_MAP
-from authentik.flows.views.executor import SESSION_KEY_POST
-from authentik.lib.views import bad_request_message
-from authentik.providers.saml.utils.encoding import decode_base64_and_inflate
-from authentik.providers.saml.views.flows import (
-    REQUEST_KEY_SAML_REQUEST,
-    REQUEST_KEY_SAML_RESPONSE,
-)
-from authentik.providers.saml.views.sp_slo import (
-    SPInitiatedSLOBindingPOSTView,
-    SPInitiatedSLOBindingRedirectView,
-)
-from authentik.providers.saml.views.sso import (
-    SAMLSSOBindingPOSTView,
-    SAMLSSOBindingRedirectView,
-)
-
-LOGGER = get_logger()
-
-# SAML message type constants
-SAML_MESSAGE_TYPE_AUTHN_REQUEST = "AuthnRequest"
-SAML_MESSAGE_TYPE_LOGOUT_REQUEST = "LogoutRequest"
-
-
-def detect_saml_message_type(saml_request: str, is_post_binding: bool) -> str | None:
-    """Parse SAML request to determine if AuthnRequest or LogoutRequest."""
-    try:
-        if is_post_binding:
-            decoded_xml = b64decode(saml_request.encode())
-        else:
-            decoded_xml = decode_base64_and_inflate(saml_request)
-
-        root = fromstring(decoded_xml)
-        if len(root.xpath("//samlp:AuthnRequest", namespaces=NS_MAP)):
-            return SAML_MESSAGE_TYPE_AUTHN_REQUEST
-        if len(root.xpath("//samlp:LogoutRequest", namespaces=NS_MAP)):
-            return SAML_MESSAGE_TYPE_LOGOUT_REQUEST
-        return None
-    except Exception:  # noqa: BLE001
-        return None
-
-
-@method_decorator(xframe_options_sameorigin, name="dispatch")
-@method_decorator(csrf_exempt, name="dispatch")
-class SAMLUnifiedView(View):
-    """Unified SAML endpoint - handles SSO and SLO based on message type.
-
-    The operation type is determined by parsing
-    the incoming SAML message:
-    - AuthnRequest -> SSO flow (delegates to SAMLSSOBindingRedirectView/POSTView)
-    - LogoutRequest -> SLO flow (delegates to SPInitiatedSLOBindingRedirectView/POSTView)
-    - LogoutResponse -> SLO completion (delegates to SPInitiatedSLOBindingRedirectView/POSTView)
-    """
-
-    def dispatch(self, request: HttpRequest, application_slug: str) -> HttpResponse:
-        """Route the request based on SAML message type."""
-        # ak user was not logged in, redirected to login, and is back w POST payload in session
-        if SESSION_KEY_POST in request.session:
-            return self._delegate_to_sso(request, application_slug, is_post_binding=True)
-
-        # Determine binding from HTTP method
-        is_post_binding = request.method == "POST"
-        data = request.POST if is_post_binding else request.GET
-
-        # LogoutResponse - delegate to SLO view (handles it in dispatch)
-        if REQUEST_KEY_SAML_RESPONSE in data:
-            return self._delegate_to_slo(request, application_slug, is_post_binding)
-
-        # Check for SAML request
-        if REQUEST_KEY_SAML_REQUEST not in data:
-            LOGGER.info("SAML payload missing")
-            return bad_request_message(request, "The SAML request payload is missing.")
-
-        # Detect message type and delegate
-        saml_request = data[REQUEST_KEY_SAML_REQUEST]
-        message_type = detect_saml_message_type(saml_request, is_post_binding)
-
-        if message_type == SAML_MESSAGE_TYPE_AUTHN_REQUEST:
-            return self._delegate_to_sso(request, application_slug, is_post_binding)
-        elif message_type == SAML_MESSAGE_TYPE_LOGOUT_REQUEST:
-            return self._delegate_to_slo(request, application_slug, is_post_binding)
-        else:
-            LOGGER.warning("Unknown SAML message type", message_type=message_type)
-            return bad_request_message(
-                request, f"Unsupported SAML message type: {message_type or 'unknown'}"
-            )
-
-    def _delegate_to_sso(
-        self, request: HttpRequest, application_slug: str, is_post_binding: bool
-    ) -> HttpResponse:
-        """Delegate to the appropriate SSO view."""
-        if is_post_binding:
-            view = SAMLSSOBindingPOSTView.as_view()
-        else:
-            view = SAMLSSOBindingRedirectView.as_view()
-        return view(request, application_slug=application_slug)
-
-    def _delegate_to_slo(
-        self, request: HttpRequest, application_slug: str, is_post_binding: bool
-    ) -> HttpResponse:
-        """Delegate to the appropriate SLO view."""
-        if is_post_binding:
-            view = SPInitiatedSLOBindingPOSTView.as_view()
-        else:
-            view = SPInitiatedSLOBindingRedirectView.as_view()
-        return view(request, application_slug=application_slug)

authentik/sources/saml/processors/response.py

@@ -1,7 +1,6 @@
 """authentik saml source processor"""
 
 from base64 import b64decode
-from datetime import UTC, datetime
 from time import mktime
 from typing import TYPE_CHECKING
 
