root: bumpversion 2024.10 (#11865 )

release: 2024.10.0
web/admin: fix code-based MFA toggle not working in wizard (cherry-pick #11854 ) (#11855 )
2024-10-30 22:45:48 +01:00 · 2024-10-29 20:19:54 +01:00 · 2024-10-29 17:31:32 +01:00 · 2024-10-28 17:27:59 +01:00 · 2024-10-28 13:21:02 +01:00 · 2024-10-28 13:20:38 +01:00
40 changed files with 2170 additions and 153 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.8.3
+current_version = 2024.10.0
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2024.8.3"
+__version__ = "2024.10.0"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2024.8.3 Blueprint schema",
+    "title": "authentik 2024.10.0 Blueprint schema",
    "required": [
        "version",
        "entries"
--- a/blueprints/system/sources-kerberos.yaml
+++ b/blueprints/system/sources-kerberos.yaml
@ -38,7 +38,7 @@ entries:
      name: "authentik default Kerberos User Mapping: Ignore system principals"
      expression: |
        localpart, realm = principal.rsplit("@", 1)
-        denied_prefixes = ["kadmin/", "krbtgt/", "K/M", "WELLKNOWN/"]
+        denied_prefixes = ["kadmin/", "krbtgt/", "K/M", "WELLKNOWN/", "kiprop/", "changepw/"]
        for prefix in denied_prefixes:
            if localpart.lower().startswith(prefix.lower()):
                raise SkipObject
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.0}
    restart: unless-stopped
    command: server
    environment:
@ -52,7 +52,7 @@ services:
      - postgresql
      - redis
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.0}
    restart: unless-stopped
    command: worker
    environment:
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }

-const VERSION = "2024.8.3"
+const VERSION = "2024.10.0"
--- a/lifecycle/ak
+++ b/lifecycle/ak
@ -54,7 +54,9 @@ function cleanup {
 }

 function prepare_debug {
-    apt-get install -y --no-install-recommends krb5-kdc krb5-user krb5-admin-server
+    export DEBIAN_FRONTEND=noninteractive
+    apt-get update
+    apt-get install -y --no-install-recommends krb5-kdc krb5-user krb5-admin-server libkrb5-dev gcc
    VIRTUAL_ENV=/ak-root/venv poetry install --no-ansi --no-interaction
    touch /unittest.xml
    chown authentik:authentik /unittest.xml
--- a/package.json
+++ b/package.json
@ -1,5 +1,5 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2024.8.3",
+    "version": "2024.10.0",
    "private": true
 }
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.8.3"
+version = "2024.10.0"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]

--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2024.8.3
+  version: 2024.10.0
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
--- a/web/src/admin/applications/wizard/methods/ldap/ak-application-wizard-authentication-by-ldap.ts
+++ b/web/src/admin/applications/wizard/methods/ldap/ak-application-wizard-authentication-by-ldap.ts
@ -97,7 +97,7 @@ export class ApplicationWizardApplicationDetails extends WithBrandConfig(BasePro
                </ak-radio-input>

                <ak-switch-input
-                    name="openInNewTab"
+                    name="mfaSupport"
                    label=${msg("Code-based MFA Support")}
                    ?checked=${provider?.mfaSupport ?? true}
                    help=${mfaSupportHelp}
--- a/web/src/admin/providers/rac/RACProviderViewPage.ts
+++ b/web/src/admin/providers/rac/RACProviderViewPage.ts
@ -129,11 +129,7 @@ export class RACProviderViewPage extends AKElement {
        if (!this.provider) {
            return html``;
        }
-        return html`<div slot="header" class="pf-c-banner pf-m-info">
-                ${msg("RAC is in preview.")}
-                <a href="mailto:hello+feature/rac@goauthentik.io">${msg("Send us feedback!")}</a>
-            </div>
-            ${this.provider?.assignedApplicationName
+        return html`${this.provider?.assignedApplicationName
                ? html``
                : html`<div slot="header" class="pf-c-banner pf-m-warning">
                      ${msg("Warning: Provider is not used by an Application.")}
--- a/web/src/admin/rbac/ObjectPermissionModal.ts
+++ b/web/src/admin/rbac/ObjectPermissionModal.ts
@ -7,7 +7,6 @@ import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, html } from "lit";
 import { customElement, property } from "lit/decorators.js";

