Compare commits
16 Commits
patch-1
...
version/20
| Author | SHA1 | Date | |
|---|---|---|---|
| 22412729e2 | |||
| a02868a27d | |||
| bfbb4a8ebc | |||
| 6c0e827677 | |||
| 29884cbf81 | |||
| 0f02985b0c | |||
| 2244e026c2 | |||
| 429c03021c | |||
| f47e8d9d72 | |||
| 3e7d2587c4 | |||
| 55a38d4a36 | |||
| 6021bb932d | |||
| 54a5d95717 | |||
| a0a1275452 | |||
| 919aa5df59 | |||
| cedf7cf683 |
12
.github/workflows/ci-main.yml
vendored
12
.github/workflows/ci-main.yml
vendored
@ -70,18 +70,22 @@ jobs:
|
||||
- name: checkout stable
|
||||
run: |
|
||||
# Copy current, latest config to local
|
||||
# Temporarly comment the .github backup while migrating to uv
|
||||
cp authentik/lib/default.yml local.env.yml
|
||||
cp -R .github ..
|
||||
# cp -R .github ..
|
||||
cp -R scripts ..
|
||||
git checkout $(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
|
||||
rm -rf .github/ scripts/
|
||||
mv ../.github ../scripts .
|
||||
# rm -rf .github/ scripts/
|
||||
# mv ../.github ../scripts .
|
||||
rm -rf scripts/
|
||||
mv ../scripts .
|
||||
- name: Setup authentik env (stable)
|
||||
uses: ./.github/actions/setup
|
||||
with:
|
||||
postgresql_version: ${{ matrix.psql }}
|
||||
continue-on-error: true
|
||||
- name: run migrations to stable
|
||||
run: uv run python -m lifecycle.migrate
|
||||
run: poetry run python -m lifecycle.migrate
|
||||
- name: checkout current code
|
||||
run: |
|
||||
set -x
|
||||
|
||||
@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
|
||||
/bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
|
||||
|
||||
# Stage 5: Download uv
|
||||
FROM ghcr.io/astral-sh/uv:0.7.0 AS uv
|
||||
FROM ghcr.io/astral-sh/uv:0.6.16 AS uv
|
||||
# Stage 6: Base python image
|
||||
FROM ghcr.io/goauthentik/fips-python:3.12.10-slim-bookworm-fips AS python-base
|
||||
|
||||
|
||||
@ -16,7 +16,7 @@ def migrate_custom_css(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
|
||||
if not path.exists():
|
||||
return
|
||||
css = path.read_text()
|
||||
Brand.objects.using(db_alias).all().update(branding_custom_css=css)
|
||||
Brand.objects.using(db_alias).update(branding_custom_css=css)
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
Binary file not shown.
Binary file not shown.