@@ -41,7 +40,6 @@ from authentik.sources.saml.exceptions import (
     InvalidSignature,
     MismatchedRequestID,
     MissingSAMLResponse,
-    SAMLException,
     UnsupportedNameIDFormat,
 )
 from authentik.sources.saml.models import (
@@ -97,7 +95,6 @@ class ResponseProcessor:
 
         self._verify_request_id()
         self._verify_status()
-        self._verify_conditions()
 
     def _decrypt_response(self):
         """Decrypt SAMLResponse EncryptedAssertion Element"""
@@ -129,20 +126,6 @@ class ResponseProcessor:
         )
         self._assertion = decrypted_assertion
 
-    def _verify_conditions(self):
-        conditions = self.get_assertion().find(f"{{{NS_SAML_ASSERTION}}}Conditions")
-        if conditions is None:
-            return
-        _now = now()
-        before = conditions.attrib.get("NotBefore")
-        if before:
-            if datetime.fromisoformat(before).replace(tzinfo=UTC) > _now:
-                raise SAMLException("Assertion is not valid yet or expired.")
-        on_or_after = conditions.attrib.get("NotOnOrAfter")
-        if on_or_after:
-            if datetime.fromisoformat(on_or_after).replace(tzinfo=UTC) < _now:
-                raise SAMLException("Assertion is not valid yet or expired.")
-
     def _verify_signature(self, signature_node: _Element):
         """Verify a single signature node"""
         xmlsec.tree.add_ids(self._root, ["ID"])
@@ -232,9 +215,10 @@ class ResponseProcessor:
         user has an attribute that refers to our Source for cleanup. The user is also deleted
         on logout and periodically."""
         # Create a temporary User
-        name_id_el, name_id = self._get_name_id()
+        name_id = self._get_name_id()
+        username = name_id.text
         # trim username to ensure it is max 150 chars
-        username = f"ak-{name_id[: USERNAME_MAX_LENGTH - 14]}-transient"
+        username = f"ak-{username[: USERNAME_MAX_LENGTH - 14]}-transient"
         expiry = mktime(
             (now() + timedelta_from_string(self._source.temporary_user_delete_after)).timetuple()
         )
@@ -250,18 +234,20 @@ class ResponseProcessor:
             },
             path=self._source.get_user_path(),
         )
-        LOGGER.debug("Created temporary user for NameID Transient", username=name_id)
+        LOGGER.debug("Created temporary user for NameID Transient", username=name_id.text)
         user.set_unusable_password()
         user.save()
-        UserSAMLSourceConnection.objects.create(source=self._source, user=user, identifier=name_id)
+        UserSAMLSourceConnection.objects.create(
+            source=self._source, user=user, identifier=name_id.text
+        )
         return SAMLSourceFlowManager(
             source=self._source,
             request=self._http_request,
-            identifier=str(name_id),
+            identifier=str(name_id.text),
             user_info={
                 "root": self._root,
                 "assertion": self.get_assertion(),
-                "name_id": name_id_el,
+                "name_id": name_id,
             },
             policy_context={},
         )
@@ -272,7 +258,7 @@ class ResponseProcessor:
             return self._assertion
         return self._root.find(f"{{{NS_SAML_ASSERTION}}}Assertion")
 
-    def _get_name_id(self) -> tuple[Element, str]:
+    def _get_name_id(self) -> Element:
         """Get NameID Element"""
         assertion = self.get_assertion()
         if assertion is None:
@@ -283,11 +269,12 @@ class ResponseProcessor:
         name_id = subject.find(f"{{{NS_SAML_ASSERTION}}}NameID")
         if name_id is None:
             raise ValueError("NameID element not found")
-        return name_id, "".join(name_id.itertext())
+        return name_id
 
     def _get_name_id_filter(self) -> dict[str, str]:
         """Returns the subject's NameID as a Filter for the `User`"""
-        name_id_el, name_id = self._get_name_id()
+        name_id_el = self._get_name_id()
+        name_id = name_id_el.text
         if not name_id:
             raise UnsupportedNameIDFormat("Subject's NameID is empty.")
         _format = name_id_el.attrib["Format"]
@@ -308,26 +295,26 @@ class ResponseProcessor:
 
     def prepare_flow_manager(self) -> SourceFlowManager:
         """Prepare flow plan depending on whether or not the user exists"""
-        name_id_el, name_id = self._get_name_id()
+        name_id = self._get_name_id()
         # Sanity check, show a warning if NameIDPolicy doesn't match what we go
-        if self._source.name_id_policy != name_id_el.attrib["Format"]:
+        if self._source.name_id_policy != name_id.attrib["Format"]:
             LOGGER.warning(
                 "NameID from IdP doesn't match our policy",
                 expected=self._source.name_id_policy,
-                got=name_id_el.attrib["Format"],
+                got=name_id.attrib["Format"],
             )
         # transient NameIDs are handled separately as they don't have to go through flows.
-        if name_id_el.attrib["Format"] == SAML_NAME_ID_FORMAT_TRANSIENT:
+        if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_TRANSIENT:
             return self._handle_name_id_transient()
 
         return SAMLSourceFlowManager(
             source=self._source,
             request=self._http_request,
-            identifier=str(name_id),
+            identifier=str(name_id.text),
             user_info={
                 "root": self._root,
                 "assertion": self.get_assertion(),
-                "name_id": name_id_el,
+                "name_id": name_id,
             },
             policy_context={
                 "saml_response": etree.tostring(self._root),

authentik/sources/saml/tests/test_property_mappings.py

@@ -4,7 +4,6 @@ from base64 import b64encode
 
 from defusedxml.lxml import fromstring
 from django.test import TestCase
-from freezegun import freeze_time
 