-import PFBanner from "@patternfly/patternfly/components/Banner/banner.css";
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";

@ -53,17 +52,13 @@ export class ObjectPermissionModal extends AKElement {
    objectPk?: string | number;

    static get styles(): CSSResult[] {
-        return [PFBase, PFButton, PFBanner];
+        return [PFBase, PFButton];
    }

    render(): TemplateResult {
        return html`
            <ak-forms-modal .showSubmitButton=${false} cancelText=${msg("Close")}>
                <span slot="header"> ${msg("Update Permissions")} </span>
-                <div class="pf-c-banner pf-m-info" slot="above-form">
-                    ${msg("RBAC is in preview.")}
-                    <a href="mailto:hello@goauthentik.io">${msg("Send us feedback!")}</a>
-                </div>
                <ak-rbac-object-permission-modal-form
                    slot="form"
                    .model=${this.model}
--- a/web/src/admin/rbac/ObjectPermissionsPage.ts
+++ b/web/src/admin/rbac/ObjectPermissionsPage.ts
@ -11,7 +11,6 @@ import { msg } from "@lit/localize";
 import { html, nothing } from "lit";
 import { customElement, property } from "lit/decorators.js";

-import PFBanner from "@patternfly/patternfly/components/Banner/banner.css";
 import PFCard from "@patternfly/patternfly/components/Card/card.css";
 import PFPage from "@patternfly/patternfly/components/Page/page.css";
 import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
@ -31,17 +30,11 @@ export class ObjectPermissionPage extends AKElement {
    embedded = false;

    static get styles() {
-        return [PFBase, PFGrid, PFPage, PFCard, PFBanner];
+        return [PFBase, PFGrid, PFPage, PFCard];
    }

    render() {
-        return html`${!this.embedded
-                ? html`<div class="pf-c-banner pf-m-info">
-                      ${msg("RBAC is in preview.")}
-                      <a href="mailto:hello@goauthentik.io">${msg("Send us feedback!")}</a>
-                  </div>`
-                : nothing}
-            <ak-tabs pageIdentifier="permissionPage" ?vertical=${!this.embedded}>
+        return html` <ak-tabs pageIdentifier="permissionPage" ?vertical=${!this.embedded}>
            ${this.model === RbacPermissionsAssignedByUsersListModelEnum.CoreUser
                ? this.renderCoreUser()
                : nothing}
--- a/web/src/admin/roles/RoleListPage.ts
+++ b/web/src/admin/roles/RoleListPage.ts
@ -9,12 +9,10 @@ import { TablePage } from "@goauthentik/elements/table/TablePage";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";

 import { msg } from "@lit/localize";
-import { CSSResult, TemplateResult, html } from "lit";
+import { TemplateResult, html } from "lit";
 import { customElement, property } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";

-import PFBanner from "@patternfly/patternfly/components/Banner/banner.css";
-
 import { RbacApi, Role } from "@goauthentik/api";

@customElement("ak-role-list")
@ -37,10 +35,6 @@ export class RoleListPage extends TablePage<Role> {
    @property()
    order = "name";

-    static get styles(): CSSResult[] {
-        return [...super.styles, PFBanner];
-    }
-
    async apiEndpoint(): Promise<PaginatedResponse<Role>> {
        return new RbacApi(DEFAULT_CONFIG).rbacRolesList(await this.defaultEndpointConfig());
    }
@ -78,10 +72,6 @@ export class RoleListPage extends TablePage<Role> {
                description=${ifDefined(this.pageDescription())}
            >
            </ak-page-header>
-            <div class="pf-c-banner pf-m-info">
-                ${msg("RBAC is in preview.")}
-                <a href="mailto:hello@goauthentik.io">${msg("Send us feedback!")}</a>
-            </div>
            <section class="pf-c-page__main-section pf-m-no-padding-mobile">
                <div class="pf-c-card">${this.renderTable()}</div>
            </section>`;
--- a/web/src/admin/sources/kerberos/KerberosSourceViewPage.ts
+++ b/web/src/admin/sources/kerberos/KerberosSourceViewPage.ts
@ -18,6 +18,7 @@ import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, html } from "lit";
 import { customElement, property, state } from "lit/decorators.js";

