# Table of Contents - [Search the documentation | authentik](#search-the-documentation-authentik) - [One doc tagged with "backchannel" | authentik](#one-doc-tagged-with-backchannel-authentik) - [One doc tagged with "apple" | authentik](#one-doc-tagged-with-apple-authentik) - [One doc tagged with "backend" | authentik](#one-doc-tagged-with-backend-authentik) - [2 docs tagged with "contributor" | authentik](#2-docs-tagged-with-contributor-authentik) - [Tags | authentik](#tags-authentik) - [3 docs tagged with "azure" | authentik](#3-docs-tagged-with-azure-authentik) - [One doc tagged with "discord" | authentik](#one-doc-tagged-with-discord-authentik) - [2 docs tagged with "docker" | authentik](#2-docs-tagged-with-docker-authentik) - [3 docs tagged with "entra" | authentik](#3-docs-tagged-with-entra-authentik) - [2 docs tagged with "development" | authentik](#2-docs-tagged-with-development-authentik) - [One doc tagged with "enterprise" | authentik](#one-doc-tagged-with-enterprise-authentik) - [2 docs tagged with "frontend" | authentik](#2-docs-tagged-with-frontend-authentik) - [One doc tagged with "facebook" | authentik](#one-doc-tagged-with-facebook-authentik) - [2 docs tagged with "google cloud" | authentik](#2-docs-tagged-with-google-cloud-authentik) - [One doc tagged with "github" | authentik](#one-doc-tagged-with-github-authentik) - [2 docs tagged with "google workspace" | authentik](#2-docs-tagged-with-google-workspace-authentik) - [3 docs tagged with "google" | authentik](#3-docs-tagged-with-google-authentik) - [One doc tagged with "mailcow" | authentik](#one-doc-tagged-with-mailcow-authentik) - [One doc tagged with "meta" | authentik](#one-doc-tagged-with-meta-authentik) - [4 docs tagged with "oauth" | authentik](#4-docs-tagged-with-oauth-authentik) - [One doc tagged with "oidc" | authentik](#one-doc-tagged-with-oidc-authentik) - [One doc tagged with "plex" | authentik](#one-doc-tagged-with-plex-authentik) - [One doc tagged with "password" | authentik](#one-doc-tagged-with-password-authentik) - [One doc tagged with "policy" | authentik](#one-doc-tagged-with-policy-authentik) - [3 docs tagged with "saml" | authentik](#3-docs-tagged-with-saml-authentik) - [One doc tagged with "provider" | authentik](#one-doc-tagged-with-provider-authentik) - [2 docs tagged with "scim" | authentik](#2-docs-tagged-with-scim-authentik) - [One doc tagged with "security" | authentik](#one-doc-tagged-with-security-authentik) - [One doc tagged with "twitch" | authentik](#one-doc-tagged-with-twitch-authentik) - [One doc tagged with "twitter" | authentik](#one-doc-tagged-with-twitter-authentik) - [14 docs tagged with "source" | authentik](#14-docs-tagged-with-source-authentik) - [One doc tagged with "x" | authentik](#one-doc-tagged-with-x-authentik) - [Manage applications | authentik](#manage-applications-authentik) - [Applications | authentik](#applications-authentik) - [Bindings | authentik](#bindings-authentik) - [Flows | authentik](#flows-authentik) - [Work with bindings | authentik](#work-with-bindings-authentik) - [Example policy snippets for flows | authentik](#example-policy-snippets-for-flows-authentik) - [Default flows | authentik](#default-flows-authentik) - [Headless | authentik](#headless-authentik) - [Flow Context | authentik](#flow-context-authentik) - [Example flows | authentik](#example-flows-authentik) - [Default | authentik](#default-authentik) - [Flow Inspector | authentik](#flow-inspector-authentik) - [User settings | authentik](#user-settings-authentik) - [Simplified flow executor | authentik](#simplified-flow-executor-authentik) - [Stages | authentik](#stages-authentik) - [Email Authenticator Setup stage | authentik](#email-authenticator-setup-stage-authentik) - [Duo Authenticator Setup stage | authentik](#duo-authenticator-setup-stage-authentik) - [Google Chrome Device Trust Authenticator Stage | authentik](#google-chrome-device-trust-authenticator-stage-authentik) - [Static Authenticator Setup stage | authentik](#static-authenticator-setup-stage-authentik) - [TOTP Authenticator Setup stage | authentik](#totp-authenticator-setup-stage-authentik) - [SMS Authenticator Setup stage | authentik](#sms-authenticator-setup-stage-authentik) - [Authenticator Validation stage | authentik](#authenticator-validation-stage-authentik) - [WebAuthn / FIDO2 / Passkeys Authenticator setup stage | authentik](#webauthn-fido2-passkeys-authenticator-setup-stage-authentik) - [Deny stage | authentik](#deny-stage-authentik) - [Captcha stage | authentik](#captcha-stage-authentik) - [Identification stage | authentik](#identification-stage-authentik) - [Kubernetes | authentik](#kubernetes-authentik) - [Invitation stage | authentik](#invitation-stage-authentik) - [Email stage | authentik](#email-stage-authentik) - [Docker | authentik](#docker-authentik) - [Mutual TLS stage | authentik](#mutual-tls-stage-authentik) - [Upgrading an Outpost | authentik](#upgrading-an-outpost-authentik) - [Embedded Outpost | authentik](#embedded-outpost-authentik) - [Redirect stage | authentik](#redirect-stage-authentik) - [Manual Outpost deployment in Docker Compose | authentik](#manual-outpost-deployment-in-docker-compose-authentik) - [Password stage | authentik](#password-stage-authentik) - [Prompt stage | authentik](#prompt-stage-authentik) - [Outposts | authentik](#outposts-authentik) - [Manual Outpost deployment on Kubernetes | authentik](#manual-outpost-deployment-on-kubernetes-authentik) - [User Delete stage | authentik](#user-delete-stage-authentik) - [Source stage | authentik](#source-stage-authentik) - [User Write stage | authentik](#user-write-stage-authentik) - [User Login stage | authentik](#user-login-stage-authentik) - [User Logout stage | authentik](#user-logout-stage-authentik) - [Microsoft Entra ID provider | authentik](#microsoft-entra-id-provider-authentik) - [Configure Entra ID | authentik](#configure-entra-id-authentik) - [Create an Entra ID provider | authentik](#create-an-entra-id-provider-authentik) - [Create a Google Workspace provider | authentik](#create-a-google-workspace-provider-authentik) - [Configure Google Workspace | authentik](#configure-google-workspace-authentik) - [Create an OAuth2 provider | authentik](#create-an-oauth2-provider-authentik) - [Google Workspace provider | authentik](#google-workspace-provider-authentik) - [Create an LDAP provider | authentik](#create-an-ldap-provider-authentik) - [Provider property mappings | authentik](#provider-property-mappings-authentik) - [LDAP Provider | authentik](#ldap-provider-authentik) - [OAuth 2.0 provider | authentik](#oauth-2-0-provider-authentik) - [Device code flow | authentik](#device-code-flow-authentik) - [OAuth2/OpenID Connect front-channel and back-channel logout | authentik](#oauth2-openid-connect-front-channel-and-back-channel-logout-authentik) - [GitHub compatibility | authentik](#github-compatibility-authentik) - [Custom headers | authentik](#custom-headers-authentik) - [Machine-to-Machine (M2M) authentication | authentik](#machine-to-machine-m2m-authentication-authentik) - [WebFinger support | authentik](#webfinger-support-authentik) - [Proxy Provider | authentik](#proxy-provider-authentik) - [Header authentication | authentik](#header-authentication-authentik) - [Forward auth | authentik](#forward-auth-authentik) - [Architecture | authentik](#architecture-authentik) - [Markdown template: conceptual | authentik](#markdown-template-conceptual-authentik) - [Caddy | authentik](#caddy-authentik) - [Branding | authentik](#branding-authentik) - [Customize your instance | authentik](#customize-your-instance-authentik) - [Traefik | authentik](#traefik-authentik) - [Create a SAML provider | authentik](#create-a-saml-provider-authentik) - [Markdown template: combo | authentik](#markdown-template-combo-authentik) - [Expressions | authentik](#expressions-authentik) - [Brands | authentik](#brands-authentik) - [Markdown template: procedural | authentik](#markdown-template-procedural-authentik) - [RAC Credentials Prompt | authentik](#rac-credentials-prompt-authentik) - [Envoy | authentik](#envoy-authentik) - [Markdown template: reference | authentik](#markdown-template-reference-authentik) - [RADIUS Provider | authentik](#radius-provider-authentik) - [Export configurations to blueprints | authentik](#export-configurations-to-blueprints-authentik) - [RAC SSH Public Key Authentication | authentik](#rac-ssh-public-key-authentication-authentik) - [Shared Signals Framework (SSF) Provider | authentik](#shared-signals-framework-ssf-provider-authentik) - [Create a Remote Access Control (RAC) provider | authentik](#create-a-remote-access-control-rac-provider-authentik) - [Blueprints | authentik](#blueprints-authentik) - [Customize the Admin interface | authentik](#customize-the-admin-interface-authentik) - [Hackathon 2023 | authentik](#hackathon-2023-authentik) - [Single Logout (SLO) | authentik](#single-logout-slo-authentik) - [SCIM Provider | authentik](#scim-provider-authentik) - [Configure an SSF provider | authentik](#configure-an-ssf-provider-authentik) - [SAML Provider | authentik](#saml-provider-authentik) - [Working with blueprints | authentik](#working-with-blueprints-authentik) - [Meta models | authentik](#meta-models-authentik) - [File structure | authentik](#file-structure-authentik) - [nginx | authentik](#nginx-authentik) - [SAML Single Logout | authentik](#saml-single-logout-authentik) - [Background tasks | authentik](#background-tasks-authentik) - [Example | authentik](#example-authentik) - [Customize a flow | authentik](#customize-a-flow-authentik) - [Policies | authentik](#policies-authentik) - [Customize the User interface | authentik](#customize-the-user-interface-authentik) - [Models | authentik](#models-authentik) - [Remote Access Control (RAC) Provider | authentik](#remote-access-control-rac-provider-authentik) - [Developer Documentation | authentik](#developer-documentation-authentik) - [Ensure unique email addresses | authentik](#ensure-unique-email-addresses-authentik) - [Managing flow context keys | authentik](#managing-flow-context-keys-authentik) - [Switch which source is used based on email address | authentik](#switch-which-source-is-used-based-on-email-address-authentik) - [Whitelist email domains | authentik](#whitelist-email-domains-authentik) - [Password Uniqueness Policy | authentik](#password-uniqueness-policy-authentik) - [Working with policies | authentik](#working-with-policies-authentik) - [YAML Tags | authentik](#yaml-tags-authentik) - [Templates | authentik](#templates-authentik) - [Contributing to authentik | authentik](#contributing-to-authentik-authentik) - [Combination topic (most common) | authentik](#combination-topic-most-common-authentik) - [Conceptual topic | authentik](#conceptual-topic-authentik) - [Welcome to authentik Enterprise | authentik](#welcome-to-authentik-enterprise-authentik) - [Support | authentik](#support-authentik) - [Development environment | authentik](#development-environment-authentik) - [Translations | authentik](#translations-authentik) - [Procedural topic | authentik](#procedural-topic-authentik) - [Reference topic | authentik](#reference-topic-authentik) - [Releasing authentik | authentik](#releasing-authentik-authentik) - [Expression Policies | authentik](#expression-policies-authentik) - [Get started | authentik](#get-started-authentik) - [Installation and Configuration | authentik](#installation-and-configuration-authentik) - [Debugging authentik | authentik](#debugging-authentik-authentik) - [Style Guide | authentik](#style-guide-authentik) - [Manage your Enterprise account | authentik](#manage-your-enterprise-account-authentik) - [Frontend development environment | authentik](#frontend-development-environment-authentik) - [Writing documentation | authentik](#writing-documentation-authentik) - [Air-gapped environments | authentik](#air-gapped-environments-authentik) - [Automated install | authentik](#automated-install-authentik) - [Releases | authentik](#releases-authentik) - [AWS installation | authentik](#aws-installation-authentik) - [Reverse-proxy | authentik](#reverse-proxy-authentik) - [Beta and release candidate versions | authentik](#beta-and-release-candidate-versions-authentik) - [High availability | authentik](#high-availability-authentik) - [Full development environment | authentik](#full-development-environment-authentik) - [Kubernetes installation | authentik](#kubernetes-installation-authentik) - [Email | authentik](#email-authentik) - [Docker Compose installation | authentik](#docker-compose-installation-authentik) - [Upgrade authentik | authentik](#upgrade-authentik-authentik) - [Configuration | authentik](#configuration-authentik) - [Providers | authentik](#providers-authentik) - [Security | authentik](#security-authentik) - [2023-06 Cure53 Code audit | authentik](#2023-06-cure53-code-audit-authentik) - [CVE-2022-46145 | authentik](#cve-2022-46145-authentik) - [CVE-2022-23555 | authentik](#cve-2022-23555-authentik) - [2024-11 Cobalt pentest | authentik](#2024-11-cobalt-pentest-authentik) - [CVE-2023-36456 | authentik](#cve-2023-36456-authentik) - [CVE-2022-46172 | authentik](#cve-2022-46172-authentik) - [Release 2025.6 | authentik](#release-2025-6-authentik) - [CVE-2023-26481 | authentik](#cve-2023-26481-authentik) - [CVE-2023-39522 | authentik](#cve-2023-39522-authentik) - [CVE-2023-48228 | authentik](#cve-2023-48228-authentik) - [CVE-2025-52553 | authentik](#cve-2025-52553-authentik) - [CVE-2025-29928 | authentik](#cve-2025-29928-authentik) - [Release 0.11 | authentik](#release-0-11-authentik) - [CVE-2024-21637 | authentik](#cve-2024-21637-authentik) - [CVE-2024-23647 | authentik](#cve-2024-23647-authentik) - [CVE-2025-53942 | authentik](#cve-2025-53942-authentik) - [CVE-2024-42490 | authentik](#cve-2024-42490-authentik) - [CVE-2024-37905 | authentik](#cve-2024-37905-authentik) - [Release 2025.10 | authentik](#release-2025-10-authentik) - [CVE-2024-47070 | authentik](#cve-2024-47070-authentik) - [CVE-2024-38371 | authentik](#cve-2024-38371-authentik) - [CVE-2025-64708 | authentik](#cve-2025-64708-authentik) - [CVE-2025-64521 | authentik](#cve-2025-64521-authentik) - [GHSA-rjvp-29xq-f62w | authentik](#ghsa-rjvp-29xq-f62w-authentik) - [Release 0.12 | authentik](#release-0-12-authentik) - [Release 0.13 (passbook -> authentik) | authentik](#release-0-13-passbook-authentik-authentik) - [Release 0.14 | authentik](#release-0-14-authentik) - [Release 0.10 | authentik](#release-0-10-authentik) - [Release 0.9 | authentik](#release-0-9-authentik) - [CVE-2024-52287 | authentik](#cve-2024-52287-authentik) - [CVE-2024-52289 | authentik](#cve-2024-52289-authentik) - [CVE-2024-47077 | authentik](#cve-2024-47077-authentik) - [CVE-2024-52307 | authentik](#cve-2024-52307-authentik) - [Release 2021.3 | authentik](#release-2021-3-authentik) - [Release 2021.2 | authentik](#release-2021-2-authentik) - [Release 2021.1 | authentik](#release-2021-1-authentik) - [Release 2021.7 | authentik](#release-2021-7-authentik) - [Release 2021.10 | authentik](#release-2021-10-authentik) - [Release 2021.5 | authentik](#release-2021-5-authentik) - [Release 2021.4 | authentik](#release-2021-4-authentik) - [Release 2021.6 | authentik](#release-2021-6-authentik) - [Release 2021.12 | authentik](#release-2021-12-authentik) - [Release 2021.8 | authentik](#release-2021-8-authentik) - [Release 2022.1 | authentik](#release-2022-1-authentik) - [Release 2022.4 | authentik](#release-2022-4-authentik) - [Release 2022.6 | authentik](#release-2022-6-authentik) - [Release 2022.2 | authentik](#release-2022-2-authentik) - [Release 2021.9 | authentik](#release-2021-9-authentik) - [Release 2022.3 | authentik](#release-2022-3-authentik) - [Release 2022.9 | authentik](#release-2022-9-authentik) - [Release 2022.7 | authentik](#release-2022-7-authentik) - [Release 2022.8 | authentik](#release-2022-8-authentik) - [Release 2022.5 | authentik](#release-2022-5-authentik) - [Terminology | authentik](#terminology-authentik) - [Upgrading PostgreSQL on Kubernetes | authentik](#upgrading-postgresql-on-kubernetes-authentik) - [About users | authentik](#about-users-authentik) - [About access control | authentik](#about-access-control-authentik) - [Troubleshooting | authentik](#troubleshooting-authentik) - [Upgrade PostgreSQL on Docker Compose | authentik](#upgrade-postgresql-on-docker-compose-authentik) - [Initial permissions | authentik](#initial-permissions-authentik) - [Worker | authentik](#worker-authentik) - [Active Directory | authentik](#active-directory-authentik) - [Source property mappings | authentik](#source-property-mappings-authentik) - [Certificates | authentik](#certificates-authentik) - [Notification rules | authentik](#notification-rules-authentik) - [Sources | authentik](#sources-authentik) - [Manage users | authentik](#manage-users-authentik) - [Forward auth troubleshooting | authentik](#forward-auth-troubleshooting-authentik) - [About groups | authentik](#about-groups-authentik) - [About roles | authentik](#about-roles-authentik) - [User properties and attributes | authentik](#user-properties-and-attributes-authentik) - [About permissions | authentik](#about-permissions-authentik) - [I can't access an application | authentik](#i-can-t-access-an-application-authentik) --- # Search the documentation | authentik [Skip to main content](https://docs.goauthentik.io/search/#__docusaurus_skipToContent_fallback) Search the documentation ======================== [](https://www.algolia.com/) --- # One doc tagged with "backchannel" | authentik [Skip to main content](https://docs.goauthentik.io/tags/backchannel/#__docusaurus_skipToContent_fallback) [Configure an SSF provider\ -------------------------](https://docs.goauthentik.io/add-secure-apps/providers/ssf/create-ssf-provider/) The workflow to implement an SSF provider as a backchannel provider for an application/provider pair is as follows: --- # One doc tagged with "apple" | authentik [Skip to main content](https://docs.goauthentik.io/tags/apple/#__docusaurus_skipToContent_fallback) [Apple\ -----](https://docs.goauthentik.io/users-sources/sources/social-logins/apple/) Allows users to authenticate using their Apple ID credentials by configuring Apple as a federated identity provider via OAuth2. --- # One doc tagged with "backend" | authentik [Skip to main content](https://docs.goauthentik.io/tags/backend/#__docusaurus_skipToContent_fallback) [Full development environment\ ----------------------------](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/) Prerequisites --- # 2 docs tagged with "contributor" | authentik [Skip to main content](https://docs.goauthentik.io/tags/contributor/#__docusaurus_skipToContent_fallback) [Frontend development environment\ --------------------------------](https://docs.goauthentik.io/developer-docs/setup/frontend-dev-environment/) If you're focusing solely on frontend development, you can create a minimal development environment using Docker and Node.js. This setup allows you to make and preview changes to the frontend in real-time, without needing to interact with the backend. [Full development environment\ ----------------------------](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/) Prerequisites --- # Tags | authentik [Skip to main content](https://docs.goauthentik.io/tags/#__docusaurus_skipToContent_fallback) Tags ==== A[​](https://docs.goauthentik.io/tags/#A "Direct link to A") ------------------------------------------------------------- * [apple1](https://docs.goauthentik.io/tags/apple/) * [azure3](https://docs.goauthentik.io/tags/azure/) * * * B[​](https://docs.goauthentik.io/tags/#B "Direct link to B") ------------------------------------------------------------- * [backchannel1](https://docs.goauthentik.io/tags/backchannel/) * [backend1](https://docs.goauthentik.io/tags/backend/) * * * C[​](https://docs.goauthentik.io/tags/#C "Direct link to C") ------------------------------------------------------------- * [contributor2](https://docs.goauthentik.io/tags/contributor/) * * * D[​](https://docs.goauthentik.io/tags/#D "Direct link to D") ------------------------------------------------------------- * [development2](https://docs.goauthentik.io/tags/development/) * [discord1](https://docs.goauthentik.io/tags/discord/) * [docker2](https://docs.goauthentik.io/tags/docker/) * * * E[​](https://docs.goauthentik.io/tags/#E "Direct link to E") ------------------------------------------------------------- * [enterprise1](https://docs.goauthentik.io/tags/enterprise/) * [entra3](https://docs.goauthentik.io/tags/entra/) * * * F[​](https://docs.goauthentik.io/tags/#F "Direct link to F") ------------------------------------------------------------- * [facebook1](https://docs.goauthentik.io/tags/facebook/) * [frontend2](https://docs.goauthentik.io/tags/frontend/) * * * G[​](https://docs.goauthentik.io/tags/#G "Direct link to G") ------------------------------------------------------------- * [github1](https://docs.goauthentik.io/tags/github/) * [google3](https://docs.goauthentik.io/tags/google/) * [google cloud2](https://docs.goauthentik.io/tags/google-cloud/) * [google workspace2](https://docs.goauthentik.io/tags/google-workspace/) * * * M[​](https://docs.goauthentik.io/tags/#M "Direct link to M") ------------------------------------------------------------- * [mailcow1](https://docs.goauthentik.io/tags/mailcow/) * [meta1](https://docs.goauthentik.io/tags/meta/) * * * O[​](https://docs.goauthentik.io/tags/#O "Direct link to O") ------------------------------------------------------------- * [oauth4](https://docs.goauthentik.io/tags/oauth/) * [oidc1](https://docs.goauthentik.io/tags/oidc/) * * * P[​](https://docs.goauthentik.io/tags/#P "Direct link to P") ------------------------------------------------------------- * [password1](https://docs.goauthentik.io/tags/password/) * [plex1](https://docs.goauthentik.io/tags/plex/) * [policy1](https://docs.goauthentik.io/tags/policy/) * [provider1](https://docs.goauthentik.io/tags/provider/) * * * S[​](https://docs.goauthentik.io/tags/#S "Direct link to S") ------------------------------------------------------------- * [saml3](https://docs.goauthentik.io/tags/saml/) * [scim2](https://docs.goauthentik.io/tags/scim/) * [security1](https://docs.goauthentik.io/tags/security/) * [source14](https://docs.goauthentik.io/tags/source/) * * * T[​](https://docs.goauthentik.io/tags/#T "Direct link to T") ------------------------------------------------------------- * [twitch1](https://docs.goauthentik.io/tags/twitch/) * [twitter1](https://docs.goauthentik.io/tags/twitter/) * * * X[​](https://docs.goauthentik.io/tags/#X "Direct link to X") ------------------------------------------------------------- * [x1](https://docs.goauthentik.io/tags/x/) * * * --- # 3 docs tagged with "azure" | authentik [Skip to main