8
web/package-lock.json
generated
8
web/package-lock.json
generated
@ -24,7 +24,7 @@
|
||||
"@floating-ui/dom": "^1.6.11",
|
||||
"@formatjs/intl-listformat": "^7.5.7",
|
||||
"@fortawesome/fontawesome-free": "^6.6.0",
|
||||
"@goauthentik/api": "^2025.4.0-1746018955",
|
||||
"@goauthentik/api": "^2025.2.4-1745519715",
|
||||
"@lit-labs/ssr": "3.2.2",
|
||||
"@lit/context": "^1.1.2",
|
||||
"@lit/localize": "^0.12.2",
|
||||
@ -1583,9 +1583,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@goauthentik/api": {
|
||||
"version": "2025.4.0-1746018955",
|
||||
"resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2025.4.0-1746018955.tgz",
|
||||
"integrity": "sha512-e+X3L+UYzQtAmBAdxKV9rHO6KsJBJ754IKc1Q9eT0lxS/zbvcNIEb0Fck9Sj/TzjqWlWkXNiCgrT4CdlaTFwxg=="
|
||||
"version": "2025.2.4-1745519715",
|
||||
"resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2025.2.4-1745519715.tgz",
|
||||
"integrity": "sha512-R8uNdIKx3mTPT8Qp9a3SIJ47l79nbkzUOcP2bbxf1uMlTqezV6ACCAI3Iu4PKEJuVMzIdsOAQ5W8NRQsk/ifXA=="
|
||||
},
|
||||
"node_modules/@goauthentik/esbuild-plugin-live-reload": {
|
||||
"resolved": "packages/esbuild-plugin-live-reload",
|
||||
|
||||
@ -12,7 +12,7 @@
|
||||
"@floating-ui/dom": "^1.6.11",
|
||||
"@formatjs/intl-listformat": "^7.5.7",
|
||||
"@fortawesome/fontawesome-free": "^6.6.0",
|
||||
"@goauthentik/api": "^2025.4.0-1746018955",
|
||||
"@goauthentik/api": "^2025.2.4-1745519715",
|
||||
"@lit-labs/ssr": "3.2.2",
|
||||
"@lit/context": "^1.1.2",
|
||||
"@lit/localize": "^0.12.2",
|
||||
|
||||
@ -1,11 +1,10 @@
|
||||
import { EVENT_SIDEBAR_TOGGLE } from "@goauthentik/common/constants";
|
||||
import { globalAK } from "@goauthentik/common/global";
|
||||
import { AKElement } from "@goauthentik/elements/Base";
|
||||
import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
|
||||
import { themeImage } from "@goauthentik/elements/utils/images";
|
||||
|
||||
import { msg } from "@lit/localize";
|
||||
import { CSSResult, TemplateResult, css, html, nothing } from "lit";
|
||||
import { CSSResult, TemplateResult, css, html } from "lit";
|
||||
import { customElement } from "lit/decorators.js";
|
||||
|
||||
import PFButton from "@patternfly/patternfly/components/Button/button.css";
|
||||
@ -71,10 +70,7 @@ export class SidebarBrand extends WithBrandConfig(AKElement) {
|
||||
}
|
||||
|
||||
render(): TemplateResult {
|
||||
const logoUrl =
|
||||
globalAK().brand.brandingLogo || this.brand?.brandingLogo || DefaultBrand.brandingLogo;
|
||||
|
||||
return html`${window.innerWidth <= MIN_WIDTH
|
||||
return html` ${window.innerWidth <= MIN_WIDTH
|
||||
? html`
|
||||
<button
|
||||
class="sidebar-trigger pf-c-button"
|
||||
@ -90,10 +86,14 @@ export class SidebarBrand extends WithBrandConfig(AKElement) {
|
||||
<i class="fas fa-bars"></i>
|
||||
</button>
|
||||
`
|
||||
: nothing}
|
||||
: html``}
|
||||
<a href="#/" class="pf-c-page__header-brand-link">
|
||||
<div class="pf-c-brand ak-brand">
|
||||
<img src=${themeImage(logoUrl)} alt="${msg("authentik Logo")}" loading="lazy" />
|
||||
<img
|
||||
src=${themeImage(this.brand?.brandingLogo ?? DefaultBrand.brandingLogo)}
|
||||
alt="${msg("authentik Logo")}"
|
||||
loading="lazy"
|
||||
/>
|
||||
</div>
|
||||
</a>`;
|
||||
}
|
||||
|
||||
@ -13,7 +13,6 @@ This integration creates the following objects:
|
||||
- Secret to store the token
|
||||
- Prometheus ServiceMonitor (if the Prometheus Operator is installed in the target cluster)
|
||||
- Ingress (only Proxy outposts)
|
||||
- HTTPRoute (only Proxy outposts, when the Gateway API resources are installed in the target cluster, and the `kubernetes_httproute_parent_refs` setting is set, see below)
|
||||
- Traefik Middleware (only Proxy outposts with forward auth enabled)
|
||||
|
||||
The following outpost settings are used:
|
||||
@ -25,8 +24,6 @@ The following outpost settings are used:
|
||||
- `kubernetes_ingress_annotations`: Any additional annotations to add to the ingress object, for example cert-manager
|
||||
- `kubernetes_ingress_secret_name`: Name of the secret that is used for TLS connections, can be empty to disable TLS config
|
||||
- `kubernetes_ingress_class_name`: Optionally set the ingress class used for the generated ingress, requires authentik 2022.11.0
|
||||
- `kubernetes_httproute_parent_refs`: Define which Gateways the HTTPRoute wants to be attached to.