+import PFBanner from "@patternfly/patternfly/components/Banner/banner.css";
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFCard from "@patternfly/patternfly/components/Card/card.css";
 import PFContent from "@patternfly/patternfly/components/Content/content.css";
@ -54,7 +55,17 @@ export class KerberosSourceViewPage extends AKElement {
    syncState?: SyncStatus;

    static get styles(): CSSResult[] {
-        return [PFBase, PFPage, PFButton, PFGrid, PFContent, PFCard, PFDescriptionList, PFList];
+        return [
+            PFBase,
+            PFPage,
+            PFButton,
+            PFGrid,
+            PFContent,
+            PFCard,
+            PFDescriptionList,
+            PFBanner,
+            PFList,
+        ];
    }

    constructor() {
@ -121,6 +132,12 @@ export class KerberosSourceViewPage extends AKElement {
                    this.load();
                }}
            >
+                <div slot="header" class="pf-c-banner pf-m-info">
+                    ${msg("Kerberos Source is in preview.")}
+                    <a href="mailto:hello+feature/kerberos-source@goauthentik.io"
+                        >${msg("Send us feedback!")}</a
+                    >
+                </div>
                <div class="pf-l-grid pf-m-gutter">
                    <div class="pf-c-card pf-l-grid__item pf-m-12-col">
                        <div class="pf-c-card__body">
--- a/web/src/admin/stages/authenticator_endpoint_gdtc/AuthenticatorEndpointGDTCStageForm.ts
+++ b/web/src/admin/stages/authenticator_endpoint_gdtc/AuthenticatorEndpointGDTCStageForm.ts
@ -10,6 +10,8 @@ import { msg } from "@lit/localize";
 import { TemplateResult, html } from "lit";
 import { customElement } from "lit/decorators.js";

+import PFBanner from "@patternfly/patternfly/components/Banner/banner.css";
+
 import { AuthenticatorEndpointGDTCStage, StagesApi } from "@goauthentik/api";

@customElement("ak-stage-authenticator-endpoint-gdtc-form")
@ -33,8 +35,16 @@ export class AuthenticatorEndpointGDTCStageForm extends BaseStageForm<Authentica
        }
    }

+    static get styles() {
+        return super.styles.concat(PFBanner);
+    }
+
    renderForm(): TemplateResult {
-        return html` <span>
+        return html`<div class="pf-c-banner pf-m-info">
+                ${msg("Endpoint Google Chrome Device Trust is in preview.")}
+                <a href="mailto:hello+feature/gdtc@goauthentik.io">${msg("Send us feedback!")}</a>
+            </div>
+            <span>
                ${msg(
                    "Stage used to verify users' browsers using Google Chrome Device Trust. This stage can be used in authentication/authorization flows.",
                )}
--- a/web/src/common/constants.ts
+++ b/web/src/common/constants.ts
@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2024.8.3";
+export const VERSION = "2024.10.0";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";

--- a/website/docs/add-secure-apps/flows-stages/flow/context/index.md
+++ b/website/docs/add-secure-apps/flows-stages/flow/context/index.md
@ -112,7 +112,7 @@ An optional list of all permissions that will be given to the application by gra

 #### Deny stage

-##### `deny_message` (string) <span class="badge badge--version">authentik 2023.10+</span>
+##### `deny_message` (string) <span class="badge badge--version">authentik 2023.10+</span>

 Optionally overwrite the deny message shown, has a higher priority than the message configured in the stage.

@ -128,7 +128,7 @@ If set, this must be a list of group objects and not group names.

 Path the `pending_user` will be written to. If not set in the flow, falls back to the value set in the user_write stage, and otherwise to the `users` path.

-##### `user_type` (string) <span class="badge badge--version">authentik 2023.10+</span>
+##### `user_type` (string) <span class="badge badge--version">authentik 2023.10+</span>

 Type the `pending_user` will be created as. Must be one of `internal`, `external` or `service_account`.

--- a/website/docs/add-secure-apps/flows-stages/stages/authenticator_duo/index.md
+++ b/website/docs/add-secure-apps/flows-stages/stages/authenticator_duo/index.md
@ -10,7 +10,7 @@ Copy all of the integration key, secret key and API hostname, and paste them in

 Devices created reference the stage they were created with, since the API credentials are needed to authenticate. This also means when the stage is deleted, all devices are removed.