content](https://docs.goauthentik.io/tags/azure/#__docusaurus_skipToContent_fallback) [Entra ID\ --------](https://docs.goauthentik.io/users-sources/sources/social-logins/entra-id/) There are several ways that Entra ID can be integrated with authentik to allow for user and group provisioning and authentication with Entra ID user credentials. [Entra ID OAuth authentication\ -----------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/entra-id/oauth/) Authenticating to authentik with Entra ID credentials via the OAuth 2.0 protocol [Entra ID SCIM user and group provisioning\ -----------------------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/entra-id/scim/) Provisioning users and groups from Entra ID to authentik via SCIM protocol --- # One doc tagged with "discord" | authentik [Skip to main content](https://docs.goauthentik.io/tags/discord/#__docusaurus_skipToContent_fallback) [Discord\ -------](https://docs.goauthentik.io/users-sources/sources/social-logins/discord/) Allows users to authenticate using their Discord credentials by configuring Discord as a federated identity provider via OAuth2. --- # 2 docs tagged with "docker" | authentik [Skip to main content](https://docs.goauthentik.io/tags/docker/#__docusaurus_skipToContent_fallback) [Frontend development environment\ --------------------------------](https://docs.goauthentik.io/developer-docs/setup/frontend-dev-environment/) If you're focusing solely on frontend development, you can create a minimal development environment using Docker and Node.js. This setup allows you to make and preview changes to the frontend in real-time, without needing to interact with the backend. [Full development environment\ ----------------------------](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/) Prerequisites --- # 3 docs tagged with "entra" | authentik [Skip to main content](https://docs.goauthentik.io/tags/entra/#__docusaurus_skipToContent_fallback) [Entra ID\ --------](https://docs.goauthentik.io/users-sources/sources/social-logins/entra-id/) There are several ways that Entra ID can be integrated with authentik to allow for user and group provisioning and authentication with Entra ID user credentials. [Entra ID OAuth authentication\ -----------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/entra-id/oauth/) Authenticating to authentik with Entra ID credentials via the OAuth 2.0 protocol [Entra ID SCIM user and group provisioning\ -----------------------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/entra-id/scim/) Provisioning users and groups from Entra ID to authentik via SCIM protocol --- # 2 docs tagged with "development" | authentik [Skip to main content](https://docs.goauthentik.io/tags/development/#__docusaurus_skipToContent_fallback) [Frontend development environment\ --------------------------------](https://docs.goauthentik.io/developer-docs/setup/frontend-dev-environment/) If you're focusing solely on frontend development, you can create a minimal development environment using Docker and Node.js. This setup allows you to make and preview changes to the frontend in real-time, without needing to interact with the backend. [Full development environment\ ----------------------------](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/) Prerequisites --- # One doc tagged with "enterprise" | authentik [Skip to main content](https://docs.goauthentik.io/tags/enterprise/#__docusaurus_skipToContent_fallback) [Password Uniqueness Policy\ --------------------------](https://docs.goauthentik.io/customize/policies/unique_password/) The Password Uniqueness policy prevents users from reusing their previous passwords when setting a new password. To use this feature, you will need to create a Password Uniqueness policy, using the instructions below. --- # 2 docs tagged with "frontend" | authentik [Skip to main content](https://docs.goauthentik.io/tags/frontend/#__docusaurus_skipToContent_fallback) [Frontend development environment\ --------------------------------](https://docs.goauthentik.io/developer-docs/setup/frontend-dev-environment/) If you're focusing solely on frontend development, you can create a minimal development environment using Docker and Node.js. This setup allows you to make and preview changes to the frontend in real-time, without needing to interact with the backend. [Full development environment\ ----------------------------](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/) Prerequisites --- # One doc tagged with "facebook" | authentik [Skip to main content](https://docs.goauthentik.io/tags/facebook/#__docusaurus_skipToContent_fallback) [Facebook\ --------](https://docs.goauthentik.io/users-sources/sources/social-logins/facebook/) Allows users to authenticate using their Facebook credentials by configuring Facebook as a federated identity provider via OAuth2. --- # 2 docs tagged with "google cloud" | authentik [Skip to main content](https://docs.goauthentik.io/tags/google-cloud/#__docusaurus_skipToContent_fallback) [Google Cloud (with OAuth)\ -------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/google/cloud/) Allows users to authenticate using their Google credentials by configuring Google Cloud as a federated identity provider via OAuth2. [Google Identity Providers\ -------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/google/) There are several ways that Google services can be integrated with authentik to allow for authentication with Google user credentials. --- # One doc tagged with "github" | authentik [Skip to main content](https://docs.goauthentik.io/tags/github/#__docusaurus_skipToContent_fallback) [Github\ ------](https://docs.goauthentik.io/users-sources/sources/social-logins/github/) Allows users to authenticate using their Github credentials by configuring GitHub as a federated identity provider via OAuth2. --- # 2 docs tagged with "google workspace" | authentik [Skip to main content](https://docs.goauthentik.io/tags/google-workspace/#__docusaurus_skipToContent_fallback) [Google Identity Providers\ -------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/google/) There are several ways that Google services can be integrated with authentik to allow for authentication with Google user credentials. [Google Workspace (with SAML)\ ----------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/google/workspace/) Allows users to authenticate using their Google Workspace credentials by configuring Google Workspace as a federated identity provider via SAML. --- # 3 docs tagged with "google" | authentik [Skip to main content](https://docs.goauthentik.io/tags/google/#__docusaurus_skipToContent_fallback) [Google Cloud (with OAuth)\ -------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/google/cloud/) Allows users to authenticate using their Google credentials by configuring Google Cloud as a federated identity provider via OAuth2. [Google Identity Providers\ -------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/google/) There are several ways that Google services can be integrated with authentik to allow for authentication with Google user credentials. [Google Workspace (with SAML)\ ----------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/google/workspace/) Allows users to authenticate using their Google Workspace credentials by configuring Google Workspace as a federated identity provider via SAML. --- # One doc tagged with "mailcow" | authentik [Skip to main content](https://docs.goauthentik.io/tags/mailcow/#__docusaurus_skipToContent_fallback) [Mailcow\ -------](https://docs.goauthentik.io/users-sources/sources/social-logins/mailcow/) Allows users to authenticate using their Mailcow credentials by configuring Mailcow as a federated identity provider via OAuth2. --- # One doc tagged with "meta" | authentik [Skip to main content](https://docs.goauthentik.io/tags/meta/#__docusaurus_skipToContent_fallback) [Facebook\ --------](https://docs.goauthentik.io/users-sources/sources/social-logins/facebook/) Allows users to authenticate using their Facebook credentials by configuring Facebook as a federated identity provider via OAuth2. --- # 4 docs tagged with "oauth" | authentik [Skip to main content](https://docs.goauthentik.io/tags/oauth/#__docusaurus_skipToContent_fallback) [Entra ID\ --------](https://docs.goauthentik.io/users-sources/sources/social-logins/entra-id/) There are several ways that Entra ID can be integrated with authentik to allow for user and group provisioning and authentication with Entra ID user credentials. [Entra ID OAuth authentication\ -----------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/entra-id/oauth/) Authenticating to authentik with Entra ID credentials via the OAuth 2.0 protocol [Federated Identity Providers\ ----------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/) Configuring authentik with a federated identity provider allows users to authenticate with their existing credentials, such as social logins or enterprise identity providers. [Google Cloud (with OAuth)\ -------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/google/cloud/) Allows users to authenticate using their Google credentials by configuring Google Cloud as a federated identity provider via OAuth2. --- # One doc tagged with "oidc" | authentik [Skip to main content](https://docs.goauthentik.io/tags/oidc/#__docusaurus_skipToContent_fallback) [Google Identity Providers\ -------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/google/) There are several ways that Google services can be integrated with authentik to allow for authentication with Google user credentials. --- # One doc tagged with "plex" | authentik [Skip to main content](https://docs.goauthentik.io/tags/plex/#__docusaurus_skipToContent_fallback) [Plex\ ----](https://docs.goauthentik.io/users-sources/sources/social-logins/plex/) Allows users to authenticate using their Plex credentials by configuring Plex as a federated identity provider via OAuth2. --- # One doc tagged with "password" | authentik [Skip to main content](https://docs.goauthentik.io/tags/password/#__docusaurus_skipToContent_fallback) [Password Uniqueness Policy\ --------------------------](https://docs.goauthentik.io/customize/policies/unique_password/) The Password Uniqueness policy prevents users from reusing their previous passwords when setting a new password. To use this feature, you will need to create a Password Uniqueness policy, using the instructions below. --- # One doc tagged with "policy" | authentik [Skip to main content](https://docs.goauthentik.io/tags/policy/#__docusaurus_skipToContent_fallback) [Password Uniqueness Policy\ --------------------------](https://docs.goauthentik.io/customize/policies/unique_password/) The Password Uniqueness policy prevents users from reusing their previous passwords when setting a new password. To use this feature, you will need to create a Password Uniqueness policy, using the instructions below. --- # 3 docs tagged with "saml" | authentik [Skip to main content](https://docs.goauthentik.io/tags/saml/#__docusaurus_skipToContent_fallback) [Federated Identity Providers\ ----------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/) Configuring authentik with a federated identity provider allows users to authenticate with their existing credentials, such as social logins or enterprise identity providers. [Google Identity Providers\ -------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/google/) There are several ways that Google services can be integrated with authentik to allow for authentication with Google user credentials. [Google Workspace (with SAML)\ ----------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/google/workspace/) Allows users to authenticate using their Google Workspace credentials by configuring Google Workspace as a federated identity provider via SAML. --- # One doc tagged with "provider" | authentik [Skip to main content](https://docs.goauthentik.io/tags/provider/#__docusaurus_skipToContent_fallback) [Configure an SSF provider\ -------------------------](https://docs.goauthentik.io/add-secure-apps/providers/ssf/create-ssf-provider/) The workflow to implement an SSF provider as a backchannel provider for an application/provider pair is as follows: --- # 2 docs tagged with "scim" | authentik [Skip to main content](https://docs.goauthentik.io/tags/scim/#__docusaurus_skipToContent_fallback) [Entra ID\ --------](https://docs.goauthentik.io/users-sources/sources/social-logins/entra-id/) There are several ways that Entra ID can be integrated with authentik to allow for user and group provisioning and authentication with Entra ID user credentials. [Entra ID SCIM user and group provisioning\ -----------------------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/entra-id/scim/) Provisioning users and groups from Entra ID to authentik via SCIM protocol --- # One doc tagged with "security" | authentik [Skip to main content](https://docs.goauthentik.io/tags/security/#__docusaurus_skipToContent_fallback) [Password Uniqueness Policy\ --------------------------](https://docs.goauthentik.io/customize/policies/unique_password/) The Password Uniqueness policy prevents users from reusing their previous passwords when setting a new password. To use this feature, you will need to create a Password Uniqueness policy, using the instructions below. --- # One doc tagged with "twitch" | authentik [Skip to main content](https://docs.goauthentik.io/tags/twitch/#__docusaurus_skipToContent_fallback) [Twitch\ ------](https://docs.goauthentik.io/users-sources/sources/social-logins/twitch/) Allows users to authenticate using their Twitch credentials by configuring Twitch as a federated identity provider via OAuth2. --- # One doc tagged with "twitter" | authentik [Skip to main content](https://docs.goauthentik.io/tags/twitter/#__docusaurus_skipToContent_fallback) [X (Twitter)\ -----------](https://docs.goauthentik.io/users-sources/sources/social-logins/twitter/) Allows users to authenticate using their X credentials by configuring X as a federated identity provider via OAuth2. --- # 14 docs tagged with "source" | authentik [Skip to main content](https://docs.goauthentik.io/tags/source/#__docusaurus_skipToContent_fallback) [Apple\ -----](https://docs.goauthentik.io/users-sources/sources/social-logins/apple/) Allows users to authenticate using their Apple ID credentials by configuring Apple as a federated identity provider via OAuth2. [Discord\ -------](https://docs.goauthentik.io/users-sources/sources/social-logins/discord/) Allows users to authenticate using their Discord credentials by configuring Discord as a federated identity provider via OAuth2. [Entra ID\ --------](https://docs.goauthentik.io/users-sources/sources/social-logins/entra-id/) There are several ways that Entra ID can be integrated with authentik to allow for user and group provisioning and authentication with Entra ID user credentials. [Entra ID OAuth authentication\ -----------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/entra-id/oauth/) Authenticating to authentik with Entra ID credentials via the OAuth 2.0 protocol [Entra ID SCIM user and group provisioning\ -----------------------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/entra-id/scim/) Provisioning users and groups from Entra ID to authentik via SCIM protocol [Facebook\ --------](https://docs.goauthentik.io/users-sources/sources/social-logins/facebook/) Allows users to authenticate using their Facebook credentials by configuring Facebook as a federated identity provider via OAuth2. [Github\ ------](https://docs.goauthentik.io/users-sources/sources/social-logins/github/) Allows users to authenticate using their Github credentials by configuring GitHub as a federated identity provider via OAuth2. [Google Cloud (with OAuth)\ -------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/google/cloud/) Allows users to authenticate using their Google credentials by configuring Google Cloud as a federated identity provider via OAuth2. [Google Identity Providers\ -------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/google/) There are several ways that Google services can be integrated with authentik to allow for authentication with Google user credentials. [Google Workspace (with SAML)\ ----------------------------](https://docs.goauthentik.io/users-sources/sources/social-logins/google/workspace/) Allows users to authenticate using their Google Workspace credentials by configuring Google Workspace as a federated identity provider via SAML. [Mailcow\ -------](https://docs.goauthentik.io/users-sources/sources/social-logins/mailcow/) Allows users to authenticate using their Mailcow credentials by configuring Mailcow as a federated identity provider via OAuth2. [Plex\ ----](https://docs.goauthentik.io/users-sources/sources/social-logins/plex/) Allows users to authenticate using their Plex credentials by configuring Plex as a federated identity provider via OAuth2. [Twitch\ ------](https://docs.goauthentik.io/users-sources/sources/social-logins/twitch/) Allows users to authenticate using their Twitch credentials by configuring Twitch as a federated identity provider via OAuth2. [X (Twitter)\ -----------](https://docs.goauthentik.io/users-sources/sources/social-logins/twitter/) Allows users to authenticate using their X credentials by configuring X as a federated identity provider via OAuth2. --- # One doc tagged with "x" | authentik [Skip to main content](https://docs.goauthentik.io/tags/x/#__docusaurus_skipToContent_fallback) [X (Twitter)\ -----------](https://docs.goauthentik.io/users-sources/sources/social-logins/twitter/) Allows users to authenticate using their X credentials by configuring X as a federated identity provider via OAuth2. --- # Manage applications | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#__docusaurus_skipToContent_fallback) On this page Managing the applications that your team uses involves several tasks, from initially adding the application and provider, to controlling access and visibility of the application, to providing access URLs. ### Create an application and provider pair[​](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#create-an-application-and-provider-pair "Direct link to Create an application and provider pair") To add an application to authentik and have it display on users' **My applications** page, follow these steps: 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications > Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create.)** 3. In the **New application** box, define the application details, the provider type and configuration settings, and bindings for the application. * **Application**: provide a name, an optional group for the type of application, the policy engine mode, and optional UI settings. * **Choose a Provider**: select the provider types for this application. * **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and any additional required configurations. * **Configure Bindings**: to manage the listing and access to applications on a user's **My applications** page, you can optionally create a [binding](https://docs.goauthentik.io/add-secure-apps/flows-stages/bindings/) between the application and a specific policy, group, or user. Note that if you do not define any bindings, then all users have access to the application. For more information about user access, refer to our documentation about [authorization](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#policy-driven-authorization) and [hiding an application](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#hide-applications) . 4. On the **Review and Submit Application** panel, review the configuration for the new application and its provider, and then click **Submit**. Policy-driven authorization[​](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#policy-driven-authorization "Direct link to Policy-driven authorization") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- To use a [policy](https://docs.goauthentik.io/customize/policies/) to control which users or groups can access an application, click on an application in the applications list and then select the **Policy/Group/User Bindings** tab. There you can bind users/groups/policies to grant them access. When nothing is bound, everyone has access. Binding a policy restricts access to specific Users or Groups, or by other custom policies such as restriction to a set time-of-day or a geographic region. By default, all users can access applications when no policies are bound. When multiple policies/groups/users are attached, you can configure the _Policy engine mode_ to either: * Require users to pass all bindings/be member of all groups (ALL), or * Require users to pass either binding/be member of either group (ANY) Application Entitlements[​](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#application-entitlements "Direct link to Application Entitlements") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- authentik: 2024.12.0+ Preview Application entitlements can be used through authentik to manage authorization within an application (what areas of the app users or groups can access). Entitlements are scoped to a single application and can be bound to multiple users and/or groups (binding policies is not currently supported), giving them access to the entitlement. An application can either check for the name of the entitlement (via the `entitlements` scope), or via attributes stored in entitlements. An authentik admin can create an entitlement [in the Admin interface](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#create-an-application-entitlement) or using the [authentik API](https://api.goauthentik.io/) . Because entitlements exist within an application, names of entitlements must be unique within an application. This also means that entitlements are deleted when an application is deleted. ### Using entitlements[​](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#using-entitlements "Direct link to Using entitlements") Entitlements to which a user has access can be retrieved using the `user.app_entitlements()` function in property mappings/policies. This function needs to be passed the specific application for which to get the entitlements. For example: entitlements = [entitlement.name for entitlement in request.user.app_entitlements(provider.application)]return { "entitlements": entitlements,} ### Attributes[​](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#attributes "Direct link to Attributes") Each entitlement can store attributes similar to user and group attributes. These attributes can be accessed in property mappings and passed to applications via `user.app_entitlements_attributes`. For example: attrs = request.user.app_entitlements_attributes(provider.application)return { "my_attr": attrs.get("my_attr")} ### Create an application entitlement[​](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#create-an-application-entitlement "Direct link to Create an application entitlement") 1. Open the Admin interface and navigate to **Applications > Applications**. 