|
||||
- `kubernetes_httproute_annotations`: Any additional annotations to add to the HTTPRoute object
|
||||
- `kubernetes_service_type`: Service kind created, can be set to LoadBalancer for LDAP outposts for example
|
||||
- `kubernetes_disabled_components`: Disable any components of the kubernetes integration, can be any of
|
||||
- 'secret'
|
||||
@ -35,7 +32,6 @@ The following outpost settings are used:
|
||||
- 'prometheus servicemonitor'
|
||||
- 'ingress'
|
||||
- 'traefik middleware'
|
||||
- 'httproute'
|
||||
- `kubernetes_image_pull_secrets`: If the above docker image is in a private repository, use these secrets to pull. (NOTE: The secret must be created manually in the namespace first.)
|
||||
- `kubernetes_json_patches`: Applies an RFC 6902 compliant JSON patch to the Kubernetes objects.
|
||||
|
||||
|
||||
@ -1,18 +1,18 @@
|
||||
# Device code flow
|
||||
|
||||
The device code flow is also known as _device flow_ or _device authorization grant flow_. This type of authentication flow is useful for devices with limited input capabilities and/or devices without browsers. The Request for Comments (RFC) 8628) abstract for this flow states:
|
||||
(Also known as device flow and [RFC 8628](https://datatracker.ietf.org/doc/html/rfc8628))
|
||||
|
||||
> The OAuth 2.0 device authorization grant is designed for Internet-connected devices that either lack a browser to perform a user-agent-based authorization or are input constrained to the extent that requiring the user to input text in order to authenticate during the authorization flow is impractical. It enables OAuth clients on such devices (like smart TVs, media consoles, digital picture frames, and printers) to obtain user authorization to access protected resources by using a user agent on a separate device.
|
||||
This type of authentication flow is useful for devices with limited input abilities and/or devices without browsers.
|
||||
|
||||
### Requirements
|
||||
|
||||
This device flow is only possible if the active [brand](../../../sys-mgmt/brands.md) has a device code flow configured. This flow is run _after_ the user logs in, and before the user authenticates.
|
||||
This device flow is only possible if the active brand has a device code flow setup. This device code flow is run _after_ the user logs in, and before the user authenticates.
|
||||
|
||||
authentik does not include a default flow for this use case, so it is necessary to create a new one with a **Designation** of `Stage Configuration`.
|
||||
authentik doesn't ship with a default flow for this usecase, so it is recommended to create a new flow for this usecase with the designation of _Stage configuration_
|
||||
|
||||
### Device flow initiation
|
||||
### Device-side
|
||||
|
||||
The flow is initiated by sending a POST request to the device authorization endpoint, `/application/o/device/`, with the following contents:
|
||||
The flow is initiated by sending a POST request to the device authorization endpoint, `/application/o/device/` with the following contents:
|
||||
|
||||
```http
|
||||
POST /application/o/device/ HTTP/1.1
|
||||
@ -32,6 +32,8 @@ The response contains the following fields:
|
||||
- `expires_in`: The total seconds after which this token will expire
|
||||
- `interval`: The interval in seconds for how often the device should check the token status
|
||||
|
||||
---
|
||||
|
||||
With this response, the device can start checking the status of the token by sending requests to the token endpoint like this:
|
||||
|
||||
```http
|
||||
@ -47,17 +49,3 @@ device_code=device_code_from_above
|
||||
If the user has not opened the link above yet, or has not finished the authentication and authorization yet, the response will contain an `error` element set to `authorization_pending`. The device should re-send the request in the interval set above.
|
||||
|
||||
If the user _has_ finished the authentication and authorization, the response will be similar to any other generic OAuth2 Token request, containing `access_token` and `id_token`.
|
||||
|
||||
### Create and apply a device code flow
|
||||
|
||||
1. Log in to authentik as an admin, and open the authentik Admin interface.
|
||||
2. Navigate to **Flows and Stages** > **Flows** and click **Create**.
|
||||
3. Set the following required configurations:
|
||||
- **Name**: provide a name (e.g. `default-device-code-flow`)
|
||||
- **Title**: provide a title (e.g. `Device code flow`)
|
||||
- **Slug**: provide a slug (e.g `default-device-code-flow`)
|
||||
- **Designation**: `Stage Configuration`
|
||||
- **Authentication**: `Require authentication`
|
||||
4. Click **Create**.
|
||||
5. Navigate to **System** > **Brands** and click the **Edit** icon on the default brand.
|
||||
6. Set **Default code flow** to the newly created device code flow and click **Update**.
|
||||
|
||||
@ -64,7 +64,7 @@ When using an OAuth 2.0 provider in authentik, the OP must validate the provided
|
||||
|
||||
When you create a new OAuth 2.0 provider and app in authentik and you leave the **Redirect URI** field empty, then the first time a user opens that app, authentik uses that URL as the saved redirect URL.
|
||||
|
||||
For advanced use cases, an authentik admin can use regular expressions (regex) instead of a redirect URL. For example, if you want to list ten different applications, instead of listing them all individually, you can create an expression with wildcards. When using regex, be aware that authentik uses a dot as a separator in the URL, but in regex a dot means "one of any character", a wildcard. You should therefore escape the dot with `\.` to prevent its interpretation as a wildcard.
|
||||
For advanced use cases, an authentik admin can use regular expressions (regex) instead of a redirect URL. For example, if you want to list 10 diff applications, instead of listing all ten you can create an expression with wildcards. Be aware, when using regex, that authetnik uses a dot as a separator in the URL, but in regex a dot means "one of any character", a wildcard. So you should escape the dot to prevent its interpration as a wildcard.
|
||||
|
||||
## OAuth 2.0 flows and grant types
|
||||
|
||||
|
||||
@ -40,7 +40,7 @@ Always include cross-references to related content. If a concept is referenced e
|
||||
|
||||
### Relative vs. absolute paths
|
||||
|
||||
Use relative paths when linking to other documentation files. This will ensure links are automatically updated if file paths change in the future. If you are linking between another authentik resource that is not in the same repository and our regular technical docs, then use an absolute path.
|
||||
Use relative paths when linking to other documentation files. This will ensure links are automatically updated if file paths change in the future. If you are linking between our Integration Guides and our regular technical docs, then use an absolute path.
|
||||
|
||||
### Markdown file type
|
||||
|
||||
@ -52,19 +52,16 @@ Try to write procedural (How To) docs generically enough that it does not endors
|
||||
|
||||
## Terminology
|
||||
|
||||
### authentik product name and terms
|
||||
### authentik product naming conventions
|
||||
|
||||
- The product name **authentik** should always be written with a lowercase "a" and a "k" at the end, even if it begins a sentence. This consistent style should be followed throughout the documentation.
|
||||
|
||||
- The company name is **Authentik Security, Inc.**, but for non-legal documentation, you may shorten it to **Authentik Security**.
|
||||
|
||||
- When referring to the authentik Admin interface, capitalize "Admin" like it is in the UI, but do not bold the phrase "Admin interface" unless in a sentence that explicitly says "Click on **Admin interface**". However, if you are referring to a user or role that is an administrator, or has administrative rights, then do not capitalize it and spell out the full word "administrator" or "administrative".
|
||||
|
||||
### Industry terms and technology names
|
||||
|
||||
- When referring to external tools or industry terms, always use the exact capitalization and naming conventions that the product or company uses. Refer to their website or official documentation for the proper formatting. For example, use "OAuth", "SAML", or "Docker" as per the official conventions.
|
||||
- Avoid abbreviations unless they are well-known and widely recognized (e.g., SSO, MFA, RBAC).
|
||||
- If an acronym is used less frequently, spell out its full meaning when first mentioned, followed by the acronym in parentheses. For instance, "Security Assertion Markup Language (SAML)". In some cases the acronym can come first, followed by the full term in parentheses.
|
||||
- If an acronym is used less frequently, spell out its full meaning when first mentioned, followed by the acronym in parentheses. For instance, "Security Assertion Markup Language (SAML)".
|
||||
|
||||
## Writing style
|
||||
|
||||
@ -76,6 +73,10 @@ The tone of the authentik documentation should be friendly but professional. It
|
||||
|
||||
The documentation uses **American English** spelling conventions (e.g., "customize" instead of "customise").
|
||||
|
||||
### Punctuation
|
||||
|
||||
For Ken's sake, and many others, try to not use too many commas (avoid commaitis). Use a comma when needed to separate clauses, or for "slowing the pace" or clarity. Please **do** use the Oxford comma.
|
||||
|
||||
### Voice
|
||||
|
||||
Use **active voice** and **present tense** for clear, direct communication.
|
||||
@ -90,20 +91,6 @@ Avoid phrasing that blames the user. Be subjective and polite when providing ins
|
||||
- **DON'T:** "Never modify the default file."
|
||||
- **DO:** "We recommend that you do not modify the default file, as doing so may result in unexpected issues."
|
||||
|
||||
### Punctuation
|
||||
|
||||
For Ken's sake, and many others, try to not use too many commas (avoid commaitis). Use a comma when needed to separate clauses, or for "slowing the pace" or clarity. Please **do** use the Oxford comma.
|
||||
|
||||
### Capitalization
|
||||
|
||||
#### Titles and headers
|
||||
|
||||
Titles and headers (H1, H2, H3, etc.) should follow **sentence case capitalization**, meaning only the first word is capitalized, except for proper nouns or product names.For more information, see [below](#titles-and-headers)
|
||||
|
||||
#### Following a colon
|
||||
|
||||
Whether to capitalize after a colon depends on the context. Typically, we do not capitalize the first word after a colon _unless_ it's a proper noun or if it is the start of a complete sentence. If the colon introduces a list, do not capitalize the first word unless it's a proper noun. In headings and titles, capitalize the first word after the colon.
|
||||
|
||||
## Word choices
|
||||
|
||||
### "May" versus "Might" versus "Can"
|
||||
@ -148,7 +135,7 @@ When writing out steps in a procedural topic, avoid starting with "Once...". Ins
|
||||
|
||||
### Fonts and font styling
|
||||
|
||||
- When referring to internal components in authentik, like the policy engine, or blueprints, do not use any special formatting, and do not capitalize. Link to the relevant documentation when possible.
|
||||
- When referring to internal components in authentik, like the policy engine, or blueprints, do not use any special formatting. Link to the relevant documentation when possible.
|
||||
|
||||
- When referring to authentik functionality and features, such as flows, stages, sources, or policies, do not capitalize and do not use bold or italic text. When possible link to the corresponding documentation.
|
||||
|
||||
@ -185,7 +172,7 @@ When writing out steps in a procedural topic, avoid starting with "Once...". Ins
|
||||
|
||||
- Ensure titles and headers are descriptive and clearly convey the purpose of the section. Avoid vague titles like "Overview." Instead, opt for something more specific, like "About authentik policies."
|
||||
|
||||
- Use the **imperative verb form** in procedural topics, not gerunds. For example, use "Configure your instance" instead of "Configuring your instance."
|
||||
- Use the **imperative verb form** in procedural topics. For example, use "Configure your instance" instead of "Configuring your instance."
|
||||
|
||||
### Examples
|
||||
|
||||
|
||||
@ -17,7 +17,7 @@ slug: "/releases/2025.4"
|
||||
|
||||
## Breaking changes
|
||||
|
||||
- **Reputation score limit**: The default values for the new upper and lower limits on Reputation score are `-5` and `5`. This could break custom policies that rely on the reputation scores decreasing or increasing beyond these limits. You can set your custom limits under **System > Settings**.
|
||||
- **Reputation score limit**: The default value for the new limits on Reputation score is between `-5` and `5`. This might break some current setups which count on the possibility of scores decreasing or increasing beyond these limits. You can set your custom limits under **System > Settings**.
|
||||
|
||||
- **Deprecated and frozen `:latest` container image tag after 2025.2**
|
||||
|
||||
@ -25,7 +25,7 @@ slug: "/releases/2025.4"
|
||||
|
||||
The tag will not be removed, however it will also not be updated past 2025.2.
|
||||
|
||||
We strongly recommended the use of a specific version tag for authentik instances' container images, such as `:2025.4`.
|
||||
We strongly recommended the use of a specific version tag for authentik instances' container images like `:2025.4`.
|
||||
|
||||
- **Helm chart dependencies update**: Following [Bitnami's changes to only publish latest version of containers](https://github.com/bitnami/containers/issues/75671), the Helm chart dependencies (PostgreSQL and Redis) will now be updated with each release.
|
||||
|
||||
@ -72,10 +72,6 @@ Previously, sessions were stored by default in the cache. Now, they are stored i
|
||||
|
||||
- **Source Sync Dry Run**: See [description](#highlights) under Highlights.
|
||||
|
||||
- **Gateway API support** :ak-preview
|
||||
|
||||
For Kubernetes users, authentik now supports the Gateway API. The Helm chart supports HTTPRoute. The Kubernetes outpost integrations supports creating HTTPRoute objects for Proxy providers. Refer to our [documentation](../../add-secure-apps/outposts/integrations/kubernetes.md).
|
||||
|
||||
## New integration guides
|
||||
|
||||
An integration is a how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added.
|
||||
|
||||
@ -9,7 +9,7 @@ Initial permissions automatically assigns [object-level permissions](./permissio
|
||||
|
||||
The purpose of initial permissions is to assign a specific user (or role) a set of pre-selected permissions that are required for them to accomplish their tasks.
|
||||
|
||||
An authentik administrator creates an initial permissions object (a set of selected permissions) and then associates it with either: 1) an individual user 2) a role - in which case everyone in a group with that role will have the same initial permissions.
|
||||
An authentik Admin creates an initial permissions object (a set of selected permissions) and then associates it with either: 1. An individual user. 2. A role - in which case everyone in a group with that role will have the same initial permissions.
|
||||
|
||||
## Common use cases
|
||||
|
||||
|
||||
@ -48,7 +48,7 @@ Add the following environment variables to your Homarr configuration. Make sure
|
||||
AUTH_PROVIDERS="oidc,credentials"
|
||||
AUTH_OIDC_CLIENT_ID=<Client ID from authentik>
|
||||
AUTH_OIDC_CLIENT_SECRET=<Client secret from authentik>
|
||||
AUTH_OIDC_ISSUER=https://authentik.company/application/o/<slug from authentik>/
|
||||
AUTH_OIDC_ISSUER=https://authentik.company/application/o/<slug from authentik>
|
||||
AUTH_OIDC_URI=https://authentik.company/application/o/authorize
|
||||
AUTH_OIDC_CLIENT_NAME=authentik
|
||||
OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING=true
|
||||
|
||||
Reference in New Issue
Block a user