-## Importing users <span class="badge badge--version">authentik 2022.9+</span>
+## Importing users <span class="badge badge--version">authentik 2022.9+</span>

 :::info
 Due to the way the Duo API works, authentik can only automatically import existing Duo users when a Duo MFA or higher license is active.
@ -20,7 +20,7 @@ To import a device, open the Stages list in the authentik Admin interface. On th

 The Duo username can be found by navigating to your Duo Admin dashboard and selecting _Users_ in the sidebar. Optionally if you have multiple users with the same username, you can click on a User and copy their ID from the URL, and use that to import the device.

-### Older versions <span class="badge badge--version">authentik 2021.9.1+</span>
+### Older versions <span class="badge badge--version">authentik 2021.9.1+</span>

 You can call the `/api/v3/stages/authenticator/duo/{stage_uuid}/import_devices/` endpoint ([see here](https://goauthentik.io/api/#post-/stages/authenticator/duo/-stage_uuid-/import_devices/)) using the following parameters:

--- a/website/docs/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/index.md
+++ b/website/docs/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/index.md
@ -3,6 +3,7 @@ title: Endpoint Authenticator Google Device Trust Connector Stage
 ---

 <span class="badge badge--primary">Enterprise</span>
+<span class="badge badge--preview">Preview</span>
 <span class="badge badge--version">authentik 2024.10+</span>

 ---
--- a/website/docs/add-secure-apps/providers/entra/add-entra-provider.md
+++ b/website/docs/add-secure-apps/providers/entra/add-entra-provider.md
@ -3,15 +3,12 @@ title: Add an Entra ID provider
 ---

 <span class="badge badge--primary">Enterprise</span>
+<span class="badge badge--preview">Preview</span>

 ---

 For more information about using an Entra ID provider, see the [Overview](./index.md) documentation.

-:::info
-This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
-:::
-
 ## Prerequisites

 To create an Entra ID provider provider in authentik, you must have already [configured Entra ID](./setup-entra.md) to integrate with authentik. You will need to obtain from Entra three values: the Application (client) ID, the Directory (tenant) ID, and the Client secret. When adding an Entra ID provider in authentik, you must provide these values.
--- a/website/docs/add-secure-apps/providers/entra/index.md
+++ b/website/docs/add-secure-apps/providers/entra/index.md
@ -3,13 +3,10 @@ title: Microsoft Entra ID provider
 ---

 <span class="badge badge--primary">Enterprise</span>
+<span class="badge badge--preview">Preview</span>

 ---

-:::info
-This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
-:::
-
 With the Microsoft Entra ID provider, authentik serves as the single source of truth for all users and groups. Configuring Entra ID as a provider allows for auto-discovery of user and group accounts, on-going synchronization of user data such as email address, name, and status, and integrated data mapping of field names and values.

 -   For instructions to configure your Entra ID tenant to integrate with authentik, refer to [Configure Entra ID](./setup-entra.md).
--- a/website/docs/add-secure-apps/providers/gws/add-gws-provider.md
+++ b/website/docs/add-secure-apps/providers/gws/add-gws-provider.md
@ -3,13 +3,10 @@ title: Create a Google Workspace provider
 ---

 <span class="badge badge--primary">Enterprise</span>
+<span class="badge badge--preview">Preview</span>

 ---

-:::info
-This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
-:::
-
 For more information about using a Google Workspace provider, see the [Overview](./index.md) documentation.

 ## Prerequisites
--- a/website/docs/add-secure-apps/providers/gws/index.md
+++ b/website/docs/add-secure-apps/providers/gws/index.md
@ -3,13 +3,10 @@ title: Google Workspace provider
 ---

 <span class="badge badge--primary">Enterprise</span>
+<span class="badge badge--preview">Preview</span>

 ---

-:::info
-This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
-:::
-
 With the Google Workspace provider, authentik serves as the single source of truth for all users and groups, when using Google products like Gmail.

 -   For instructions to configure your Google Workspace to integrate with authentik, refer to [Configure Google Workspace](./setup-gws.md).
--- a/website/docs/add-secure-apps/providers/proxy/server_caddy.mdx
+++ b/website/docs/add-secure-apps/providers/proxy/server_caddy.mdx
@ -1,7 +1,12 @@
+---
+title: Caddy
+hide_title: true
+---
+
 import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";

-# Caddy <span class="badge badge--version">authentik 2022.8+</span>
+# Caddy <span class="badge badge--version">authentik 2022.8+</span>

 The configuration template shown below apply to both single-application and domain-level forward auth.