2. Click the name of the application for which you want to create an entitlement. 3. Click the **Application entitlements** tab at the top of the page, and then click **Create entitlement**. Provide a name for the entitlement, enter any optional **Attributes**, and then click **Create**. 4. In the list locate the entitlement to which you want to bind a user or group, and then **click the caret (>) to expand the entitlement details.** 5. In the expanded area, click **Bind existing Group/User**. 6. In the **Create Binding** box, select either the tab for **Group** or **User**, and then in the drop-down list, select the group or user. 7. Optionally, configure additional settings for the binding, and then click **Create** to create the binding and close the box. Hide applications[​](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#hide-applications "Direct link to Hide applications") ------------------------------------------------------------------------------------------------------------------------------------------------- To hide an application without modifying its policy settings or removing it, you can simply set the _Launch URL_ to `blank://blank`, which will hide the application from users. Keep in mind that users still have access, so they can still authorize access when the login process is started from the application. Launch URLs[​](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#launch-urls "Direct link to Launch URLs") ------------------------------------------------------------------------------------------------------------------------------- To give users direct links to applications, you can now use a URL like `https://authentik.company/application/launch//`. If the user is already logged in, they will be redirected to the application automatically. Otherwise, they'll be sent to the authentication flow and, if successful, forwarded to the application. Backchannel providers[​](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#backchannel-providers "Direct link to Backchannel providers") ------------------------------------------------------------------------------------------------------------------------------------------------------------- Backchannel providers can augment the functionality of applications by using additional protocols. The main provider of an application provides the SSO protocol that is used for logging into the application. Then, additional backchannel providers can be used for protocols such as [SCIM](https://docs.goauthentik.io/add-secure-apps/providers/scim/) and [LDAP](https://docs.goauthentik.io/add-secure-apps/providers/ldap/) to provide directory syncing. Note that any access restrictions that are configured on an application apply to all of its backchannel providers. To create a backchannel provider and then add it to an existing application, follow these instructions: 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers** and click **Create**. * **Choose a Provider type**: The protocol for a backchannel provider must be [SCIM](https://docs.goauthentik.io/add-secure-apps/providers/scim/) , [LDAP](https://docs.goauthentik.io/add-secure-apps/providers/ldap/) , [Google Workspace (GWS)](https://docs.goauthentik.io/add-secure-apps/providers/gws/) , [Microsoft Entra ID](https://docs.goauthentik.io/add-secure-apps/providers/entra/) , or [Shared Signals Framework (SSF)](https://docs.goauthentik.io/add-secure-apps/providers/ssf/) . * **Configure the Provider**: Enter any required configurations. 3. Click **Finish** to save the provider. 4. Edit the application by going to **Applications** > **Applications**, and clicking the edit icon beside the application that you want to edit. 5. In the **Backchannel Providers** field, click the Add icon (**+**), select the backchannel provider that you just created, and click **Add**. 6. Click **Update**. * [Create an application and provider pair](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#create-an-application-and-provider-pair) * [Policy-driven authorization](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#policy-driven-authorization) * [Application Entitlements](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#application-entitlements) * [Using entitlements](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#using-entitlements) * [Attributes](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#attributes) * [Create an application entitlement](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#create-an-application-entitlement) * [Hide applications](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#hide-applications) * [Launch URLs](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#launch-urls) * [Backchannel providers](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#backchannel-providers) --- # Applications | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/applications/#__docusaurus_skipToContent_fallback) On this page Applications, as defined in authentik, are used to configure and separate the authorization/access control and the appearance of a specific software application in the **My applications** page. When a user logs into authentik, they see a list of the applications for which authentik is configured to provide authentication and authorization (the applications that they are authorized to use). Applications are the "other half" of providers. They typically exist in a 1-to-1 relationship; each application needs a provider and every provider can be used with one application. Applications can, however, use specific, additional providers to augment the functionality of the main provider. For more information, see [Backchannel providers](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#backchannel-providers) . Furthermore, the [RAC (Remote Access Control)](https://docs.goauthentik.io/add-secure-apps/providers/rac/) feature uses a single application and a single provider, but multiple "endpoints". An endpoint defines each remote machine. info For information about creating and managing applications, refer to [Manage applications](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/) . Appearance[​](https://docs.goauthentik.io/add-secure-apps/applications/#appearance "Direct link to Appearance") ---------------------------------------------------------------------------------------------------------------- Applications are displayed to users when: * The user has access defined via policies (or the application has no policies bound) * A valid Launch URL is configured/could be guessed, this consists of URLs starting with http:// and https:// The following options can be configured: * _Name_: This is the name shown for the application card * _Launch URL_: The URL that is opened when a user clicks on the application. When left empty, authentik tries to guess it based on the provider You can use placeholders in the launch url to build them dynamically based on the logged in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged in user's username. For a reference of all fields available, see [the API schema for the User object](https://api.goauthentik.io/reference/core-users-retrieve/) . Only applications whose launch URL starts with `http://` or `https://` or are relative URLs are shown on the users' **My applications** page. This can also be used to hide applications that shouldn't be visible on the **My applications** page but are still accessible by users, by setting the _Launch URL_ to `blank://blank`. * _Icon (URL)_: Optionally configure an Icon for the application If the authentik server does not have a volume mounted under `/media`, you'll get a text input. This accepts absolute URLs. If you've mounted single files into the container, you can reference them using `https://authentik.company/media/my-file.png`. If there is a mount under `/media` or if [S3 storage](https://docs.goauthentik.io/sys-mgmt/ops/storage-s3/) is configured, you'll instead see a field to upload a file. * _Publisher_: Text shown in the application card's expandable kebab menu (⋮) * _Description_: Text shown in the application card's expandable kebab menu (⋮) * [Appearance](https://docs.goauthentik.io/add-secure-apps/applications/#appearance) --- # Bindings | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/bindings/#__docusaurus_skipToContent_fallback) A binding is, simply put, a connection between two components (a flow, stage, policy, user, or group). The use of a binding adds additional functionality to one those existing components; for example, a policy binding can cause a new stage to be presented within a flow to a specific user or group. info For information about creating and managing bindings, refer to [Working with bindings](https://docs.goauthentik.io/add-secure-apps/flows-stages/bindings/work_with_bindings/) . Bindings are an important part of authentik; the majority of configuration options are set in bindings. Bindings are analyzed by authentik's Flow Plan, which starts with the flow, then assesses all of the bound policies, and then runs them in order to build out the plan. The three most common types of bindings in authentik are: * stage bindings * policy bindings * user and group bindings A _stage binding_ connects a stage to a flow. The "additional content" (i.e. the content in the stage) is now added to the flow. A _policy binding_ connects a specific policy to a flow or to a stage. With the binding, the flow (or stage) will now have additional content (i.e. the policy rules). You can also bind groups and users to another component (a policy, a stage, a flow, etc.). For example, you can create a binding for a specific group, and then [bind that to a stage binding](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/#bind-users-and-groups-to-a-flows-stage-binding) , with the result that everyone in that group now will see that stage (and any policies bound to that stage) as part of their flow. Or more specifically, and going one step deeper, you can also _bind a binding to a binding_. Bindings are also used for [Application Entitlements](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#application-entitlements) , where you can bind specific users or groups to an application as a way to manage who has access to the application. It's important to remember that bindings are instantiated objects themselves, and conceptually can be considered as a "connector" between two components. This is why you might read about "binding a binding", because technically, a binding is "spliced" into another binding, in order to intercept and enforce the criteria defined in the second binding. info Be aware that some stages and flows do not allow user or group bindings, because in certain scenarios (authentication or enrollment), the flow plan doesn't yet know who the user or group is. --- # Flows | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/#__docusaurus_skipToContent_fallback) On this page Flows are a major component in authentik. In conjunction with stages and [policies](https://docs.goauthentik.io/customize/policies/) , flows are at the heart of our system of building blocks, used to define and execute the workflows of authentication, authorization, enrollment, and user settings. There are over a dozen default, out-of-the box flows available in authentik. Users can decide if they already have everything they need with the [default flows](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/default_flows/) or if they want to [create](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/#create-a-custom-flow) their own custom flow, using the Admin interface, Terraform, or via the API. A flow is a method of describing a sequence of stages. A stage represents a single verification or logic step. By connecting a series of stages within a flow (and optionally attaching policies as needed) you can build a highly flexible process for authenticating users, enrolling them, and more. For example a standard login flow would consist of the following stages: * **Identification stage**: user identifies themselves via a username or email address * **Password stage**: the user's password is checked against the hash in the database * **Login stage**: this stage attaches a currently pending user to the current session When these stages are successfully completed, authentik logs in the user. ![](https://docs.goauthentik.io/assets/images/simple_stages-4992cc293c88fe0a001304826e35d7c1.png) By default, policies are evaluated dynamically, right before the stage (to which a policy is bound) is presented to the user. This flexibility allows the login process to continue, change, or stop, based on the success or failure of each policy. This default behaviour can be altered by enabling the **Evaluate when flow is planned** option on the stage binding. With this setting a _flow plan_ containing all stages is generated upon flow execution. This means that all attached policies are evaluated upon execution. For more information about flow plans, read our [flow context documentation](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/) . Policies and permissions[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/#policies-and-permissions "Direct link to Policies and permissions") --------------------------------------------------------------------------------------------------------------------------------------------------------------- Flows can have [policies](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/) assigned to them. These policies determine if the current user is allowed to see and use this flow. Keep in mind that in certain circumstances, policies cannot match against users and groups as there is no authenticated user yet. Import or export a flow[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/#import-or-export-a-flow "Direct link to Import or export a flow") ------------------------------------------------------------------------------------------------------------------------------------------------------------ Flows can be imported and exported (as [blueprints](https://docs.goauthentik.io/customize/blueprints/working_with_blueprints/) ) to share with other people, the community, and for troubleshooting. Flows can be imported to add new functionality to existing flows, or to add a new custom flow. You can download our [Example flows](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/flows/) and then import them into your authentik instance, or create a new flow. Starting with authentik 2022.8, flows are exported as YAML, but legacy JSON-based flows can still be imported. Create a custom flow[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/#create-a-custom-flow "Direct link to Create a custom flow") --------------------------------------------------------------------------------------------------------------------------------------------------- To create a flow, follow these steps: 1. Log in to authentik as an administrator and open the Admin interface. 2. In the Admin interface, navigate to **Flows and Stages > Flows**. 3. Click **Create**, define the flow using the [configuration settings](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/#flow-configuration-options) described below, and then click **Finish**. After creating the flow, you can then [bind specific stages](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/#bind-a-stage-to-a-flow) to the flow and [bind policies](https://docs.goauthentik.io/customize/policies/working_with_policies/) to the flow to further customize the user's log in and authentication process. To determine which flow should be used, authentik will first check which default authentication flow is configured in the active [**Brand**](https://docs.goauthentik.io/brands/) . If no default is configured there, the policies in all flows with the matching designation are checked, and the first flow with matching policies sorted by `slug` will be used. Flow configuration options[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/#flow-configuration-options "Direct link to Flow configuration options") --------------------------------------------------------------------------------------------------------------------------------------------------------------------- When creating or editing a flow in the UI of the Admin interface, you can set the following configuration options. ![](https://docs.goauthentik.io/assets/images/create-flow-46ef4ed854ea468b8d5845ce57f6cbdf.png) **Name**: Enter a descriptive name. This is the name that will appear on the list of flows in the Admin interface. **Title**: This is the title that will appear on the flow as the end-user logs in and encounters the flow. **Slug**: The slug will be used, and appear, in the URL when the flow is in use. **Designation**: Flows are designated for a single purpose. This designation changes when a flow is used. The following designations are available: * **Authentication**: this option designates a flow to be used for authentication. The authentication flow should always contain a [**User Login**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/) stage, which attaches the staged user to the current session. * **Authorization**: designates a flow to be used for authorization of an application. Can be used to add additional verification steps before the user is allowed to access an application. This flow is defined per provider, when the provider is created, to state whether implicit or explicit authorization is required. * **Enrollment**: designates a flow for enrollment. This flow can contain any amount of verification stages, such as [**Email**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/) or **Captcha**. At the end, to create the user, you can use the [**User Write**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_write/) stage, which either updates the currently staged user, or if none exists, creates a new one. * **Invalidation**: designates a default flow to be used to invalidate a session. Use `default-invalidation-flow` for invalidation from authentik itself, or use `default-provider-invalidation-flow` to invalidate when the session of an application ends. When you use the `default-invalidation-flow` as a global invalidation flow, it should contain a [**User Logout**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_logout/) stage. When you use the `default-provider-invalidation-flow` (supported with OIDC, SAML, Proxy, and RAC providers), you can configure this default flow to present users log-off options such as "log out of the app but remain logged in to authentik" or "return to the **My Applications** page", or "log out completely". (Alternatively, you can create a custom invalidation flow, with a branded background image.) * **Recovery**: designates a flow for recovery. This flow normally contains an [**Identification**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/) stage to find the user. It can also contain any amount of verification stages, such as [**Email**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/) or [**CAPTCHA**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/captcha/) . Afterwards, use the [**Prompt**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/) stage to ask the user for a new password and the [**User Write**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_write/) stage to update the password. * **Stage configuration**: designates a flow for general setup. This designation doesn't have any constraints in what you can do. For example, by default this designation is used to configure authenticators, like change a password and set up TOTP. * **Unenrollment**: designates a flow for unenrollment. This flow can contain any amount of verification stages, such as [**email**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/) or [**Captcha**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/captcha/) . As a final stage, to delete the account, use the [**user\_delete**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_delete/) stage. **Authentication**: Using this option, you can configure whether the the flow requires initial authentication or not, whether the user must be a superuser, if the flow can only be started after being redirected by a [Redirect stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/redirect/) , or if the flow requires an outpost. **Behavior settings**: * **Compatibility mode**: Toggle this option on to increase compatibility with password managers and mobile devices. Password managers like [1Password](https://1password.com/) , for example, don't need this setting to be enabled, when accessing the flow from a desktop browser. However accessing the flow from a mobile device might necessitate this setting to be enabled. The technical reasons for this settings' existence is due to the JavaScript libraries we're using for the default flow interface. These interfaces are implemented using [Lit](https://lit.dev/) , which is a modern web development library. It uses a web standard called ["Shadow DOMs"](https://developer.mozilla.org/en-US/docs/Web/API/Web_components/Using_shadow_DOM) , which makes encapsulating styles simpler. Due to differences in Browser APIs, many password managers are not compatible with this technology. When the compatibility mode is enabled, authentik uses a polyfill which emulates the Shadow DOM APIs without actually using the feature, and instead a traditional DOM is rendered. This increases support for password managers, especially on mobile devices. * **Denied action**: Configure what happens when access to a flow is denied by a policy. By default, authentik will redirect to a `?next` parameter if set, and otherwise show an error message. * `MESSAGE_CONTINUE`: Show a message if no `?next` parameter is set, otherwise redirect. * `MESSAGE`: Always show error message. * `CONTINUE`: Always redirect, either to `?next` if set, otherwise to the default interface. * **Policy engine mode**: Configure the flow to succeed in _any_ policy passes, or only if _all_ policies pass. **Appearance Settings**: * **Layout**: select how the UI displays the flow when it is executed; with stacked elements, content left or right, and sidebar left or right. * **Background**: optionally, select a background image for the UI presentation of the flow. This overrides any default background image configured in the [Branding settings](https://docs.goauthentik.io/brands/#branding-settings) . Edit or delete a flow[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/#edit-or-delete-a-flow "Direct link