 from authentik.common.saml.constants import NS_SAML_ASSERTION
 from authentik.core.tests.utils import RequestFactory, create_test_flow
@@ -35,7 +34,6 @@ class TestPropertyMappings(TestCase):
             pre_authentication_flow=create_test_flow(),
         )
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_user_base_properties(self):
         """Test user base properties"""
         properties = self.source.get_base_user_properties(
@@ -63,7 +61,6 @@ class TestPropertyMappings(TestCase):
             properties = self.source.get_base_group_properties(root=ROOT, group_id=group_id)
             self.assertEqual(properties, {"name": group_id})
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_user_property_mappings(self):
         """Test user property mappings"""
         self.source.user_property_mappings.add(
@@ -97,7 +94,6 @@ class TestPropertyMappings(TestCase):
             },
         )
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_group_property_mappings(self):
         """Test group property mappings"""
         self.source.group_property_mappings.add(

authentik/sources/saml/tests/test_response.py

@@ -3,7 +3,6 @@
 from base64 import b64encode
 
 from django.test import TestCase
-from freezegun import freeze_time
 
 from authentik.core.tests.utils import RequestFactory, create_test_cert, create_test_flow
 from authentik.crypto.models import CertificateKeyPair
@@ -47,7 +46,6 @@ class TestResponseProcessor(TestCase):
         ):
             ResponseProcessor(self.source, request).parse()
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_success(self):
         """Test success"""
         request = self.factory.post(
@@ -74,7 +72,6 @@ class TestResponseProcessor(TestCase):
             },
         )
 
-    @freeze_time("2022-10-14T14:16:40Z")
     def test_success_with_status_message_and_detail(self):
         """Test success with StatusMessage and StatusDetail present (should not raise error)"""
         request = self.factory.post(
@@ -91,7 +88,6 @@ class TestResponseProcessor(TestCase):
         sfm = parser.prepare_flow_manager()
         self.assertEqual(sfm.user_properties["username"], "jens@goauthentik.io")
 
-    @freeze_time("2022-10-14T14:16:40Z")
     def test_error_with_message_and_detail(self):
         """Test error status with StatusMessage and StatusDetail includes both in error"""
         request = self.factory.post(
@@ -109,7 +105,6 @@ class TestResponseProcessor(TestCase):
         self.assertIn("User account is disabled", str(ctx.exception))
         self.assertIn("Authentication failed", str(ctx.exception))
 
-    @freeze_time("2024-08-07T15:48:09.325Z")
     def test_encrypted_correct(self):
         """Test encrypted"""
         key = load_fixture("fixtures/encrypted-key.pem")
@@ -147,7 +142,6 @@ class TestResponseProcessor(TestCase):
         with self.assertRaises(InvalidEncryption):
             parser.parse()
 
-    @freeze_time("2022-10-14T14:16:40Z")
     def test_verification_assertion(self):
         """Test verifying signature inside assertion"""
         key = load_fixture("fixtures/signature_cert.pem")
@@ -170,7 +164,6 @@ class TestResponseProcessor(TestCase):
         parser = ResponseProcessor(self.source, request)
         parser.parse()
 
-    @freeze_time("2014-07-17T01:02:18Z")
     def test_verification_assertion_duplicate(self):
         """Test verifying signature inside assertion, where the response has another assertion
         before our signed assertion"""
@@ -193,35 +186,9 @@ class TestResponseProcessor(TestCase):
 
         parser = ResponseProcessor(self.source, request)
         parser.parse()
-        self.assertNotEqual(parser._get_name_id()[1], "bad")
-        self.assertEqual(parser._get_name_id()[1], "_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7")
+        self.assertNotEqual(parser._get_name_id().text, "bad")
+        self.assertEqual(parser._get_name_id().text, "_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7")
 
-    @freeze_time("2022-10-14T14:15:00")
-    def test_name_id_comment(self):
-        """Test comment in name ID"""
-        fixture = load_fixture("fixtures/response_signed_assertion_dup.xml")
-        fixture = fixture.replace(
-            "_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7",
-            "_ce3d2948b4cf20146dee0a0b3dd6f<!--x-->69b6cf86f62d7",
-        )
-        key = load_fixture("fixtures/signature_cert.pem")
-        kp = CertificateKeyPair.objects.create(
-            name=generate_id(),
-            certificate_data=key,
-        )
-        self.source.verification_kp = kp
-        self.source.signed_assertion = True
-        self.source.signed_response = False
-        request = self.factory.post(
-            "/",
-            data={"SAMLResponse": b64encode(fixture.encode()).decode()},
-        )
-
-        parser = ResponseProcessor(self.source, request)
-        parser.parse()
-        self.assertEqual(parser._get_name_id()[1], "_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7")
-
-    @freeze_time("2014-07-17T01:02:18Z")
     def test_verification_response(self):
         """Test verifying signature inside response"""
         key = load_fixture("fixtures/signature_cert.pem")
@@ -244,7 +211,6 @@ class TestResponseProcessor(TestCase):
         parser = ResponseProcessor(self.source, request)
         parser.parse()
 