--- a/website/docs/add-secure-apps/providers/proxy/server_envoy.mdx
+++ b/website/docs/add-secure-apps/providers/proxy/server_envoy.mdx
@ -1,7 +1,12 @@
+---
+title: Envoy
+hide_title: true
+---
+
 import Tabs from "@theme/Tabs";
 import TabItem from "@theme/TabItem";

-# Envoy <span class="badge badge--version">authentik 2022.6+</span>
+# Envoy <span class="badge badge--version">authentik 2022.6+</span>

 The configuration template shown below apply to both single-application and domain-level forward auth.

--- a/website/docs/add-secure-apps/providers/rac/how-to-rac.md
+++ b/website/docs/add-secure-apps/providers/rac/how-to-rac.md
@ -2,17 +2,13 @@
 title: Create a Remote Access Control (RAC) provider
 ---

-:::info
-This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
-:::
-
 The RAC provider is a highly flexible feature for accessing remote machines. This document provides instructions for the basic creation and configuration of a RAC provider within a defined scenario.

 Fow more information about using a RAC provider, see the [Overview](./index.md) documentation. You can also view our video on YouTube for setting up RAC.

 <iframe width="560" height="315" src="https://www.youtube.com/embed/9wahIBRV6Ts;start=22" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

-## Prereqisites
+## Prerequisites

 The RAC provider requires the deployment of the [RAC Outpost](../../outposts/index.mdx).

--- a/website/docs/add-secure-apps/providers/rac/index.md
+++ b/website/docs/add-secure-apps/providers/rac/index.md
@ -6,10 +6,6 @@ title: Remote Access Control (RAC) Provider

 ---

-:::info
-This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
-:::
-
 :::info
 This provider requires the deployment of the [RAC Outpost](../../outposts/index.mdx).
 :::
--- a/website/docs/customize/blueprints/index.md
+++ b/website/docs/customize/blueprints/index.md
@ -2,7 +2,7 @@
 title: Blueprints
 ---

-<span class="badge badge--version">authentik 2022.8+</span>
+<span class="badge badge--version">authentik 2022.8+</span>

 ---

--- a/website/docs/customize/blueprints/v1/models.md
+++ b/website/docs/customize/blueprints/v1/models.md
@ -26,7 +26,7 @@ For example:

 ## `authentik_core.user`

-### `password` <span class="badge badge--version">authentik 2023.6+</span>
+### `password` <span class="badge badge--version">authentik 2023.6+</span>

 Via the standard API, a user's password can only be set via the separate `/api/v3/core/users/<id>/set_password/` endpoint. In blueprints, the password of a user can be set using the `password` field.

@ -45,7 +45,7 @@ For example:
      password: this-should-be-a-long-value
 ```

-### `permissions` <span class="badge badge--version">authentik 2024.8+</span>
+### `permissions` <span class="badge badge--version">authentik 2024.8+</span>

 The `permissions` field can be used to set global permissions for a user. A full list of possible permissions is included in the JSON schema for blueprints.

@ -63,7 +63,7 @@ For example:

 ## `authentik_core.application`

-### `icon` <span class="badge badge--version">authentik 2023.5+</span>
+### `icon` <span class="badge badge--version">authentik 2023.5+</span>

 Application icons can be directly set to URLs with the `icon` field.

@ -81,7 +81,7 @@ For example:

 ## `authentik_sources_oauth.oauthsource`, `authentik_sources_saml.samlsource`, `authentik_sources_plex.plexsource`

-### `icon` <span class="badge badge--version">authentik 2023.5+</span>
+### `icon` <span class="badge badge--version">authentik 2023.5+</span>

 Source icons can be directly set to URLs with the `icon` field.

@ -99,7 +99,7 @@ For example:

 ## `authentik_flows.flow`

-### `icon` <span class="badge badge--version">authentik 2023.5+</span>
+### `icon` <span class="badge badge--version">authentik 2023.5+</span>

 Flow backgrounds can be directly set to URLs with the `background` field.

@ -119,7 +119,7 @@ For example:

 ## `authentik_rbac.role`

-### `permissions` <span class="badge badge--version">authentik 2024.8+</span>
+### `permissions` <span class="badge badge--version">authentik 2024.8+</span>

 The `permissions` field can be used to set global permissions for a role. A full list of possible permissions is included in the JSON schema for blueprints.

--- a/website/docs/expressions/_functions.md
+++ b/website/docs/expressions/_functions.md
@ -29,7 +29,7 @@ user = list_flatten(["foo"])
 # user = "foo"
 ```