to Edit or delete a flow") ------------------------------------------------------------------------------------------------------------------------------------------------------ * To edit a flow, navigate to **Flows and Stages > Flows** in the Admin interface, and then click **Edit** for the flow that you want to modify. * To delete a flow, navigate to **Flows and Stages > Flows** in the Admin interface, select the checkbox in front of the flow that you want to delete, and then click **Delete**. You can retrieve and re-apply that flow by following the steps above to create a new flow. * [Policies and permissions](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/#policies-and-permissions) * [Import or export a flow](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/#import-or-export-a-flow) * [Create a custom flow](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/#create-a-custom-flow) * [Flow configuration options](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/#flow-configuration-options) * [Edit or delete a flow](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/#edit-or-delete-a-flow) --- # Work with bindings | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/bindings/work_with_bindings/#__docusaurus_skipToContent_fallback) As covered in the [overview](https://docs.goauthentik.io/add-secure-apps/flows-stages/bindings/) , bindings interact with many other components. For instructions to create a binding, refer to the documentation for the specific components: * [Bind a stage to a flow](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/#bind-a-stage-to-a-flow) * [Bind a policy to a flow or stage](https://docs.goauthentik.io/customize/policies/working_with_policies/#bind-a-policy-to-a-flow-or-stage) * [Bind users or groups to a specific application with an Application Entitlement](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#application-entitlements) * [Bind a policy to a specific application when you create a new application and provider](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#create-an-application-and-provider-pair) * [Bind users and groups to a stage binding, to define whether or not that stage is shown](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/#bind-users-and-groups-to-a-flows-stage-binding) --- # Example policy snippets for flows | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/snippets/#__docusaurus_skipToContent_fallback) On this page ### Redirect current flow to another URL[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/snippets/#redirect-current-flow-to-another-url "Direct link to Redirect current flow to another URL") plan = request.context.get("flow_plan")if not plan: return Falseplan.redirect("https://foo.bar")return False This policy should be bound to the stage after your redirect should happen. For example, if you have an identification and a password stage, and you want to redirect after identification, bind the policy to the password stage. Make sure the stage binding's option _Evaluate when stage is run_ is enabled. ### Deny flow when user is authenticated[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/snippets/#deny-flow-when-user-is-authenticated "Direct link to Deny flow when user is authenticated") return not request.user.is_authenticated When used with authentik 2022.7 or later, set the flow _Denied action_ to _CONTINUE_. This will redirect already authenticated users to the default interface if they try to use the respective flow. * [Redirect current flow to another URL](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/snippets/#redirect-current-flow-to-another-url) * [Deny flow when user is authenticated](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/snippets/#deny-flow-when-user-is-authenticated) --- # Default flows | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/default_flows/#__docusaurus_skipToContent_fallback) When you create a new provider, you can select certain default flows that will be used with the provider and its associated application. For example, you can [create a custom flow](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/#create-a-custom-flow) that override the defaults configured on the brand. If no default flow is selected when the provider is created, to determine which flow should be used authentik will first check if there is a default flow configured in the active [**Brand**](https://docs.goauthentik.io/brands/) . If no default is configured there, authentik will go through all flows with the matching designation, sorted by `slug` and evaluate policies bound directly to the flows, and the first flow whose policies allow access will be picked. * **Authentication**: this option designates a flow to be used for authentication. The authentication flow should always contain a [**User Login**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/) stage, which attaches the staged user to the current session. * **Authorization**: designates a flow to be used for authorization of an application. Can be used to add additional verification steps before the user is allowed to access an application. This flow is defined per provider, when the provider is created, to state whether implicit or explicit authorization is required. * **Enrollment**: designates a flow for enrollment. This flow can contain any amount of verification stages, such as [**Email**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/) or **Captcha**. At the end, to create the user, you can use the [**User Write**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_write/) stage, which either updates the currently staged user, or if none exists, creates a new one. * **Invalidation**: designates a default flow to be used to invalidate a session. Use `default-invalidation-flow` for invalidation from authentik itself, or use `default-provider-invalidation-flow` to invalidate when the session of an application ends. When you use the `default-invalidation-flow` as a global invalidation flow, it should contain a [**User Logout**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_logout/) stage. When you use the `default-provider-invalidation-flow` (supported with OIDC, SAML, Proxy, and RAC providers), you can configure this default flow to present users log-off options such as "log out of the app but remain logged in to authentik" or "return to the **My Applications** page", or "log out completely". (Alternatively, you can create a custom invalidation flow, with a branded background image.) * **Recovery**: designates a flow for recovery. This flow normally contains an [**Identification**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/) stage to find the user. It can also contain any amount of verification stages, such as [**Email**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/) or [**CAPTCHA**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/captcha/) . Afterwards, use the [**Prompt**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/) stage to ask the user for a new password and the [**User Write**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_write/) stage to update the password. * **Stage configuration**: designates a flow for general setup. This designation doesn't have any constraints in what you can do. For example, by default this designation is used to configure authenticators, like change a password and set up TOTP. * **Unenrollment**: designates a flow for unenrollment. This flow can contain any amount of verification stages, such as [**email**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/) or [**Captcha**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/captcha/) . As a final stage, to delete the account, use the [**user\_delete**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_delete/) stage. --- # Headless | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/executors/headless/#__docusaurus_skipToContent_fallback) The headless flow executor is used by clients that don't have access to the web interface. It is currently used by the LDAP and Radius outposts to authenticate users. The following stages are supported: * [**Identification stage**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/) * [**Password stage**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/password/) * [**Authenticator Validation Stage**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/) --- # Flow Context | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#__docusaurus_skipToContent_fallback) On this page Each flow execution has an independent _context_. This context holds all of the arbitrary data about that specific flow, data which can then be used and transformed by stages and policies. Managing data in a flow context[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#managing-data-in-a-flow-context "Direct link to Managing data in a flow context") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- You create and manage the data for a context by configuring policies, stages, and bindings. As you plan your flow, and set up the required stages, etc. you are creating the context data for that flow. For example, in the Identification Stage (part of the default login flow), you can define whether users will be prompted to enter an email address, a username, or both. All such information about the flow's configuration makes up the context. Any data can be stored in the flow context, however there are some reserved keys in the context dictionary that are used by authentik stages. To manage flow context on a more granular level, see [Setting flow context keys](https://docs.goauthentik.io/customize/policies/expression/managing_flow_context_keys/) . Context dictionary and reserved keys[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#context-dictionary-and-reserved-keys "Direct link to Context dictionary and reserved keys") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- This section describes the data (the context) that are used in authentik, and provides a list of keys, what they are used for and when they are set. warning Keys prefixed with `goauthentik.io` are used internally by authentik and are subject to change without notice, and should not be modified in policies in most cases. ### Common keys[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#common-keys "Direct link to Common keys") #### `pending_user` ([User object](https://docs.goauthentik.io/users-sources/user/user_ref/#object-properties) )[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#pending_user-user-object "Direct link to pending_user-user-object") `pending_user` is used by multiple stages. In the context of most flow executions, it represents the data of the user that is executing the flow. This value is not set automatically, it is set via the [Identification stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/) . Stages that require a user, such as the [Password stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/password/) , the [Authenticator validation stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/) and others will use this value if it is set, and fallback to the request's users when possible. #### `prompt_data` (Dictionary)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#prompt_data-dictionary "Direct link to prompt_data-dictionary") `prompt_data` is primarily used by the [Prompt stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/) . The value of any field within a prompt stage is written to the `prompt_data` dictionary. For example, given a field with the _Field key_ `email` that was submitted with the value `[[email protected]](https://docs.goauthentik.io/cdn-cgi/l/email-protection) ` will result in the following context: { "prompt_data": { "email": "[email protected]" }} This data can be modified with policies. The data is also used by stages like [User write](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_write/) , which takes data in `prompt_data` and writes it to `pending_user`. #### `redirect` (string)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#redirect-string "Direct link to redirect-string") Stores the final redirect URL that the user's browser will be sent to after the flow is finished executing successfully. This is set when an un-authenticated user attempts to access a secured application, and when a user authenticates/enrolls with an external source. #### `pending_user_identifier` (string)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#pending_user_identifier-string "Direct link to pending_user_identifier-string") If _Show matched user_ is disabled, this key will hold the user identifier entered by the user in the identification stage. Stores the final redirect URL that the user's browser will be sent to after the flow is finished executing successfully. This is set when an un-authenticated user attempts to access a secured application, and when a user authenticates/enrolls with an external source. #### `application` (Application object)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#application-application-object "Direct link to application-application-object") When an unauthenticated user attempts to access a secured resource, they are redirected to an authentication flow. The application they attempted to access will be stored in the key attached to this object. For example: `application.github`, with `application` being the key and `github` the value. #### `source` (Source object)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#source-source-object "Direct link to source-source-object") When a user authenticates/enrolls via an external source, this will be set to the source they are using. #### `outpost` (dictionary)authentik: 2024.10.0+[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#outpost-dictionary "Direct link to outpost-dictionary") When a flow is executed by an Outpost (for example the [LDAP](https://docs.goauthentik.io/add-secure-apps/providers/ldap/) or [RADIUS](https://docs.goauthentik.io/add-secure-apps/providers/radius/) ), this will be set to a dictionary containing the Outpost instance under the key `"instance"`. ### Scenario-specific keys[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#scenario-specific-keys "Direct link to Scenario-specific keys") #### `is_sso` (boolean)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#is_sso-boolean "Direct link to is_sso-boolean") This key is set to `True` when the flow is executed from an "SSO" context. For example, this is set when a flow is used during the authentication or enrollment via an external source, and if a flow is executed to authorize access to an application. #### `is_restored` (Token object)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#is_restored-token-object "Direct link to is_restored-token-object") This key is set when a flow execution is continued from a token. This happens for example when an [Email stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/) is used and the user clicks on the link within the email. The token object contains the key that was used to restore the flow execution. This field is also used by the [Source stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/source/) when returning back to the initial flow the Source stage was run on. #### `is_redirected` (Flow object)authentik: 2024.12.0+[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#is_redirected-flow-object "Direct link to is_redirected-flow-object") This key is set when the current flow was reached through a [Redirect stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/redirect/) in Flow mode. ### Stage-specific keys[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#stage-specific-keys "Direct link to Stage-specific keys") #### Autosubmit stage[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#autosubmit-stage "Direct link to Autosubmit stage") The autosubmit stage is an internal stage type that is not configurable via the API/Web interface. It is used in certain situations, where a POST request is sent from the browser, such as with SAML POST bindings. This works by using an HTML form that is submitted automatically. ##### `title` (string)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#title-string "Direct link to title-string") Optional title of the form shown to the user. Automatically set when this stage is used by the backend. ##### `url` (string)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#url-string "Direct link to url-string") URL that the form will be submitted to. ##### `attrs` (dictionary)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#attrs-dictionary "Direct link to attrs-dictionary") Key-value pairs of the data that is included in the form and will be submitted to `url`. #### Captcha stageauthentik: 2024.6.0+[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#captcha-stage "Direct link to captcha-stage") ##### `captcha` (dictionary)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#captcha-dictionary "Direct link to captcha-dictionary") When `error_on_invalid_score` (TODO) is set to false on a captcha stage, after the execution of the captcha stage, this object will be set in the flow context. It contains two keys, `response` which is the raw response from the specified captcha verification URL, and `stage`, which is a reference to the captcha stage that executed the test. #### Consent stage[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#consent-stage "Direct link to Consent stage") ##### `consent_header` (string)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#consent_header-string "Direct link to consent_header-string") The title of the consent prompt shown. Set automatically when the consent stage is used with a OAuth2, Proxy or SAML provider. ##### `consent_permissions` (List of PermissionDict)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#consent_permissions-list-of-permissiondict "Direct link to consent_permissions-list-of-permissiondict") An optional list of all permissions that will be given to the application by granting consent. Not supported with SAML. When used with an OAuth2 or Proxy provider, this will be set based on the configured scopes. #### Deny stage[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#deny-stage "Direct link to Deny stage") ##### `deny_message` (string)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#deny_message-string "Direct link to deny_message-string") Optionally overwrite the deny message shown, has a higher priority than the message configured in the stage. #### User write stage[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#user-write-stage "Direct link to User write stage") ##### `groups` (List of [Group objects](https://docs.goauthentik.io/users-sources/groups/) )[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#groups-list-of-group-objects "Direct link to groups-list-of-group-objects") See [Group](https://docs.goauthentik.io/users-sources/groups/) . If set in the flow context, the `pending_user` will be added to all the groups in this list. If set, this must be a list of group objects and not group names. ##### `user_path` (string)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#user_path-string "Direct link to user_path-string") Path the `pending_user` will be written to. If not set in the flow, falls back to the value set in the user\_write stage, and otherwise to the `users` path. ##### `user_type` (string)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#user_type-string "Direct link to user_type-string") Type the `pending_user` will be created as. Must be one of `internal`, `external` or `service_account`. #### Password stage[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#password-stage "Direct link to Password stage") ##### `user_backend` (string)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#user_backend-string "Direct link to user_backend-string") Set by the [Password stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/password/) after successfully authenticating in the user. Contains a dot-notation to the authentication backend that was used to successfully authenticate the user. ##### `auth_method` (string)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#auth_method-string "Direct link to auth_method-string") Set by the [Password stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/password/) , the [Authenticator validation stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/) , the [OAuth2 Provider](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/) , and the API authentication depending on which method was used to authenticate. Possible options: * `password` (Authenticated via the password in authentik's database) * `token` (Authenticated via API token) * `ldap` (Authenticated via LDAP bind from an LDAP source) * `auth_mfa` (Authentication via MFA device without password) * `auth_webauthn_pwl` (Passwordless authentication via WebAuthn with Passkeys) * `jwt` ([M2M](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/) authentication via an existing JWT) * `mtls` (Authentication via Certificate, see [Mutual TLS Stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/) ) ##### `auth_method_args` (dictionary)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#auth_method_args-dictionary "Direct link to auth_method_args-dictionary") Additional arguments used during the authentication. Value varies depending on `auth_method`. Example: { // List of the MFA device objects used during authentication // applies for `auth_method` `auth_mfa` "mfa_devices": [], // MFA device used for passwordless authentication, applies to // `auth_method` `auth_webauthn_pwl` "device": null, // the token identifier when `auth_method` `token` was used "identifier": "", // JWT information when `auth_method` `jwt` was used "jwt": {}, "source": null, "provider": null, // Certificate used for authentication // applies for `auth_method` `mtls` "certificate": {}} #### Email stage[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#email-stage "Direct link to Email stage") ##### `email_sent` (boolean)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#email_sent-boolean "Direct link to email_sent-boolean") Boolean set to true after the email form the email stage has been sent. ##### `email` (string)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#email-string "Direct link to email-string") Optionally override the email address that the email will be sent to. If not set, defaults to the email of `pending_user`. #### Identification stage[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#identification-stage "Direct link to Identification stage") ##### `pending_user_identifier` (string)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#pending_user_identifier-string-1 "Direct link to pending_user_identifier-string-1") If _Show matched user_ is disabled, this key will be set to the user identifier entered by the user in the identification stage. #### Invitation stage[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#invitation-stage "Direct link to Invitation stage") ##### `invitation` (Invitation object)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#invitation-invitation-object "Direct link to invitation-invitation-object") The invitation used with the invitation stage. When **Continue flow without invitation** is enabled, this may be unset. If the invitation was single-use, this object may hold a reference to an invitation that no longer exists in the database. ##### `invitation_in_effect` (boolean)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#invitation_in_effect-boolean "Direct link to invitation_in_effect-boolean") A boolean value that is `True` when an invitation has been used. ##### `token` (string)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#token-string "Direct link to token-string") This value can be set either via [Prompt data](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#prompt_data-dictionary) or via policy to interactively/programmatically choose an invitation. #### Redirect stage[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#redirect-stage "Direct link to Redirect stage") ##### `redirect_stage_target` (string)authentik: 2024.12.0+[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#redirect_stage_target-string "Direct link to redirect_stage_target-string") [Set this key](https://docs.goauthentik.io/customize/policies/expression/managing_flow_context_keys/) in an Expression Policy to override [Redirect stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/redirect/) to force it to redirect to a certain URL or flow. This is useful when a flow requires that the redirection target be decided dynamically. Use the format `ak-flow://{slug}` to use the Redirect stage in Flow mode. Any other format will result in the Redirect stage running in Static mode. #### Mutual TLS Stage[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#mutual-tls-stage "Direct link to Mutual TLS Stage") ##### `certificate` (dictionary)authentik: 2025.6.0+[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#certificate-dictionary "Direct link to certificate-dictionary") This key is set by the Mutual TLS Stage during enrollment and contains data about the certificate supplied by the browser. Example: { "serial_number": "1234", "subject": "CN=client", "issuer": "CN=authentik Test CA, O=authentik, OU=Self-signed", "fingerprint_sha256": "08:D4:A4:79:25:CA:C3:51:28:88:BB:30:C2:96:C3:44:5A:EB:18:07:84:CA:B4:75:27:74:61:19:8A:6A:AF:FC", "fingerprint_sha1": "5D:14:0D:5F:A2:7E:14:B0:F1:1D:6F:CD:E3:4B:81:68:71:24:1A:70", "raw": "-----BEGIN CERTIFICATE-----...."