diff --git a/.github/workflows/api-py-publish.yml b/.github/workflows/api-py-publish.yml
new file mode 100644
index 0000000000..6de216aace
--- /dev/null
+++ b/.github/workflows/api-py-publish.yml
@@ -0,0 +1,58 @@
+name: authentik-api-py-publish
+on:
+ push:
+ branches: [main]
+ paths:
+ - "schema.yml"
+ workflow_dispatch:
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ steps:
+ - id: generate_token
+ uses: tibdex/github-app-token@v2
+ with:
+ app_id: ${{ secrets.GH_APP_ID }}
+ private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+ - uses: actions/checkout@v4
+ with:
+ token: ${{ steps.generate_token.outputs.token }}
+ - uses: actions/setup-python@v4
+ with:
+ python-version-file: "pyproject.toml"
+ cache: "poetry"
+ - name: Generate API Client
+ run: make gen-client-py
+ - name: Publish package
+ working-directory: gen-py-api/
+ run: |
+ poetry build
+ - name: Publish package to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ packages-dir: gen-py-api/dist/
+ # We can't easily upgrade the API client being used due to poetry being poetry
+ # so we'll have to rely on dependabot
+ # - name: Upgrade /
+ # run: |
+ # export VERSION=$(cd gen-py-api && poetry version -s)
+ # poetry add "authentik_client=$VERSION" --allow-prereleases --lock
+ # - uses: peter-evans/create-pull-request@v6
+ # id: cpr
+ # with:
+ # token: ${{ steps.generate_token.outputs.token }}
+ # branch: update-root-api-client
+ # commit-message: "root: bump API Client version"
+ # title: "root: bump API Client version"
+ # body: "root: bump API Client version"
+ # delete-branch: true
+ # signoff: true
+ # # ID from https://api.github.com/users/authentik-automation[bot]
+ # author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
+ # - uses: peter-evans/enable-pull-request-automerge@v3
+ # with:
+ # token: ${{ steps.generate_token.outputs.token }}
+ # pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
+ # merge-method: squash
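Review bot: The `generate_token` step mints a GitHub App installation token and `actions/checkout@v4` is handed it through `token:`, but every step that would use it (the `create-pull-request` and automerge steps) is commented out, so the active job carries a credential it never needs. checkout stores the token it is given in the local git config by default, and the next step, `make gen-client-py`, runs a container with the working tree mounted; either drop `generate_token` and the `token:` input until the PR steps are enabled, or add `persist-credentials: false` under checkout's `with:`. Because the job also holds `id-token: write` for the PyPI upload, `tibdex/github-app-token@v2` and `pypa/gh-action-pypi-publish@release/v1` would be safer referenced by full commit SHA than by a mutable tag or branch. Separately, `cache: "poetry"` on setup-python appears to need poetry already on the runner, and no visible step installs it.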
diff --git a/.github/workflows/web-api-publish.yml b/.github/workflows/api-ts-publish.yml similarity index 98% rename from .github/workflows/web-api-publish.yml rename to .github/workflows/api-ts-publish.yml index 7e63c50ac0..8920a0b602 100644 --- a/.github/workflows/web-api-publish.yml +++ b/.github/workflows/api-ts-publish.yml @@ -1,4 +1,4 @@ -name: authentik-web-api-publish +name: authentik-api-ts-publish on: push: branches: [main] diff --git a/Makefile b/Makefile index 8bc4e70b50..4cc73e0c8c 100644 --- a/Makefile +++ b/Makefile @@ -9,6 +9,7 @@ PY_SOURCES = authentik tests scripts lifecycle .github DOCKER_IMAGE ?= "authentik:test" GEN_API_TS = "gen-ts-api" +GEN_API_PY = "gen-py-api" GEN_API_GO = "gen-go-api" pg_user := $(shell python -m authentik.lib.config postgresql.user 2>/dev/null) @@ -137,7 +138,10 @@ gen-clean-ts: ## Remove generated API client for Typescript gen-clean-go: ## Remove generated API client for Go rm -rf ./${GEN_API_GO}/ -gen-clean: gen-clean-ts gen-clean-go ## Remove generated API clients +gen-clean-py: ## Remove generated API client for Python + rm -rf ./${GEN_API_PY}/ + +gen-clean: gen-clean-ts gen-clean-go gen-clean-py ## Remove generated API clients gen-client-ts: gen-clean-ts ## Build and install the authentik API for Typescript into the authentik UI Application docker run \ 
@@ -155,6 +159,20 @@ gen-client-ts: gen-clean-ts ## Build and install the authentik API for Typescri cd ./${GEN_API_TS} && npm i \cp -rf ./${GEN_API_TS}/* web/node_modules/@goauthentik/api +gen-client-py: gen-clean-py ## Build and install the authentik API for Python + docker run \ + --rm -v ${PWD}:/local \ + --user ${UID}:${GID} \ + docker.io/openapitools/openapi-generator-cli:v7.4.0 generate \ + -i /local/schema.yml \ + -g python \ + -o /local/${GEN_API_PY} \ + -c /local/scripts/api-py-config.yaml \ + --additional-properties=packageVersion=${NPM_VERSION} \ + --git-repo-id authentik \ + --git-user-id goauthentik + pip install ./${GEN_API_PY} + gen-client-go: gen-clean-go ## Build and install the authentik API for Golang mkdir -p ./${GEN_API_GO} ./${GEN_API_GO}/templates wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O ./${GEN_API_GO}/config.yaml diff --git a/authentik/core/api/users.py b/authentik/core/api/users.py index 9a8b49ab2a..8532dee2e7 100644 --- a/authentik/core/api/users.py +++ b/authentik/core/api/users.py @@ -85,7 +85,7 @@ class UserGroupSerializer(ModelSerializer): """Simplified Group Serializer for user's groups""" attributes = JSONDictField(required=False) - parent_name = CharField(source="parent.name", read_only=True) + parent_name = CharField(source="parent.name", read_only=True, allow_null=True) class Meta: model = Group diff --git a/authentik/root/settings.py b/authentik/root/settings.py index 4870b278a5..a5683de80b 100644 --- a/authentik/root/settings.py +++ b/authentik/root/settings.py @@ -156,6 +156,7 @@ SPECTACULAR_SETTINGS = { "UserTypeEnum": "authentik.core.models.UserTypes", }, "ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE": False, + "ENUM_GENERATE_CHOICE_DESCRIPTION": False, "POSTPROCESSING_HOOKS": [ "authentik.api.schema.postprocess_schema_responses", "drf_spectacular.hooks.postprocess_schema_enums", diff --git a/schema.yml b/schema.yml index 01b43f6e52..af9e37b04e 100644 --- a/schema.yml +++ b/schema.yml 
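Review bot: The generator image in `gen-client-py` is referenced by tag only (`docker.io/openapitools/openapi-generator-cli:v7.4.0`), and its output is what the new publish workflow builds and uploads to PyPI, so a re-pushed tag would change the published package without any change in this repository. Pinning by digest, `docker.io/openapitools/openapi-generator-cli:v7.4.0@sha256:<digest-of-v7.4.0>`, keeps the tag readable and makes the input immutable. The container also gets the whole checkout read-write through `-v ${PWD}:/local`, although the command line only names `schema.yml` and `scripts/api-py-config.yaml` as inputs and `${GEN_API_PY}` as output; narrower mounts would keep `.git` out of its reach. The trailing `pip install ./${GEN_API_PY}` installs into whatever interpreter is active, which the publish job does not appear to need, so a short comment that it is meant for local development would help.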
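Review bot: `"ENUM_GENERATE_CHOICE_DESCRIPTION": False` is added without a comment, and its effect reaches beyond the Python client: the regenerated `schema.yml` in this commit loses every per-choice description, including the caveats on the `email_link` and `username_link` user-matching modes ("Can have security implications when a source doesn't validate email addresses."). I would add a line above the setting such as `# Choice descriptions are left out of the schema (presumably for client generation); security notes on enum choices must be documented elsewhere`, and confirm those caveats are still surfaced in the docs or UI. The `SPECTACULAR_SETTINGS` dict starts and ends outside this hunk.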
@@ -4006,11 +4006,6 @@ paths: - app_password - recovery - verification - description: |- - * `verification` - Intent Verification - * `api` - Intent Api - * `recovery` - Intent Recovery - * `app_password` - Intent App Password - in: query name: managed schema: @@ -4618,11 +4613,6 @@ paths: - internal - internal_service_account - service_account - description: |- - * `internal` - Internal - * `external` - External - * `service_account` - Service Account - * `internal_service_account` - Internal Service Account explode: true style: form - in: query @@ -6393,10 +6383,6 @@ paths: - alert - notice - warning - description: |- - * `notice` - Notice - * `warning` - Warning - * `alert` - Alert - in: query name: user schema: @@ -6672,12 +6658,9 @@ paths: - alert - notice - warning - description: |- + description: |+ Controls which severity level the created notifications will have. - * `notice` - Notice - * `warning` - Warning - * `alert` - Alert tags: - events security: @@ -6956,11 +6939,6 @@ paths: - successful - unknown - warning - description: |- - * `unknown` - Unknown - * `successful` - Successful - * `warning` - Warning - * `error` - Error - in: query name: uid schema: @@ -7072,11 +7050,6 @@ paths: - local - webhook - webhook_slack - description: |- - * `local` - authentik inbuilt notifications - * `webhook` - Generic Webhook - * `webhook_slack` - Slack Webhook (Slack/Discord) - * `email` - Email - in: query name: name schema: @@ -7410,12 +7383,9 @@ paths: - restart - restart_with_context - retry - description: |- + description: |+ Configure how the flow executor should handle an invalid response to a challenge. RETRY returns the error message and a similar challenge to the executor. RESTART restarts the flow from the beginning, and RESTART_WITH_CONTEXT restarts the flow while keeping the current context. - * `retry` - Retry - * `restart` - Restart - * `restart_with_context` - Restart With Context - in: query name: order schema: 
@@ -7459,9 +7429,6 @@ paths: enum: - all - any - description: |- - * `all` - all, all policies must pass - * `any` - any, any policy must pass - in: query name: re_evaluate_policies schema: @@ -7845,12 +7812,9 @@ paths: - continue - message - message_continue - description: |- + description: |+ Configure what should happen when a flow denies access to a user. - * `message_continue` - Message Continue - * `message` - Message - * `continue` - Continue - in: query name: designation schema: @@ -7863,16 +7827,9 @@ paths: - recovery - stage_configuration - unenrollment - description: |- + description: |+ Decides what this Flow is used for. For example, the Authentication flow is redirect to when an un-authenticated user visits authentik. - * `authentication` - Authentication - * `authorization` - Authorization - * `invalidation` - Invalidation - * `enrollment` - Enrollment - * `unenrollment` - Unrenollment - * `recovery` - Recovery - * `stage_configuration` - Stage Configuration - in: query name: flow_uuid schema: 
@@ -11573,36 +11530,9 @@ paths: - system_task_execution - update_available - user_write - description: |- + description: |+ Match created events with this action type. When left empty, all action types will be matched. - * `login` - Login - * `login_failed` - Login Failed - * `logout` - Logout - * `user_write` - User Write - * `suspicious_request` - Suspicious Request - * `password_set` - Password Set - * `secret_view` - Secret View - * `secret_rotate` - Secret Rotate - * `invitation_used` - Invite Used - * `authorize_application` - Authorize Application - * `source_linked` - Source Linked - * `impersonation_started` - Impersonation Started - * `impersonation_ended` - Impersonation Ended - * `flow_execution` - Flow Execution - * `policy_execution` - Policy Execution - * `policy_exception` - Policy Exception - * `property_mapping_exception` - Property Mapping Exception - * `system_task_execution` - System Task Execution - * `system_task_exception` - System Task Exception - * `system_exception` - System Exception - * `configuration_error` - Configuration Error - * `model_created` - Model Created - * `model_updated` - Model Updated - * `model_deleted` - Model Deleted - * `email_sent` - Email Sent - * `update_available` - Update Available - * `custom_` - Custom Prefix - in: query name: app schema: @@ -15745,11 +15675,9 @@ paths: enum: - confidential - public - description: |- + description: |+ Confidential clients are capable of maintaining the confidentiality of their credentials. Public clients are incapable - * `confidential` - Confidential - * `public` - Public - in: query name: include_claims_in_id_token schema: @@ -15761,11 +15689,9 @@ paths: enum: - global - per_provider - description: |- + description: |+ Configure how the issuer field of the ID Token should be filled. - * `global` - Same identifier is used for all providers - * `per_provider` - Each provider has a different issuer, based on the application slug. - in: query name: name schema: 
@@ -15827,15 +15753,9 @@ paths: - user_upn - user_username - user_uuid - description: |- + description: |+ Configure what data should be used as unique User Identifier. For most cases, the default should be fine. - * `hashed_user_id` - Based on the Hashed User ID - * `user_id` - Based on user ID - * `user_uuid` - Based on user UUID - * `user_username` - Based on the username - * `user_email` - Based on the User's Email. This is recommended over the UPN method. - * `user_upn` - Based on the User's UPN, only works if user has a 'upn' attribute set. Use this method only if you have different UPN and Mail domains. tags: - providers security: @@ -17060,11 +16980,6 @@ paths: - http://www.w3.org/2001/04/xmldsig-more#sha384 - http://www.w3.org/2001/04/xmlenc#sha256 - http://www.w3.org/2001/04/xmlenc#sha512 - description: |- - * `http://www.w3.org/2000/09/xmldsig#sha1` - SHA1 - * `http://www.w3.org/2001/04/xmlenc#sha256` - SHA256 - * `http://www.w3.org/2001/04/xmldsig-more#sha384` - SHA384 - * `http://www.w3.org/2001/04/xmlenc#sha512` - SHA512 - in: query name: is_backchannel schema: @@ -17129,12 +17044,6 @@ paths: - http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 - http://www.w3.org/2001/04/xmldsig-more#rsa-sha384 - http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 - description: |- - * `http://www.w3.org/2000/09/xmldsig#rsa-sha1` - RSA-SHA1 - * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` - RSA-SHA256 - * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384` - RSA-SHA384 - * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512` - RSA-SHA512 - * `http://www.w3.org/2000/09/xmldsig#dsa-sha1` - DSA-SHA1 - in: query name: signing_kp schema: @@ -17148,11 +17057,9 @@ paths: enum: - post - redirect - description: |- + description: |+ This determines how authentik sends the response back to the Service Provider. - * `redirect` - Redirect - * `post` - Post - in: query name: verification_kp schema: 
@@ -18518,82 +18425,6 @@ paths: - authentik_stages_user_logout.userlogoutstage - authentik_stages_user_write.userwritestage - authentik_tenants.domain - description: |- - * `authentik_tenants.domain` - Domain - * `authentik_crypto.certificatekeypair` - Certificate-Key Pair - * `authentik_flows.flow` - Flow - * `authentik_flows.flowstagebinding` - Flow Stage Binding - * `authentik_outposts.dockerserviceconnection` - Docker Service-Connection - * `authentik_outposts.kubernetesserviceconnection` - Kubernetes Service-Connection - * `authentik_outposts.outpost` - Outpost - * `authentik_policies_dummy.dummypolicy` - Dummy Policy - * `authentik_policies_event_matcher.eventmatcherpolicy` - Event Matcher Policy - * `authentik_policies_expiry.passwordexpirypolicy` - Password Expiry Policy - * `authentik_policies_expression.expressionpolicy` - Expression Policy - * `authentik_policies_password.passwordpolicy` - Password Policy - * `authentik_policies_reputation.reputationpolicy` - Reputation Policy - * `authentik_policies.policybinding` - Policy Binding - * `authentik_providers_ldap.ldapprovider` - LDAP Provider - * `authentik_providers_oauth2.scopemapping` - Scope Mapping - * `authentik_providers_oauth2.oauth2provider` - OAuth2/OpenID Provider - * `authentik_providers_proxy.proxyprovider` - Proxy Provider - * `authentik_providers_radius.radiusprovider` - Radius Provider - * `authentik_providers_saml.samlprovider` - SAML Provider - * `authentik_providers_saml.samlpropertymapping` - SAML Property Mapping - * `authentik_providers_scim.scimprovider` - SCIM Provider - * `authentik_providers_scim.scimmapping` - SCIM Mapping - * `authentik_rbac.role` - Role - * `authentik_sources_ldap.ldapsource` - LDAP Source - * `authentik_sources_ldap.ldappropertymapping` - LDAP Property Mapping - * `authentik_sources_oauth.oauthsource` - OAuth Source - * `authentik_sources_oauth.useroauthsourceconnection` - User OAuth Source Connection - * `authentik_sources_plex.plexsource` - Plex Source - * 
`authentik_sources_plex.plexsourceconnection` - User Plex Source Connection - * `authentik_sources_saml.samlsource` - SAML Source - * `authentik_sources_saml.usersamlsourceconnection` - User SAML Source Connection - * `authentik_stages_authenticator_duo.authenticatorduostage` - Duo Authenticator Setup Stage - * `authentik_stages_authenticator_duo.duodevice` - Duo Device - * `authentik_stages_authenticator_sms.authenticatorsmsstage` - SMS Authenticator Setup Stage - * `authentik_stages_authenticator_sms.smsdevice` - SMS Device - * `authentik_stages_authenticator_static.authenticatorstaticstage` - Static Authenticator Setup Stage - * `authentik_stages_authenticator_static.staticdevice` - Static Device - * `authentik_stages_authenticator_totp.authenticatortotpstage` - TOTP Authenticator Setup Stage - * `authentik_stages_authenticator_totp.totpdevice` - TOTP Device - * `authentik_stages_authenticator_validate.authenticatorvalidatestage` - Authenticator Validation Stage - * `authentik_stages_authenticator_webauthn.authenticatewebauthnstage` - WebAuthn Authenticator Setup Stage - * `authentik_stages_authenticator_webauthn.webauthndevice` - WebAuthn Device - * `authentik_stages_captcha.captchastage` - Captcha Stage - * `authentik_stages_consent.consentstage` - Consent Stage - * `authentik_stages_consent.userconsent` - User Consent - * `authentik_stages_deny.denystage` - Deny Stage - * `authentik_stages_dummy.dummystage` - Dummy Stage - * `authentik_stages_email.emailstage` - Email Stage - * `authentik_stages_identification.identificationstage` - Identification Stage - * `authentik_stages_invitation.invitationstage` - Invitation Stage - * `authentik_stages_invitation.invitation` - Invitation - * `authentik_stages_password.passwordstage` - Password Stage - * `authentik_stages_prompt.prompt` - Prompt - * `authentik_stages_prompt.promptstage` - Prompt Stage - * `authentik_stages_user_delete.userdeletestage` - User Delete Stage - * `authentik_stages_user_login.userloginstage` 
- User Login Stage - * `authentik_stages_user_logout.userlogoutstage` - User Logout Stage - * `authentik_stages_user_write.userwritestage` - User Write Stage - * `authentik_brands.brand` - Brand - * `authentik_blueprints.blueprintinstance` - Blueprint Instance - * `authentik_core.group` - Group - * `authentik_core.user` - User - * `authentik_core.application` - Application - * `authentik_core.token` - Token - * `authentik_enterprise.license` - License - * `authentik_providers_rac.racprovider` - RAC Provider - * `authentik_providers_rac.endpoint` - RAC Endpoint - * `authentik_providers_rac.racpropertymapping` - RAC Property Mapping - * `authentik_stages_source.sourcestage` - Source Stage - * `authentik_events.event` - Event - * `authentik_events.notificationtransport` - Notification Transport - * `authentik_events.notification` - Notification - * `authentik_events.notificationrule` - Notification Rule - * `authentik_events.notificationwebhookmapping` - Webhook Mapping required: true - in: query name: object_pk 
@@ -18808,82 +18639,6 @@ paths: - authentik_stages_user_logout.userlogoutstage - authentik_stages_user_write.userwritestage - authentik_tenants.domain - description: |- - * `authentik_tenants.domain` - Domain - * `authentik_crypto.certificatekeypair` - Certificate-Key Pair - * `authentik_flows.flow` - Flow - * `authentik_flows.flowstagebinding` - Flow Stage Binding - * `authentik_outposts.dockerserviceconnection` - Docker Service-Connection - * `authentik_outposts.kubernetesserviceconnection` - Kubernetes Service-Connection - * `authentik_outposts.outpost` - Outpost - * `authentik_policies_dummy.dummypolicy` - Dummy Policy - * `authentik_policies_event_matcher.eventmatcherpolicy` - Event Matcher Policy - * `authentik_policies_expiry.passwordexpirypolicy` - Password Expiry Policy - * `authentik_policies_expression.expressionpolicy` - Expression Policy - * `authentik_policies_password.passwordpolicy` - Password Policy - * `authentik_policies_reputation.reputationpolicy` - Reputation Policy - * `authentik_policies.policybinding` - Policy Binding - * `authentik_providers_ldap.ldapprovider` - LDAP Provider - * `authentik_providers_oauth2.scopemapping` - Scope Mapping - * `authentik_providers_oauth2.oauth2provider` - OAuth2/OpenID Provider - * `authentik_providers_proxy.proxyprovider` - Proxy Provider - * `authentik_providers_radius.radiusprovider` - Radius Provider - * `authentik_providers_saml.samlprovider` - SAML Provider - * `authentik_providers_saml.samlpropertymapping` - SAML Property Mapping - * `authentik_providers_scim.scimprovider` - SCIM Provider - * `authentik_providers_scim.scimmapping` - SCIM Mapping - * `authentik_rbac.role` - Role - * `authentik_sources_ldap.ldapsource` - LDAP Source - * `authentik_sources_ldap.ldappropertymapping` - LDAP Property Mapping - * `authentik_sources_oauth.oauthsource` - OAuth Source - * `authentik_sources_oauth.useroauthsourceconnection` - User OAuth Source Connection - * `authentik_sources_plex.plexsource` - Plex Source - * 
`authentik_sources_plex.plexsourceconnection` - User Plex Source Connection - * `authentik_sources_saml.samlsource` - SAML Source - * `authentik_sources_saml.usersamlsourceconnection` - User SAML Source Connection - * `authentik_stages_authenticator_duo.authenticatorduostage` - Duo Authenticator Setup Stage - * `authentik_stages_authenticator_duo.duodevice` - Duo Device - * `authentik_stages_authenticator_sms.authenticatorsmsstage` - SMS Authenticator Setup Stage - * `authentik_stages_authenticator_sms.smsdevice` - SMS Device - * `authentik_stages_authenticator_static.authenticatorstaticstage` - Static Authenticator Setup Stage - * `authentik_stages_authenticator_static.staticdevice` - Static Device - * `authentik_stages_authenticator_totp.authenticatortotpstage` - TOTP Authenticator Setup Stage - * `authentik_stages_authenticator_totp.totpdevice` - TOTP Device - * `authentik_stages_authenticator_validate.authenticatorvalidatestage` - Authenticator Validation Stage - * `authentik_stages_authenticator_webauthn.authenticatewebauthnstage` - WebAuthn Authenticator Setup Stage - * `authentik_stages_authenticator_webauthn.webauthndevice` - WebAuthn Device - * `authentik_stages_captcha.captchastage` - Captcha Stage - * `authentik_stages_consent.consentstage` - Consent Stage - * `authentik_stages_consent.userconsent` - User Consent - * `authentik_stages_deny.denystage` - Deny Stage - * `authentik_stages_dummy.dummystage` - Dummy Stage - * `authentik_stages_email.emailstage` - Email Stage - * `authentik_stages_identification.identificationstage` - Identification Stage - * `authentik_stages_invitation.invitationstage` - Invitation Stage - * `authentik_stages_invitation.invitation` - Invitation - * `authentik_stages_password.passwordstage` - Password Stage - * `authentik_stages_prompt.prompt` - Prompt - * `authentik_stages_prompt.promptstage` - Prompt Stage - * `authentik_stages_user_delete.userdeletestage` - User Delete Stage - * `authentik_stages_user_login.userloginstage` 
- User Login Stage - * `authentik_stages_user_logout.userlogoutstage` - User Logout Stage - * `authentik_stages_user_write.userwritestage` - User Write Stage - * `authentik_brands.brand` - Brand - * `authentik_blueprints.blueprintinstance` - Blueprint Instance - * `authentik_core.group` - Group - * `authentik_core.user` - User - * `authentik_core.application` - Application - * `authentik_core.token` - Token - * `authentik_enterprise.license` - License - * `authentik_providers_rac.racprovider` - RAC Provider - * `authentik_providers_rac.endpoint` - RAC Endpoint - * `authentik_providers_rac.racpropertymapping` - RAC Property Mapping - * `authentik_stages_source.sourcestage` - Source Stage - * `authentik_events.event` - Event - * `authentik_events.notificationtransport` - Notification Transport - * `authentik_events.notification` - Notification - * `authentik_events.notificationrule` - Notification Rule - * `authentik_events.notificationwebhookmapping` - Webhook Mapping required: true - in: query name: object_pk @@ -20364,9 +20119,6 @@ paths: enum: - all - any - description: |- - * `all` - all, all policies must pass - * `any` - any, any policy must pass - in: query name: profile_url schema: @@ -20399,14 +20151,9 @@ paths: - identifier - username_deny - username_link - description: |- + description: |+ How the source determines if an existing user should be authenticated or a new user enrolled. - * `identifier` - Use the source-specific identifier - * `email_link` - Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses. - * `email_deny` - Use the user's email address, but deny enrollment when the email address already exists. - * `username_link` - Link to a user with identical username. Can have security implications when a username is used with another source. - * `username_deny` - Use the user's username, but deny enrollment when the username already exists. tags: - sources security: 
@@ -20730,9 +20477,6 @@ paths: enum: - all - any - description: |- - * `all` - all, all policies must pass - * `any` - any, any policy must pass - name: search required: false in: query @@ -20753,14 +20497,9 @@ paths: - identifier - username_deny - username_link - description: |- + description: |+ How the source determines if an existing user should be authenticated or a new user enrolled. - * `identifier` - Use the source-specific identifier - * `email_link` - Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses. - * `email_deny` - Use the user's email address, but deny enrollment when the email address already exists. - * `username_link` - Link to a user with identical username. Can have security implications when a username is used with another source. - * `username_deny` - Use the user's username, but deny enrollment when the username already exists. tags: - sources security: @@ -21073,10 +20812,6 @@ paths: - POST - POST_AUTO - REDIRECT - description: |- - * `REDIRECT` - Redirect Binding - * `POST` - POST Binding - * `POST_AUTO` - POST Binding with auto-confirmation - in: query name: digest_algorithm schema: @@ -21086,11 +20821,6 @@ paths: - http://www.w3.org/2001/04/xmldsig-more#sha384 - http://www.w3.org/2001/04/xmlenc#sha256 - http://www.w3.org/2001/04/xmlenc#sha512 - description: |- - * `http://www.w3.org/2000/09/xmldsig#sha1` - SHA1 - * `http://www.w3.org/2001/04/xmlenc#sha256` - SHA256 - * `http://www.w3.org/2001/04/xmldsig-more#sha384` - SHA384 - * `http://www.w3.org/2001/04/xmlenc#sha512` - SHA512 - in: query name: enabled schema: 
@@ -21122,14 +20852,9 @@ paths: - urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent - urn:oasis:names:tc:SAML:2.0:nameid-format:transient - description: |- + description: |+ NameID Policy sent to the IdP. Can be unset, in which case no Policy is sent. - * `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` - Email - * `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` - Persistent - * `urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName` - X509 - * `urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName` - Windows - * `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` - Transient - name: ordering required: false in: query @@ -21155,9 +20880,6 @@ paths: enum: - all - any - description: |- - * `all` - all, all policies must pass - * `any` - any, any policy must pass - in: query name: pre_authentication_flow schema: @@ -21179,12 +20901,6 @@ paths: - http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 - http://www.w3.org/2001/04/xmldsig-more#rsa-sha384 - http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 - description: |- - * `http://www.w3.org/2000/09/xmldsig#rsa-sha1` - RSA-SHA1 - * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` - RSA-SHA256 - * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384` - RSA-SHA384 - * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512` - RSA-SHA512 - * `http://www.w3.org/2000/09/xmldsig#dsa-sha1` - DSA-SHA1 - in: query name: signing_kp schema: 
@@ -21216,14 +20932,9 @@ paths: - identifier - username_deny - username_link - description: |- + description: |+ How the source determines if an existing user should be authenticated or a new user enrolled. - * `identifier` - Use the source-specific identifier - * `email_link` - Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses. - * `email_deny` - Use the user's email address, but deny enrollment when the email address already exists. - * `username_link` - Link to a user with identical username. Can have security implications when a username is used with another source. - * `username_deny` - Use the user's username, but deny enrollment when the username already exists. - in: query name: verification_kp schema: @@ -23128,9 +22839,6 @@ paths: enum: - basic - bearer - description: |- - * `basic` - Basic - * `bearer` - Bearer - in: query name: configure_flow schema: @@ -23178,9 +22886,6 @@ paths: enum: - generic - twilio - description: |- - * `twilio` - Twilio - * `generic` - Generic - name: search required: false in: query @@ -23740,9 +23445,6 @@ paths: enum: - '6' - '8' - description: |- - * `6` - 6 digits, widely compatible - * `8` - 8 digits, not compatible with apps like Google Authenticator - in: query name: friendly_name schema: @@ -24042,10 +23744,6 @@ paths: - configure - deny - skip - description: |- - * `skip` - Skip - * `deny` - Deny - * `configure` - Configure - name: ordering required: false in: query @@ -24319,9 +24017,6 @@ paths: enum: - cross-platform - platform - description: |- - * `platform` - Platform - * `cross-platform` - Cross Platform - in: query name: configure_flow schema: @@ -24361,10 +24056,6 @@ paths: - discouraged - preferred - required - description: |- - * `discouraged` - Discouraged - * `preferred` - Preferred - * `required` - Required - name: search required: false in: query 
@@ -24384,10 +24075,6 @@ paths: - discouraged - preferred - required - description: |- - * `required` - Required - * `preferred` - Preferred - * `discouraged` - Discouraged tags: - stages security: @@ -24914,10 +24601,6 @@ paths: - always_require - expiring - permanent - description: |- - * `always_require` - Always Require - * `permanent` - Permanent - * `expiring` - Expiring - in: query name: name schema: @@ -27300,25 +26983,6 @@ paths: - text_area_read_only - text_read_only - username - description: |- - * `text` - Text: Simple Text input - * `text_area` - Text area: Multiline Text Input. - * `text_read_only` - Text (read-only): Simple Text input, but cannot be edited. - * `text_area_read_only` - Text area (read-only): Multiline Text input, but cannot be edited. - * `username` - Username: Same as Text input, but checks for and prevents duplicate usernames. - * `email` - Email: Text field with Email type. - * `password` - Password: Masked input, multiple inputs of this type on the same prompt need to be identical. - * `number` - Number - * `checkbox` - Checkbox - * `radio-button-group` - Fixed choice field rendered as a group of radio buttons. - * `dropdown` - Fixed choice field rendered as a dropdown. - * `date` - Date - * `date-time` - Date Time - * `file` - File: File upload for arbitrary files. File content will be available in flow context as data-URI - * `separator` - Separator: Static Separator Line - * `hidden` - Hidden: Hidden field, can be used to insert data into form. - * `static` - Static: Static value, displayed as-is. - * `ak-locale` - authentik: Selection of locales authentik supports tags: - stages security: 
@@ -28451,13 +28115,9 @@ paths: - bind_continent_country - bind_continent_country_city - no_binding - description: |- + description: |+ Bind sessions created by this stage to the configured GeoIP location - * `no_binding` - No Binding - * `bind_continent` - Bind Continent - * `bind_continent_country` - Bind Continent Country - * `bind_continent_country_city` - Bind Continent Country City - in: query name: name schema: @@ -28471,13 +28131,9 @@ paths: - bind_asn_network - bind_asn_network_ip - no_binding - description: |- + description: |+ Bind sessions created by this stage to the configured network - * `no_binding` - No Binding - * `bind_asn` - Bind Asn - * `bind_asn_network` - Bind Asn Network - * `bind_asn_network_ip` - Bind Asn Network Ip - name: ordering required: false in: query @@ -29084,10 +28740,6 @@ paths: - always_create - create_when_required - never_create - description: |- - * `never_create` - Never Create - * `create_when_required` - Create When Required - * `always_create` - Always Create - in: query name: user_path_template schema: @@ -29101,11 +28753,6 @@ paths: - internal - internal_service_account - service_account - description: |- - * `internal` - Internal - * `external` - External - * `service_account` - Service Account - * `internal_service_account` - Internal Service Account tags: - stages security: 
@@ -29936,60 +29583,6 @@ components: - authentik.enterprise.stages.source - authentik.events type: string - description: |- - * `authentik.tenants` - authentik Tenants - * `authentik.admin` - authentik Admin - * `authentik.api` - authentik API - * `authentik.crypto` - authentik Crypto - * `authentik.flows` - authentik Flows - * `authentik.outposts` - authentik Outpost - * `authentik.policies.dummy` - authentik Policies.Dummy - * `authentik.policies.event_matcher` - authentik Policies.Event Matcher - * `authentik.policies.expiry` - authentik Policies.Expiry - * `authentik.policies.expression` - authentik Policies.Expression - * `authentik.policies.password` - authentik Policies.Password - * `authentik.policies.reputation` - authentik Policies.Reputation - * `authentik.policies` - authentik Policies - * `authentik.providers.ldap` - authentik Providers.LDAP - * `authentik.providers.oauth2` - authentik Providers.OAuth2 - * `authentik.providers.proxy` - authentik Providers.Proxy - * `authentik.providers.radius` - authentik Providers.Radius - * `authentik.providers.saml` - authentik Providers.SAML - * `authentik.providers.scim` - authentik Providers.SCIM - * `authentik.rbac` - authentik RBAC - * `authentik.recovery` - authentik Recovery - * `authentik.sources.ldap` - authentik Sources.LDAP - * `authentik.sources.oauth` - authentik Sources.OAuth - * `authentik.sources.plex` - authentik Sources.Plex - * `authentik.sources.saml` - authentik Sources.SAML - * `authentik.stages.authenticator` - authentik Stages.Authenticator - * `authentik.stages.authenticator_duo` - authentik Stages.Authenticator.Duo - * `authentik.stages.authenticator_sms` - authentik Stages.Authenticator.SMS - * `authentik.stages.authenticator_static` - authentik Stages.Authenticator.Static - * `authentik.stages.authenticator_totp` - authentik Stages.Authenticator.TOTP - * `authentik.stages.authenticator_validate` - authentik Stages.Authenticator.Validate - * `authentik.stages.authenticator_webauthn` - 
authentik Stages.Authenticator.WebAuthn - * `authentik.stages.captcha` - authentik Stages.Captcha - * `authentik.stages.consent` - authentik Stages.Consent - * `authentik.stages.deny` - authentik Stages.Deny - * `authentik.stages.dummy` - authentik Stages.Dummy - * `authentik.stages.email` - authentik Stages.Email - * `authentik.stages.identification` - authentik Stages.Identification - * `authentik.stages.invitation` - authentik Stages.User Invitation - * `authentik.stages.password` - authentik Stages.Password - * `authentik.stages.prompt` - authentik Stages.Prompt - * `authentik.stages.user_delete` - authentik Stages.User Delete - * `authentik.stages.user_login` - authentik Stages.User Login - * `authentik.stages.user_logout` - authentik Stages.User Logout - * `authentik.stages.user_write` - authentik Stages.User Write - * `authentik.brands` - authentik Brands - * `authentik.blueprints` - authentik Blueprints - * `authentik.core` - authentik Core - * `authentik.enterprise` - authentik Enterprise - * `authentik.enterprise.audit` - authentik Enterprise.Audit - * `authentik.enterprise.providers.rac` - authentik Enterprise.Providers.RAC - * `authentik.enterprise.stages.source` - authentik Enterprise.Stages.Source - * `authentik.events` - authentik Events AppleChallengeResponseRequest: type: object description: Pseudo class for apple response @@ -30140,17 +29733,11 @@ components: - static - prompt type: string - description: |- - * `static` - Static - * `prompt` - Prompt AuthTypeEnum: enum: - basic - bearer type: string - description: |- - * `basic` - Basic - * `bearer` - Bearer AuthenticateWebAuthnStage: type: object description: AuthenticateWebAuthnStage Serializer 
@@ -30382,20 +29969,11 @@ components: - require_superuser - require_outpost type: string - description: |- - * `none` - None - * `require_authenticated` - Require Authenticated - * `require_unauthenticated` - Require Unauthenticated - * `require_superuser` - Require Superuser - * `require_outpost` - Require Outpost AuthenticatorAttachmentEnum: enum: - platform - cross-platform type: string - description: |- - * `platform` - Platform - * `cross-platform` - Cross Platform AuthenticatorDuoChallenge: type: object description: Duo Challenge @@ -31017,12 +30595,7 @@ components: webauthn_user_verification: allOf: - $ref: '#/components/schemas/UserVerificationEnum' - description: |- - Enforce user verification for WebAuthn devices. - - * `required` - Required - * `preferred` - Preferred - * `discouraged` - Discouraged + description: Enforce user verification for WebAuthn devices. required: - component - meta_model_name @@ -31064,12 +30637,7 @@ components: webauthn_user_verification: allOf: - $ref: '#/components/schemas/UserVerificationEnum' - description: |- - Enforce user verification for WebAuthn devices. - - * `required` - Required - * `preferred` - Preferred - * `discouraged` - Discouraged + description: Enforce user verification for WebAuthn devices. required: - name AuthenticatorValidationChallenge: @@ -31213,20 +30781,12 @@ components: - authentik.core.auth.TokenBackend - authentik.sources.ldap.auth.LDAPBackend type: string - description: |- - * `authentik.core.auth.InbuiltBackend` - User database + standard password - * `authentik.core.auth.TokenBackend` - User database + app passwords - * `authentik.sources.ldap.auth.LDAPBackend` - User database + LDAP password BindingTypeEnum: enum: - REDIRECT - POST - POST_AUTO type: string - description: |- - * `REDIRECT` - Redirect Binding - * `POST` - POST Binding - * `POST_AUTO` - POST Binding with auto-confirmation BlueprintFile: type: object properties: 
@@ -31316,12 +30876,6 @@ components: - orphaned - unknown type: string - description: |- - * `successful` - Successful - * `warning` - Warning - * `error` - Error - * `orphaned` - Orphaned - * `unknown` - Unknown Brand: type: object description: Brand Serializer @@ -31445,13 +30999,6 @@ components: - can_debug - is_enterprise type: string - description: |- - * `can_save_media` - Can Save Media - * `can_geo_ip` - Can Geo Ip - * `can_asn` - Can Asn - * `can_impersonate` - Can Impersonate - * `can_debug` - Can Debug - * `is_enterprise` - Is Enterprise CaptchaChallenge: type: object description: Site public key @@ -31691,10 +31238,6 @@ components: - shell - redirect type: string - description: |- - * `native` - NATIVE - * `shell` - SHELL - * `redirect` - REDIRECT ChallengeTypes: oneOf: - $ref: '#/components/schemas/AccessDeniedChallenge' @@ -31751,9 +31294,6 @@ components: - confidential - public type: string - description: |- - * `confidential` - Confidential - * `public` - Public Config: type: object description: Serialize authentik Config into DRF Object @@ -31940,10 +31480,6 @@ components: - permanent - expiring type: string - description: |- - * `always_require` - Always Require - * `permanent` - Permanent - * `expiring` - Expiring ConsentStageRequest: type: object description: ConsentStage Serializer @@ -31987,12 +31523,6 @@ components: - sidebar_left - sidebar_right type: string - description: |- - * `stacked` - STACKED - * `content_left` - CONTENT_LEFT - * `content_right` - CONTENT_RIGHT - * `sidebar_left` - SIDEBAR_LEFT - * `sidebar_right` - SIDEBAR_RIGHT Coordinate: type: object description: Coordinates for diagrams @@ -32057,10 +31587,6 @@ components: - message - continue type: string - description: |- - * `message_continue` - Message Continue - * `message` - Message - * `continue` - Continue DenyStage: type: object description: DenyStage Serializer 
@@ -32190,12 +31716,6 @@ components: - duo - sms type: string - description: |- - * `static` - Static - * `totp` - TOTP - * `webauthn` - WebAuthn - * `duo` - Duo - * `sms` - SMS DigestAlgorithmEnum: enum: - http://www.w3.org/2000/09/xmldsig#sha1 @@ -32203,19 +31723,11 @@ components: - http://www.w3.org/2001/04/xmldsig-more#sha384 - http://www.w3.org/2001/04/xmlenc#sha512 type: string - description: |- - * `http://www.w3.org/2000/09/xmldsig#sha1` - SHA1 - * `http://www.w3.org/2001/04/xmlenc#sha256` - SHA256 - * `http://www.w3.org/2001/04/xmldsig-more#sha384` - SHA384 - * `http://www.w3.org/2001/04/xmlenc#sha512` - SHA512 DigitsEnum: enum: - '6' - '8' type: string - description: |- - * `6` - 6 digits, widely compatible - * `8` - 8 digits, not compatible with apps like Google Authenticator DockerServiceConnection: type: object description: DockerServiceConnection Serializer @@ -32538,10 +32050,6 @@ components: - waiting - invalid type: string - description: |- - * `success` - Success - * `waiting` - Waiting - * `invalid` - Invalid EmailChallenge: type: object description: Email challenge 
@@ -32880,34 +32388,6 @@ components: - update_available - custom_ type: string - description: |- - * `login` - Login - * `login_failed` - Login Failed - * `logout` - Logout - * `user_write` - User Write - * `suspicious_request` - Suspicious Request - * `password_set` - Password Set - * `secret_view` - Secret View - * `secret_rotate` - Secret Rotate - * `invitation_used` - Invite Used - * `authorize_application` - Authorize Application - * `source_linked` - Source Linked - * `impersonation_started` - Impersonation Started - * `impersonation_ended` - Impersonation Ended - * `flow_execution` - Flow Execution - * `policy_execution` - Policy Execution - * `policy_exception` - Policy Exception - * `property_mapping_exception` - Property Mapping Exception - * `system_task_execution` - System Task Execution - * `system_task_exception` - System Task Exception - * `system_exception` - System Exception - * `configuration_error` - Configuration Error - * `model_created` - Model Created - * `model_updated` - Model Updated - * `model_deleted` - Model Deleted - * `email_sent` - Email Sent - * `update_available` - Update Available - * `custom_` - Custom Prefix EventMatcherPolicy: type: object description: Event Matcher Policy Serializer 
@@ -32947,36 +32427,8 @@ components: allOf: - $ref: '#/components/schemas/EventActions' nullable: true - description: |- - Match created events with this action type. When left empty, all action types will be matched. - - * `login` - Login - * `login_failed` - Login Failed - * `logout` - Logout - * `user_write` - User Write - * `suspicious_request` - Suspicious Request - * `password_set` - Password Set - * `secret_view` - Secret View - * `secret_rotate` - Secret Rotate - * `invitation_used` - Invite Used - * `authorize_application` - Authorize Application - * `source_linked` - Source Linked - * `impersonation_started` - Impersonation Started - * `impersonation_ended` - Impersonation Ended - * `flow_execution` - Flow Execution - * `policy_execution` - Policy Execution - * `policy_exception` - Policy Exception - * `property_mapping_exception` - Property Mapping Exception - * `system_task_execution` - System Task Execution - * `system_task_exception` - System Task Exception - * `system_exception` - System Exception - * `configuration_error` - Configuration Error - * `model_created` - Model Created - * `model_updated` - Model Updated - * `model_deleted` - Model Deleted - * `email_sent` - Email Sent - * `update_available` - Update Available - * `custom_` - Custom Prefix + description: Match created events with this action type. When left empty, + all action types will be matched. client_ip: type: string nullable: true 
@@ -32986,144 +32438,15 @@ components: allOf: - $ref: '#/components/schemas/AppEnum' nullable: true - description: |- - Match events created by selected application. When left empty, all applications are matched. - - * `authentik.tenants` - authentik Tenants - * `authentik.admin` - authentik Admin - * `authentik.api` - authentik API - * `authentik.crypto` - authentik Crypto - * `authentik.flows` - authentik Flows - * `authentik.outposts` - authentik Outpost - * `authentik.policies.dummy` - authentik Policies.Dummy - * `authentik.policies.event_matcher` - authentik Policies.Event Matcher - * `authentik.policies.expiry` - authentik Policies.Expiry - * `authentik.policies.expression` - authentik Policies.Expression - * `authentik.policies.password` - authentik Policies.Password - * `authentik.policies.reputation` - authentik Policies.Reputation - * `authentik.policies` - authentik Policies - * `authentik.providers.ldap` - authentik Providers.LDAP - * `authentik.providers.oauth2` - authentik Providers.OAuth2 - * `authentik.providers.proxy` - authentik Providers.Proxy - * `authentik.providers.radius` - authentik Providers.Radius - * `authentik.providers.saml` - authentik Providers.SAML - * `authentik.providers.scim` - authentik Providers.SCIM - * `authentik.rbac` - authentik RBAC - * `authentik.recovery` - authentik Recovery - * `authentik.sources.ldap` - authentik Sources.LDAP - * `authentik.sources.oauth` - authentik Sources.OAuth - * `authentik.sources.plex` - authentik Sources.Plex - * `authentik.sources.saml` - authentik Sources.SAML - * `authentik.stages.authenticator` - authentik Stages.Authenticator - * `authentik.stages.authenticator_duo` - authentik Stages.Authenticator.Duo - * `authentik.stages.authenticator_sms` - authentik Stages.Authenticator.SMS - * `authentik.stages.authenticator_static` - authentik Stages.Authenticator.Static - * `authentik.stages.authenticator_totp` - authentik Stages.Authenticator.TOTP - * `authentik.stages.authenticator_validate` - 
authentik Stages.Authenticator.Validate - * `authentik.stages.authenticator_webauthn` - authentik Stages.Authenticator.WebAuthn - * `authentik.stages.captcha` - authentik Stages.Captcha - * `authentik.stages.consent` - authentik Stages.Consent - * `authentik.stages.deny` - authentik Stages.Deny - * `authentik.stages.dummy` - authentik Stages.Dummy - * `authentik.stages.email` - authentik Stages.Email - * `authentik.stages.identification` - authentik Stages.Identification - * `authentik.stages.invitation` - authentik Stages.User Invitation - * `authentik.stages.password` - authentik Stages.Password - * `authentik.stages.prompt` - authentik Stages.Prompt - * `authentik.stages.user_delete` - authentik Stages.User Delete - * `authentik.stages.user_login` - authentik Stages.User Login - * `authentik.stages.user_logout` - authentik Stages.User Logout - * `authentik.stages.user_write` - authentik Stages.User Write - * `authentik.brands` - authentik Brands - * `authentik.blueprints` - authentik Blueprints - * `authentik.core` - authentik Core - * `authentik.enterprise` - authentik Enterprise - * `authentik.enterprise.audit` - authentik Enterprise.Audit - * `authentik.enterprise.providers.rac` - authentik Enterprise.Providers.RAC - * `authentik.enterprise.stages.source` - authentik Enterprise.Stages.Source - * `authentik.events` - authentik Events + description: Match events created by selected application. When left empty, + all applications are matched. model: allOf: - $ref: '#/components/schemas/ModelEnum' nullable: true - description: |- - Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched. 
- - * `authentik_tenants.domain` - Domain - * `authentik_crypto.certificatekeypair` - Certificate-Key Pair - * `authentik_flows.flow` - Flow - * `authentik_flows.flowstagebinding` - Flow Stage Binding - * `authentik_outposts.dockerserviceconnection` - Docker Service-Connection - * `authentik_outposts.kubernetesserviceconnection` - Kubernetes Service-Connection - * `authentik_outposts.outpost` - Outpost - * `authentik_policies_dummy.dummypolicy` - Dummy Policy - * `authentik_policies_event_matcher.eventmatcherpolicy` - Event Matcher Policy - * `authentik_policies_expiry.passwordexpirypolicy` - Password Expiry Policy - * `authentik_policies_expression.expressionpolicy` - Expression Policy - * `authentik_policies_password.passwordpolicy` - Password Policy - * `authentik_policies_reputation.reputationpolicy` - Reputation Policy - * `authentik_policies.policybinding` - Policy Binding - * `authentik_providers_ldap.ldapprovider` - LDAP Provider - * `authentik_providers_oauth2.scopemapping` - Scope Mapping - * `authentik_providers_oauth2.oauth2provider` - OAuth2/OpenID Provider - * `authentik_providers_proxy.proxyprovider` - Proxy Provider - * `authentik_providers_radius.radiusprovider` - Radius Provider - * `authentik_providers_saml.samlprovider` - SAML Provider - * `authentik_providers_saml.samlpropertymapping` - SAML Property Mapping - * `authentik_providers_scim.scimprovider` - SCIM Provider - * `authentik_providers_scim.scimmapping` - SCIM Mapping - * `authentik_rbac.role` - Role - * `authentik_sources_ldap.ldapsource` - LDAP Source - * `authentik_sources_ldap.ldappropertymapping` - LDAP Property Mapping - * `authentik_sources_oauth.oauthsource` - OAuth Source - * `authentik_sources_oauth.useroauthsourceconnection` - User OAuth Source Connection - * `authentik_sources_plex.plexsource` - Plex Source - * `authentik_sources_plex.plexsourceconnection` - User Plex Source Connection - * `authentik_sources_saml.samlsource` - SAML Source - * 
`authentik_sources_saml.usersamlsourceconnection` - User SAML Source Connection - * `authentik_stages_authenticator_duo.authenticatorduostage` - Duo Authenticator Setup Stage - * `authentik_stages_authenticator_duo.duodevice` - Duo Device - * `authentik_stages_authenticator_sms.authenticatorsmsstage` - SMS Authenticator Setup Stage - * `authentik_stages_authenticator_sms.smsdevice` - SMS Device - * `authentik_stages_authenticator_static.authenticatorstaticstage` - Static Authenticator Setup Stage - * `authentik_stages_authenticator_static.staticdevice` - Static Device - * `authentik_stages_authenticator_totp.authenticatortotpstage` - TOTP Authenticator Setup Stage - * `authentik_stages_authenticator_totp.totpdevice` - TOTP Device - * `authentik_stages_authenticator_validate.authenticatorvalidatestage` - Authenticator Validation Stage - * `authentik_stages_authenticator_webauthn.authenticatewebauthnstage` - WebAuthn Authenticator Setup Stage - * `authentik_stages_authenticator_webauthn.webauthndevice` - WebAuthn Device - * `authentik_stages_captcha.captchastage` - Captcha Stage - * `authentik_stages_consent.consentstage` - Consent Stage - * `authentik_stages_consent.userconsent` - User Consent - * `authentik_stages_deny.denystage` - Deny Stage - * `authentik_stages_dummy.dummystage` - Dummy Stage - * `authentik_stages_email.emailstage` - Email Stage - * `authentik_stages_identification.identificationstage` - Identification Stage - * `authentik_stages_invitation.invitationstage` - Invitation Stage - * `authentik_stages_invitation.invitation` - Invitation - * `authentik_stages_password.passwordstage` - Password Stage - * `authentik_stages_prompt.prompt` - Prompt - * `authentik_stages_prompt.promptstage` - Prompt Stage - * `authentik_stages_user_delete.userdeletestage` - User Delete Stage - * `authentik_stages_user_login.userloginstage` - User Login Stage - * `authentik_stages_user_logout.userlogoutstage` - User Logout Stage - * 
`authentik_stages_user_write.userwritestage` - User Write Stage - * `authentik_brands.brand` - Brand - * `authentik_blueprints.blueprintinstance` - Blueprint Instance - * `authentik_core.group` - Group - * `authentik_core.user` - User - * `authentik_core.application` - Application - * `authentik_core.token` - Token - * `authentik_enterprise.license` - License - * `authentik_providers_rac.racprovider` - RAC Provider - * `authentik_providers_rac.endpoint` - RAC Endpoint - * `authentik_providers_rac.racpropertymapping` - RAC Property Mapping - * `authentik_stages_source.sourcestage` - Source Stage - * `authentik_events.event` - Event - * `authentik_events.notificationtransport` - Notification Transport - * `authentik_events.notification` - Notification - * `authentik_events.notificationrule` - Notification Rule - * `authentik_events.notificationwebhookmapping` - Webhook Mapping + description: Match events created by selected model. When left empty, all + models are matched. When an app is selected, all the application's models + are matched. required: - bound_to - component 
@@ -33147,36 +32470,8 @@ components: allOf: - $ref: '#/components/schemas/EventActions' nullable: true - description: |- - Match created events with this action type. When left empty, all action types will be matched. - - * `login` - Login - * `login_failed` - Login Failed - * `logout` - Logout - * `user_write` - User Write - * `suspicious_request` - Suspicious Request - * `password_set` - Password Set - * `secret_view` - Secret View - * `secret_rotate` - Secret Rotate - * `invitation_used` - Invite Used - * `authorize_application` - Authorize Application - * `source_linked` - Source Linked - * `impersonation_started` - Impersonation Started - * `impersonation_ended` - Impersonation Ended - * `flow_execution` - Flow Execution - * `policy_execution` - Policy Execution - * `policy_exception` - Policy Exception - * `property_mapping_exception` - Property Mapping Exception - * `system_task_execution` - System Task Execution - * `system_task_exception` - System Task Exception - * `system_exception` - System Exception - * `configuration_error` - Configuration Error - * `model_created` - Model Created - * `model_updated` - Model Updated - * `model_deleted` - Model Deleted - * `email_sent` - Email Sent - * `update_available` - Update Available - * `custom_` - Custom Prefix + description: Match created events with this action type. When left empty, + all action types will be matched. client_ip: type: string nullable: true 
@@ -33187,144 +32482,15 @@ components: allOf: - $ref: '#/components/schemas/AppEnum' nullable: true - description: |- - Match events created by selected application. When left empty, all applications are matched. - - * `authentik.tenants` - authentik Tenants - * `authentik.admin` - authentik Admin - * `authentik.api` - authentik API - * `authentik.crypto` - authentik Crypto - * `authentik.flows` - authentik Flows - * `authentik.outposts` - authentik Outpost - * `authentik.policies.dummy` - authentik Policies.Dummy - * `authentik.policies.event_matcher` - authentik Policies.Event Matcher - * `authentik.policies.expiry` - authentik Policies.Expiry - * `authentik.policies.expression` - authentik Policies.Expression - * `authentik.policies.password` - authentik Policies.Password - * `authentik.policies.reputation` - authentik Policies.Reputation - * `authentik.policies` - authentik Policies - * `authentik.providers.ldap` - authentik Providers.LDAP - * `authentik.providers.oauth2` - authentik Providers.OAuth2 - * `authentik.providers.proxy` - authentik Providers.Proxy - * `authentik.providers.radius` - authentik Providers.Radius - * `authentik.providers.saml` - authentik Providers.SAML - * `authentik.providers.scim` - authentik Providers.SCIM - * `authentik.rbac` - authentik RBAC - * `authentik.recovery` - authentik Recovery - * `authentik.sources.ldap` - authentik Sources.LDAP - * `authentik.sources.oauth` - authentik Sources.OAuth - * `authentik.sources.plex` - authentik Sources.Plex - * `authentik.sources.saml` - authentik Sources.SAML - * `authentik.stages.authenticator` - authentik Stages.Authenticator - * `authentik.stages.authenticator_duo` - authentik Stages.Authenticator.Duo - * `authentik.stages.authenticator_sms` - authentik Stages.Authenticator.SMS - * `authentik.stages.authenticator_static` - authentik Stages.Authenticator.Static - * `authentik.stages.authenticator_totp` - authentik Stages.Authenticator.TOTP - * `authentik.stages.authenticator_validate` - 
authentik Stages.Authenticator.Validate - * `authentik.stages.authenticator_webauthn` - authentik Stages.Authenticator.WebAuthn - * `authentik.stages.captcha` - authentik Stages.Captcha - * `authentik.stages.consent` - authentik Stages.Consent - * `authentik.stages.deny` - authentik Stages.Deny - * `authentik.stages.dummy` - authentik Stages.Dummy - * `authentik.stages.email` - authentik Stages.Email - * `authentik.stages.identification` - authentik Stages.Identification - * `authentik.stages.invitation` - authentik Stages.User Invitation - * `authentik.stages.password` - authentik Stages.Password - * `authentik.stages.prompt` - authentik Stages.Prompt - * `authentik.stages.user_delete` - authentik Stages.User Delete - * `authentik.stages.user_login` - authentik Stages.User Login - * `authentik.stages.user_logout` - authentik Stages.User Logout - * `authentik.stages.user_write` - authentik Stages.User Write - * `authentik.brands` - authentik Brands - * `authentik.blueprints` - authentik Blueprints - * `authentik.core` - authentik Core - * `authentik.enterprise` - authentik Enterprise - * `authentik.enterprise.audit` - authentik Enterprise.Audit - * `authentik.enterprise.providers.rac` - authentik Enterprise.Providers.RAC - * `authentik.enterprise.stages.source` - authentik Enterprise.Stages.Source - * `authentik.events` - authentik Events + description: Match events created by selected application. When left empty, + all applications are matched. model: allOf: - $ref: '#/components/schemas/ModelEnum' nullable: true - description: |- - Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched. 
- - * `authentik_tenants.domain` - Domain - * `authentik_crypto.certificatekeypair` - Certificate-Key Pair - * `authentik_flows.flow` - Flow - * `authentik_flows.flowstagebinding` - Flow Stage Binding - * `authentik_outposts.dockerserviceconnection` - Docker Service-Connection - * `authentik_outposts.kubernetesserviceconnection` - Kubernetes Service-Connection - * `authentik_outposts.outpost` - Outpost - * `authentik_policies_dummy.dummypolicy` - Dummy Policy - * `authentik_policies_event_matcher.eventmatcherpolicy` - Event Matcher Policy - * `authentik_policies_expiry.passwordexpirypolicy` - Password Expiry Policy - * `authentik_policies_expression.expressionpolicy` - Expression Policy - * `authentik_policies_password.passwordpolicy` - Password Policy - * `authentik_policies_reputation.reputationpolicy` - Reputation Policy - * `authentik_policies.policybinding` - Policy Binding - * `authentik_providers_ldap.ldapprovider` - LDAP Provider - * `authentik_providers_oauth2.scopemapping` - Scope Mapping - * `authentik_providers_oauth2.oauth2provider` - OAuth2/OpenID Provider - * `authentik_providers_proxy.proxyprovider` - Proxy Provider - * `authentik_providers_radius.radiusprovider` - Radius Provider - * `authentik_providers_saml.samlprovider` - SAML Provider - * `authentik_providers_saml.samlpropertymapping` - SAML Property Mapping - * `authentik_providers_scim.scimprovider` - SCIM Provider - * `authentik_providers_scim.scimmapping` - SCIM Mapping - * `authentik_rbac.role` - Role - * `authentik_sources_ldap.ldapsource` - LDAP Source - * `authentik_sources_ldap.ldappropertymapping` - LDAP Property Mapping - * `authentik_sources_oauth.oauthsource` - OAuth Source - * `authentik_sources_oauth.useroauthsourceconnection` - User OAuth Source Connection - * `authentik_sources_plex.plexsource` - Plex Source - * `authentik_sources_plex.plexsourceconnection` - User Plex Source Connection - * `authentik_sources_saml.samlsource` - SAML Source - * 
`authentik_sources_saml.usersamlsourceconnection` - User SAML Source Connection - * `authentik_stages_authenticator_duo.authenticatorduostage` - Duo Authenticator Setup Stage - * `authentik_stages_authenticator_duo.duodevice` - Duo Device - * `authentik_stages_authenticator_sms.authenticatorsmsstage` - SMS Authenticator Setup Stage - * `authentik_stages_authenticator_sms.smsdevice` - SMS Device - * `authentik_stages_authenticator_static.authenticatorstaticstage` - Static Authenticator Setup Stage - * `authentik_stages_authenticator_static.staticdevice` - Static Device - * `authentik_stages_authenticator_totp.authenticatortotpstage` - TOTP Authenticator Setup Stage - * `authentik_stages_authenticator_totp.totpdevice` - TOTP Device - * `authentik_stages_authenticator_validate.authenticatorvalidatestage` - Authenticator Validation Stage - * `authentik_stages_authenticator_webauthn.authenticatewebauthnstage` - WebAuthn Authenticator Setup Stage - * `authentik_stages_authenticator_webauthn.webauthndevice` - WebAuthn Device - * `authentik_stages_captcha.captchastage` - Captcha Stage - * `authentik_stages_consent.consentstage` - Consent Stage - * `authentik_stages_consent.userconsent` - User Consent - * `authentik_stages_deny.denystage` - Deny Stage - * `authentik_stages_dummy.dummystage` - Dummy Stage - * `authentik_stages_email.emailstage` - Email Stage - * `authentik_stages_identification.identificationstage` - Identification Stage - * `authentik_stages_invitation.invitationstage` - Invitation Stage - * `authentik_stages_invitation.invitation` - Invitation - * `authentik_stages_password.passwordstage` - Password Stage - * `authentik_stages_prompt.prompt` - Prompt - * `authentik_stages_prompt.promptstage` - Prompt Stage - * `authentik_stages_user_delete.userdeletestage` - User Delete Stage - * `authentik_stages_user_login.userloginstage` - User Login Stage - * `authentik_stages_user_logout.userlogoutstage` - User Logout Stage - * 
`authentik_stages_user_write.userwritestage` - User Write Stage - * `authentik_brands.brand` - Brand - * `authentik_blueprints.blueprintinstance` - Blueprint Instance - * `authentik_core.group` - Group - * `authentik_core.user` - User - * `authentik_core.application` - Application - * `authentik_core.token` - Token - * `authentik_enterprise.license` - License - * `authentik_providers_rac.racprovider` - RAC Provider - * `authentik_providers_rac.endpoint` - RAC Endpoint - * `authentik_providers_rac.racpropertymapping` - RAC Property Mapping - * `authentik_stages_source.sourcestage` - Source Stage - * `authentik_events.event` - Event - * `authentik_events.notificationtransport` - Notification Transport - * `authentik_events.notification` - Notification - * `authentik_events.notificationrule` - Notification Rule - * `authentik_events.notificationwebhookmapping` - Webhook Mapping + description: Match events created by selected model. When left empty, all + models are matched. When an app is selected, all the application's models + are matched. required: - name EventRequest: @@ -33601,16 +32767,8 @@ components: designation: allOf: - $ref: '#/components/schemas/FlowDesignationEnum' - description: |- - Decides what this Flow is used for. For example, the Authentication flow is redirect to when an un-authenticated user visits authentik. - - * `authentication` - Authentication - * `authorization` - Authorization - * `invalidation` - Invalidation - * `enrollment` - Enrollment - * `unenrollment` - Unrenollment - * `recovery` - Recovery - * `stage_configuration` - Stage Configuration + description: Decides what this Flow is used for. For example, the Authentication + flow is redirect to when an un-authenticated user visits authentik. background: type: string description: |- 
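Review bot: The re-emitted `designation` description in the last hunk on this line still reads `the Authentication flow is redirect to when an un-authenticated user visits authentik`; it should say `is redirected to`. The same sentence is written out again in the three later `designation` hunks of this diff. The wording is unchanged from the removed side, so it is presumably inherited from the field's help text and would need correcting at that source, after which the schema can be regenerated.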
@@ -33648,23 +32806,13 @@ components: denied_action: allOf: - $ref: '#/components/schemas/DeniedActionEnum' - description: |- - Configure what should happen when a flow denies access to a user. - - * `message_continue` - Message Continue - * `message` - Message - * `continue` - Continue + description: Configure what should happen when a flow denies access to a + user. authentication: allOf: - $ref: '#/components/schemas/AuthenticationEnum' - description: |- - Required level of authentication and authorization to access a flow. - - * `none` - None - * `require_authenticated` - Require Authenticated - * `require_unauthenticated` - Require Unauthenticated - * `require_superuser` - Require Superuser - * `require_outpost` - Require Outpost + description: Required level of authentication and authorization to access + a flow. required: - background - cache_count @@ -33730,14 +32878,6 @@ components: - recovery - stage_configuration type: string - description: |- - * `authentication` - Authentication - * `authorization` - Authorization - * `invalidation` - Invalidation - * `enrollment` - Enrollment - * `unenrollment` - Unrenollment - * `recovery` - Recovery - * `stage_configuration` - Stage Configuration FlowDiagram: type: object description: response of the flow's diagram action @@ -33839,12 +32979,6 @@ components: - sidebar_left - sidebar_right type: string - description: |- - * `stacked` - Stacked - * `content_left` - Content Left - * `content_right` - Content Right - * `sidebar_left` - Sidebar Left - * `sidebar_right` - Sidebar Right FlowRequest: type: object description: Flow Serializer 
@@ -33865,16 +32999,8 @@ components: designation: allOf: - $ref: '#/components/schemas/FlowDesignationEnum' - description: |- - Decides what this Flow is used for. For example, the Authentication flow is redirect to when an un-authenticated user visits authentik. - - * `authentication` - Authentication - * `authorization` - Authorization - * `invalidation` - Invalidation - * `enrollment` - Enrollment - * `unenrollment` - Unrenollment - * `recovery` - Recovery - * `stage_configuration` - Stage Configuration + description: Decides what this Flow is used for. For example, the Authentication + flow is redirect to when an un-authenticated user visits authentik. policy_engine_mode: $ref: '#/components/schemas/PolicyEngineMode' compatibility_mode: @@ -33886,23 +33012,13 @@ components: denied_action: allOf: - $ref: '#/components/schemas/DeniedActionEnum' - description: |- - Configure what should happen when a flow denies access to a user. - - * `message_continue` - Message Continue - * `message` - Message - * `continue` - Continue + description: Configure what should happen when a flow denies access to a + user. authentication: allOf: - $ref: '#/components/schemas/AuthenticationEnum' - description: |- - Required level of authentication and authorization to access a flow. - - * `none` - None - * `require_authenticated` - Require Authenticated - * `require_unauthenticated` - Require Unauthenticated - * `require_superuser` - Require Superuser - * `require_outpost` - Require Outpost + description: Required level of authentication and authorization to access + a flow. required: - designation - name 
@@ -33934,16 +33050,8 @@ components: designation: allOf: - $ref: '#/components/schemas/FlowDesignationEnum' - description: |- - Decides what this Flow is used for. For example, the Authentication flow is redirect to when an un-authenticated user visits authentik. - - * `authentication` - Authentication - * `authorization` - Authorization - * `invalidation` - Invalidation - * `enrollment` - Enrollment - * `unenrollment` - Unrenollment - * `recovery` - Recovery - * `stage_configuration` - Stage Configuration + description: Decides what this Flow is used for. For example, the Authentication + flow is redirect to when an un-authenticated user visits authentik. background: type: string description: |- @@ -33965,12 +33073,8 @@ components: denied_action: allOf: - $ref: '#/components/schemas/DeniedActionEnum' - description: |- - Configure what should happen when a flow denies access to a user. - - * `message_continue` - Message Continue - * `message` - Message - * `continue` - Continue + description: Configure what should happen when a flow denies access to a + user. required: - background - designation @@ -34000,16 +33104,8 @@ components: designation: allOf: - $ref: '#/components/schemas/FlowDesignationEnum' - description: |- - Decides what this Flow is used for. For example, the Authentication flow is redirect to when an un-authenticated user visits authentik. - - * `authentication` - Authentication - * `authorization` - Authorization - * `invalidation` - Invalidation - * `enrollment` - Enrollment - * `unenrollment` - Unrenollment - * `recovery` - Recovery - * `stage_configuration` - Stage Configuration + description: Decides what this Flow is used for. For example, the Authentication + flow is redirect to when an un-authenticated user visits authentik. policy_engine_mode: $ref: '#/components/schemas/PolicyEngineMode' compatibility_mode: 
@@ -34021,12 +33117,8 @@ components: denied_action: allOf: - $ref: '#/components/schemas/DeniedActionEnum' - description: |- - Configure what should happen when a flow denies access to a user. - - * `message_continue` - Message Continue - * `message` - Message - * `continue` - Continue + description: Configure what should happen when a flow denies access to a + user. required: - designation - name @@ -34070,12 +33162,10 @@ components: invalid_response_action: allOf: - $ref: '#/components/schemas/InvalidResponseActionEnum' - description: |- - Configure how the flow executor should handle an invalid response to a challenge. RETRY returns the error message and a similar challenge to the executor. RESTART restarts the flow from the beginning, and RESTART_WITH_CONTEXT restarts the flow while keeping the current context. - - * `retry` - Retry - * `restart` - Restart - * `restart_with_context` - Restart With Context + description: Configure how the flow executor should handle an invalid response + to a challenge. RETRY returns the error message and a similar challenge + to the executor. RESTART restarts the flow from the beginning, and RESTART_WITH_CONTEXT + restarts the flow while keeping the current context. required: - order - pk 
@@ -34108,12 +33198,10 @@ components: invalid_response_action: allOf: - $ref: '#/components/schemas/InvalidResponseActionEnum' - description: |- - Configure how the flow executor should handle an invalid response to a challenge. RETRY returns the error message and a similar challenge to the executor. RESTART restarts the flow from the beginning, and RESTART_WITH_CONTEXT restarts the flow while keeping the current context. - - * `retry` - Retry - * `restart` - Restart - * `restart_with_context` - Restart With Context + description: Configure how the flow executor should handle an invalid response + to a challenge. RETRY returns the error message and a similar challenge + to the executor. RESTART restarts the flow from the beginning, and RESTART_WITH_CONTEXT + restarts the flow while keeping the current context. required: - order - stage @@ -34148,11 +33236,6 @@ components: - bind_continent_country - bind_continent_country_city type: string - description: |- - * `no_binding` - No Binding - * `bind_continent` - Bind Continent - * `bind_continent_country` - Bind Continent Country - * `bind_continent_country_city` - Bind Continent Country City Group: type: object description: Group Serializer @@ -34544,21 +33627,12 @@ components: - recovery - app_password type: string - description: |- - * `verification` - Intent Verification - * `api` - Intent Api - * `recovery` - Intent Recovery - * `app_password` - Intent App Password InvalidResponseActionEnum: enum: - retry - restart - restart_with_context type: string - description: |- - * `retry` - Retry - * `restart` - Restart - * `restart_with_context` - Restart With Context Invitation: type: object description: Invitation Serializer 
@@ -34690,9 +33764,6 @@ components: - global - per_provider type: string - description: |- - * `global` - Same identifier is used for all providers - * `per_provider` - Each provider has a different issuer, based on the application slug. KubernetesServiceConnection: type: object description: KubernetesServiceConnection Serializer @@ -34760,9 +33831,6 @@ components: - direct - cached type: string - description: |- - * `direct` - Direct - * `cached` - Cached LDAPDebug: type: object properties: @@ -35157,14 +34225,8 @@ components: user_matching_mode: allOf: - $ref: '#/components/schemas/UserMatchingModeEnum' - description: |- - How the source determines if an existing user should be authenticated or a new user enrolled. - - * `identifier` - Use the source-specific identifier - * `email_link` - Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses. - * `email_deny` - Use the user's email address, but deny enrollment when the email address already exists. - * `username_link` - Link to a user with identical username. Can have security implications when a username is used with another source. - * `username_deny` - Use the user's username, but deny enrollment when the username already exists. + description: How the source determines if an existing user should be authenticated + or a new user enrolled. managed: type: string nullable: true 
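Review bot: The shortened `user_matching_mode` description in the hunk at `@@ -35157,14 +34225,8 @@` drops the warning that `email_link` and `username_link` "can have security implications" (a source that doesn't validate email addresses, a username that is used with another source). The same text is removed again in the hunks at `-35308`, `-36396`, `-36507` and `-39428`. This schema appears to feed the client package that the new publish workflow builds, so I would keep the caveat in the field description itself, e.g. `description: How the source determines if an existing user should be authenticated or a new user enrolled. The email_link and username_link modes can have security implications when the source does not validate email addresses or the username is used with another source.` schema.yml looks generated, so the wording presumably belongs in the field's help text on the generator side rather than in this file. The enclosing schema object starts and ends outside the hunk.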
@@ -35308,14 +34370,8 @@ components: user_matching_mode: allOf: - $ref: '#/components/schemas/UserMatchingModeEnum' - description: |- - How the source determines if an existing user should be authenticated or a new user enrolled. - - * `identifier` - Use the source-specific identifier - * `email_link` - Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses. - * `email_deny` - Use the user's email address, but deny enrollment when the email address already exists. - * `username_link` - Link to a user with identical username. Can have security implications when a username is used with another source. - * `username_deny` - Use the user's username, but deny enrollment when the username already exists. + description: How the source determines if an existing user should be authenticated + or a new user enrolled. user_path_template: type: string minLength: 1 @@ -35547,15 +34603,6 @@ components: - debug - notset type: string - description: |- - * `critical` - critical - * `exception` - exception - * `error` - error - * `warn` - warn - * `warning` - warning - * `info` - info - * `debug` - debug - * `notset` - notset LoginChallengeTypes: oneOf: - $ref: '#/components/schemas/RedirectChallenge' 
@@ -35694,82 +34741,6 @@ components: - authentik_events.notificationrule - authentik_events.notificationwebhookmapping type: string - description: |- - * `authentik_tenants.domain` - Domain - * `authentik_crypto.certificatekeypair` - Certificate-Key Pair - * `authentik_flows.flow` - Flow - * `authentik_flows.flowstagebinding` - Flow Stage Binding - * `authentik_outposts.dockerserviceconnection` - Docker Service-Connection - * `authentik_outposts.kubernetesserviceconnection` - Kubernetes Service-Connection - * `authentik_outposts.outpost` - Outpost - * `authentik_policies_dummy.dummypolicy` - Dummy Policy - * `authentik_policies_event_matcher.eventmatcherpolicy` - Event Matcher Policy - * `authentik_policies_expiry.passwordexpirypolicy` - Password Expiry Policy - * `authentik_policies_expression.expressionpolicy` - Expression Policy - * `authentik_policies_password.passwordpolicy` - Password Policy - * `authentik_policies_reputation.reputationpolicy` - Reputation Policy - * `authentik_policies.policybinding` - Policy Binding - * `authentik_providers_ldap.ldapprovider` - LDAP Provider - * `authentik_providers_oauth2.scopemapping` - Scope Mapping - * `authentik_providers_oauth2.oauth2provider` - OAuth2/OpenID Provider - * `authentik_providers_proxy.proxyprovider` - Proxy Provider - * `authentik_providers_radius.radiusprovider` - Radius Provider - * `authentik_providers_saml.samlprovider` - SAML Provider - * `authentik_providers_saml.samlpropertymapping` - SAML Property Mapping - * `authentik_providers_scim.scimprovider` - SCIM Provider - * `authentik_providers_scim.scimmapping` - SCIM Mapping - * `authentik_rbac.role` - Role - * `authentik_sources_ldap.ldapsource` - LDAP Source - * `authentik_sources_ldap.ldappropertymapping` - LDAP Property Mapping - * `authentik_sources_oauth.oauthsource` - OAuth Source - * `authentik_sources_oauth.useroauthsourceconnection` - User OAuth Source Connection - * `authentik_sources_plex.plexsource` - Plex Source - * 
`authentik_sources_plex.plexsourceconnection` - User Plex Source Connection - * `authentik_sources_saml.samlsource` - SAML Source - * `authentik_sources_saml.usersamlsourceconnection` - User SAML Source Connection - * `authentik_stages_authenticator_duo.authenticatorduostage` - Duo Authenticator Setup Stage - * `authentik_stages_authenticator_duo.duodevice` - Duo Device - * `authentik_stages_authenticator_sms.authenticatorsmsstage` - SMS Authenticator Setup Stage - * `authentik_stages_authenticator_sms.smsdevice` - SMS Device - * `authentik_stages_authenticator_static.authenticatorstaticstage` - Static Authenticator Setup Stage - * `authentik_stages_authenticator_static.staticdevice` - Static Device - * `authentik_stages_authenticator_totp.authenticatortotpstage` - TOTP Authenticator Setup Stage - * `authentik_stages_authenticator_totp.totpdevice` - TOTP Device - * `authentik_stages_authenticator_validate.authenticatorvalidatestage` - Authenticator Validation Stage - * `authentik_stages_authenticator_webauthn.authenticatewebauthnstage` - WebAuthn Authenticator Setup Stage - * `authentik_stages_authenticator_webauthn.webauthndevice` - WebAuthn Device - * `authentik_stages_captcha.captchastage` - Captcha Stage - * `authentik_stages_consent.consentstage` - Consent Stage - * `authentik_stages_consent.userconsent` - User Consent - * `authentik_stages_deny.denystage` - Deny Stage - * `authentik_stages_dummy.dummystage` - Dummy Stage - * `authentik_stages_email.emailstage` - Email Stage - * `authentik_stages_identification.identificationstage` - Identification Stage - * `authentik_stages_invitation.invitationstage` - Invitation Stage - * `authentik_stages_invitation.invitation` - Invitation - * `authentik_stages_password.passwordstage` - Password Stage - * `authentik_stages_prompt.prompt` - Prompt - * `authentik_stages_prompt.promptstage` - Prompt Stage - * `authentik_stages_user_delete.userdeletestage` - User Delete Stage - * `authentik_stages_user_login.userloginstage` 
- User Login Stage - * `authentik_stages_user_logout.userlogoutstage` - User Logout Stage - * `authentik_stages_user_write.userwritestage` - User Write Stage - * `authentik_brands.brand` - Brand - * `authentik_blueprints.blueprintinstance` - Blueprint Instance - * `authentik_core.group` - Group - * `authentik_core.user` - User - * `authentik_core.application` - Application - * `authentik_core.token` - Token - * `authentik_enterprise.license` - License - * `authentik_providers_rac.racprovider` - RAC Provider - * `authentik_providers_rac.endpoint` - RAC Endpoint - * `authentik_providers_rac.racpropertymapping` - RAC Property Mapping - * `authentik_stages_source.sourcestage` - Source Stage - * `authentik_events.event` - Event - * `authentik_events.notificationtransport` - Notification Transport - * `authentik_events.notification` - Notification - * `authentik_events.notificationrule` - Notification Rule - * `authentik_events.notificationwebhookmapping` - Webhook Mapping NameIdPolicyEnum: enum: - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress @@ -35778,12 +34749,6 @@ components: - urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName - urn:oasis:names:tc:SAML:2.0:nameid-format:transient type: string - description: |- - * `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` - Email - * `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` - Persistent - * `urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName` - X509 - * `urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName` - Windows - * `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` - Transient NetworkBindingEnum: enum: - no_binding 
@@ -35791,21 +34756,12 @@ components: - bind_asn_network - bind_asn_network_ip type: string - description: |- - * `no_binding` - No Binding - * `bind_asn` - Bind Asn - * `bind_asn_network` - Bind Asn Network - * `bind_asn_network_ip` - Bind Asn Network Ip NotConfiguredActionEnum: enum: - skip - deny - configure type: string - description: |- - * `skip` - Skip - * `deny` - Deny - * `configure` - Configure Notification: type: object description: Notification Serializer @@ -35865,12 +34821,8 @@ components: severity: allOf: - $ref: '#/components/schemas/SeverityEnum' - description: |- - Controls which severity level the created notifications will have. - - * `notice` - Notice - * `warning` - Warning - * `alert` - Alert + description: Controls which severity level the created notifications will + have. group: type: string format: uuid @@ -35903,12 +34855,8 @@ components: severity: allOf: - $ref: '#/components/schemas/SeverityEnum' - description: |- - Controls which severity level the created notifications will have. - - * `notice` - Notice - * `warning` - Warning - * `alert` - Alert + description: Controls which severity level the created notifications will + have. group: type: string format: uuid @@ -35956,11 +34904,6 @@ components: - webhook_slack - email type: string - description: |- - * `local` - authentik inbuilt notifications - * `webhook` - Generic Webhook - * `webhook_slack` - Slack Webhook (Slack/Discord) - * `email` - Email NotificationTransportRequest: type: object description: NotificationTransport Serializer 
@@ -36083,11 +35026,8 @@ components: client_type: allOf: - $ref: '#/components/schemas/ClientTypeEnum' - description: |- - Confidential clients are capable of maintaining the confidentiality of their credentials. Public clients are incapable - - * `confidential` - Confidential - * `public` - Public + description: Confidential clients are capable of maintaining the confidentiality + of their credentials. Public clients are incapable client_id: type: string maxLength: 255 @@ -36122,23 +35062,12 @@ components: sub_mode: allOf: - $ref: '#/components/schemas/SubModeEnum' - description: |- - Configure what data should be used as unique User Identifier. For most cases, the default should be fine. - - * `hashed_user_id` - Based on the Hashed User ID - * `user_id` - Based on user ID - * `user_uuid` - Based on user UUID - * `user_username` - Based on the username - * `user_email` - Based on the User's Email. This is recommended over the UPN method. - * `user_upn` - Based on the User's UPN, only works if user has a 'upn' attribute set. Use this method only if you have different UPN and Mail domains. + description: Configure what data should be used as unique User Identifier. + For most cases, the default should be fine. issuer_mode: allOf: - $ref: '#/components/schemas/IssuerModeEnum' - description: |- - Configure how the issuer field of the ID Token should be filled. - - * `global` - Same identifier is used for all providers - * `per_provider` - Each provider has a different issuer, based on the application slug. + description: Configure how the issuer field of the ID Token should be filled. jwks_sources: type: array items: 
@@ -36184,11 +35113,8 @@ components: client_type: allOf: - $ref: '#/components/schemas/ClientTypeEnum' - description: |- - Confidential clients are capable of maintaining the confidentiality of their credentials. Public clients are incapable - - * `confidential` - Confidential - * `public` - Public + description: Confidential clients are capable of maintaining the confidentiality + of their credentials. Public clients are incapable client_id: type: string minLength: 1 @@ -36227,23 +35153,12 @@ components: sub_mode: allOf: - $ref: '#/components/schemas/SubModeEnum' - description: |- - Configure what data should be used as unique User Identifier. For most cases, the default should be fine. - - * `hashed_user_id` - Based on the Hashed User ID - * `user_id` - Based on user ID - * `user_uuid` - Based on user UUID - * `user_username` - Based on the username - * `user_email` - Based on the User's Email. This is recommended over the UPN method. - * `user_upn` - Based on the User's UPN, only works if user has a 'upn' attribute set. Use this method only if you have different UPN and Mail domains. + description: Configure what data should be used as unique User Identifier. + For most cases, the default should be fine. issuer_mode: allOf: - $ref: '#/components/schemas/IssuerModeEnum' - description: |- - Configure how the issuer field of the ID Token should be filled. - - * `global` - Same identifier is used for all providers - * `per_provider` - Each provider has a different issuer, based on the application slug. + description: Configure how the issuer field of the ID Token should be filled. jwks_sources: type: array items: 
@@ -36396,14 +35311,8 @@ components: user_matching_mode: allOf: - $ref: '#/components/schemas/UserMatchingModeEnum' - description: |- - How the source determines if an existing user should be authenticated or a new user enrolled. - - * `identifier` - Use the source-specific identifier - * `email_link` - Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses. - * `email_deny` - Use the user's email address, but deny enrollment when the email address already exists. - * `username_link` - Link to a user with identical username. Can have security implications when a username is used with another source. - * `username_deny` - Use the user's username, but deny enrollment when the username already exists. + description: How the source determines if an existing user should be authenticated + or a new user enrolled. managed: type: string nullable: true @@ -36507,14 +35416,8 @@ components: user_matching_mode: allOf: - $ref: '#/components/schemas/UserMatchingModeEnum' - description: |- - How the source determines if an existing user should be authenticated or a new user enrolled. - - * `identifier` - Use the source-specific identifier - * `email_link` - Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses. - * `email_deny` - Use the user's email address, but deny enrollment when the email address already exists. - * `username_link` - Link to a user with identical username. Can have security implications when a username is used with another source. - * `username_deny` - Use the user's username, but deny enrollment when the username already exists. + description: How the source determines if an existing user should be authenticated + or a new user enrolled. user_path_template: type: string minLength: 1 
@@ -36758,11 +35661,6 @@ components: - radius - rac type: string - description: |- - * `proxy` - Proxy - * `ldap` - Ldap - * `radius` - Radius - * `rac` - Rac PaginatedApplicationList: type: object properties: @@ -38529,12 +37427,7 @@ components: webauthn_user_verification: allOf: - $ref: '#/components/schemas/UserVerificationEnum' - description: |- - Enforce user verification for WebAuthn devices. - - * `required` - Required - * `preferred` - Preferred - * `discouraged` - Discouraged + description: Enforce user verification for WebAuthn devices. PatchedBlueprintInstanceRequest: type: object description: Info about a single blueprint instance file 
@@ -38867,36 +37760,8 @@ components: allOf: - $ref: '#/components/schemas/EventActions' nullable: true - description: |- - Match created events with this action type. When left empty, all action types will be matched. - - * `login` - Login - * `login_failed` - Login Failed - * `logout` - Logout - * `user_write` - User Write - * `suspicious_request` - Suspicious Request - * `password_set` - Password Set - * `secret_view` - Secret View - * `secret_rotate` - Secret Rotate - * `invitation_used` - Invite Used - * `authorize_application` - Authorize Application - * `source_linked` - Source Linked - * `impersonation_started` - Impersonation Started - * `impersonation_ended` - Impersonation Ended - * `flow_execution` - Flow Execution - * `policy_execution` - Policy Execution - * `policy_exception` - Policy Exception - * `property_mapping_exception` - Property Mapping Exception - * `system_task_execution` - System Task Execution - * `system_task_exception` - System Task Exception - * `system_exception` - System Exception - * `configuration_error` - Configuration Error - * `model_created` - Model Created - * `model_updated` - Model Updated - * `model_deleted` - Model Deleted - * `email_sent` - Email Sent - * `update_available` - Update Available - * `custom_` - Custom Prefix + description: Match created events with this action type. When left empty, + all action types will be matched. client_ip: type: string nullable: true 
@@ -38907,144 +37772,15 @@ components: allOf: - $ref: '#/components/schemas/AppEnum' nullable: true - description: |- - Match events created by selected application. When left empty, all applications are matched. - - * `authentik.tenants` - authentik Tenants - * `authentik.admin` - authentik Admin - * `authentik.api` - authentik API - * `authentik.crypto` - authentik Crypto - * `authentik.flows` - authentik Flows - * `authentik.outposts` - authentik Outpost - * `authentik.policies.dummy` - authentik Policies.Dummy - * `authentik.policies.event_matcher` - authentik Policies.Event Matcher - * `authentik.policies.expiry` - authentik Policies.Expiry - * `authentik.policies.expression` - authentik Policies.Expression - * `authentik.policies.password` - authentik Policies.Password - * `authentik.policies.reputation` - authentik Policies.Reputation - * `authentik.policies` - authentik Policies - * `authentik.providers.ldap` - authentik Providers.LDAP - * `authentik.providers.oauth2` - authentik Providers.OAuth2 - * `authentik.providers.proxy` - authentik Providers.Proxy - * `authentik.providers.radius` - authentik Providers.Radius - * `authentik.providers.saml` - authentik Providers.SAML - * `authentik.providers.scim` - authentik Providers.SCIM - * `authentik.rbac` - authentik RBAC - * `authentik.recovery` - authentik Recovery - * `authentik.sources.ldap` - authentik Sources.LDAP - * `authentik.sources.oauth` - authentik Sources.OAuth - * `authentik.sources.plex` - authentik Sources.Plex - * `authentik.sources.saml` - authentik Sources.SAML - * `authentik.stages.authenticator` - authentik Stages.Authenticator - * `authentik.stages.authenticator_duo` - authentik Stages.Authenticator.Duo - * `authentik.stages.authenticator_sms` - authentik Stages.Authenticator.SMS - * `authentik.stages.authenticator_static` - authentik Stages.Authenticator.Static - * `authentik.stages.authenticator_totp` - authentik Stages.Authenticator.TOTP - * `authentik.stages.authenticator_validate` - 
authentik Stages.Authenticator.Validate - * `authentik.stages.authenticator_webauthn` - authentik Stages.Authenticator.WebAuthn - * `authentik.stages.captcha` - authentik Stages.Captcha - * `authentik.stages.consent` - authentik Stages.Consent - * `authentik.stages.deny` - authentik Stages.Deny - * `authentik.stages.dummy` - authentik Stages.Dummy - * `authentik.stages.email` - authentik Stages.Email - * `authentik.stages.identification` - authentik Stages.Identification - * `authentik.stages.invitation` - authentik Stages.User Invitation - * `authentik.stages.password` - authentik Stages.Password - * `authentik.stages.prompt` - authentik Stages.Prompt - * `authentik.stages.user_delete` - authentik Stages.User Delete - * `authentik.stages.user_login` - authentik Stages.User Login - * `authentik.stages.user_logout` - authentik Stages.User Logout - * `authentik.stages.user_write` - authentik Stages.User Write - * `authentik.brands` - authentik Brands - * `authentik.blueprints` - authentik Blueprints - * `authentik.core` - authentik Core - * `authentik.enterprise` - authentik Enterprise - * `authentik.enterprise.audit` - authentik Enterprise.Audit - * `authentik.enterprise.providers.rac` - authentik Enterprise.Providers.RAC - * `authentik.enterprise.stages.source` - authentik Enterprise.Stages.Source - * `authentik.events` - authentik Events + description: Match events created by selected application. When left empty, + all applications are matched. model: allOf: - $ref: '#/components/schemas/ModelEnum' nullable: true - description: |- - Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched. 
- - * `authentik_tenants.domain` - Domain - * `authentik_crypto.certificatekeypair` - Certificate-Key Pair - * `authentik_flows.flow` - Flow - * `authentik_flows.flowstagebinding` - Flow Stage Binding - * `authentik_outposts.dockerserviceconnection` - Docker Service-Connection - * `authentik_outposts.kubernetesserviceconnection` - Kubernetes Service-Connection - * `authentik_outposts.outpost` - Outpost - * `authentik_policies_dummy.dummypolicy` - Dummy Policy - * `authentik_policies_event_matcher.eventmatcherpolicy` - Event Matcher Policy - * `authentik_policies_expiry.passwordexpirypolicy` - Password Expiry Policy - * `authentik_policies_expression.expressionpolicy` - Expression Policy - * `authentik_policies_password.passwordpolicy` - Password Policy - * `authentik_policies_reputation.reputationpolicy` - Reputation Policy - * `authentik_policies.policybinding` - Policy Binding - * `authentik_providers_ldap.ldapprovider` - LDAP Provider - * `authentik_providers_oauth2.scopemapping` - Scope Mapping - * `authentik_providers_oauth2.oauth2provider` - OAuth2/OpenID Provider - * `authentik_providers_proxy.proxyprovider` - Proxy Provider - * `authentik_providers_radius.radiusprovider` - Radius Provider - * `authentik_providers_saml.samlprovider` - SAML Provider - * `authentik_providers_saml.samlpropertymapping` - SAML Property Mapping - * `authentik_providers_scim.scimprovider` - SCIM Provider - * `authentik_providers_scim.scimmapping` - SCIM Mapping - * `authentik_rbac.role` - Role - * `authentik_sources_ldap.ldapsource` - LDAP Source - * `authentik_sources_ldap.ldappropertymapping` - LDAP Property Mapping - * `authentik_sources_oauth.oauthsource` - OAuth Source - * `authentik_sources_oauth.useroauthsourceconnection` - User OAuth Source Connection - * `authentik_sources_plex.plexsource` - Plex Source - * `authentik_sources_plex.plexsourceconnection` - User Plex Source Connection - * `authentik_sources_saml.samlsource` - SAML Source - * 
`authentik_sources_saml.usersamlsourceconnection` - User SAML Source Connection - * `authentik_stages_authenticator_duo.authenticatorduostage` - Duo Authenticator Setup Stage - * `authentik_stages_authenticator_duo.duodevice` - Duo Device - * `authentik_stages_authenticator_sms.authenticatorsmsstage` - SMS Authenticator Setup Stage - * `authentik_stages_authenticator_sms.smsdevice` - SMS Device - * `authentik_stages_authenticator_static.authenticatorstaticstage` - Static Authenticator Setup Stage - * `authentik_stages_authenticator_static.staticdevice` - Static Device - * `authentik_stages_authenticator_totp.authenticatortotpstage` - TOTP Authenticator Setup Stage - * `authentik_stages_authenticator_totp.totpdevice` - TOTP Device - * `authentik_stages_authenticator_validate.authenticatorvalidatestage` - Authenticator Validation Stage - * `authentik_stages_authenticator_webauthn.authenticatewebauthnstage` - WebAuthn Authenticator Setup Stage - * `authentik_stages_authenticator_webauthn.webauthndevice` - WebAuthn Device - * `authentik_stages_captcha.captchastage` - Captcha Stage - * `authentik_stages_consent.consentstage` - Consent Stage - * `authentik_stages_consent.userconsent` - User Consent - * `authentik_stages_deny.denystage` - Deny Stage - * `authentik_stages_dummy.dummystage` - Dummy Stage - * `authentik_stages_email.emailstage` - Email Stage - * `authentik_stages_identification.identificationstage` - Identification Stage - * `authentik_stages_invitation.invitationstage` - Invitation Stage - * `authentik_stages_invitation.invitation` - Invitation - * `authentik_stages_password.passwordstage` - Password Stage - * `authentik_stages_prompt.prompt` - Prompt - * `authentik_stages_prompt.promptstage` - Prompt Stage - * `authentik_stages_user_delete.userdeletestage` - User Delete Stage - * `authentik_stages_user_login.userloginstage` - User Login Stage - * `authentik_stages_user_logout.userlogoutstage` - User Logout Stage - * 
`authentik_stages_user_write.userwritestage` - User Write Stage - * `authentik_brands.brand` - Brand - * `authentik_blueprints.blueprintinstance` - Blueprint Instance - * `authentik_core.group` - Group - * `authentik_core.user` - User - * `authentik_core.application` - Application - * `authentik_core.token` - Token - * `authentik_enterprise.license` - License - * `authentik_providers_rac.racprovider` - RAC Provider - * `authentik_providers_rac.endpoint` - RAC Endpoint - * `authentik_providers_rac.racpropertymapping` - RAC Property Mapping - * `authentik_stages_source.sourcestage` - Source Stage - * `authentik_events.event` - Event - * `authentik_events.notificationtransport` - Notification Transport - * `authentik_events.notification` - Notification - * `authentik_events.notificationrule` - Notification Rule - * `authentik_events.notificationwebhookmapping` - Webhook Mapping + description: Match events created by selected model. When left empty, all + models are matched. When an app is selected, all the application's models + are matched. PatchedEventRequest: type: object description: Event Serializer @@ -39098,16 +37834,8 @@ components: designation: allOf: - $ref: '#/components/schemas/FlowDesignationEnum' - description: |- - Decides what this Flow is used for. For example, the Authentication flow is redirect to when an un-authenticated user visits authentik. - - * `authentication` - Authentication - * `authorization` - Authorization - * `invalidation` - Invalidation - * `enrollment` - Enrollment - * `unenrollment` - Unrenollment - * `recovery` - Recovery - * `stage_configuration` - Stage Configuration + description: Decides what this Flow is used for. For example, the Authentication + flow is redirect to when an un-authenticated user visits authentik. policy_engine_mode: $ref: '#/components/schemas/PolicyEngineMode' compatibility_mode: 
@@ -39119,23 +37847,13 @@ components: denied_action: allOf: - $ref: '#/components/schemas/DeniedActionEnum' - description: |- - Configure what should happen when a flow denies access to a user. - - * `message_continue` - Message Continue - * `message` - Message - * `continue` - Continue + description: Configure what should happen when a flow denies access to a + user. authentication: allOf: - $ref: '#/components/schemas/AuthenticationEnum' - description: |- - Required level of authentication and authorization to access a flow. - - * `none` - None - * `require_authenticated` - Require Authenticated - * `require_unauthenticated` - Require Unauthenticated - * `require_superuser` - Require Superuser - * `require_outpost` - Require Outpost + description: Required level of authentication and authorization to access + a flow. PatchedFlowStageBindingRequest: type: object description: FlowStageBinding Serializer @@ -39161,12 +37879,10 @@ components: invalid_response_action: allOf: - $ref: '#/components/schemas/InvalidResponseActionEnum' - description: |- - Configure how the flow executor should handle an invalid response to a challenge. RETRY returns the error message and a similar challenge to the executor. RESTART restarts the flow from the beginning, and RESTART_WITH_CONTEXT restarts the flow while keeping the current context. - - * `retry` - Retry - * `restart` - Restart - * `restart_with_context` - Restart With Context + description: Configure how the flow executor should handle an invalid response + to a challenge. RETRY returns the error message and a similar challenge + to the executor. RESTART restarts the flow from the beginning, and RESTART_WITH_CONTEXT + restarts the flow while keeping the current context. PatchedGroupRequest: type: object description: Group Serializer 
@@ -39428,14 +38144,8 @@ components: user_matching_mode: allOf: - $ref: '#/components/schemas/UserMatchingModeEnum' - description: |- - How the source determines if an existing user should be authenticated or a new user enrolled. - - * `identifier` - Use the source-specific identifier - * `email_link` - Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses. - * `email_deny` - Use the user's email address, but deny enrollment when the email address already exists. - * `username_link` - Link to a user with identical username. Can have security implications when a username is used with another source. - * `username_deny` - Use the user's username, but deny enrollment when the username already exists. + description: How the source determines if an existing user should be authenticated + or a new user enrolled. user_path_template: type: string minLength: 1 @@ -39553,12 +38263,8 @@ components: severity: allOf: - $ref: '#/components/schemas/SeverityEnum' - description: |- - Controls which severity level the created notifications will have. - - * `notice` - Notice - * `warning` - Warning - * `alert` - Alert + description: Controls which severity level the created notifications will + have. group: type: string format: uuid @@ -39620,11 +38326,8 @@ components: client_type: allOf: - $ref: '#/components/schemas/ClientTypeEnum' - description: |- - Confidential clients are capable of maintaining the confidentiality of their credentials. Public clients are incapable - - * `confidential` - Confidential - * `public` - Public + description: Confidential clients are capable of maintaining the confidentiality + of their credentials. Public clients are incapable client_id: type: string minLength: 1 
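Review bot: The shortened `user_matching_mode` description in the first hunk here drops the only warning that `email_link` "Can have security implications when a source doesn't validate email addresses" and that `username_link` can when a username is used with another source. The later hunks remove the same text from every other `user_matching_mode` property and from `UserMatchingModeEnum` itself, so the caveat no longer appears anywhere in the spec, nor presumably in the client generated from it. I would keep it on the field by appending one sentence to the new description: `The email_link and username_link modes can have security implications when the source doesn't validate email addresses or a username is used with another source.` If schema.yml is generated output, that sentence belongs in the model field's help text rather than in this file. The enclosing schema object starts outside the hunk.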
@@ -39663,23 +38366,12 @@ components: sub_mode: allOf: - $ref: '#/components/schemas/SubModeEnum' - description: |- - Configure what data should be used as unique User Identifier. For most cases, the default should be fine. - - * `hashed_user_id` - Based on the Hashed User ID - * `user_id` - Based on user ID - * `user_uuid` - Based on user UUID - * `user_username` - Based on the username - * `user_email` - Based on the User's Email. This is recommended over the UPN method. - * `user_upn` - Based on the User's UPN, only works if user has a 'upn' attribute set. Use this method only if you have different UPN and Mail domains. + description: Configure what data should be used as unique User Identifier. + For most cases, the default should be fine. issuer_mode: allOf: - $ref: '#/components/schemas/IssuerModeEnum' - description: |- - Configure how the issuer field of the ID Token should be filled. - - * `global` - Same identifier is used for all providers - * `per_provider` - Each provider has a different issuer, based on the application slug. + description: Configure how the issuer field of the ID Token should be filled. jwks_sources: type: array items: 
@@ -39719,14 +38411,8 @@ components: user_matching_mode: allOf: - $ref: '#/components/schemas/UserMatchingModeEnum' - description: |- - How the source determines if an existing user should be authenticated or a new user enrolled. - - * `identifier` - Use the source-specific identifier - * `email_link` - Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses. - * `email_deny` - Use the user's email address, but deny enrollment when the email address already exists. - * `username_link` - Link to a user with identical username. Can have security implications when a username is used with another source. - * `username_deny` - Use the user's username, but deny enrollment when the username already exists. + description: How the source determines if an existing user should be authenticated + or a new user enrolled. user_path_template: type: string minLength: 1 @@ -39960,14 +38646,8 @@ components: user_matching_mode: allOf: - $ref: '#/components/schemas/UserMatchingModeEnum' - description: |- - How the source determines if an existing user should be authenticated or a new user enrolled. - - * `identifier` - Use the source-specific identifier - * `email_link` - Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses. - * `email_deny` - Use the user's email address, but deny enrollment when the email address already exists. - * `username_link` - Link to a user with identical username. Can have security implications when a username is used with another source. - * `username_deny` - Use the user's username, but deny enrollment when the username already exists. + description: How the source determines if an existing user should be authenticated + or a new user enrolled. user_path_template: type: string minLength: 1 
@@ -40145,12 +38825,8 @@ components: mode: allOf: - $ref: '#/components/schemas/ProxyMode' - description: |- - Enable support for forwardAuth in traefik and nginx auth_request. Exclusive with internal_host. - - * `proxy` - Proxy - * `forward_single` - Forward Single - * `forward_domain` - Forward Domain + description: Enable support for forwardAuth in traefik and nginx auth_request. + Exclusive with internal_host. intercept_header_auth: type: boolean description: When enabled, this provider will intercept the authorization @@ -40397,11 +39073,8 @@ components: allOf: - $ref: '#/components/schemas/SpBindingEnum' title: Service Provider Binding - description: |- - This determines how authentik sends the response back to the Service Provider. - - * `redirect` - Redirect - * `post` - Post + description: This determines how authentik sends the response back to the + Service Provider. default_relay_state: type: string description: Default relay_state value for IDP-initiated logins @@ -40436,14 +39109,8 @@ components: user_matching_mode: allOf: - $ref: '#/components/schemas/UserMatchingModeEnum' - description: |- - How the source determines if an existing user should be authenticated or a new user enrolled. - - * `identifier` - Use the source-specific identifier - * `email_link` - Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses. - * `email_deny` - Use the user's email address, but deny enrollment when the email address already exists. - * `username_link` - Link to a user with identical username. Can have security implications when a username is used with another source. - * `username_deny` - Use the user's username, but deny enrollment when the username already exists. + description: How the source determines if an existing user should be authenticated + or a new user enrolled. user_path_template: type: string minLength: 1 
@@ -40473,14 +39140,8 @@ components: name_id_policy: allOf: - $ref: '#/components/schemas/NameIdPolicyEnum' - description: |- - NameID Policy sent to the IdP. Can be unset, in which case no Policy is sent. - - * `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` - Email - * `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` - Persistent - * `urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName` - X509 - * `urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName` - Windows - * `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` - Transient + description: NameID Policy sent to the IdP. Can be unset, in which case + no Policy is sent. binding_type: $ref: '#/components/schemas/BindingTypeEnum' verification_kp: @@ -40744,23 +39405,12 @@ components: network_binding: allOf: - $ref: '#/components/schemas/NetworkBindingEnum' - description: |- - Bind sessions created by this stage to the configured network - - * `no_binding` - No Binding - * `bind_asn` - Bind Asn - * `bind_asn_network` - Bind Asn Network - * `bind_asn_network_ip` - Bind Asn Network Ip + description: Bind sessions created by this stage to the configured network geoip_binding: allOf: - $ref: '#/components/schemas/GeoipBindingEnum' - description: |- - Bind sessions created by this stage to the configured GeoIP location - - * `no_binding` - No Binding - * `bind_continent` - Bind Continent - * `bind_continent_country` - Bind Continent Country - * `bind_continent_country_city` - Bind Continent Country City + description: Bind sessions created by this stage to the configured GeoIP + location PatchedUserLogoutStageRequest: type: object description: UserLogoutStage Serializer 
@@ -41001,14 +39651,8 @@ components: user_matching_mode: allOf: - $ref: '#/components/schemas/UserMatchingModeEnum' - description: |- - How the source determines if an existing user should be authenticated or a new user enrolled. - - * `identifier` - Use the source-specific identifier - * `email_link` - Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses. - * `email_deny` - Use the user's email address, but deny enrollment when the email address already exists. - * `username_link` - Link to a user with identical username. Can have security implications when a username is used with another source. - * `username_deny` - Use the user's username, but deny enrollment when the username already exists. + description: How the source determines if an existing user should be authenticated + or a new user enrolled. managed: type: string nullable: true @@ -41122,14 +39766,8 @@ components: user_matching_mode: allOf: - $ref: '#/components/schemas/UserMatchingModeEnum' - description: |- - How the source determines if an existing user should be authenticated or a new user enrolled. - - * `identifier` - Use the source-specific identifier - * `email_link` - Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses. - * `email_deny` - Use the user's email address, but deny enrollment when the email address already exists. - * `username_link` - Link to a user with identical username. Can have security implications when a username is used with another source. - * `username_deny` - Use the user's username, but deny enrollment when the username already exists. + description: How the source determines if an existing user should be authenticated + or a new user enrolled. user_path_template: type: string minLength: 1 
@@ -41309,9 +39947,6 @@ components: - all - any type: string - description: |- - * `all` - all, all policies must pass - * `any` - any, any policy must pass PolicyRequest: type: object description: Policy Serializer @@ -41582,25 +40217,6 @@ components: - static - ak-locale type: string - description: |- - * `text` - Text: Simple Text input - * `text_area` - Text area: Multiline Text Input. - * `text_read_only` - Text (read-only): Simple Text input, but cannot be edited. - * `text_area_read_only` - Text area (read-only): Multiline Text input, but cannot be edited. - * `username` - Username: Same as Text input, but checks for and prevents duplicate usernames. - * `email` - Email: Text field with Email type. - * `password` - Password: Masked input, multiple inputs of this type on the same prompt need to be identical. - * `number` - Number - * `checkbox` - Checkbox - * `radio-button-group` - Fixed choice field rendered as a group of radio buttons. - * `dropdown` - Fixed choice field rendered as a dropdown. - * `date` - Date - * `date-time` - Date Time - * `file` - File: File upload for arbitrary files. File content will be available in flow context as data-URI - * `separator` - Separator: Static Separator Line - * `hidden` - Hidden: Hidden field, can be used to insert data into form. - * `static` - Static: Static value, displayed as-is. - * `ak-locale` - authentik: Selection of locales authentik supports PropertyMapping: type: object description: PropertyMapping Serializer @@ -41676,10 +40292,6 @@ components: - vnc - ssh type: string - description: |- - * `rdp` - Rdp - * `vnc` - Vnc - * `ssh` - Ssh Provider: type: object description: Provider Serializer @@ -41754,9 +40366,6 @@ components: - twilio - generic type: string - description: |- - * `twilio` - Twilio - * `generic` - Generic ProviderModelEnum: enum: - authentik_providers_ldap.ldapprovider 
@@ -41767,14 +40376,6 @@ components: - authentik_providers_saml.samlprovider - authentik_providers_scim.scimprovider type: string - description: |- - * `authentik_providers_ldap.ldapprovider` - authentik_providers_ldap.ldapprovider - * `authentik_providers_oauth2.oauth2provider` - authentik_providers_oauth2.oauth2provider - * `authentik_providers_proxy.proxyprovider` - authentik_providers_proxy.proxyprovider - * `authentik_providers_rac.racprovider` - authentik_providers_rac.racprovider - * `authentik_providers_radius.radiusprovider` - authentik_providers_radius.radiusprovider - * `authentik_providers_saml.samlprovider` - authentik_providers_saml.samlprovider - * `authentik_providers_scim.scimprovider` - authentik_providers_scim.scimprovider ProviderRequest: type: object description: Provider Serializer @@ -41817,31 +40418,12 @@ components: - twitch - twitter type: string - description: |- - * `apple` - Apple - * `openidconnect` - OpenID Connect - * `azuread` - Azure AD - * `discord` - Discord - * `facebook` - Facebook - * `github` - GitHub - * `gitlab` - GitLab - * `google` - Google - * `mailcow` - Mailcow - * `okta` - Okta - * `patreon` - Patreon - * `reddit` - Reddit - * `twitch` - Twitch - * `twitter` - Twitter ProxyMode: enum: - proxy - forward_single - forward_domain type: string - description: |- - * `proxy` - Proxy - * `forward_single` - Forward Single - * `forward_domain` - Forward Domain ProxyOutpostConfig: type: object description: Proxy provider serializer for outposts @@ -41899,12 +40481,8 @@ components: mode: allOf: - $ref: '#/components/schemas/ProxyMode' - description: |- - Enable support for forwardAuth in traefik and nginx auth_request. Exclusive with internal_host. - - * `proxy` - Proxy - * `forward_single` - Forward Single - * `forward_domain` - Forward Domain + description: Enable support for forwardAuth in traefik and nginx auth_request. + Exclusive with internal_host. cookie_domain: type: string access_token_validity: 
@@ -42037,12 +40615,8 @@ components: mode: allOf: - $ref: '#/components/schemas/ProxyMode' - description: |- - Enable support for forwardAuth in traefik and nginx auth_request. Exclusive with internal_host. - - * `proxy` - Proxy - * `forward_single` - Forward Single - * `forward_domain` - Forward Domain + description: Enable support for forwardAuth in traefik and nginx auth_request. + Exclusive with internal_host. intercept_header_auth: type: boolean description: When enabled, this provider will intercept the authorization @@ -42147,12 +40721,8 @@ components: mode: allOf: - $ref: '#/components/schemas/ProxyMode' - description: |- - Enable support for forwardAuth in traefik and nginx auth_request. Exclusive with internal_host. - - * `proxy` - Proxy - * `forward_single` - Forward Single - * `forward_domain` - Forward Domain + description: Enable support for forwardAuth in traefik and nginx auth_request. + Exclusive with internal_host. intercept_header_auth: type: boolean description: When enabled, this provider will intercept the authorization @@ -42663,10 +41233,6 @@ components: - preferred - required type: string - description: |- - * `discouraged` - Discouraged - * `preferred` - Preferred - * `required` - Required Role: type: object description: Role serializer @@ -42943,11 +41509,8 @@ components: allOf: - $ref: '#/components/schemas/SpBindingEnum' title: Service Provider Binding - description: |- - This determines how authentik sends the response back to the Service Provider. - - * `redirect` - Redirect - * `post` - Post + description: This determines how authentik sends the response back to the + Service Provider. default_relay_state: type: string description: Default relay_state value for IDP-initiated logins 
@@ -43090,11 +41653,8 @@ components: allOf: - $ref: '#/components/schemas/SpBindingEnum' title: Service Provider Binding - description: |- - This determines how authentik sends the response back to the Service Provider. - - * `redirect` - Redirect - * `post` - Post + description: This determines how authentik sends the response back to the + Service Provider. default_relay_state: type: string description: Default relay_state value for IDP-initiated logins @@ -43152,14 +41712,8 @@ components: user_matching_mode: allOf: - $ref: '#/components/schemas/UserMatchingModeEnum' - description: |- - How the source determines if an existing user should be authenticated or a new user enrolled. - - * `identifier` - Use the source-specific identifier - * `email_link` - Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses. - * `email_deny` - Use the user's email address, but deny enrollment when the email address already exists. - * `username_link` - Link to a user with identical username. Can have security implications when a username is used with another source. - * `username_deny` - Use the user's username, but deny enrollment when the username already exists. + description: How the source determines if an existing user should be authenticated + or a new user enrolled. managed: type: string nullable: true 
@@ -43203,14 +41757,8 @@ components: name_id_policy: allOf: - $ref: '#/components/schemas/NameIdPolicyEnum' - description: |- - NameID Policy sent to the IdP. Can be unset, in which case no Policy is sent. - - * `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` - Email - * `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` - Persistent - * `urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName` - X509 - * `urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName` - Windows - * `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` - Transient + description: NameID Policy sent to the IdP. Can be unset, in which case + no Policy is sent. binding_type: $ref: '#/components/schemas/BindingTypeEnum' verification_kp: @@ -43280,14 +41828,8 @@ components: user_matching_mode: allOf: - $ref: '#/components/schemas/UserMatchingModeEnum' - description: |- - How the source determines if an existing user should be authenticated or a new user enrolled. - - * `identifier` - Use the source-specific identifier - * `email_link` - Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses. - * `email_deny` - Use the user's email address, but deny enrollment when the email address already exists. - * `username_link` - Link to a user with identical username. Can have security implications when a username is used with another source. - * `username_deny` - Use the user's username, but deny enrollment when the username already exists. + description: How the source determines if an existing user should be authenticated + or a new user enrolled. user_path_template: type: string minLength: 1 
@@ -43317,14 +41859,8 @@ components: name_id_policy: allOf: - $ref: '#/components/schemas/NameIdPolicyEnum' - description: |- - NameID Policy sent to the IdP. Can be unset, in which case no Policy is sent. - - * `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` - Email - * `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` - Persistent - * `urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName` - X509 - * `urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName` - Windows - * `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` - Transient + description: NameID Policy sent to the IdP. Can be unset, in which case + no Policy is sent. binding_type: $ref: '#/components/schemas/BindingTypeEnum' verification_kp: @@ -43817,10 +42353,6 @@ components: - warning - alert type: string - description: |- - * `notice` - Notice - * `warning` - Warning - * `alert` - Alert ShellChallenge: type: object description: challenge type to render HTML as-is @@ -43851,12 +42383,6 @@ components: - http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 - http://www.w3.org/2000/09/xmldsig#dsa-sha1 type: string - description: |- - * `http://www.w3.org/2000/09/xmldsig#rsa-sha1` - RSA-SHA1 - * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256` - RSA-SHA256 - * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384` - RSA-SHA384 - * `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512` - RSA-SHA512 - * `http://www.w3.org/2000/09/xmldsig#dsa-sha1` - DSA-SHA1 Source: type: object description: Source Serializer 
@@ -43907,14 +42433,8 @@ components: user_matching_mode: allOf: - $ref: '#/components/schemas/UserMatchingModeEnum' - description: |- - How the source determines if an existing user should be authenticated or a new user enrolled. - - * `identifier` - Use the source-specific identifier - * `email_link` - Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses. - * `email_deny` - Use the user's email address, but deny enrollment when the email address already exists. - * `username_link` - Link to a user with identical username. Can have security implications when a username is used with another source. - * `username_deny` - Use the user's username, but deny enrollment when the username already exists. + description: How the source determines if an existing user should be authenticated + or a new user enrolled. managed: type: string nullable: true @@ -43974,14 +42494,8 @@ components: user_matching_mode: allOf: - $ref: '#/components/schemas/UserMatchingModeEnum' - description: |- - How the source determines if an existing user should be authenticated or a new user enrolled. - - * `identifier` - Use the source-specific identifier - * `email_link` - Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses. - * `email_deny` - Use the user's email address, but deny enrollment when the email address already exists. - * `username_link` - Link to a user with identical username. Can have security implications when a username is used with another source. - * `username_deny` - Use the user's username, but deny enrollment when the username already exists. + description: How the source determines if an existing user should be authenticated + or a new user enrolled. user_path_template: type: string minLength: 1 
@@ -44105,9 +42619,6 @@ components: - redirect - post type: string - description: |- - * `redirect` - Redirect - * `post` - Post Stage: type: object description: Stage Serializer @@ -44254,13 +42765,6 @@ components: - user_email - user_upn type: string - description: |- - * `hashed_user_id` - Based on the Hashed User ID - * `user_id` - Based on user ID - * `user_uuid` - Based on user UUID - * `user_username` - Based on the username - * `user_email` - Based on the User's Email. This is recommended over the UPN method. - * `user_upn` - Based on the User's UPN, only works if user has a 'upn' attribute set. Use this method only if you have different UPN and Mail domains. SystemInfo: type: object description: Get system information. @@ -44382,11 +42886,6 @@ components: - warning - error type: string - description: |- - * `unknown` - UNKNOWN - * `successful` - SUCCESSFUL - * `warning` - WARNING - * `error` - ERROR TOTPDevice: type: object description: Serializer for totp authenticator devices @@ -44658,10 +43157,6 @@ components: - light - dark type: string - description: |- - * `automatic` - Automatic - * `light` - Light - * `dark` - Dark UsedBy: type: object description: A list of all objects referencing the queried object @@ -44689,11 +43184,6 @@ components: - set_null - set_default type: string - description: |- - * `cascade` - CASCADE - * `cascade_many` - CASCADE_MANY - * `set_null` - SET_NULL - * `set_default` - SET_DEFAULT User: type: object description: User Serializer @@ -44850,10 +43340,6 @@ components: - create_when_required - always_create type: string - description: |- - * `never_create` - Never Create - * `create_when_required` - Create When Required - * `always_create` - Always Create UserDeleteStage: type: object description: UserDeleteStage Serializer 
@@ -44911,10 +43397,6 @@ components: - username - upn type: string - description: |- - * `email` - E Mail - * `username` - Username - * `upn` - Upn UserGroup: type: object description: Simplified Group Serializer for user's groups @@ -44941,6 +43423,7 @@ components: parent_name: type: string readOnly: true + nullable: true attributes: type: object additionalProperties: {} @@ -45052,23 +43535,12 @@ components: network_binding: allOf: - $ref: '#/components/schemas/NetworkBindingEnum' - description: |- - Bind sessions created by this stage to the configured network - - * `no_binding` - No Binding - * `bind_asn` - Bind Asn - * `bind_asn_network` - Bind Asn Network - * `bind_asn_network_ip` - Bind Asn Network Ip + description: Bind sessions created by this stage to the configured network geoip_binding: allOf: - $ref: '#/components/schemas/GeoipBindingEnum' - description: |- - Bind sessions created by this stage to the configured GeoIP location - - * `no_binding` - No Binding - * `bind_continent` - Bind Continent - * `bind_continent_country` - Bind Continent Country - * `bind_continent_country_city` - Bind Continent Country City + description: Bind sessions created by this stage to the configured GeoIP + location required: - component - meta_model_name 
@@ -45104,23 +43576,12 @@ components: network_binding: allOf: - $ref: '#/components/schemas/NetworkBindingEnum' - description: |- - Bind sessions created by this stage to the configured network - - * `no_binding` - No Binding - * `bind_asn` - Bind Asn - * `bind_asn_network` - Bind Asn Network - * `bind_asn_network_ip` - Bind Asn Network Ip + description: Bind sessions created by this stage to the configured network geoip_binding: allOf: - $ref: '#/components/schemas/GeoipBindingEnum' - description: |- - Bind sessions created by this stage to the configured GeoIP location - - * `no_binding` - No Binding - * `bind_continent` - Bind Continent - * `bind_continent_country` - Bind Continent Country - * `bind_continent_country_city` - Bind Continent Country City + description: Bind sessions created by this stage to the configured GeoIP + location required: - name UserLogoutStage: @@ -45182,12 +43643,6 @@ components: - username_link - username_deny type: string - description: |- - * `identifier` - Use the source-specific identifier - * `email_link` - Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses. - * `email_deny` - Use the user's email address, but deny enrollment when the email address already exists. - * `username_link` - Link to a user with identical username. Can have security implications when a username is used with another source. - * `username_deny` - Use the user's username, but deny enrollment when the username already exists. UserMetrics: type: object description: User Metrics 
@@ -45537,21 +43992,12 @@ components: - service_account - internal_service_account type: string - description: |- - * `internal` - Internal - * `external` - External - * `service_account` - Service Account - * `internal_service_account` - Internal Service Account UserVerificationEnum: enum: - required - preferred - discouraged type: string - description: |- - * `required` - Required - * `preferred` - Preferred - * `discouraged` - Discouraged UserWriteStage: type: object description: UserWriteStage Serializer diff --git a/scripts/api-py-config.yaml b/scripts/api-py-config.yaml new file mode 100644 index 0000000000..95dcf5597b --- /dev/null +++ b/scripts/api-py-config.yaml @@ -0,0 +1,4 @@ +additionalProperties: + packageName: authentik_client + projectName: authentik-client + infoName: authentik Team