-### `ak_call_policy(name: str, **kwargs) -> PolicyResult` <span class="badge badge--version">authentik 2021.12+</span>
+### `ak_call_policy(name: str, **kwargs) -> PolicyResult` <span class="badge badge--version">authentik 2021.12+</span>

 Call another policy with the name _name_. Current request is passed to policy. Key-word arguments
 can be used to modify the request's context.
@ -70,7 +70,7 @@ Example:
 other_user = ak_user_by(username="other_user")
 ```

-### `ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool` <span class="badge badge--version">authentik 2022.9+</span>
+### `ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool` <span class="badge badge--version">authentik 2022.9+</span>

 Check if a user has any authenticator devices. Only fully validated devices are counted.

@ -87,7 +87,7 @@ Example:
 return ak_user_has_authenticator(request.user)
 ```

-### `ak_create_event(action: str, **kwargs) -> None` <span class="badge badge--version">authentik 2022.9+</span>
+### `ak_create_event(action: str, **kwargs) -> None` <span class="badge badge--version">authentik 2022.9+</span>

 Create a new event with the action set to `action`. Any additional key-word parameters will be saved in the event context. Additionally, `context` will be set to the context in which this function is called.

@ -112,7 +112,7 @@ ip_address('192.0.2.1') in ip_network('192.0.2.0/24')
 # evaluates to True
 ```

-## DNS resolution and reverse DNS lookups <span class="badge badge--version">authentik 2023.3+</span>
+## DNS resolution and reverse DNS lookups <span class="badge badge--version">authentik 2023.3+</span>

 To resolve a hostname to a list of IP addresses, use the functions `resolve_dns(hostname)` and `resolve_dns(hostname, ip_version)`.

--- a/website/docs/install-config/automated-install.md
+++ b/website/docs/install-config/automated-install.md
@ -8,11 +8,11 @@ To install authentik automatically (skipping the Out-of-box experience), you can

 Configure the default password for the `akadmin` user. Only read on the first startup. Can be used for any flow executor.

-### `AUTHENTIK_BOOTSTRAP_TOKEN` <span class="badge badge--version">authentik 2021.8+</span>
+### `AUTHENTIK_BOOTSTRAP_TOKEN` <span class="badge badge--version">authentik 2021.8+</span>

 Create a token for the default `akadmin` user. Only read on the first startup. The string you specify for this variable is the token key you can use to authenticate yourself to the API.

-### `AUTHENTIK_BOOTSTRAP_EMAIL` <span class="badge badge--version">authentik 2023.3+</span>
+### `AUTHENTIK_BOOTSTRAP_EMAIL` <span class="badge badge--version">authentik 2023.3+</span>

 Set the email address for the default `akadmin` user.

--- a/website/docs/install-config/configuration/configuration.mdx
+++ b/website/docs/install-config/configuration/configuration.mdx
@ -299,47 +299,47 @@ Disable the inbuilt update-checker. Defaults to `false`.
    -   Kubeconfig
    -   Existence of a docker socket

-### `AUTHENTIK_LDAP__TASK_TIMEOUT_HOURS` <span class="badge badge--version">authentik 2023.1+</span>
+### `AUTHENTIK_LDAP__TASK_TIMEOUT_HOURS` <span class="badge badge--version">authentik 2023.1+</span>

 Timeout in hours for LDAP synchronization tasks.

 Defaults to `2`.

-### `AUTHENTIK_LDAP__PAGE_SIZE` <span class="badge badge--version">authentik 2023.6.1+</span>
+### `AUTHENTIK_LDAP__PAGE_SIZE` <span class="badge badge--version">authentik 2023.6.1+</span>

 Page size for LDAP synchronization. Controls the number of objects created in a single task.

 Defaults to `50`.

-### `AUTHENTIK_LDAP__TLS__CIPHERS` <span class="badge badge--version">authentik 2022.7+</span>
+### `AUTHENTIK_LDAP__TLS__CIPHERS` <span class="badge badge--version">authentik 2022.7+</span>

 Allows configuration of TLS Cliphers for LDAP connections used by LDAP sources. Setting applies to all sources.

 Defaults to `null`.

-### `AUTHENTIK_REPUTATION__EXPIRY` <span class="badge badge--version">authentik 2023.8.2+</span>
+### `AUTHENTIK_REPUTATION__EXPIRY` <span class="badge badge--version">authentik 2023.8.2+</span>

 Configure how long reputation scores should be saved for in seconds. Note that this is different than [`AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION`](#redis-settings), as reputation is saved to the database every 5 minutes.

 Defaults to `86400`.

-### `AUTHENTIK_SESSION_STORAGE` <span class="badge badge--version">authentik 2024.4+</span>
+### `AUTHENTIK_SESSION_STORAGE` <span class="badge badge--version">authentik 2024.4+</span>

 Configure if the sessions are stored in the cache or the database. Defaults to `cache`. Allowed values are `cache` and `db`. Note that changing this value will invalidate all previous sessions.

-### `AUTHENTIK_WEB__WORKERS` <span class="badge badge--version">authentik 2022.9+</span>
+### `AUTHENTIK_WEB__WORKERS` <span class="badge badge--version">authentik 2022.9+</span>

 Configure how many gunicorn worker processes should be started (see https://docs.gunicorn.org/en/stable/design.html).

 Defaults to 2. A value below 2 workers is not recommended. In environments where scaling with multiple replicas of the authentik server is not possible, this number can be increased to handle higher loads.

-### `AUTHENTIK_WEB__THREADS` <span class="badge badge--version">authentik 2022.9+</span>
+### `AUTHENTIK_WEB__THREADS` <span class="badge badge--version">authentik 2022.9+</span>

 Configure how many gunicorn threads a worker processes should have (see https://docs.gunicorn.org/en/stable/design.html).

 Defaults to 4.

-### `AUTHENTIK_WORKER__CONCURRENCY` <span class="badge badge--version">authentik 2023.9+</span>
+### `AUTHENTIK_WORKER__CONCURRENCY` <span class="badge badge--version">authentik 2023.9+</span>

 Configure Celery worker concurrency for authentik worker (see https://docs.celeryq.dev/en/latest/userguide/configuration.html#worker-concurrency). This essentially defines the number of worker processes spawned for a single worker.

--- a/website/docs/releases/2024/v2024.10.md
+++ b/website/docs/releases/2024/v2024.10.md
--- a/website/docs/users-sources/sources/protocols/kerberos/index.md
+++ b/website/docs/users-sources/sources/protocols/kerberos/index.md
@ -2,6 +2,11 @@
 title: Kerberos
 ---

+<span class="badge badge--preview">Preview</span>
+<span class="badge badge--version">authentik 2024.10+</span>
+
+---
+
 This source allows users to enroll themselves with an existing Kerberos identity.

 ## Preparation
--- a/website/docs/users-sources/sources/protocols/scim/index.md
+++ b/website/docs/users-sources/sources/protocols/scim/index.md
@ -2,9 +2,9 @@
 title: SCIM Source
 ---

-:::info
-This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues).
-:::
+<span class="badge badge--preview">Preview</span>
+
+---

 The SCIM source allows other applications to directly create users and groups within authentik. SCIM provides predefined schema for users and groups, with a RESTful API, to enable automatic user provisioning and deprovisioning, SCIM is supported by applications such as Microsoft Entra ID, Google Workspace, and Okta.

--- a/website/docs/users-sources/sources/social-logins/github/index.md
+++ b/website/docs/users-sources/sources/social-logins/github/index.md
@ -20,8 +20,8 @@ The following placeholders will be used:
 ![Register OAuth App](./githubdeveloper1.png)

 2. **Application Name:** Choose a name users will recognize ie: authentik
-3. **Homepage URL**:: www.my.company
-4. **Authorization callback URL**: https://authentik.company/source/oauth/callback/github
+3. **Homepage URL:** www.my.company
+4. **Authorization callback URL:**: https://authentik.company/source/oauth/callback/github
 5. Click **Register Application**

 Example screenshot
@ -35,8 +35,8 @@ Example screenshot

 8. Under _Directory -> Federation & Social login_ Click **Create Github OAuth Source**

-9. **Name**: Choose a name (For the example I use Github)
-10. **Slug**: github (If you choose a different slug the URLs will need to be updated to reflect the change)