} * [Managing data in a flow context](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#managing-data-in-a-flow-context) * [Context dictionary and reserved keys](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#context-dictionary-and-reserved-keys) * [Common keys](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#common-keys) * [`pending_user` (User object)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#pending_user-user-object) * [`prompt_data` (Dictionary)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#prompt_data-dictionary) * [`redirect` (string)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#redirect-string) * [`pending_user_identifier` (string)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#pending_user_identifier-string) * [`application` (Application object)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#application-application-object) * [`source` (Source object)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#source-source-object) * [`outpost` (dictionary)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#outpost-dictionary) * [Scenario-specific keys](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#scenario-specific-keys) * [`is_sso` (boolean)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#is_sso-boolean) * [`is_restored` (Token object)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#is_restored-token-object) * [`is_redirected` (Flow object)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#is_redirected-flow-object) * [Stage-specific keys](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#stage-specific-keys) * [Autosubmit stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#autosubmit-stage) * [`title` (string)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#title-string) * [`url` (string)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#url-string) * [`attrs` (dictionary)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#attrs-dictionary) * [Captcha stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#captcha-stage) * [`captcha` (dictionary)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#captcha-dictionary) * [Consent stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#consent-stage) * [`consent_header` (string)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#consent_header-string) * [`consent_permissions` (List of PermissionDict)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#consent_permissions-list-of-permissiondict) * [Deny stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#deny-stage) * [`deny_message` (string)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#deny_message-string) * [User write stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#user-write-stage) * [`groups` (List of Group objects)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#groups-list-of-group-objects) * [`user_path` (string)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#user_path-string) * [`user_type` (string)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#user_type-string) * [Password stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#password-stage) * [`user_backend` (string)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#user_backend-string) * [`auth_method` (string)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#auth_method-string) * [`auth_method_args` (dictionary)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#auth_method_args-dictionary) * [Email stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#email-stage) * [`email_sent` (boolean)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#email_sent-boolean) * [`email` (string)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#email-string) * [Identification stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#identification-stage) * [`pending_user_identifier` (string)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#pending_user_identifier-string-1) * [Invitation stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#invitation-stage) * [`invitation` (Invitation object)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#invitation-invitation-object) * [`invitation_in_effect` (boolean)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#invitation_in_effect-boolean) * [`token` (string)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#token-string) * [Redirect stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#redirect-stage) * [`redirect_stage_target` (string)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#redirect_stage_target-string) * [Mutual TLS Stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#mutual-tls-stage) * [`certificate` (dictionary)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#certificate-dictionary) --- # Example flows | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/flows/#__docusaurus_skipToContent_fallback) On this page info You can apply these flows multiple times to stay updated, however this will discard all changes you've made. info The example flows provided below will **override** the default flows, please review the contents of the example flow before importing and consider exporting the affected existing flows first. Enrollment (2 Stage)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/flows/#enrollment-2-stage "Direct link to Enrollment (2 Stage)") ---------------------------------------------------------------------------------------------------------------------------------------------------------------- Flow: right-click [here](https://docs.goauthentik.io/assets/files/flows-enrollment-2-stage-11d645d45ab0c1b157aa2f5a9907af4e.yaml/) and save the file. Sign-up flow for new users, which prompts them for their username, email, password and name. No verification is done. Users are also immediately logged on after this flow. Enrollment with email verification[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/flows/#enrollment-with-email-verification "Direct link to Enrollment with email verification") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Flow: right-click [here](https://docs.goauthentik.io/assets/files/flows-enrollment-email-verification-b43f5fea64c06aea244469f7b08eae85.yaml/) and save the file. Same flow as above, with an extra email verification stage. You'll probably have to adjust the Email stage and set your connection details. Two-factor Login[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/flows/#two-factor-login "Direct link to Two-factor Login") ------------------------------------------------------------------------------------------------------------------------------------------------------ Flow: right-click [here](https://docs.goauthentik.io/assets/files/flows-login-2fa-228289db8b878d7922c6a114d8414388.yaml/) and save the file. Login flow which follows the default pattern (username/email, then password), but also checks for the user's OTP token, if they have one configured. You can force two-factor authentication by editing the _Not configured action_ in the Authenticator Validation Stage. Login with conditional Captcha[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/flows/#login-with-conditional-captcha "Direct link to Login with conditional Captcha") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Flow: right-click [here](https://docs.goauthentik.io/assets/files/flows-login-conditional-captcha-b39eb0bd9fc5fe53452d9c84e84c6458.yaml/) and save the file. Login flow which conditionally shows the users a captcha, based on the reputation of their IP and Username. By default, the captcha test keys are used. You can get a proper key [here](https://www.google.com/recaptcha/intro/v3.html) . Recovery with email verification[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/flows/#recovery-with-email-verification "Direct link to Recovery with email verification") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Flow: right-click [here](https://docs.goauthentik.io/assets/files/flows-recovery-email-verification-194c87d5ef361a07f696860223b7aa1a.yaml/) and save the file. Recovery flow, the user is sent an email after they've identified themselves. After they click on the link in the email, they are prompted for a new password and immediately logged on. User deletion[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/flows/#user-deletion "Direct link to User deletion") --------------------------------------------------------------------------------------------------------------------------------------------- Flow: right-click [here](https://docs.goauthentik.io/assets/files/flows-unenrollment-7a90ebae106a5e04da35b9fad2479b2e.yaml/) and save the file. Flow for users to delete their account. warning This is done without any warning. * [Enrollment (2 Stage)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/flows/#enrollment-2-stage) * [Enrollment with email verification](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/flows/#enrollment-with-email-verification) * [Two-factor Login](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/flows/#two-factor-login) * [Login with conditional Captcha](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/flows/#login-with-conditional-captcha) * [Recovery with email verification](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/flows/#recovery-with-email-verification) * [User deletion](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/flows/#user-deletion) --- # Default | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/executors/if-flow/#__docusaurus_skipToContent_fallback) On this page This is the default, web-based environment that flows are executed in. All stages are compatible with this environment and no limitations are imposed. info All flow executors use the same [API](https://api.goauthentik.io/docs/flow-executor) , which allows for the implementation of custom flow executors. Layouts[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/executors/if-flow/#layouts "Direct link to Layouts") ------------------------------------------------------------------------------------------------------------------------------ Starting with authentik 2022.5, the layout of the default flow executor can be changed. Below are examples for the available options: ### Stacked (default)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/executors/if-flow/#stacked-default "Direct link to Stacked (default)") ![](https://docs.goauthentik.io/assets/images/stacked-d5ccce7802ab5f451ffb8af8ece11156.png) ### Content besides logo (left)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/executors/if-flow/#content-besides-logo-left "Direct link to Content besides logo (left)") ![](https://docs.goauthentik.io/assets/images/content_left-9bfdb9f8bfcbbaac71bcb93b40b4430e.png) ### Content besides logo (right)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/executors/if-flow/#content-besides-logo-right "Direct link to Content besides logo (right)") ![](https://docs.goauthentik.io/assets/images/content_right-64f6c04fcb776cd656791bbd803d9e00.png) ### Sidebar (left)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/executors/if-flow/#sidebar-left "Direct link to Sidebar (left)") ![](https://docs.goauthentik.io/assets/images/sidebar_left-8512f2c6270552620230a40113a00158.png) ### Sidebar (right)[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/executors/if-flow/#sidebar-right "Direct link to Sidebar (right)") ![](https://docs.goauthentik.io/assets/images/sidebar_right-73f8439c6a0b86cffba54677a22f9fb4.png) * [Layouts](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/executors/if-flow/#layouts) * [Stacked (default)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/executors/if-flow/#stacked-default) * [Content besides logo (left)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/executors/if-flow/#content-besides-logo-left) * [Content besides logo (right)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/executors/if-flow/#content-besides-logo-right) * [Sidebar (left)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/executors/if-flow/#sidebar-left) * [Sidebar (right)](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/executors/if-flow/#sidebar-right) --- # Flow Inspector | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/inspector/#__docusaurus_skipToContent_fallback) On this page The flow inspector, introduced in 2021.10, allows administrators to visually determine how custom flows work, inspect the current [flow context](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/) , and investigate issues. As shown in the screenshot below, the flow inspector displays next to the selected flow (in this case, "Change Password"), with [information](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/inspector/#flow-inspector-details) about that specific flow and flow context. ![](https://docs.goauthentik.io/assets/images/flow-inspector-1da61c7939c0c7418107d68b5c3bcae3.png) Access the Flow Inspector[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/inspector/#access-the-flow-inspector "Direct link to Access the Flow Inspector") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- info Be aware that when running a flow with the inspector enabled, the flow is still executed normally. This means that for example, a [User write](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_write/) stage _will_ write user data. The inspector is accessible to users that have been granted the [permission](https://docs.goauthentik.io/users-sources/access-control/permissions/) **Can inspect a Flow's execution**, either directly or through a role. Superusers can always inspect flow executions. When developing authentik with the debug mode enabled, the inspector is enabled by default and can be accessed by both unauthenticated users and standard users. However the debug mode should only be used for the development of authentik. So unless you are a developer and need the more verbose error information, the best practice for using the flow inspector is to assign the permission, not use debug mode. Starting with authentik 2025.2, for users with appropriate permissions to access the inspector a button is shown in the top right of the [default flow executor](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/executors/if-flow/) which opens the flow inspector. ### Manually running a flow with the inspector[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/inspector/#manually-running-a-flow-with-the-inspector "Direct link to Manually running a flow with the inspector") 1. To access the inspector, open the Admin interface and navigate to **Flows and Stages > Flows**. 2. Select the specific flow that you want to inspect by clicking its name in the list. 3. On the Flow's detail page, on the left side under **Execute Flow**, click **with inspector**. 4. The selected flow will launch in a new browser tab, with the flow inspector displayed to the right. Alternatively, a user with the correct permission can launch the inspector by adding the query parameter `?inspector` to the URL when the URL opens on a flow. info Troubleshooting: * If the flow inspector does not launch and a "Bad request" error displays, this is likely either because you selected a flow that has a policy bound directly to it that prevents access (so the inspector won't open because the flow can't be executed) or because you do not have view permission on that specific flow. ### Flow Inspector Details[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/inspector/#flow-inspector-details "Direct link to Flow Inspector Details") The following information is shown in the inspector: #### Next stage[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/inspector/#next-stage "Direct link to Next stage") This is the currently planned next stage. If you have stage bindings configured to `Evaluate when flow is planned`\_`, then you will see the result here. If, however, you have them configured to re-evaluate (`Evaluate when stage is run\`), then this will not show up here, since the results will vary based on your input. Shown is the name and kind of the stage, as well as the unique ID. #### Plan history[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/inspector/#plan-history "Direct link to Plan history") Here you can see an overview of which stages have run, which is currently active, and which is planned to come next. Same caveats as above apply. #### Current plan context[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/inspector/#current-plan-context "Direct link to Current plan context") This shows you the current context. This will contain fields depending on the same, after an identification stage for example you would see "pending\_user" defined. This data is not cleaned, so if your flow involves inputting a password, it will be shown here too. #### Session ID[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/inspector/#session-id "Direct link to Session ID") The unique ID for the currently used session. This can be used to debug issues with flows restarting/losing state. * [Access the Flow Inspector](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/inspector/#access-the-flow-inspector) * [Manually running a flow with the inspector](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/inspector/#manually-running-a-flow-with-the-inspector) * [Flow Inspector Details](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/inspector/#flow-inspector-details) --- # User settings | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/executors/user-settings/#__docusaurus_skipToContent_fallback) The user interface (/if/user/) uses a specialized flow executor to allow individual users to customize their profile. A user's profile consists of key/value fields, so this executor only supports Prompt or User Write stages. If the configured flow contains another stage, a button will be shown to open the default executor. Because the stages in a flow can change during its execution, be aware that configuring this executor to use any stage type other than Prompt or User Write will automatically trigger a redirect to the standard executor. An admin can customize which fields can be changed by the user by updating the default-user-settings-flow, or copying it to create a new flow with a Prompt Stage and a User Write Stage. Different variants of your flow can be applied to different [Brands](https://docs.goauthentik.io/brands/) on the same authentik instance. --- # Simplified flow executor | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/executors/sfe/#__docusaurus_skipToContent_fallback) A simplified web-based flow executor that authentik automatically uses for older browsers that do not support modern web technologies. Currently this flow executor is automatically used for the following browsers: * Internet Explorer * Microsoft Edge (up to and including version 18) The following stages are supported: * [**Identification stage**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/) info Only user identifier and user identifier + password stage configurations are supported; sources and passwordless configurations are not supported. * [**Password stage**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/password/) * [**Authenticator Validation Stage**](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/) Compared to the [default flow executor](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/executors/if-flow/) , this flow executor does _not_ support the following features: * Localization * Theming (Dark / light themes) * Theming (Custom CSS) * Stages not listed above * Flow inspector --- # Stages | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/#__docusaurus_skipToContent_fallback) On this page Stages are one of the fundamental building blocks in authentik, along with [flows](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/) and [policies](https://docs.goauthentik.io/customize/policies/) . A stage represents a single verification or logic step within a flow. You can bind one or more stages to a flow to create a customized, flexible login and authentication process. In the following diagram of the `default-authentication-flow`, you see multiple stages, or steps, in the authentication process for a user. Policies are bound to some stages; this provides for dynamic application of a specific stage _if_ the policy criteria is met. Create a Stage[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/#create-a-stage "Direct link to Create a Stage") ----------------------------------------------------------------------------------------------------------------------------------- To create a stage, follow these steps: 1. Log in as an admin to authentik, and go to the Admin interface. 2. In the Admin interface, navigate to **Flows and Stages > Stages**. 3. Click **Create**, define the stage using the configuration settings, and then click **Finish**. After creating the stage, you can then [bind the stage to a flow](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/#bind-a-stage-to-a-flow) or [bind a policy to the stage](https://docs.goauthentik.io/customize/policies/working_with_policies/) (the policy determines whether or not the stage will be implemented in the flow). Bind a stage to a flow[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/#bind-a-stage-to-a-flow "Direct link to Bind a stage to a flow") ----------------------------------------------------------------------------------------------------------------------------------------------------------- To bind a stage to a flow, follow these steps: 1. Log in as an admin to authentik, and go to the Admin interface. 2. In the Admin interface, navigate to **Flows and Stages > Flows**. 3. In the list of flows, click the name of the flow to which you want to bind one or more stages. 4. On the Flow page, click the **Stage Bindings** tab at the top. 5. Here, you can decide if you want to create a new stage and bind it to the flow (**Create and bind Stage**), or if you want to select an existing stage and bind it to the flow (**Bind existing stage**). Bind users and groups to a flow's stage binding[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/#bind-users-and-groups-to-a-flows-stage-binding "Direct link to Bind users and groups to a flow's stage binding") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- You can use bindings to determine whether or not a stage is presented to a single user or any users within a group. You do this by binding the user or group to a stage binding within a specific flow. For example, if you have a flow that contains a stage that prompts the user for multi-factor authentication, but you only want certain users to see this stage (and fulfill the MFA prompt), then you would bind the appropriate group (or single user) to the stage binding for that flow. To bind a user or a group to a stage binding for a specific flow, follow these steps: 1. Log in as an admin to authentik, and go to the Admin interface. 2. In the Admin interface, navigate to **Flows and Stages > Flows**. 3. In the list of flows, click the name of the flow to which you want to bind one or more stages. 4. On the Flow page, click the **Stage Bindings** tab at the top. 5. Locate the stage binding to which you want to bind a user or group, and then **click the caret (>) to expand the stage binding details.** ![](https://docs.goauthentik.io/assets/images/edit_stage_binding-396a9d11ffeb883e9ba46a40672c29b3.png) 6. In the expanded area, click **Bind existing policy/group/user**. 7. In the **Create Binding** box, select either the tab for **Group** or **User**. 8. In the drop-down list, select the group or user. 9. Optionally, configure additional settings for the binding, and then click **Create** to create the binding and close the box. Learn more about [bindings](https://docs.goauthentik.io/add-secure-apps/flows-stages/bindings/) and [working with them](https://docs.goauthentik.io/add-secure-apps/flows-stages/bindings/work_with_bindings/) . * [Create a Stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/#create-a-stage) * [Bind a stage to a flow](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/#bind-a-stage-to-a-flow) * [Bind users and groups to a flow's stage binding](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/#bind-users-and-groups-to-a-flows-stage-binding) --- # Email Authenticator Setup stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_email/#__docusaurus_skipToContent_fallback) On this page This stage configures an email-based authenticator that sends a one-time code to a user's email address for authentication. When a user goes through a flow that includes this stage, they are prompted for their email address (if not already set). The user then receives an email with a one-time code, which they enter into the authentik Login panel. The email address will be saved and can be used with the [Authenticator validation](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/) stage for future authentications. Flow integration[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_email/#flow-integration "Direct link to Flow integration") ------------------------------------------------------------------------------------------------------------------------------------------------------------- To use the Email Authenticator Setup stage in a flow, follow these steps: 1. [Create](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/#create-a-custom-flow) a new flow or edit an existing one. 2. On the flow's **Stage Bindings** tab, click **Create and bind stage** to create and add the Email Authenticator Setup stage. (If the stage already exists, click **Bind existing stage**.) 3. Configure the stage settings as described below. * **Name**: provide a descriptive name, such as Email Authenticator Setup. * **Authenticator type name**: define the display name for this stage. * **Use global connection settings**: the stage can be configured in two ways: global settings or stage-specific settings. * Enable (toggle on) the **Use global connection settings** option to use authentik's global email configuration. Note that you must already have configured your environment variables to use the global settings. See instructions for [Docker Compose](https://docs.goauthentik.io/install-config/install/docker-compose/#email-configuration-optional-but-recommended) and for [Kubernetes](https://docs.goauthentik.io/install-config/install/kubernetes/#email-configuration-optional-but-recommended) . * If you need different email settings for this stage, disable (toggle off) **Use global connection settings** and configure the following options: * **Connection settings**: * **SMTP Host**: SMTP server hostname (default: localhost) * **SMTP Port**: SMTP server port number(default: 25) * **SMTP Username**: SMTP authentication username (optional) * **SMTP Password**: SMTP authentication password (optional) * **Use TLS**: Enable TLS encryption * **Use SSL**: Enable SSL encryption * **Timeout**: Connection timeout in seconds (default: 10) * **From Address**: Email address that messages are sent from (default: [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#65161c16110008250410110d000b110c0e4b090a060409) ) * **Stage-specific settings**: * **Subject**: Email subject line (default: "authentik Sign-in code") * **Token Expiration**: Time in minutes that the sent token is valid (default: 30) * **Configuration flow**: select the flow to which you are binding this stage. 4. Click **Update** to complete the creation and binding of the stage to the flow. The new Email Authenticator Setup stage now appears on the **Stage Bindings** tab for the flow. * [Flow integration](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_email/#flow-integration) --- # Duo Authenticator Setup stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_duo/#__docusaurus_skipToContent_fallback) On this page This stage configures a Duo authenticator. To get the API Credentials for this stage, open your Duo Admin dashboard. Go to Applications, click on Protect an Application and search for "Auth API". Click on Protect. Copy all of the integration key, secret key and API hostname, and paste them in the Stage form. Devices created reference the stage they were created with, since the API credentials are needed to authenticate. This also means when the stage is deleted, all devices are removed. Importing users[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_duo/#importing-users "Direct link to Importing users") -------------------------------------------------------------------------------------------------------------------------------------------------------- info Due to the way the Duo API works, authentik can only automatically import existing Duo users when a Duo MFA or higher license is active. To import a device, open the Stages list in the authentik Admin interface. On the right next to the import button you'll see an import button, with which you can import Duo devices to authentik users. The Duo username can be found by navigating to your Duo Admin dashboard and selecting _Users_ in the sidebar. Optionally if you have multiple users with the same username, you can click on a User and copy their ID from the URL, and use that to import the device. ### Older versions[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_duo/#older-versions "Direct link to Older versions") You can call the `/api/v3/stages/authenticator/duo/{stage_uuid}/import_devices/` endpoint ([see here](https://goauthentik.io/api/#post-/stages/authenticator/duo/-stage_uuid-/import_devices/) ) using the following parameters: * `duo_user_id`: The Duo User's ID. This can be found in the Duo Admin Portal, navigating to the user list and clicking on a single user. Their ID is shown in th URL. * `username`: The authentik user's username to assign the device to. Additionally, you need to pass `stage_uuid` which is the `authenticator_duo` stage, in which you entered your API credentials. * [Importing users](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_duo/#importing-users) * [Older versions](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_duo/#older-versions) --- # Google Chrome Device Trust Authenticator Stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/#__docusaurus_skipToContent_fallback) On this page With this stage, authentik can validate users' Chrome browsers and ensure that users' devices are compliant and up-to-date. Support for the Chrome Enterprise Device Trust connector allows organizations to integrate Chrome browsers and ChromeOS devices with authentik as the Identity Provider (IdP), to strengthen their overall security posture. Device Trust is particularly important in environments with many different device types that are used by a large, remote workforce that might have a BYOD (Bring Your Own Device) policy, or have large teams of of contractors, temporary workers, or volunteers. With Device Trust you can enable "context-aware" access policies; for example a policy might require that a device has all security patches installed. info This stage only works with Google Chrome, as it relies on the [Chrome Verified Access API](https://developers.google.com/chrome/verified-access) . Configuration[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/#configuration "Direct link to Configuration") ------------------------------------------------------------------------------------------------------------------------------------------------------------ The main steps to set up your Google workspace are as follows: * [Configuration](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/#configuration) * [Create a Google cloud project](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/#create-a-google-cloud-project) * [Create a service account](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/#create-a-service-account) * [Set credentials for the service account](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/#set-credentials-for-the-service-account) * [Create the stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/#create-the-stage) For detailed instructions, refer to Google documentation. ### Create a Google cloud project[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/#create-a-google-cloud-project "Direct link to Create a Google cloud project") 1. Open the Google Cloud Console ([https://cloud.google.com/cloud-console](https://cloud.google.com/cloud-console) ). 2. In upper left, click the drop-down box to open the **Select a project** box, and then select **New Project**. 3. Create a new project and give it a name like "authentik GWS". 4. Use the search bar at the top of your new project page to search for "API Library". 5. On the **API Library** page, use the search bar again to find "Chrome Verified Access API". 6. On the **Chrome Verified Access API** page, click **Enable**. ### Create a service account[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/#create-a-service-account "Direct link to Create a service account") 1. After the new Chrome Verified Access API is enabled (it might take a few minutes), return to the Google Cloud console home page (click on **Google Cloud** in upper left). 2. Use the search bar to find and navigate to the **IAM** page. 3. On the **IAM** page, click **Service Accounts** in the left navigation pane. 4. At the top of the **Service Accounts** page, click **Create Service Account**. * Under **Service account details** page, define the **Name** and **Description** for the new service account, and then click **Create and Continue**. * Under **Grant this service account access to project** you do not need to define a role, so click **Continue**. * Under **Grant users access to project** you do not need to define a role, so click **Done** to complete the creation of the service account. ### Set credentials for the service account[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/#set-credentials-for-the-service-account "Direct link to Set credentials for the service account") 1. On the **Service accounts** page, click the account that you just created. 2. Click the **Keys** tab at top of the page, the click **Add Key > Create new key**. 3. In the Create box, select JSON as the key type, and then click **Create**. A pop-up displays with the private key, and the key is saved to your computer as a JSON file. Later, when you create the stage in authentik, you will add this key in the **Credentials** field. 4. On the service account page, click the **Details** tab, and expand the **Advanced settings** area. 5. Log in to the Admin Console, and then navigate to **Chrome browser > Connectors**. 6. Click on **New Provider Configuration**. 7. Under Universal Device Trust, click "Set up". 8. Enter a name. 9. Enter the URL: [https://authentik.company/endpoint/gdtc/chrome/](https://authentik.company/endpoint/gdtc/chrome/) 10. Under Service accounts, enter the full name of the service account created above, for example `authentik-gdtc-docs@authentik-enterprise-dev.iam.gserviceaccount.com`. ### Create the stage[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/#create-the-stage "Direct link to Create the stage") 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Flows > Stages**. 3. Click **Create**, and select **Endpoint Authenticator Google Device Trust Connector Stage**, and in the **New stage** box, define the following fields: * **Name**: define a descriptive name, such as "chrome-device-trust". * **Google Verified Access API** * **Credentials**: paste the contents of the JSON file (the key) that you downloaded earlier. 4. Click **Finish**. After creating the stage, it can be used in any flow. Compared to other Authenticator stages, this stage does not require enrollment. Instead of adding an [Authenticator Validation Stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/) , this stage only verifies the users' browser. * [Configuration](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/#configuration) * [Create a Google cloud project](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/#create-a-google-cloud-project) * [Create a service account](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/#create-a-service-account) * [Set credentials for the service account](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/#set-credentials-for-the-service-account) * [Create the stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/#create-the-stage) --- # Static Authenticator Setup stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_static/#__docusaurus_skipToContent_fallback) This stage configures static Tokens, which can be used as a backup method to time-based OTP tokens. You can configure how many tokens are shown to the user. --- # TOTP Authenticator Setup stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_totp/#__docusaurus_skipToContent_fallback) This stage configures a time-based OTP Device, such as Google Authenticator or Authy. You can configure how many digits should be used for the OTP Token. The Config URL's Issuer is set based on the currently active brand's branding title. The default setup can cause issues if the same username is used on multiple authentik issues within the same authenticator app, so changing the brand title is recommended. --- # SMS Authenticator Setup stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/#__docusaurus_skipToContent_fallback) On this page This stage configures an SMS-based authenticator using either Twilio, or a generic HTTP endpoint. Providers[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/#providers "Direct link to Providers") -------------------------------------------------------------------------------------------------------------------------------------- ### Twilio[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/#twilio "Direct link to Twilio") Navigate to [https://console.twilio.com/](https://console.twilio.com/) , and log in to your existing account, or create a new one. In the sidebar, navigate to _Explore Products_, then _Messaging_, and _Services_ below that. Click on _Create Messaging Service_ to create a new set of API credentials. Give the service a Name, and select _Verify users_ as a use-case. In the next step, add an address from your Sender Pool. Instructions on how to create numbers are not covered here, please check the Twilio documentation [here](https://www.twilio.com/docs) . The other two steps can be skipped using the _Skip setup_ button. Navigate back to the root of your Twilio console, and copy the Auth token. This is the value for the _Twilio Auth Token_ field in authentik. Copy the value of **Account SID**. This is the value for the _Twilio Account SID_ field in authentik. #### Custom SMS message authentik: 2025.8.0+[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/#custom-sms-message- "Direct link to custom-sms-message-") Using a property mapping, it is possible to customize the SMS message sent via Twilio. The mapping should return a dictionary with the `message` key, which will be sent to the user. For example: return { "message": f"This is a custom message for {request.http_request.brand.branding_title} SMS authentication. The code is {token}".} Variables related to different objects can be used within the message: * The end user device, for example: `device.phone_number` * The stage sending the message, for example: `stage.from_number` * The request this verification code is being sent from, for example: `request.http_request.brand` ### Generic[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/#generic "Direct link to Generic") For the generic provider, a POST request will be sent to the URL you have specified in the _External API URL_ field. The request payload looks like this { "From": "", "To": "", "Body": ",} Authentication can either be done as HTTP Basic, or via a Bearer Token. Any response with status 400 or above is counted as failed, and will prevent the user from proceeding. #### Custom SMS message[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/#custom-sms-message "Direct link to Custom SMS message") A custom webhook mapping can be used to customize the SMS message sent to users. For example: return { "from": stage.from_number, "to": device.phone_number, "body": f"foo bar baz {token}".