-    @freeze_time("2024-01-18T06:20:48Z")
     def test_verification_response_and_assertion(self):
         """Test verifying signature inside response and assertion"""
         key = load_fixture("fixtures/signature_cert.pem")
@@ -291,7 +257,6 @@ class TestResponseProcessor(TestCase):
         with self.assertRaisesMessage(InvalidSignature, ""):
             parser.parse()
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_verification_no_signature(self):
         """Test rejecting response without signature when signed_assertion is True"""
         key = load_fixture("fixtures/signature_cert.pem")
@@ -338,7 +303,6 @@ class TestResponseProcessor(TestCase):
         with self.assertRaisesMessage(InvalidSignature, ""):
             parser.parse()
 
-    @freeze_time("2025-10-30T05:45:47.619Z")
     def test_signed_encrypted_response(self):
         """Test signed & encrypted response"""
         verification_key = load_fixture("fixtures/signature_cert2.pem")
@@ -366,7 +330,6 @@ class TestResponseProcessor(TestCase):
         parser = ResponseProcessor(self.source, request)
         parser.parse()
 
-    @freeze_time("2026-01-21T14:23")
     def test_transient(self):
         """Test SAML transient NameID"""
         verification_key = load_fixture("fixtures/signature_cert2.pem")

authentik/sources/saml/tests/test_views.py

@@ -4,7 +4,6 @@ from base64 import b64encode
 
 from django.test import RequestFactory, TestCase
 from django.urls import reverse
-from freezegun import freeze_time
 
 from authentik.core.tests.utils import create_test_flow
 from authentik.flows.planner import PLAN_CONTEXT_REDIRECT, FlowPlan
@@ -27,7 +26,6 @@ class TestViews(TestCase):
             pre_authentication_flow=create_test_flow(),
         )
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_enroll(self):
         """Enroll"""
         flow = create_test_flow()
@@ -54,7 +52,6 @@ class TestViews(TestCase):
         plan: FlowPlan = self.client.session.get(SESSION_KEY_PLAN)
         self.assertIsNotNone(plan)
 
-    @freeze_time("2022-10-14T14:15:00")
     def test_enroll_redirect(self):
         """Enroll when attempting to access a provider"""
         initial_redirect = f"http://{generate_id()}"

authentik/tenants/api/settings.py

@@ -19,30 +19,24 @@ from authentik.tenants.models import Tenant
 
 class FlagJSONField(JSONDictField):
 
-    def to_internal_value(self, data: str):
-        flags = super().to_internal_value(data)
-        for flag in Flag.available(visibility="system", exclude_system=False):
-            flags[flag().key] = flag.get()
-        return flags
-
     def to_representation(self, value: dict) -> dict:
+        """Exclude any system flags that aren't modifiable"""
         new_value = value.copy()
         for flag in Flag.available(exclude_system=False):
             _flag = flag()
-            # Exclude any system flags that aren't modifiable
             if _flag.visibility == "system":
                 new_value.pop(_flag.key, None)
-            # Explicitly present unset flags as if they were set to default
-            if _flag.key not in value:
-                value[_flag.key] = _flag.default
         return super().to_representation(new_value)
 
     def run_validators(self, value: dict):
         super().run_validators(value)
-        for flag in Flag.available():
+        for flag in Flag.available(exclude_system=False):
             _flag = flag()
             if _flag.key not in value:
                 continue
+            if _flag.visibility == "system":
+                value.pop(_flag.key, None)
+                continue
             flag_value = value.get(_flag.key)
             flag_type = get_args(_flag.__orig_bases__[0])[0]
             if flag_value and not isinstance(flag_value, flag_type):

authentik/tenants/tests/test_local_settings.py

@@ -85,30 +85,10 @@ class TestLocalSettingsAPI(APITestCase):
                 "flags": {"tenants_test_flag_sys": 123},
             },
         )
+        print(response.content)
         self.assertEqual(response.status_code, 200)
         self.tenant.refresh_from_db()
-        self.assertEqual(self.tenant.flags, {"setup": False, "tenants_test_flag_sys": False})
-
-    def test_settings_flags_system_empty_put(self):
-        """Test settings API"""
-        self.tenant.flags = {}
-        self.tenant.save()
-
-        class _TestFlag(Flag[bool], key="tenants_test_flag_sys"):
-
-            default = False
-            visibility = "system"
-
-        self.client.force_login(self.local_admin)
-        response = self.client.patch(
-            reverse("authentik_api:tenant_settings"),
-            data={
-                "flags": {},
-            },
-        )
-        self.assertEqual(response.status_code, 200)
-        self.tenant.refresh_from_db()
-        self.assertEqual(self.tenant.flags, {"setup": False, "tenants_test_flag_sys": False})
+        self.assertEqual(self.tenant.flags, {})
 
     def test_command(self):
         self.tenant.flags = {}

blueprints/example/flow-default-account-lockdown.yaml

@@ -36,10 +36,14 @@ entries:
       attrs:
         order: 50
         initial_value: |
-          actor_uuid = str(getattr(http_request.user, "pk", ""))
-          pending_user = user if getattr(user, "is_authenticated", False) else None
-          target_uuid = str(getattr(pending_user, "pk", ""))
-          is_self_service = not target_uuid or target_uuid == actor_uuid
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == current_user_uuid
+          pending_user = None
+          if target_uuid and not is_self_service:
+              from authentik.core.models import User
+
+              pending_user = User.objects.filter(pk=target_uuid).first()
           if is_self_service:
               return (
                   "<p><strong>You are about to lock down your own account.</strong></p>"
@@ -59,15 +63,14 @@ entries:
           from django.utils.html import escape
 
           if pending_user:
-              detail = pending_user.email or pending_user.name
-              user_html = f"<code>{escape(pending_user.username)}</code>"
-              if detail and detail != pending_user.username:
-                  user_html = f"{user_html} ({escape(detail)})"
+              email = escape(pending_user.email or pending_user.name or "No email")
+              user_html = f"<p><code>{escape(pending_user.username)}</code> ({email})</p>"
           else:
-              user_html = "the account selected when this one-time lockdown link was created"
+              user_html = "<p>the account selected when this one-time lockdown link was created</p>"
 
           return (
-              f"<p><strong>You are about to lock down the following account:</strong> {user_html}</p>"
+              "<p><strong>You are about to lock down the following account:</strong></p>"
+              f"{user_html}"
               "<p>This is an emergency action for cutting off access to the account right away. "
               "It does not lock the administrator who opened this page.</p>"
               "<p><strong>This will immediately:</strong></p>"
@@ -96,9 +99,9 @@ entries:
       attrs:
         order: 100
         initial_value: |
-          actor_uuid = str(getattr(http_request.user, "pk", ""))
-          target_uuid = str(getattr(user, "pk", ""))
-          is_self_service = not target_uuid or target_uuid == actor_uuid
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == current_user_uuid
           if is_self_service:
               info = (
                   "Use this if you no longer trust your current password or sessions. "
@@ -131,9 +134,9 @@ entries:
       attrs:
         order: 200
         placeholder: |
-          actor_uuid = str(getattr(http_request.user, "pk", ""))
-          target_uuid = str(getattr(user, "pk", ""))
-          is_self_service = not target_uuid or target_uuid == actor_uuid
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(user, "pk", "") or getattr(http_request.user, "pk", ""))
+          is_self_service = not target_uuid or target_uuid == current_user_uuid
           if is_self_service:
               return "Describe why you are locking your account..."
           return "Describe why this account is being locked down..."
@@ -181,10 +184,14 @@ entries:
       attrs:
         order: 300
         initial_value: |
+          target_uuid = (http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
           from django.utils.html import escape
+          from authentik.core.models import User
 
-          if getattr(user, "is_authenticated", False):
-              return f"<p><code>{escape(user.username)}</code> has been locked down.</p>"
+          if target_uuid:
+              target = User.objects.filter(pk=target_uuid).first()
+              if target:
+                  return f"<p><code>{escape(target.username)}</code> has been locked down.</p>"
 
           return "<p>The selected account has been locked down.</p>"
         initial_value_expression: true
@@ -214,9 +221,9 @@ entries:
       attrs:
         name: default-account-lockdown-admin-policy
         expression: |
-          actor_uuid = str(getattr(request.http_request.user, "pk", ""))
-          target_uuid = str(getattr(request.user, "pk", ""))
-          return bool(target_uuid) and target_uuid != actor_uuid
+          target_uuid = (request.http_request.session.get("authentik/flows/get", {}) or {}).get("user_uuid")
+          current_user_uuid = str(getattr(request.user, "pk", "") or getattr(request.http_request.user, "pk", ""))
+          return bool(target_uuid) and target_uuid != current_user_uuid
       identifiers:
         name: default-account-lockdown-admin-policy
       id: admin-policy

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2026.8.0-rc1 Blueprint schema",
+    "title": "authentik 2026.5.0-rc1 Blueprint schema",
     "required": [
         "version",
         "entries"

go.mod

@@ -7,10 +7,10 @@ require (
 	beryju.io/radius-eap v0.1.0
 	github.com/avast/retry-go/v4 v4.7.0
 	github.com/coreos/go-oidc/v3 v3.18.0
-	github.com/getsentry/sentry-go v0.46.2
+	github.com/getsentry/sentry-go v0.46.1
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
 	github.com/go-ldap/ldap/v3 v3.4.13
-	github.com/go-openapi/runtime v0.29.5
+	github.com/go-openapi/runtime v0.29.4
 	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/handlers v1.5.2
@@ -57,7 +57,7 @@ require (
 	github.com/go-openapi/jsonreference v0.21.5 // indirect
 	github.com/go-openapi/loads v0.23.3 // indirect
 	github.com/go-openapi/spec v0.22.4 // indirect
-	github.com/go-openapi/strfmt v0.26.2 // indirect
+	github.com/go-openapi/strfmt v0.26.1 // indirect
 	github.com/go-openapi/swag/conv v0.26.0 // indirect
 	github.com/go-openapi/swag/fileutils v0.26.0 // indirect
 	github.com/go-openapi/swag/jsonname v0.25.5 // indirect
@@ -90,10 +90,10 @@ require (
 	go.opentelemetry.io/otel/trace v1.43.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.50.0 // indirect
-	golang.org/x/net v0.53.0 // indirect
-	golang.org/x/sys v0.43.0 // indirect
-	golang.org/x/text v0.36.0 // indirect
+	golang.org/x/crypto v0.49.0 // indirect
+	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/text v0.35.0 // indirect
 	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -20,8 +20,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/getsentry/sentry-go v0.46.2 h1:1jhYwrKGa3sIpo/y5iDNXS5wDoT7I1KNzMHrnK6ojns=
-github.com/getsentry/sentry-go v0.46.2/go.mod h1:evVbw2qotNUdYG8KxXbAdjOQWWvWIwKxpjdZZIvcIPw=
+github.com/getsentry/sentry-go v0.46.1 h1:mZyQFaQYkPxAdDG4HR8gDg6j4CnKYVWt4TF92N7i3XY=
+github.com/getsentry/sentry-go v0.46.1/go.mod h1:evVbw2qotNUdYG8KxXbAdjOQWWvWIwKxpjdZZIvcIPw=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
@@ -51,12 +51,12 @@ github.com/go-openapi/jsonreference v0.21.5 h1:6uCGVXU/aNF13AQNggxfysJ+5ZcU4nEAe
 github.com/go-openapi/jsonreference v0.21.5/go.mod h1:u25Bw85sX4E2jzFodh1FOKMTZLcfifd1Q+iKKOUxExw=
 github.com/go-openapi/loads v0.23.3 h1:g5Xap1JfwKkUnZdn+S0L3SzBDpcTIYzZ5Qaag0YDkKQ=
 github.com/go-openapi/loads v0.23.3/go.mod h1:NOH07zLajXo8y55hom0omlHWDVVvCwBM/S+csCK8LqA=
-github.com/go-openapi/runtime v0.29.5 h1:uc5+/TtqLIfDBTUxnF3uppoGMt+9DzonwUWsviINlrY=
-github.com/go-openapi/runtime v0.29.5/go.mod h1:D9IUbWccdYv+km8QwmAm90FZvDcQk47vP2Y7y5as/D8=
+github.com/go-openapi/runtime v0.29.4 h1:k2lDxrGoSAJRdhFG2tONKMpkizY/4X1cciSdtzk4Jjo=
+github.com/go-openapi/runtime v0.29.4/go.mod h1:K0k/2raY6oqXJnZAgWJB2i/12QKrhUKpZcH4PfV9P18=
 github.com/go-openapi/spec v0.22.4 h1:4pxGjipMKu0FzFiu/DPwN3CTBRlVM2yLf/YTWorYfDQ=
 github.com/go-openapi/spec v0.22.4/go.mod h1:WQ6Ai0VPWMZgMT4XySjlRIE6GP1bGQOtEThn3gcWLtQ=
-github.com/go-openapi/strfmt v0.26.2 h1:ysjheCh4i1rmFEo2LanhELDNucNzfWTZhUDKgWWPaFM=
-github.com/go-openapi/strfmt v0.26.2/go.mod h1:fXh1e449cyUn2NYuz+wb3wARBUdMl7qPEZwX00nqivY=
+github.com/go-openapi/strfmt v0.26.1 h1:7zGCHji7zSYDC2tCXIusoxYQz/48jAf2q+sF6wXTG+c=
+github.com/go-openapi/strfmt v0.26.1/go.mod h1:Zslk5VZPOISLwmWTMBIS7oiVFem1o1EI6zULY8Uer7Y=
 github.com/go-openapi/swag/conv v0.26.0 h1:5yGGsPYI1ZCva93U0AoKi/iZrNhaJEjr324YVsiD89I=
 github.com/go-openapi/swag/conv v0.26.0/go.mod h1:tpAmIL7X58VPnHHiSO4uE3jBeRamGsFsfdDeDtb5ECE=
 github.com/go-openapi/swag/fileutils v0.26.0 h1:WJoPRvsA7QRiiWluowkLJa9jaYR7FCuxmDvnCgaRRxU=
@@ -77,10 +77,10 @@ github.com/go-openapi/swag/typeutils v0.26.0 h1:2kdEwdiNWy+JJdOvu5MA2IIg2SylWAFu
 github.com/go-openapi/swag/typeutils v0.26.0/go.mod h1:oovDuIUvTrEHVMqWilQzKzV4YlSKgyZmFh7AlfABNVE=
 github.com/go-openapi/swag/yamlutils v0.25.5 h1:kASCIS+oIeoc55j28T4o8KwlV2S4ZLPT6G0iq2SSbVQ=
 github.com/go-openapi/swag/yamlutils v0.25.5/go.mod h1:Gek1/SjjfbYvM+Iq4QGwa/2lEXde9n2j4a3wI3pNuOQ=
-github.com/go-openapi/testify/enable/yaml/v2 v2.5.0 h1:3hZD1fwydvCx/cc1R2uYNQirHqf2s6lqpKV3FcNTURA=
-github.com/go-openapi/testify/enable/yaml/v2 v2.5.0/go.mod h1:TvDZKBH7ZbMaF3EqH2AwTvNQCmzyZq8K1agRjf1B+Nk=
-github.com/go-openapi/testify/v2 v2.5.0 h1:UOCr63aAsMIDydZbZGqo5Ev01D4eydItRbekDuZMJLw=
-github.com/go-openapi/testify/v2 v2.5.0/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw=
+github.com/go-openapi/testify/enable/yaml/v2 v2.4.2 h1:5zRca5jw7lzVREKCZVNBpysDNBjj74rBh0N2BGQbSR0=
+github.com/go-openapi/testify/enable/yaml/v2 v2.4.2/go.mod h1:XVevPw5hUXuV+5AkI1u1PeAm27EQVrhXTTCPAF85LmE=
+github.com/go-openapi/testify/v2 v2.4.2 h1:tiByHpvE9uHrrKjOszax7ZvKB7QOgizBWGBLuq0ePx4=
+github.com/go-openapi/testify/v2 v2.4.2/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw=
 github.com/go-openapi/validate v0.25.2 h1:12NsfLAwGegqbGWr2CnvT65X/Q2USJipmJ9b7xDJZz0=
 github.com/go-openapi/validate v0.25.2/go.mod h1:Pgl1LpPPGFnZ+ys4/hTlDiRYQdI1ocKypgE+8Q8BLfY=
 github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
@@ -216,8 +216,8 @@ go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
-golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
 golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab h1:628ME69lBm9C6JY2wXhAph/yjN3jezx1z7BIDLUwxjo=
 golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -227,8 +227,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
-golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
+golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -245,8 +245,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -258,8 +258,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
+golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=

internal/constants/VERSION

@@ -1 +1 @@
-2026.8.0-rc1
+2026.5.0-rc1

internal/outpost/proxyv2/application/mode_common.go

@@ -110,6 +110,17 @@ func (a *Application) getTraefikForwardUrl(r *http.Request) (*url.URL, error) {
 
 // getNginxForwardUrl See https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/etc/nginx/template/nginx.tmpl
 func (a *Application) getNginxForwardUrl(r *http.Request) (*url.URL, error) {
+	ou := r.Header.Get("X-Original-URI")
+	if ou != "" {
+		// Turn this full URL into a relative URL
+		u := &url.URL{
+			Host:   "",
+			Scheme: "",
+			Path:   ou,
+		}
+		a.log.WithField("url", u.String()).Info("building forward URL from X-Original-URI")
+		return u, nil
+	}
 	h := r.Header.Get("X-Original-URL")
 	if len(h) < 1 {
 		return nil, errors.New("no forward URL found")

internal/outpost/proxyv2/application/mode_forward_nginx_test.go

@@ -5,8 +5,10 @@ import (
 	"net/http/httptest"
 	"testing"
 
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"goauthentik.io/internal/outpost/proxyv2/constants"
+	"goauthentik.io/internal/outpost/proxyv2/types"
 	api "goauthentik.io/packages/client-go"
 )
 
@@ -45,6 +47,67 @@ func TestForwardHandleNginx_Single_Headers(t *testing.T) {
 	assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect])
 }
 
+func TestForwardHandleNginx_Single_URI(t *testing.T) {
+	a := newTestApplication()
+	req, _ := http.NewRequest("GET", "https://foo.bar/outpost.goauthentik.io/auth/nginx", nil)
+	req.Header.Set("X-Original-URI", "/app")
+
+	rr := httptest.NewRecorder()
+	a.forwardHandleNginx(rr, req)
+
+	assert.Equal(t, http.StatusUnauthorized, rr.Code)
+
+	s, _ := a.sessions.Get(req, a.SessionName())
+	assert.Equal(t, "/app", s.Values[constants.SessionRedirect])
+}
+
+func TestForwardHandleNginx_Single_Claims(t *testing.T) {
+	a := newTestApplication()
+	req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/nginx", nil)
+	req.Header.Set("X-Original-URI", "/")
+
+	rr := httptest.NewRecorder()
+	a.forwardHandleNginx(rr, req)
+
+	s, _ := a.sessions.Get(req, a.SessionName())
+	s.ID = uuid.New().String()
+	s.Options.MaxAge = 86400
+	s.Values[constants.SessionClaims] = types.Claims{
+		Sub: "foo",
+		Proxy: &types.ProxyClaims{
+			UserAttributes: map[string]any{
+				"username": "foo",
+				"password": "bar",
+				"additionalHeaders": map[string]any{
+					"foo": "bar",
+				},
+			},
+		},
+	}
+	err := a.sessions.Save(req, rr, s)
+	if err != nil {
+		panic(err)
+	}
+
+	rr = httptest.NewRecorder()
+	a.forwardHandleNginx(rr, req)
+
+	h := rr.Result().Header
+
+	assert.Equal(t, []string{"Basic Zm9vOmJhcg=="}, h["Authorization"])
+	assert.Equal(t, []string{"bar"}, h["Foo"])
+	assert.Equal(t, []string{""}, h["User-Agent"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Email"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Groups"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Jwt"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Meta-App"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Meta-Jwks"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Meta-Outpost"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Name"])
+	assert.Equal(t, []string{"foo"}, h["X-Authentik-Uid"])
+	assert.Equal(t, []string{""}, h["X-Authentik-Username"])
+}
+
 func TestForwardHandleNginx_Domain_Blank(t *testing.T) {
 	a := newTestApplication()
 	a.proxyConfig.Mode = api.PROXYMODE_FORWARD_DOMAIN.Ptr()

lifecycle/ak

@@ -38,10 +38,6 @@ function run_authentik {
             echo cargo run -- "$@"
         fi
         ;;
-    manage)
-        shift 1
-        echo python -m manage "$@"
-        ;;
     *)
         echo "$@"
         ;;

lifecycle/aws/template.yaml

@@ -18,7 +18,7 @@ Parameters:
     Description: authentik Docker image
   AuthentikVersion:
     Type: String
-    Default: 2026.8.0-rc1
+    Default: 2026.5.0-rc1
     Description: authentik Docker image tag
   AuthentikServerCPU:
     Type: Number

lifecycle/container/Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-trixie-slim@sha256:4f2b45e32dc7d2caf66b6dbd59fac50e32f8077769efe0ef4d4c3f114672537d AS node-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-trixie-slim@sha256:735dd688da64d22ebd9dd374b3e7e5a874635668fd2a6ec20ca1f99264294086 AS node-builder
 
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -228,7 +228,8 @@ RUN apt-get update && \
     # Required for runtime
     apt-get install -y --no-install-recommends \
     libpq5 libmaxminddb0 ca-certificates \
-    libkadm5clnt-mit12 libkadm5clnt7t64-heimdal \
+    krb5-multidev libkrb5-3 libkdb5-10 libkadm5clnt-mit12 \
+    heimdal-multidev libkadm5clnt7t64-heimdal \
     libltdl7 libxslt1.1 && \
     # Required for bootstrap & healtcheck
     apt-get install -y --no-install-recommends runit && \

lifecycle/container/compose.yml

@@ -31,7 +31,7 @@ services:
       AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
       AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
       AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.8.0-rc1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.5.0-rc1}
     ports:
     - ${COMPOSE_PORT_HTTP:-9000}:9000
     - ${COMPOSE_PORT_HTTPS:-9443}:9443
@@ -53,7 +53,7 @@ services:
       AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
       AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
       AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.8.0-rc1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.5.0-rc1}
     restart: unless-stopped
     shm_size: 512mb
     user: root

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-13 05:39+0000\n"
+"POT-Creation-Date: 2026-05-06 00:27+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -226,10 +226,6 @@ msgstr ""
 msgid "The slug '{slug}' is reserved and cannot be used for applications."
 msgstr ""
 
-#: authentik/core/api/groups.py
-msgid "User does not have permission to add members to this group."
-msgstr ""
-
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@@ -260,14 +256,6 @@ msgstr ""
 msgid "Setting a user to internal service account is not allowed."
 msgstr ""
 
-#: authentik/core/api/users.py
-msgid "User does not have permission to add members to a superuser group."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "User does not have permission to assign roles."
-msgstr ""
-
 #: authentik/core/api/users.py
 msgid "Can't modify internal service account users"
 msgstr ""

locale/en/dictionaries/integrations.txt

@@ -25,9 +25,7 @@ Gravitee
 HACS
 Homarr
 Informatique
-Jellyseerr
 Kimai
-Kiota
 Knoc
 Knocknoc
 Komodo
@@ -46,16 +44,13 @@ Organizr
 Packagify
 Palo
 Papra
-PhotoPrism
 pfSense
 phpipam
 Planka
 Plesk
-PostHog
 proftpd
 Qube
 Relatedly
-Seerr
 Sidero
 snipeit
 sonarqube
@@ -67,6 +62,7 @@ Vikunja
 Wazuh
 Wdio
 Weixin
+Kiota
 Wekan
 Xcreds
 Zammad

locale/en/dictionaries/people.txt

@@ -11,4 +11,3 @@ Naur
 Wärting
 Aadit
 Kilby
-Kahmen

locale/en/dictionaries/software-terms.txt

@@ -164,4 +164,3 @@ yamltags
 zxcvbn
 ~uuid
 ~uuids
-wreply

package-lock.json

@@ -1,12 +1,12 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2026.8.0-rc1",
+    "version": "2026.5.0-rc1",
     "lockfileVersion": 3,
     "requires": true,
     "packages": {
         "": {
             "name": "@goauthentik/authentik",
-            "version": "2026.8.0-rc1",
+            "version": "2026.5.0-rc1",
             "dependencies": {
                 "@eslint/js": "^9.39.3",
                 "@goauthentik/eslint-config": "./packages/eslint-config",

package.json

@@ -1,6 +1,6 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2026.8.0-rc1",
+    "version": "2026.5.0-rc1",
     "private": true,
     "scripts": {
         "lint": "run-s lint:spellcheck lint:lockfile",

packages/client-go/api_core.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/api_crypto.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/api_events.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/api_flows.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/api_outposts.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/api_root.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/client.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 
@@ -41,7 +41,7 @@ var (
 	queryDescape    = strings.NewReplacer("%5B", "[", "%5D", "]")
 )
 
-// APIClient manages communication with the authentik API v2026.8.0-rc1
+// APIClient manages communication with the authentik API v2026.5.0-rc1
 // In most cases there should be only one, shared, APIClient.
 type APIClient struct {
 	cfg    *Configuration

packages/client-go/configuration.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_access_denied_challenge.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_apple_challenge_response_request.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_apple_login_challenge.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_authenticator_duo_challenge.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_authenticator_duo_challenge_response_request.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_authenticator_email_challenge.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_authenticator_email_challenge_response_request.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_authenticator_sms_challenge.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_authenticator_sms_challenge_response_request.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_authenticator_static_challenge.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_authenticator_static_challenge_response_request.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_authenticator_totp_challenge.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_authenticator_totp_challenge_response_request.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_authenticator_validation_challenge.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_authenticator_validation_challenge_response_request.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_authenticator_web_authn_challenge.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_authenticator_web_authn_challenge_response_request.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_auto_submit_challenge_response_request.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_autosubmit_challenge.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_brand.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_capabilities_enum.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_captcha_challenge.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_captcha_challenge_response_request.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_certificate_data.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_certificate_key_pair.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_certificate_key_pair_key_type_enum.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_challenge_types.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_config.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_consent_challenge.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_consent_challenge_response_request.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_consent_permission.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */
 

packages/client-go/model_contextual_flow_info.go

@@ -3,7 +3,7 @@ authentik
 
 Making authentication simple.
 
-API version: 2026.8.0-rc1
+API version: 2026.5.0-rc1
 Contact: hello@goauthentik.io
 */