+9. **Name:** Choose a name (For the example I use Github)
+10. **Slug:** github (If you choose a different slug the URLs will need to be updated to reflect the change)
 11. **Consumer Key:** Client ID from step 6
 12. **Consumer Secret:** Client Secret from step 7

--- a/website/sidebars.js
+++ b/website/sidebars.js
@ -2,13 +2,14 @@ import { generateVersionDropdown } from "./src/utils.js";
 import apiReference from "./docs/developer-docs/api/reference/sidebar";

 const releases = [
+    "releases/2024/v2024.10",
    "releases/2024/v2024.8",
    "releases/2024/v2024.6",
-    "releases/2024/v2024.4",
    {
        type: "category",
        label: "Previous versions",
        items: [
+            "releases/2024/v2024.4",
            "releases/2024/v2024.2",
            "releases/2023/v2023.10",
            "releases/2023/v2023.8",
--- a/website/src/css/custom.css
+++ b/website/src/css/custom.css
@ -125,3 +125,11 @@ body {
    font-size: 0.75rem;
    vertical-align: middle;
 }
+
+.badge--preview {
+    --ifm-badge-background-color: rgb(115, 188, 247);
+    color: var(--ifm-color-primary-contrast-foreground);
+    --ifm-badge-border-color: var(--ifm-badge-background-color);
+    font-size: 0.75rem;
+    vertical-align: middle;
+}
Author	SHA1	Message	Date
Simonyi Gergő	6ce33ab912	root: `bumpversion` 2024.10 (#11865 ) release: 2024.10.0	2024-10-30 22:45:48 +01:00
gcp-cherry-pick-bot[bot]	d96b577abd	web/admin: fix code-based MFA toggle not working in wizard (cherry-pick #11854 ) (#11855 ) web/admin: fix code-based MFA toggle not working in wizard (#11854) closes #11834 Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-10-29 20:19:54 +01:00
gcp-cherry-pick-bot[bot]	8c547589f6	sources/kerberos: add kiprop to ignored system principals (cherry-pick #11852 ) (#11853 ) sources/kerberos: add kiprop to ignored system principals (#11852) Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-10-29 17:31:32 +01:00
gcp-cherry-pick-bot[bot]	3775e5b84f	website: 2024.10 Release Notes (cherry-pick #11839 ) (#11840 ) website: 2024.10 Release Notes (#11839) * generate diffs and changelog * add 2024.10 release notes * reorder release note highlights * lint website * reorder release note new features * reword Kerberos * extend JWE description --------- Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com> Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-10-28 17:27:59 +01:00
gcp-cherry-pick-bot[bot]	fa30339f65	website/docs: remove � (cherry-pick #11823 ) (#11835 ) website/docs: remove � (#11823) remove Signed-off-by: Tobias <5702338+T0biii@users.noreply.github.com> Co-authored-by: Tobias <5702338+T0biii@users.noreply.github.com>	2024-10-28 13:21:02 +01:00
gcp-cherry-pick-bot[bot]	e825eda106	website/docs: Update social-logins github (cherry-pick #11822 ) (#11836 ) website/docs: Update social-logins github (#11822) Update index.md Signed-off-by: Tobias <5702338+T0biii@users.noreply.github.com> Co-authored-by: Tobias <5702338+T0biii@users.noreply.github.com>	2024-10-28 13:20:38 +01:00
gcp-cherry-pick-bot[bot]	246cae3dfa	lifecycle: fix kdc5-config missing (cherry-pick #11826 ) (#11829 ) lifecycle: fix kdc5-config missing (#11826) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-10-28 01:15:50 +01:00
gcp-cherry-pick-bot[bot]	6cfd2bd1af	website/docs: update preview status of different features (cherry-pick #11817 ) (#11818 ) website/docs: update preview status of different features (#11817) * remove preview from RAC * add preview page instead of info box * remove preview from rbac * add preview to gdtc * add preview to kerberos source --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-10-25 21:42:45 +02:00
gcp-cherry-pick-bot[bot]	f0e4f93fe6	lifecycle: fix missing krb5 deps for full testing in image (cherry-pick #11815 ) (#11816 ) lifecycle: fix missing krb5 deps for full testing in image (#11815) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@goauthentik.io>	2024-10-25 18:46:55 +02:00
Simonyi Gergő	434aa57ba7	release: 2024.10.0-rc1	2024-10-25 17:26:39 +02:00