} Verify only[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/#verify-only "Direct link to Verify only") -------------------------------------------------------------------------------------------------------------------------------------------- To only verify the validity of a users' phone number, without saving it in an easily accessible way, you can enable this option. Phone numbers from devices enrolled through this stage will only have their hashed phone number saved. These devices can also not be used with the [Authenticator validation](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/) stage. Limiting phone numbers[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/#limiting-phone-numbers "Direct link to Limiting phone numbers") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- To limit phone numbers (for example to a specific region code), you can create an expression policy to validate the phone number, and use a prompt stage for input. ### Expression policy[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/#expression-policy "Direct link to Expression policy") Create an expression policy to check the phone number: # Trim all whitespace in and around the user inputphone_number = regex_replace(request.context["prompt_data"]["phone"], r'\s+', '')# Only allow a specific region codeif phone_number.startswith("+1234"): return Trueak_message("Invalid phone number or missing region code")return False ### Prompt stage[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/#prompt-stage "Direct link to Prompt stage") Create a text prompt field with the _field key_ set to `phone`. Make sure it is selected as a required field. Create a prompt stage with the phone field you created above, and select the expression policy created above as validation policy. ### Flow[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/#flow "Direct link to Flow") Create a new flow to enroll SMS devices. Bind the prompt stage created above as first stage, and create/bind a _SMS Authenticator Setup Stage_, and bind it to the flow as second stage. This stage will see the `phone` field in the flow's context's `prompt_data`, and not prompt the user for a phone number. * [Providers](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/#providers) * [Twilio](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/#twilio) * [Generic](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/#generic) * [Verify only](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/#verify-only) * [Limiting phone numbers](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/#limiting-phone-numbers) * [Expression policy](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/#expression-policy) * [Prompt stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/#prompt-stage) * [Flow](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/#flow) --- # Authenticator Validation stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/#__docusaurus_skipToContent_fallback) On this page This stage validates an already configured Authenticator Device. This device has to be configured using any of the other authenticator stages: * [Duo authenticator stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_duo/) * [Email authenticator stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_email/) * [SMS authenticator stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_sms/) * [Static authenticator stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_static/) * [TOTP authenticator stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_totp/) * [WebAuthn authenticator stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_webauthn/) You can select which type of device classes are allowed. Using the `Not configured action`, you can choose what happens when a user does not have any matching devices. * Skip: Validation is skipped and the flow continues * Deny: Access is denied, the flow execution ends * Configure: This option requires a _Configuration stage_ to be set. The validation stage will be marked as successful, and the configuration stage will be injected into the flow. By default, authenticator validation is required every time the flow containing this stage is executed. To only change this behavior, set _Last validation threshold_ to a non-zero value. (Requires authentik 2022.5) Keep in mind that when using Code-based devices (TOTP, Static and SMS), values lower than `seconds=30` cannot be used, as with the way TOTP devices are saved, there is no exact timestamp. ### Options[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/#options "Direct link to Options") #### Less-frequent validation[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/#less-frequent-validation "Direct link to Less-frequent validation") You can configure this stage to only ask for MFA validation if the user hasn't authenticated themselves within a defined time period. To configure this, set _Last validation threshold_ to any non-zero value. Any of the users devices within the selected classes are checked. #### Passwordless authentication[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/#passwordless-authentication "Direct link to Passwordless authentication") caution Firefox has some known issues regarding TouchID (see [https://bugzilla.mozilla.org/show\_bug.cgi?id=1536482](https://bugzilla.mozilla.org/show_bug.cgi?id=1536482) ) Passwordless authentication currently only supports WebAuthn devices, which provides for the use of passkeys, security keys and biometrics. For an alternate passwordless setup, see [Password stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/password/#passwordless-login) , which supports other types. To configure passwordless authentication, create a new Flow with the designation set to _Authentication_. As first stage, add an _Authenticator validation_ stage, with the WebAuthn device class allowed. After this stage you can bind any additional verification stages. As final stage, bind a _User login_ stage. Users can either access this flow directly via its URL, or you can modify any Identification stage's _Passwordless flow_ setting to add a direct link to this flow. #### Logging[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/#logging "Direct link to Logging") Logins which used Passwordless authentication have the _auth\_method_ context variable set to `auth_webauthn_pwl`, and the device used is saved in the arguments. Example: { "auth_method": "auth_webauthn_pwl", "http_request": { "args": { "query": "" }, "path": "/api/v3/flows/executor/test/", "method": "GET" }, "auth_method_args": { "device": { "pk": 1, "app": "authentik_stages_authenticator_webauthn", "name": "test device", "model_name": "webauthndevice" } }} #### WebAuthn Device type restrictionsauthentik: 2024.4.0+[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/#webauthn-device-type-restrictions "Direct link to webauthn-device-type-restrictions") Optionally restrict which WebAuthn device types can be used to authenticate. When no restriction is set, all WebAuthn devices a user has registered are allowed. These restrictions only apply to WebAuthn devices created with authentik 2024.4 or later. #### Automatic device selection[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/#automatic-device-selection "Direct link to Automatic device selection") If the user has more than one device, the user is prompted to select which device they want to use for validation. After the user successfully authenticates with a certain device, that device is marked as "last used". In subsequent prompts by the Authenticator validation stage, the last used device is automatically selected for the user. Should they wish to use another device, the user can return to the device selection screen. * [Options](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/#options) --- # WebAuthn / FIDO2 / Passkeys Authenticator setup stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_webauthn/#__docusaurus_skipToContent_fallback) On this page This stage configures an authenticator stage for using WebAuthn, FIDO2, Passkeys. This stage supports: * **Security Keys**: Physical devices like YubiKey, Google Titan, etc. * **Platform Authenticators**: Built-in authenticators like Windows Hello, Touch ID, Face ID * **Mobile Devices**: Using device biometrics or security keys via mobile browsers ### Options[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_webauthn/#options "Direct link to Options") #### User verification[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_webauthn/#user-verification "Direct link to User verification") Configure if authentik should require, prefer or discourage user verification for the authenticator. For example when using a virtual authenticator like Windows Hello, this setting controls if a PIN is required. #### Resident key requirement[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_webauthn/#resident-key-requirement "Direct link to Resident key requirement") Configure if the created authenticator is stored in the encrypted memory on the device or in persistent memory. When configuring [passwordless login](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#passwordless-flow) , this should be set to either _Preferred_ or _Required_, otherwise the authenticator cannot be used for passwordless authentication. #### Authenticator Attachment[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_webauthn/#authenticator-attachment "Direct link to Authenticator Attachment") Configure if authentik will require either a removable device (like a YubiKey, Google Titan, etc) or a non-removable device (like Windows Hello, TouchID or password managers), or not send a requirement. #### Device type restrictionsauthentik: 2024.4.0+[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_webauthn/#device-type-restrictions "Direct link to device-type-restrictions") Optionally restrict the types of devices allowed to be enrolled. This option can be used to ensure users are only able to enroll FIPS-compliant devices for example. When no restrictions are selected, all device types are allowed. As authentik does not know of all possible device types, it is possible to select the special option `authentik: Unknown devices` to allow unknown devices. * [Options](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_webauthn/#options) --- # Deny stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/deny/#__docusaurus_skipToContent_fallback) This stage stops the execution of a flow. This can be used to conditionally deny users access to a flow, even if they are not signed in (and permissions can't be checked via groups). caution To effectively use this stage, make sure _Evaluate when flow is planned_ is **disable** on the Stage binding. --- # Captcha stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/captcha/#__docusaurus_skipToContent_fallback) On this page This stage adds a form of verification using [Google's reCAPTCHA](https://www.google.com/recaptcha/intro/v3.html) or compatible services. Currently supported implementations: * [Google reCAPTCHA](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/captcha/#google-recaptcha) * [hCaptcha](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/captcha/#hcaptcha) * [Cloudflare Turnstile](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/captcha/#cloudflare-turnstile) Captcha provider configuration[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/captcha/#captcha-provider-configuration "Direct link to Captcha provider configuration") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Google reCAPTCHA[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/captcha/#google-recaptcha "Direct link to Google reCAPTCHA") This stage has two required fields: Public key and private key. These can both be acquired at [https://www.google.com/recaptcha/admin](https://www.google.com/recaptcha/admin) . ![](https://docs.goauthentik.io/assets/images/captcha-admin-216c406df72910e36386aaa7fcbf26c0.png) #### Configuration options[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/captcha/#configuration-options "Direct link to Configuration options") * Interactive: Enabled when using reCAPTCHA v3 * Score minimum threshold: `0.5` * Score maximum threshold: `1` * JS URL: `https://www.recaptcha.net/recaptcha/api.js` * API URL: `https://www.recaptcha.net/recaptcha/api/siteverify` ### hCaptcha[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/captcha/#hcaptcha "Direct link to hCaptcha") See [https://docs.hcaptcha.com/switch](https://docs.hcaptcha.com/switch) #### Configuration options[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/captcha/#configuration-options-1 "Direct link to Configuration options") * Interactive: Enabled * JS URL: `https://js.hcaptcha.com/1/api.js` * API URL: `https://api.hcaptcha.com/siteverify` **Score options only apply to hCaptcha Enterprise** * Score minimum threshold: `0` * Score maximum threshold: `0.5` ### Cloudflare Turnstile[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/captcha/#cloudflare-turnstile "Direct link to Cloudflare Turnstile") See [https://developers.cloudflare.com/turnstile/get-started/migrating-from-recaptcha](https://developers.cloudflare.com/turnstile/get-started/migrating-from-recaptcha) . #### Configuration options[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/captcha/#configuration-options-2 "Direct link to Configuration options") 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Flows and Stages** > **Stages** and click **Create**. 3. Select **Captcha Stage** and click **Next**. 4. Provide a descriptive name for the stage (e.g. `authentication-captcha`) and configure the following required settings based on the values of your [Cloudflare Turnstile Widget](https://developers.cloudflare.com/turnstile/concepts/widget/) : * Under **Stage-specific settings**: * **Public Key**: set to the **Turnstile Site Key** value from the widget. * **Private Key**: set to the **Turnstile Secret Key** value from the widget. * **Enable Interactive**: Enable this option if the Turnstile instance is configured as **Invisible** or **Managed**. * Leave both score thresholds at their default, as they are not supported for Turnstile. * JS URL: `https://challenges.cloudflare.com/turnstile/v0/api.js` * API URL: `https://challenges.cloudflare.com/turnstile/v0/siteverify` **Score options do not apply when using with turnstile** * [Captcha provider configuration](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/captcha/#captcha-provider-configuration) * [Google reCAPTCHA](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/captcha/#google-recaptcha) * [hCaptcha](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/captcha/#hcaptcha) * [Cloudflare Turnstile](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/captcha/#cloudflare-turnstile) --- # Identification stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#__docusaurus_skipToContent_fallback) On this page This stage provides a ready-to-go form for users to identify themselves. User Fields[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#user-fields "Direct link to User Fields") ----------------------------------------------------------------------------------------------------------------------------------------- Select which fields the user can use to identify themselves. Multiple fields can be selected. If no fields are selected, only sources will be shown. * Username * Email * UPN UPN will attempt to identify the user based on the `upn` attribute, which can be imported with an [LDAP Source](https://docs.goauthentik.io/users-sources/sources/protocols/ldap/) Password stage[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#password-stage "Direct link to Password stage") -------------------------------------------------------------------------------------------------------------------------------------------------- To prompt users for their password on the same step as identifying themselves, a Password stage can be selected here. If a Password stage is selected in the Identification stage, the Password stage should not be bound to the flow. CAPTCHA stage[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#captcha-stage "Direct link to CAPTCHA stage") ----------------------------------------------------------------------------------------------------------------------------------------------- warning The CAPTCHA stage you use must be configured to use the "Invisible" mode, otherwise the widget will be rendered incorrectly. To run a CAPTCHA process in the background while the user is entering their identification, a CAPTCHA stage can be selected here. If a CAPTCHA stage is selected in the Identification stage, the CAPTCHA stage should not be bound to the flow. Enrollment/Recovery Flow[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#enrollmentrecovery-flow "Direct link to Enrollment/Recovery Flow") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- These fields specify if and which flows are linked on the form. The enrollment flow is linked as `Need an account? Sign up.`, and the recovery flow is linked as `Forgot username or password?`. Pretend user existsauthentik: 2024.2.0+[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#pretend-user-exists "Direct link to pretend-user-exists") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- When enabled, any user identifier will be accepted as valid (as long as they match the correct format, i.e. when [User fields](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#user-fields) is set to only allow Emails, then the identifier still needs to be an Email). The stage will succeed and the flow will continue to the next stage. Stages like the [Password stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/password/) and [Email stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/) are aware of this "pretend" user and will behave the same as if the user would exist. Enable "Remember me on this device"authentik: 2025.4.0+[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#enable-remember-me-on-this-device "Direct link to enable-remember-me-on-this-device") --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- When enabled, users will be given the option at login of having their username stored on the device. If selected, on future logins this stage will automatically fill in the username and fast-forward to the password field. Users will still have the options of clicking "Not you?" and going back to provide a different username or disable this feature. Source settings[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#source-settings "Direct link to Source settings") ----------------------------------------------------------------------------------------------------------------------------------------------------- Some sources (like the [OAuth Source](https://docs.goauthentik.io/users-sources/sources/protocols/oauth/) and [SAML Source](https://docs.goauthentik.io/users-sources/sources/protocols/saml/) ) require user interaction. To make these sources available to users, they can be selected in the Identification stage settings, which will show them below the selected [user field](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#user-fields) . By default, sources are only shown with their icon, which can be changed with the _Show sources' labels_ option. Furthermore, it is also possible to deselect any [user field option](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#user-fields) for an Identification stage, which will result in users only being able to use currently configured sources. info Starting with authentik 2023.5, when no user fields are selected and only one source is selected, authentik will automatically redirect the user to that source. This only applies when the **Passwordless flow** option is _not_ configured. Flow settings[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#flow-settings "Direct link to Flow settings") ----------------------------------------------------------------------------------------------------------------------------------------------- ### Passwordless flow[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#passwordless-flow "Direct link to Passwordless flow") See [Passwordless authentication](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/#passwordless-authentication) . ### Enrollment flow[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#enrollment-flow "Direct link to Enrollment flow") Optionally can be set to a flow with the designation of _Enrollment_, which will allow users to sign up. ### Recovery flow[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#recovery-flow "Direct link to Recovery flow") Optionally can be set to a flow with the designation of _Recovery_, which will allow users to recover their credentials. * [User Fields](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#user-fields) * [Password stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#password-stage) * [CAPTCHA stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#captcha-stage) * [Enrollment/Recovery Flow](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#enrollmentrecovery-flow) * [Pretend user exists](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#pretend-user-exists) * [Enable "Remember me on this device"](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#enable-remember-me-on-this-device) * [Source settings](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#source-settings) * [Flow settings](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#flow-settings) * [Passwordless flow](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#passwordless-flow) * [Enrollment flow](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#enrollment-flow) * [Recovery flow](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#recovery-flow) --- # Kubernetes | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/kubernetes/#__docusaurus_skipToContent_fallback) On this page The kubernetes integration will automatically deploy outposts on any Kubernetes Cluster. This integration has the advantage over manual deployments of automatic updates (whenever authentik is updated, it updates the outposts), and authentik can (in a future version) automatically rotate the token that the outpost uses to communicate with the core authentik server. This integration creates the following objects: * Deployment for the outpost container * Service * Secret to store the token * Prometheus ServiceMonitor (if the Prometheus Operator is installed in the target cluster) * Ingress (only Proxy outposts) * HTTPRoute (only Proxy outposts, when the Gateway API resources are installed in the target cluster, and the `kubernetes_httproute_parent_refs` setting is set, see below) * Traefik Middleware (only Proxy outposts with forward auth enabled) The following outpost settings are used: * `object_naming_template`: Configures how the container is called * `container_image`: Optionally overwrites the standard container image (see [Configuration](https://docs.goauthentik.io/install-config/configuration/) to configure the global default) * `kubernetes_replicas`: Replica count for the deployment of the outpost * `kubernetes_namespace`: Namespace to deploy in, defaults to the same namespace authentik is deployed in (if available) * `kubernetes_ingress_annotations`: Any additional annotations to add to the ingress object, for example cert-manager * `kubernetes_ingress_secret_name`: Name of the secret that is used for TLS connections, can be empty to disable TLS config * `kubernetes_ingress_class_name`: Optionally set the ingress class used for the generated ingress, requires authentik 2022.11.0 * `kubernetes_httproute_parent_refs`: Define which Gateways the HTTPRoute wants to be attached to. * `kubernetes_httproute_annotations`: Any additional annotations to add to the HTTPRoute object * `kubernetes_service_type`: Service kind created, can be set to LoadBalancer for LDAP outposts for example * `kubernetes_disabled_components`: Disable any components of the kubernetes integration, can be any of * 'secret' * 'deployment' * 'service' * 'prometheus servicemonitor' * 'ingress' * 'traefik middleware' * 'httproute' * `kubernetes_image_pull_secrets`: If the above docker image is in a private repository, use these secrets to pull. (NOTE: The secret must be created manually in the namespace first.) * `kubernetes_json_patches`: Applies an RFC 6902 compliant JSON patch to the Kubernetes objects. Permissions[​](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/kubernetes/#permissions "Direct link to Permissions") --------------------------------------------------------------------------------------------------------------------------------------- The permissions required for this integration are documented in the helm chart. See [Cluster-level](https://github.com/goauthentik/helm/blob/main/charts/authentik-remote-cluster/templates/clusterrolebinding.yaml) and [Namespace-level](https://github.com/goauthentik/helm/blob/main/charts/authentik-remote-cluster/templates/rolebinding.yaml) . Remote clusters[​](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/kubernetes/#remote-clusters "Direct link to Remote clusters") --------------------------------------------------------------------------------------------------------------------------------------------------- To add a remote cluster, you can simply install this helm chart in the target cluster and namespace: [https://artifacthub.io/packages/helm/goauthentik/authentik-remote-cluster](https://artifacthub.io/packages/helm/goauthentik/authentik-remote-cluster) After installation, the helm chart outputs an example kubeconfig file, that you can enter in authentik to connect to the cluster. * [Permissions](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/kubernetes/#permissions) * [Remote clusters](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/kubernetes/#remote-clusters) --- # Invitation stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/invitation/#__docusaurus_skipToContent_fallback) This stage can be used to invite users. You can use this to enroll users with preset values. If the option `Continue Flow without Invitation` is enabled, this stage will continue even when no invitation token is present. To check if a user has used an invitation within a policy, you can check `request.context.get("invitation_in_effect", False)`. To use an invitation, use the URL `https://authentik.tld/if/flow/your-enrollment-flow/?itoken=invitation-token`. You can also prompt the user for an invite by using the [_Prompt stage_](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/) by using a field with a field key of `token`. --- # Email stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/#__docusaurus_skipToContent_fallback) On this page This stage can be used for email verification. authentik's background worker will send an email using the specified connection details. When an email can't be delivered, authentik automatically retries periodically. You can also configure rate-limiting for emails requested by users. See the [configure rate limiting](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/#configure-rate-limiting-for-emails) section for more information. For information about creating a stage, refer to our [documentation](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/#create-a-stage) . Behaviour[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/#behaviour "Direct link to Behaviour") -------------------------------------------------------------------------------------------------------------------------- By default, the email is sent to the currently pending user. To override this, you can set `email` in the plan's context to another email address, which will override the user's email address (the user won't be changed). For example, create this [expression policy](https://docs.goauthentik.io/customize/policies/expression/) and bind it to the email stage: request.context["flow_plan"].context["email"] = "[email protected]"# Or get it from a prompt# request.context["flow_plan"].context["email"] = request.context["prompt_data"]["email"]# Or another user attribute# request.context["flow_plan"].context["email"] = request.context["pending_user"].attributes.get("otherEmail")return True Configure rate limiting for emails[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/#configure-rate-limiting-for-emails "Direct link to Configure rate limiting for emails") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- You can configure the Email stage with _a maximum number of emails_ that can be sent within _a specified time period_. To configure the rate limiting for recovery emails use these two fields when you create or edit an Email stage: * **Account Recovery Max Attempts**: set the maximum number of emails to send. * **Account Recovery Cache Timeout**: specify the time window used to count recent recovery emails sent to the user (account recovery attempts). Custom Templates[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/#custom-templates "Direct link to Custom Templates") ----------------------------------------------------------------------------------------------------------------------------------------------- You can also use custom email templates, to use your own design or layout. info Starting with authentik 2024.2, it is possible to create `.txt` files with the same name as the `.html` template. If a matching `.txt` file exists, the email sent will be a multipart email with both the text and HTML template. * Docker Compose * Kubernetes Place any custom templates in the `custom-templates` Folder, which is in the same folder as your Compose file. Afterwards, you'll be able to select the template when creating/editing an Email stage. Create a ConfigMap with your email templates: apiVersion: v1kind: ConfigMapmetadata: name: authentik-templates namespace: authentikdata: my-template.html: | ... Then, in the helm chart add this to your `values.yaml` file: volumes: - name: email-templates configMap: name: authentik-templatesvolumeMounts: - name: email-templates mountPath: /templates info If you have added the line and created a file, and can't see it, check the worker logs using `docker compose logs -f worker` or `kubectl logs -f deployment/authentik-worker`. ![](https://docs.goauthentik.io/assets/images/custom_template-bf431915eeba58c0700fba60d7c36da8.png) ### Example template[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/#example-template "Direct link to Example template") Templates are rendered using Django's templating engine. The following variables can be used: * `url`: The full URL for the user to click on * `user`: The pending user object. * `expires`: The timestamp when the token expires. {# This is how you can write comments which aren't rendered. #}{# Extend this template from the base email template, which includes base layout and CSS. #}{% extends "email/base.html" %}{# Load the internationalization module to translate strings, and humanize to show date-time #}{% load i18n %}{% load humanize %}{# The email/base.html template uses a single "content" block #}{% block content %} {% blocktrans with username=user.username %} Hi {{ username }}, {% endblocktrans %}
{% trans 'You recently requested to change your password for you authentik account. Use the button below to set a new password.' %}
{% blocktrans with expires=expires|naturaltime %} If you did not request a password change, please ignore this Email. The link above is valid for {{ expires }}. {% endblocktrans %}
{% endblock %} * [Behaviour](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/#behaviour) * [Configure rate limiting for emails](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/#configure-rate-limiting-for-emails) * [Custom Templates](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/#custom-templates) * [Example template](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/#example-template) --- # Docker | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/docker/#__docusaurus_skipToContent_fallback) On this page The Docker integration automatically deploys and manages outpost containers using the Docker HTTP API. This integration has the advantage over manual deployments of automatic updates that whenever authentik is upgraded to a later version, it also upgrades the outposts. The following outpost settings are used: * `object_naming_template`: Configures how the container is called. * `container_image`: Optionally overwrites the standard container image (see [Configuration](https://docs.goauthentik.io/install-config/configuration/#authentik_outposts) to configure the global default). * `docker_network`: The Docker network the container should be added to. This needs to be modified if you plan to connect to authentik using the internal hostname. * `docker_map_ports`: Enable/disable the mapping of ports. When using a proxy outpost with Traefik for example, you might not want to bind ports as they are routed through Traefik. * `docker_labels`: Optional additional labels that can be applied to the container. The container is created with the following hardcoded properties: * Labels * `io.goauthentik.outpost-uuid`: Used by authentik to identify the container, and to allow for name changes. Additionally, the proxy outposts have the following extra labels to add themselves into Traefik automatically. * `traefik.enable`: "true" * `traefik.http.routers.ak-outpost--router.rule`: `Host(...)` * `traefik.http.routers.ak-outpost--router.service`: `ak-outpost--service` * `traefik.http.routers.ak-outpost--router.tls`: "true" * `traefik.http.services.ak-outpost--service.loadbalancer.healthcheck.path`: "/outpost.goauthentik.io/ping" * `traefik.http.services.ak-outpost--service.loadbalancer.healthcheck.port`: "9300" * `traefik.http.services.ak-outpost--service.loadbalancer.server.port`: "9000" Permissions[​](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/docker/#permissions "Direct link to Permissions") ----------------------------------------------------------------------------------------------------------------------------------- authentik requires the following permissions from the Docker API: * Images/Pull: authentik tries to pre-pull the custom image if one is configured, otherwise falling back to the default image. * Containers/Read: Gather infos about currently running container * Containers/Create: Create new containers * Containers/Kill: Cleanup during upgrades * Containers/Remove: Removal of outposts * System/Info: Gather information about the version of Docker running Docker Socket Proxy[​](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/docker/#docker-socket-proxy "Direct link to Docker Socket Proxy") ----------------------------------------------------------------------------------------------------------------------------------------------------------- Mounting the Docker socket to a container comes with some inherent security risks. Applications inside these containers have unfettered access to the full Docker API, which can be used to gain unauthorized access to sensitive Docker functions. It can also result in possible root escalation on the host system. To prevent this, many people use projects like [docker-socket-proxy](https://docs.linuxserver.io/images/docker-socket-proxy/) , which limit access to the Docker socket by filtering and restricting API calls that these applications can make. See [permissions](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/docker/#permissions) for the list of APIs that authentik needs access to. warning Connections from authentik to Docker socket proxy must be made over HTTP, not TCP, e.g. `http://:`. Remote hosts (TLS)[​](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/docker/#remote-hosts-tls "Direct link to Remote hosts (TLS)") ------------------------------------------------------------------------------------------------------------------------------------------------------ To connect remote hosts, follow this guide from Docker [Use TLS (HTTPS) to protect the Docker daemon socket](https://docs.docker.com/engine/security/protect-access/#use-tls-https-to-protect-the-docker-daemon-socket) to configure Docker. Afterwards, create two certificate-keypairs in authentik: * `Docker CA`, with the contents of `~/.docker/ca.pem` as Certificate * `Docker Cert`, with the contents of `~/.docker/cert.pem` as the certificate and `~/.docker/key.pem` as the private key. Create an integration with `Docker CA` as _TLS Verification Certificate_ and `Docker Cert` as _TLS Authentication Certificate_. Remote hosts (SSH)[​](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/docker/#remote-hosts-ssh "Direct link to Remote hosts (SSH)") ------------------------------------------------------------------------------------------------------------------------------------------------------ authentik can connect to remote Docker hosts using SSH. To configure this, create a new SSH keypair using these commands: # Generate the keypair itself, using RSA keys in the PEM formatssh-keygen -t rsa -f authentik -N "" -m pem# Generate a certificate from the private key, required by authentik.# The values that openssl prompts you for are not relevantopenssl req -x509 -sha256 -nodes -days 365 -out certificate.pem -key authentik You'll end up with three files: * `authentik.pub` is the public key, this should be added to the `~/.ssh/authorized_keys` file on the target host and user. * `authentik` is the private key, which should be imported into a Keypair in authentik. * `certificate.pem` is the matching certificate for the keypair above. Modify/create a new Docker integration, and set your _Docker URL_ to `ssh://hostname`, and select the keypair you created above as _TLS Authentication Certificate/SSH Keypair_. The _Docker URL_ field include a user, if none is specified authentik connects with the user `authentik`. #### Advanced SSH config[​](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/docker/#advanced-ssh-config "Direct link to Advanced SSH config") With the above configuration, authentik will create and manage an `~/.ssh/config` file. If you need advanced configuration, for example SSH Certificates, you can mount a custom SSH Config file. Mount the config file into `/authentik/.ssh/config`, and mount any other relevant files into a directory under `/opt`. Afterwards, create an integration using `ssh://hostname`, and don't select a keypair. * [Permissions](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/docker/#permissions) * [Docker Socket Proxy](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/docker/#docker-socket-proxy) * [Remote hosts (TLS)](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/docker/#remote-hosts-tls) * [Remote hosts (SSH)](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/docker/#remote-hosts-ssh) --- # Mutual TLS stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#__docusaurus_skipToContent_fallback) On this page The Mutual TLS stage enables authentik to use client certificates to enroll and authenticate users. These certificates can be local to the device or available via PIV Smart Cards, Yubikeys, etc. Use of trusted Certificate Authority For mTLS, note that you should NOT use a globally known CA. Using private PKI certificates that are trusted by the end-device is best practise. For example, using a Verisign certificate as a "known CA" means that ANYONE who has a certificate signed by them can authenticate via mTLS, and in addition you should implement [custom validation](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#auth_method-string) to prevent unauthorized access. Reverse-proxy configuration[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#reverse-proxy-configuration "Direct link to Reverse-proxy configuration") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Using the Mutual TLS stage requires special configuration of any reverse proxy that is used in front of authentik, because the reverse-proxy interacts directly with the browser. * nginx * [Standalone nginx](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#nginx-standalone) * [nginx kubernetes ingress](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#nginx-ingress) * Traefik * [Standalone Traefik](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#traefik-standalone) * [Traefik kubernetes ingress](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#traefik-ingress) * [envoy](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#envoy) * [No reverse proxy](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#no-reverse-proxy) #### nginx Standalone[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#nginx-standalone "Direct link to nginx Standalone") Add this configuration snippet in your authentik virtual host: # server { ssl_client_certificate /etc/ssl/path-to-my-ca.pem; ssl_verify_client on; # location / { proxy_set_header ssl-client-cert $ssl_client_escaped_cert; # }# } See [nginx documentation](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate) for reference. #### nginx Ingress[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#nginx-ingress "Direct link to nginx Ingress") Add these annotations to your authentik ingress object: nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"# This secret needs to contain `ca.crt` which is the certificate authority to validate against.nginx.ingress.kubernetes.io/auth-tls-secret: namespace/secretName See [ingress-nginx documentation](https://kubernetes.github.io/ingress-nginx/examples/auth/client-certs/) for reference. #### Traefik Standalone[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#traefik-standalone "Direct link to Traefik Standalone") Add this snippet to your traefik configuration: tls: options: default: clientAuth: # in PEM format. each file can contain multiple CAs. caFiles: - tests/clientca1.crt - tests/clientca2.crt clientAuthType: RequireAndVerifyClientCert See the [Traefik mTLS documentation](https://doc.traefik.io/traefik/https/tls/#client-authentication-mtls) for reference. #### Traefik Ingress[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#traefik-ingress "Direct link to Traefik Ingress") Create a middleware object with these options: apiVersion: traefik.io/v1alpha1kind: Middlewaremetadata: name: test-passtlsclientcertspec: passTLSClientCert: pem: true See the [Traefik PassTLSClientCert documentation](https://doc.traefik.io/traefik/middlewares/http/passtlsclientcert/) for reference. #### Envoy[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#envoy "Direct link to Envoy") See the [Envoy mTLS documentation](https://www.envoyproxy.io/docs/envoy/latest/start/quick-start/securing#use-mutual-tls-mtls-to-enforce-client-certificate-authentication) and [Envoy header documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-client-cert) for configuration. #### No reverse proxy[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#no-reverse-proxy "Direct link to No reverse proxy") When using authentik without a reverse proxy, select the certificate authorities in the corresponding [brand](https://docs.goauthentik.io/brands/#client-certificates) for the domain, under **Other global settings**. Stage configuration[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#stage-configuration "Direct link to Stage configuration") ------------------------------------------------------------------------------------------------------------------------------------------------------- 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **System** > **Certificates**, and either generate or add the certificate you’ll use as a certificate authority. 3. Then, navigate to **Flows and Stages** > **Stages** and click **Create**. Select **Mutual TLS Stage**, click **Next**, and set the following fields: * **Name**: provide a descriptive name, such as "chrome-device-trust". * **Stage-specific settings**: * **Mode**: Configure the mode this stage operates in. * **Certificate optional**: When no certificate is provided by the user or the reverse proxy, the flow will continue to the next stage. * **Certificate required**: When no certificate is provided, the flow ends with an error message. * **Certificate authorities**: Select the certificate authorities used to sign client certificates. * **Certificate attribute**: Select the attribute of the certificate to be used to find a user for authentication. * **User attribute**: Select the attribute of the user the certificate should be compared against. 4. Click **Finish**. * [Reverse-proxy configuration](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#reverse-proxy-configuration) * [nginx Standalone](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#nginx-standalone) * [nginx Ingress](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#nginx-ingress) * [Traefik Standalone](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#traefik-standalone) * [Traefik Ingress](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#traefik-ingress) * [Envoy](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#envoy) * [No reverse proxy](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#no-reverse-proxy) * [Stage configuration](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/#stage-configuration) --- # Upgrading an Outpost | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/outposts/upgrading/#__docusaurus_skipToContent_fallback) Outposts deployed using the [Docker](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/docker/) or [Kubernetes](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/kubernetes/) integrations are managed by authentik and are upgraded automatically. Outposts deployed manually via [Docker](https://docs.goauthentik.io/add-secure-apps/outposts/manual-deploy-docker-compose/) or [Kubernetes](https://docs.goauthentik.io/add-secure-apps/outposts/manual-deploy-kubernetes/) must be upgraded by updating the outpost's image tag to the new version. To check if any outposts are out-of-date, navigate to **Applications** > **Outposts** and look for a message in the **Health and Version** column. A red warning message will be shown on any outposts running outdated versions: ![](https://docs.goauthentik.io/assets/images/outpost-upgrade-298a75702226b4828804b5232b3fcc3a.png) An up-to-date outpost will show a green message indicating the last successful connection with authentik: ![](https://docs.goauthentik.io/assets/images/outpost-upgrade2-e97e99812e17d401a19f2a292942bb2d.png) --- # Embedded Outpost | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/outposts/embedded/#__docusaurus_skipToContent_fallback) On this page Starting with 2021.8.1, authentik comes with an embedded outpost. This has been added to simplify deployment for users using the Proxy provider. The embedded outpost runs in the main `server` container, and is managed by authentik itself. The embedded outpost authenticates itself via the secret key. You can access the embedded outpost on the same ports as authentik itself, 9000 and 9443. If the embedded outpost doesn't make sense for your deployment, you can simply ignore it. ### Configuration[​](https://docs.goauthentik.io/add-secure-apps/outposts/embedded/#configuration "Direct link to Configuration") Since authentik doesn't know it's own "primary" URL, there might be some configuration required. By default, when opening the admin dashboard on a fresh install, authentik will automatically configure the outpost to use the same URL as was used to access authentik. If this isn't correct, or needs to be changed, click the edit button on the right of the outpost, and set the value of `authentik_host` to the URL you want to login with. Make sure to set it to full URL, only configuring a hostname or FQDN will not work. Additionally, most of the other configuration options can be used as with any other outpost, except from items which are marked as "non-embedded" # Log level that the outpost will set# Allowed levels: trace, debug, info, warning, error# Applies to: non-embeddedlog_level: debug# