root: bumpversion 2024.10 (#11865)

release: 2024.10.0

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.8.3
+current_version = 2024.10.0
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.8.3"
+__version__ = "2024.10.0"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2024.8.3 Blueprint schema",
+    "title": "authentik 2024.10.0 Blueprint schema",
     "required": [
         "version",
         "entries"

blueprints/system/sources-kerberos.yaml

@@ -38,7 +38,7 @@ entries:
       name: "authentik default Kerberos User Mapping: Ignore system principals"
       expression: |
         localpart, realm = principal.rsplit("@", 1)
-        denied_prefixes = ["kadmin/", "krbtgt/", "K/M", "WELLKNOWN/"]
+        denied_prefixes = ["kadmin/", "krbtgt/", "K/M", "WELLKNOWN/", "kiprop/", "changepw/"]
         for prefix in denied_prefixes:
             if localpart.lower().startswith(prefix.lower()):
                 raise SkipObject

docker-compose.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.0}
     restart: unless-stopped
     command: server
     environment:
@@ -52,7 +52,7 @@ services:
       - postgresql
       - redis
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.0}
     restart: unless-stopped
     command: worker
     environment:

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2024.8.3"
+const VERSION = "2024.10.0"

lifecycle/ak

@@ -54,7 +54,9 @@ function cleanup {
 }
 
 function prepare_debug {
-    apt-get install -y --no-install-recommends krb5-kdc krb5-user krb5-admin-server
+    export DEBIAN_FRONTEND=noninteractive
+    apt-get update
+    apt-get install -y --no-install-recommends krb5-kdc krb5-user krb5-admin-server libkrb5-dev gcc
     VIRTUAL_ENV=/ak-root/venv poetry install --no-ansi --no-interaction
     touch /unittest.xml
     chown authentik:authentik /unittest.xml

package.json

@@ -1,5 +1,5 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2024.8.3",
+    "version": "2024.10.0",
     "private": true
 }

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.8.3"
+version = "2024.10.0"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2024.8.3
+  version: 2024.10.0
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io

web/src/admin/applications/wizard/methods/ldap/ak-application-wizard-authentication-by-ldap.ts

@@ -97,7 +97,7 @@ export class ApplicationWizardApplicationDetails extends WithBrandConfig(BasePro
                 </ak-radio-input>
 
                 <ak-switch-input
-                    name="openInNewTab"
+                    name="mfaSupport"
                     label=${msg("Code-based MFA Support")}
                     ?checked=${provider?.mfaSupport ?? true}
                     help=${mfaSupportHelp}

web/src/admin/providers/rac/RACProviderViewPage.ts

@@ -129,11 +129,7 @@ export class RACProviderViewPage extends AKElement {
         if (!this.provider) {
             return html``;
         }
-        return html`<div slot="header" class="pf-c-banner pf-m-info">
-                ${msg("RAC is in preview.")}
-                <a href="mailto:hello+feature/rac@goauthentik.io">${msg("Send us feedback!")}</a>
-            </div>
-            ${this.provider?.assignedApplicationName
+        return html`${this.provider?.assignedApplicationName
                 ? html``
                 : html`<div slot="header" class="pf-c-banner pf-m-warning">
                       ${msg("Warning: Provider is not used by an Application.")}

web/src/admin/rbac/ObjectPermissionModal.ts

@@ -7,7 +7,6 @@ import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, html } from "lit";
 import { customElement, property } from "lit/decorators.js";
 
-import PFBanner from "@patternfly/patternfly/components/Banner/banner.css";
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
 
@@ -53,17 +52,13 @@ export class ObjectPermissionModal extends AKElement {
     objectPk?: string | number;
 
     static get styles(): CSSResult[] {
-        return [PFBase, PFButton, PFBanner];
+        return [PFBase, PFButton];
     }
 
     render(): TemplateResult {
         return html`
             <ak-forms-modal .showSubmitButton=${false} cancelText=${msg("Close")}>
                 <span slot="header"> ${msg("Update Permissions")} </span>
-                <div class="pf-c-banner pf-m-info" slot="above-form">
-                    ${msg("RBAC is in preview.")}
-                    <a href="mailto:hello@goauthentik.io">${msg("Send us feedback!")}</a>
-                </div>
                 <ak-rbac-object-permission-modal-form
                     slot="form"
                     .model=${this.model}

web/src/admin/rbac/ObjectPermissionsPage.ts

@@ -11,7 +11,6 @@ import { msg } from "@lit/localize";
 import { html, nothing } from "lit";
 import { customElement, property } from "lit/decorators.js";
 
-import PFBanner from "@patternfly/patternfly/components/Banner/banner.css";
 import PFCard from "@patternfly/patternfly/components/Card/card.css";
 import PFPage from "@patternfly/patternfly/components/Page/page.css";
 import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
@@ -31,66 +30,60 @@ export class ObjectPermissionPage extends AKElement {
     embedded = false;
 
     static get styles() {
-        return [PFBase, PFGrid, PFPage, PFCard, PFBanner];
+        return [PFBase, PFGrid, PFPage, PFCard];
     }
 
     render() {
-        return html`${!this.embedded
-                ? html`<div class="pf-c-banner pf-m-info">
-                      ${msg("RBAC is in preview.")}
-                      <a href="mailto:hello@goauthentik.io">${msg("Send us feedback!")}</a>
-                  </div>`
+        return html` <ak-tabs pageIdentifier="permissionPage" ?vertical=${!this.embedded}>
+            ${this.model === RbacPermissionsAssignedByUsersListModelEnum.CoreUser
+                ? this.renderCoreUser()
                 : nothing}
-            <ak-tabs pageIdentifier="permissionPage" ?vertical=${!this.embedded}>
-                ${this.model === RbacPermissionsAssignedByUsersListModelEnum.CoreUser
-                    ? this.renderCoreUser()
-                    : nothing}
-                ${this.model === RbacPermissionsAssignedByUsersListModelEnum.RbacRole
-                    ? this.renderRbacRole()
-                    : nothing}
-                <section
-                    slot="page-object-user"
-                    data-tab-title="${msg("User Object Permissions")}"
-                    class="pf-c-page__main-section pf-m-no-padding-mobile"
-                >
-                    <div class="pf-l-grid pf-m-gutter">
-                        <div class="pf-c-card pf-l-grid__item pf-m-12-col">
-                            <div class="pf-c-card__title">${msg("User Object Permissions")}</div>
-                            <div class="pf-c-card__body">
-                                ${msg("Permissions set on users which affect this object.")}
-                            </div>
-                            <div class="pf-c-card__body">
-                                <ak-rbac-user-object-permission-table
-                                    .model=${this.model}
-                                    .objectPk=${this.objectPk}
-                                >
-                                </ak-rbac-user-object-permission-table>
-                            </div>
+            ${this.model === RbacPermissionsAssignedByUsersListModelEnum.RbacRole
+                ? this.renderRbacRole()
+                : nothing}
+            <section
+                slot="page-object-user"
+                data-tab-title="${msg("User Object Permissions")}"
+                class="pf-c-page__main-section pf-m-no-padding-mobile"
+            >
+                <div class="pf-l-grid pf-m-gutter">
+                    <div class="pf-c-card pf-l-grid__item pf-m-12-col">
+                        <div class="pf-c-card__title">${msg("User Object Permissions")}</div>
+                        <div class="pf-c-card__body">
+                            ${msg("Permissions set on users which affect this object.")}
+                        </div>
+                        <div class="pf-c-card__body">
+                            <ak-rbac-user-object-permission-table
+                                .model=${this.model}
+                                .objectPk=${this.objectPk}
+                            >
+                            </ak-rbac-user-object-permission-table>
                         </div>
                     </div>
-                </section>
-                <section
-                    slot="page-object-role"
-                    data-tab-title="${msg("Role Object Permissions")}"
-                    class="pf-c-page__main-section pf-m-no-padding-mobile"
-                >
-                    <div class="pf-l-grid pf-m-gutter">
-                        <div class="pf-c-card pf-l-grid__item pf-m-12-col">
-                            <div class="pf-c-card__title">${msg("Role Object Permissions")}</div>
-                            <div class="pf-c-card__body">
-                                ${msg("Permissions set on roles which affect this object.")}
-                            </div>
-                            <div class="pf-c-card__body">
-                                <ak-rbac-role-object-permission-table
-                                    .model=${this.model}
-                                    .objectPk=${this.objectPk}
-                                >
-                                </ak-rbac-role-object-permission-table>
-                            </div>
+                </div>
+            </section>
+            <section
+                slot="page-object-role"
+                data-tab-title="${msg("Role Object Permissions")}"
+                class="pf-c-page__main-section pf-m-no-padding-mobile"
+            >
+                <div class="pf-l-grid pf-m-gutter">
+                    <div class="pf-c-card pf-l-grid__item pf-m-12-col">
+                        <div class="pf-c-card__title">${msg("Role Object Permissions")}</div>
+                        <div class="pf-c-card__body">
+                            ${msg("Permissions set on roles which affect this object.")}
+                        </div>
+                        <div class="pf-c-card__body">
+                            <ak-rbac-role-object-permission-table
+                                .model=${this.model}
+                                .objectPk=${this.objectPk}
+                            >
+                            </ak-rbac-role-object-permission-table>
                         </div>
                     </div>
-                </section>
-            </ak-tabs>`;
+                </div>
+            </section>
+        </ak-tabs>`;
     }
 
     renderCoreUser() {

web/src/admin/roles/RoleListPage.ts

@@ -9,12 +9,10 @@ import { TablePage } from "@goauthentik/elements/table/TablePage";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
 import { msg } from "@lit/localize";
-import { CSSResult, TemplateResult, html } from "lit";
+import { TemplateResult, html } from "lit";
 import { customElement, property } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
 
-import PFBanner from "@patternfly/patternfly/components/Banner/banner.css";
-
 import { RbacApi, Role } from "@goauthentik/api";
 
 @customElement("ak-role-list")
@@ -37,10 +35,6 @@ export class RoleListPage extends TablePage<Role> {
     @property()
     order = "name";
 
-    static get styles(): CSSResult[] {
-        return [...super.styles, PFBanner];
-    }
-
     async apiEndpoint(): Promise<PaginatedResponse<Role>> {
         return new RbacApi(DEFAULT_CONFIG).rbacRolesList(await this.defaultEndpointConfig());
     }
@@ -78,10 +72,6 @@ export class RoleListPage extends TablePage<Role> {
                 description=${ifDefined(this.pageDescription())}
             >
             </ak-page-header>
-            <div class="pf-c-banner pf-m-info">
-                ${msg("RBAC is in preview.")}
-                <a href="mailto:hello@goauthentik.io">${msg("Send us feedback!")}</a>
-            </div>
             <section class="pf-c-page__main-section pf-m-no-padding-mobile">
                 <div class="pf-c-card">${this.renderTable()}</div>
             </section>`;

web/src/admin/sources/kerberos/KerberosSourceViewPage.ts

@@ -18,6 +18,7 @@ import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, html } from "lit";
 import { customElement, property, state } from "lit/decorators.js";
 
+import PFBanner from "@patternfly/patternfly/components/Banner/banner.css";
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFCard from "@patternfly/patternfly/components/Card/card.css";
 import PFContent from "@patternfly/patternfly/components/Content/content.css";
@@ -54,7 +55,17 @@ export class KerberosSourceViewPage extends AKElement {
     syncState?: SyncStatus;
 
     static get styles(): CSSResult[] {
-        return [PFBase, PFPage, PFButton, PFGrid, PFContent, PFCard, PFDescriptionList, PFList];
+        return [
+            PFBase,
+            PFPage,
+            PFButton,
+            PFGrid,
+            PFContent,
+            PFCard,
+            PFDescriptionList,
+            PFBanner,
+            PFList,
+        ];
     }
 
     constructor() {
@@ -121,6 +132,12 @@ export class KerberosSourceViewPage extends AKElement {
                     this.load();
                 }}
             >
+                <div slot="header" class="pf-c-banner pf-m-info">
+                    ${msg("Kerberos Source is in preview.")}
+                    <a href="mailto:hello+feature/kerberos-source@goauthentik.io"
+                        >${msg("Send us feedback!")}</a
+                    >
+                </div>
                 <div class="pf-l-grid pf-m-gutter">
                     <div class="pf-c-card pf-l-grid__item pf-m-12-col">
                         <div class="pf-c-card__body">

web/src/admin/stages/authenticator_endpoint_gdtc/AuthenticatorEndpointGDTCStageForm.ts

@@ -10,6 +10,8 @@ import { msg } from "@lit/localize";
 import { TemplateResult, html } from "lit";
 import { customElement } from "lit/decorators.js";
 
+import PFBanner from "@patternfly/patternfly/components/Banner/banner.css";
+
 import { AuthenticatorEndpointGDTCStage, StagesApi } from "@goauthentik/api";
 
 @customElement("ak-stage-authenticator-endpoint-gdtc-form")
@@ -33,8 +35,16 @@ export class AuthenticatorEndpointGDTCStageForm extends BaseStageForm<Authentica
         }
     }
 
+    static get styles() {
+        return super.styles.concat(PFBanner);
+    }
+
     renderForm(): TemplateResult {
-        return html` <span>
+        return html`<div class="pf-c-banner pf-m-info">
+                ${msg("Endpoint Google Chrome Device Trust is in preview.")}
+                <a href="mailto:hello+feature/gdtc@goauthentik.io">${msg("Send us feedback!")}</a>
+            </div>
+            <span>
                 ${msg(
                     "Stage used to verify users' browsers using Google Chrome Device Trust. This stage can be used in authentication/authorization flows.",
                 )}

web/src/common/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2024.8.3";
+export const VERSION = "2024.10.0";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
 

website/docs/add-secure-apps/flows-stages/flow/context/index.md

@@ -112,7 +112,7 @@ An optional list of all permissions that will be given to the application by gra
 
 #### Deny stage
 
-##### `deny_message` (string) <span class="badge badge--version">authentik 2023.10+</span>
+##### `deny_message` (string) <span class="badge badge--version">authentik 2023.10+</span>
 
 Optionally overwrite the deny message shown, has a higher priority than the message configured in the stage.
 
@@ -128,7 +128,7 @@ If set, this must be a list of group objects and not group names.
 
 Path the `pending_user` will be written to. If not set in the flow, falls back to the value set in the user_write stage, and otherwise to the `users` path.
 
-##### `user_type` (string) <span class="badge badge--version">authentik 2023.10+</span>
+##### `user_type` (string) <span class="badge badge--version">authentik 2023.10+</span>
 
 Type the `pending_user` will be created as. Must be one of `internal`, `external` or `service_account`.
 

website/docs/add-secure-apps/flows-stages/stages/authenticator_duo/index.md

@@ -10,7 +10,7 @@ Copy all of the integration key, secret key and API hostname, and paste them in
 
 Devices created reference the stage they were created with, since the API credentials are needed to authenticate. This also means when the stage is deleted, all devices are removed.
 
-## Importing users <span class="badge badge--version">authentik 2022.9+</span>
+## Importing users <span class="badge badge--version">authentik 2022.9+</span>
 
 :::info
 Due to the way the Duo API works, authentik can only automatically import existing Duo users when a Duo MFA or higher license is active.
@@ -20,7 +20,7 @@ To import a device, open the Stages list in the authentik Admin interface. On th
 
 The Duo username can be found by navigating to your Duo Admin dashboard and selecting _Users_ in the sidebar. Optionally if you have multiple users with the same username, you can click on a User and copy their ID from the URL, and use that to import the device.
 
-### Older versions <span class="badge badge--version">authentik 2021.9.1+</span>
+### Older versions <span class="badge badge--version">authentik 2021.9.1+</span>
 
 You can call the `/api/v3/stages/authenticator/duo/{stage_uuid}/import_devices/` endpoint ([see here](https://goauthentik.io/api/#post-/stages/authenticator/duo/-stage_uuid-/import_devices/)) using the following parameters:
 

website/docs/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/index.md

@@ -3,6 +3,7 @@ title: Endpoint Authenticator Google Device Trust Connector Stage
 ---
 
 <span class="badge badge--primary">Enterprise</span>
+<span class="badge badge--preview">Preview</span>
 <span class="badge badge--version">authentik 2024.10+</span>
 
 ---

website/docs/add-secure-apps/providers/entra/add-entra-provider.md

@@ -3,15 +3,12 @@ title: Add an Entra ID provider
 ---
 
 <span class="badge badge--primary">Enterprise</span>
+<span class="badge badge--preview">Preview</span>
 
 ---
 
 For more information about using an Entra ID provider, see the [Overview](./index.md) documentation.
 
-:::info
-This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
-:::
-
 ## Prerequisites
 
 To create an Entra ID provider provider in authentik, you must have already [configured Entra ID](./setup-entra.md) to integrate with authentik. You will need to obtain from Entra three values: the Application (client) ID, the Directory (tenant) ID, and the Client secret. When adding an Entra ID provider in authentik, you must provide these values.

website/docs/add-secure-apps/providers/entra/index.md

@@ -3,13 +3,10 @@ title: Microsoft Entra ID provider
 ---
 
 <span class="badge badge--primary">Enterprise</span>
+<span class="badge badge--preview">Preview</span>
 
 ---
 
-:::info
-This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
-:::
-
 With the Microsoft Entra ID provider, authentik serves as the single source of truth for all users and groups. Configuring Entra ID as a provider allows for auto-discovery of user and group accounts, on-going synchronization of user data such as email address, name, and status, and integrated data mapping of field names and values.
 
 -   For instructions to configure your Entra ID tenant to integrate with authentik, refer to [Configure Entra ID](./setup-entra.md).

website/docs/add-secure-apps/providers/gws/add-gws-provider.md

@@ -3,13 +3,10 @@ title: Create a Google Workspace provider
 ---
 
 <span class="badge badge--primary">Enterprise</span>
+<span class="badge badge--preview">Preview</span>
 
 ---
 
-:::info
-This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
-:::
-
 For more information about using a Google Workspace provider, see the [Overview](./index.md) documentation.
 
 ## Prerequisites

website/docs/add-secure-apps/providers/gws/index.md

@@ -3,13 +3,10 @@ title: Google Workspace provider
 ---
 
 <span class="badge badge--primary">Enterprise</span>
+<span class="badge badge--preview">Preview</span>
 
 ---
 
-:::info
-This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
-:::
-
 With the Google Workspace provider, authentik serves as the single source of truth for all users and groups, when using Google products like Gmail.
 
 -   For instructions to configure your Google Workspace to integrate with authentik, refer to [Configure Google Workspace](./setup-gws.md).

website/docs/add-secure-apps/providers/proxy/server_caddy.mdx

@@ -1,7 +1,12 @@
+---
+title: Caddy
+hide_title: true
+---
+
 import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
 
-# Caddy <span class="badge badge--version">authentik 2022.8+</span>
+# Caddy <span class="badge badge--version">authentik 2022.8+</span>
 
 The configuration template shown below apply to both single-application and domain-level forward auth.
 

website/docs/add-secure-apps/providers/proxy/server_envoy.mdx

@@ -1,7 +1,12 @@
+---
+title: Envoy
+hide_title: true
+---
+
 import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";
 
-# Envoy <span class="badge badge--version">authentik 2022.6+</span>
+# Envoy <span class="badge badge--version">authentik 2022.6+</span>
 
 The configuration template shown below apply to both single-application and domain-level forward auth.
 

website/docs/add-secure-apps/providers/rac/how-to-rac.md

@@ -2,17 +2,13 @@
 title: Create a Remote Access Control (RAC) provider
 ---
 
-:::info
-This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
-:::
-
 The RAC provider is a highly flexible feature for accessing remote machines. This document provides instructions for the basic creation and configuration of a RAC provider within a defined scenario.
 
 Fow more information about using a RAC provider, see the [Overview](./index.md) documentation. You can also view our video on YouTube for setting up RAC.
 
 <iframe width="560" height="315" src="https://www.youtube.com/embed/9wahIBRV6Ts;start=22" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>
 
-## Prereqisites
+## Prerequisites
 
 The RAC provider requires the deployment of the [RAC Outpost](../../outposts/index.mdx).
 

website/docs/add-secure-apps/providers/rac/index.md

@@ -6,10 +6,6 @@ title: Remote Access Control (RAC) Provider
 
 ---
 
-:::info
-This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
-:::
-
 :::info
 This provider requires the deployment of the [RAC Outpost](../../outposts/index.mdx).
 :::

website/docs/customize/blueprints/index.md

@@ -2,7 +2,7 @@
 title: Blueprints
 ---
 
-<span class="badge badge--version">authentik 2022.8+</span>
+<span class="badge badge--version">authentik 2022.8+</span>
 
 ---
 

website/docs/customize/blueprints/v1/models.md

@@ -26,7 +26,7 @@ For example:
 
 ## `authentik_core.user`
 
-### `password` <span class="badge badge--version">authentik 2023.6+</span>
+### `password` <span class="badge badge--version">authentik 2023.6+</span>
 
 Via the standard API, a user's password can only be set via the separate `/api/v3/core/users/<id>/set_password/` endpoint. In blueprints, the password of a user can be set using the `password` field.
 
@@ -45,7 +45,7 @@ For example:
       password: this-should-be-a-long-value
 ```
 
-### `permissions` <span class="badge badge--version">authentik 2024.8+</span>
+### `permissions` <span class="badge badge--version">authentik 2024.8+</span>
 
 The `permissions` field can be used to set global permissions for a user. A full list of possible permissions is included in the JSON schema for blueprints.
 
@@ -63,7 +63,7 @@ For example:
 
 ## `authentik_core.application`
 
-### `icon` <span class="badge badge--version">authentik 2023.5+</span>
+### `icon` <span class="badge badge--version">authentik 2023.5+</span>
 
 Application icons can be directly set to URLs with the `icon` field.
 
@@ -81,7 +81,7 @@ For example:
 
 ## `authentik_sources_oauth.oauthsource`, `authentik_sources_saml.samlsource`, `authentik_sources_plex.plexsource`
 
-### `icon` <span class="badge badge--version">authentik 2023.5+</span>
+### `icon` <span class="badge badge--version">authentik 2023.5+</span>
 
 Source icons can be directly set to URLs with the `icon` field.
 
@@ -99,7 +99,7 @@ For example:
 
 ## `authentik_flows.flow`
 
-### `icon` <span class="badge badge--version">authentik 2023.5+</span>
+### `icon` <span class="badge badge--version">authentik 2023.5+</span>
 
 Flow backgrounds can be directly set to URLs with the `background` field.
 
@@ -119,7 +119,7 @@ For example:
 
 ## `authentik_rbac.role`
 
-### `permissions` <span class="badge badge--version">authentik 2024.8+</span>
+### `permissions` <span class="badge badge--version">authentik 2024.8+</span>
 
 The `permissions` field can be used to set global permissions for a role. A full list of possible permissions is included in the JSON schema for blueprints.
 

website/docs/expressions/_functions.md

@@ -29,7 +29,7 @@ user = list_flatten(["foo"])
 # user = "foo"
 ```
 
-### `ak_call_policy(name: str, **kwargs) -> PolicyResult` <span class="badge badge--version">authentik 2021.12+</span>
+### `ak_call_policy(name: str, **kwargs) -> PolicyResult` <span class="badge badge--version">authentik 2021.12+</span>
 
 Call another policy with the name _name_. Current request is passed to policy. Key-word arguments
 can be used to modify the request's context.
@@ -70,7 +70,7 @@ Example:
 other_user = ak_user_by(username="other_user")
 ```
 
-### `ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool` <span class="badge badge--version">authentik 2022.9+</span>
+### `ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool` <span class="badge badge--version">authentik 2022.9+</span>
 
 Check if a user has any authenticator devices. Only fully validated devices are counted.
 
@@ -87,7 +87,7 @@ Example:
 return ak_user_has_authenticator(request.user)
 ```
 
-### `ak_create_event(action: str, **kwargs) -> None` <span class="badge badge--version">authentik 2022.9+</span>
+### `ak_create_event(action: str, **kwargs) -> None` <span class="badge badge--version">authentik 2022.9+</span>
 
 Create a new event with the action set to `action`. Any additional key-word parameters will be saved in the event context. Additionally, `context` will be set to the context in which this function is called.
 
@@ -112,7 +112,7 @@ ip_address('192.0.2.1') in ip_network('192.0.2.0/24')
 # evaluates to True
 ```
 
-## DNS resolution and reverse DNS lookups <span class="badge badge--version">authentik 2023.3+</span>
+## DNS resolution and reverse DNS lookups <span class="badge badge--version">authentik 2023.3+</span>
 
 To resolve a hostname to a list of IP addresses, use the functions `resolve_dns(hostname)` and `resolve_dns(hostname, ip_version)`.
 

website/docs/install-config/automated-install.md

@@ -8,11 +8,11 @@ To install authentik automatically (skipping the Out-of-box experience), you can
 
 Configure the default password for the `akadmin` user. Only read on the first startup. Can be used for any flow executor.
 
-### `AUTHENTIK_BOOTSTRAP_TOKEN` <span class="badge badge--version">authentik 2021.8+</span>
+### `AUTHENTIK_BOOTSTRAP_TOKEN` <span class="badge badge--version">authentik 2021.8+</span>
 
 Create a token for the default `akadmin` user. Only read on the first startup. The string you specify for this variable is the token key you can use to authenticate yourself to the API.
 
-### `AUTHENTIK_BOOTSTRAP_EMAIL` <span class="badge badge--version">authentik 2023.3+</span>
+### `AUTHENTIK_BOOTSTRAP_EMAIL` <span class="badge badge--version">authentik 2023.3+</span>
 
 Set the email address for the default `akadmin` user.
 

website/docs/install-config/configuration/configuration.mdx

@@ -299,47 +299,47 @@ Disable the inbuilt update-checker. Defaults to `false`.
     -   Kubeconfig
     -   Existence of a docker socket
 
-### `AUTHENTIK_LDAP__TASK_TIMEOUT_HOURS` <span class="badge badge--version">authentik 2023.1+</span>
+### `AUTHENTIK_LDAP__TASK_TIMEOUT_HOURS` <span class="badge badge--version">authentik 2023.1+</span>
 
 Timeout in hours for LDAP synchronization tasks.
 
 Defaults to `2`.
 
-### `AUTHENTIK_LDAP__PAGE_SIZE` <span class="badge badge--version">authentik 2023.6.1+</span>
+### `AUTHENTIK_LDAP__PAGE_SIZE` <span class="badge badge--version">authentik 2023.6.1+</span>
 
 Page size for LDAP synchronization. Controls the number of objects created in a single task.
 
 Defaults to `50`.
 
-### `AUTHENTIK_LDAP__TLS__CIPHERS` <span class="badge badge--version">authentik 2022.7+</span>
+### `AUTHENTIK_LDAP__TLS__CIPHERS` <span class="badge badge--version">authentik 2022.7+</span>
 
 Allows configuration of TLS Cliphers for LDAP connections used by LDAP sources. Setting applies to all sources.
 
 Defaults to `null`.
 
-### `AUTHENTIK_REPUTATION__EXPIRY` <span class="badge badge--version">authentik 2023.8.2+</span>
+### `AUTHENTIK_REPUTATION__EXPIRY` <span class="badge badge--version">authentik 2023.8.2+</span>
 
 Configure how long reputation scores should be saved for in seconds. Note that this is different than [`AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION`](#redis-settings), as reputation is saved to the database every 5 minutes.
 
 Defaults to `86400`.
 
-### `AUTHENTIK_SESSION_STORAGE` <span class="badge badge--version">authentik 2024.4+</span>
+### `AUTHENTIK_SESSION_STORAGE` <span class="badge badge--version">authentik 2024.4+</span>
 
 Configure if the sessions are stored in the cache or the database. Defaults to `cache`. Allowed values are `cache` and `db`. Note that changing this value will invalidate all previous sessions.
 
-### `AUTHENTIK_WEB__WORKERS` <span class="badge badge--version">authentik 2022.9+</span>
+### `AUTHENTIK_WEB__WORKERS` <span class="badge badge--version">authentik 2022.9+</span>
 
 Configure how many gunicorn worker processes should be started (see https://docs.gunicorn.org/en/stable/design.html).
 
 Defaults to 2. A value below 2 workers is not recommended. In environments where scaling with multiple replicas of the authentik server is not possible, this number can be increased to handle higher loads.
 
-### `AUTHENTIK_WEB__THREADS` <span class="badge badge--version">authentik 2022.9+</span>
+### `AUTHENTIK_WEB__THREADS` <span class="badge badge--version">authentik 2022.9+</span>
 
 Configure how many gunicorn threads a worker processes should have (see https://docs.gunicorn.org/en/stable/design.html).
 
 Defaults to 4.
 
-### `AUTHENTIK_WORKER__CONCURRENCY` <span class="badge badge--version">authentik 2023.9+</span>
+### `AUTHENTIK_WORKER__CONCURRENCY` <span class="badge badge--version">authentik 2023.9+</span>
 
 Configure Celery worker concurrency for authentik worker (see https://docs.celeryq.dev/en/latest/userguide/configuration.html#worker-concurrency). This essentially defines the number of worker processes spawned for a single worker.
 

website/docs/users-sources/sources/protocols/kerberos/index.md

@@ -2,6 +2,11 @@
 title: Kerberos
 ---
 
+<span class="badge badge--preview">Preview</span>
+<span class="badge badge--version">authentik 2024.10+</span>
+
+---
+
 This source allows users to enroll themselves with an existing Kerberos identity.
 
 ## Preparation

website/docs/users-sources/sources/protocols/scim/index.md

@@ -2,9 +2,9 @@
 title: SCIM Source
 ---
 
-:::info
-This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
-:::
+<span class="badge badge--preview">Preview</span>
+
+---
 
 The SCIM source allows other applications to directly create users and groups within authentik. SCIM provides predefined schema for users and groups, with a RESTful API, to enable automatic user provisioning and deprovisioning, SCIM is supported by applications such as Microsoft Entra ID, Google Workspace, and Okta.
 

website/docs/users-sources/sources/social-logins/github/index.md

@@ -20,8 +20,8 @@ The following placeholders will be used:
 ![Register OAuth App](./githubdeveloper1.png)
 
 2. **Application Name:** Choose a name users will recognize ie: authentik
-3. **Homepage URL**:: www.my.company
-4. **Authorization callback URL**: https://authentik.company/source/oauth/callback/github
+3. **Homepage URL:** www.my.company
+4. **Authorization callback URL:**: https://authentik.company/source/oauth/callback/github
 5. Click **Register Application**
 
 Example screenshot
@@ -35,8 +35,8 @@ Example screenshot
 
 8. Under _Directory -> Federation & Social login_ Click **Create Github OAuth Source**
 
-9. **Name**: Choose a name (For the example I use Github)
-10. **Slug**: github (If you choose a different slug the URLs will need to be updated to reflect the change)
+9. **Name:** Choose a name (For the example I use Github)
+10. **Slug:** github (If you choose a different slug the URLs will need to be updated to reflect the change)
 11. **Consumer Key:** Client ID from step 6
 12. **Consumer Secret:** Client Secret from step 7
 

website/sidebars.js

@@ -2,13 +2,14 @@ import { generateVersionDropdown } from "./src/utils.js";
 import apiReference from "./docs/developer-docs/api/reference/sidebar";
 
 const releases = [
+    "releases/2024/v2024.10",
     "releases/2024/v2024.8",
     "releases/2024/v2024.6",
-    "releases/2024/v2024.4",
     {
         type: "category",
         label: "Previous versions",
         items: [
+            "releases/2024/v2024.4",
             "releases/2024/v2024.2",
             "releases/2023/v2023.10",
             "releases/2023/v2023.8",

website/src/css/custom.css

@@ -125,3 +125,11 @@ body {
     font-size: 0.75rem;
     vertical-align: middle;
 }
+
+.badge--preview {
+    --ifm-badge-background-color: rgb(115, 188, 247);
+    color: var(--ifm-color-primary-contrast-foreground);
+    --ifm-badge-border-color: var(--ifm-badge-background-color);
+    font-size: 0.75rem;
+    vertical-align: middle;
+}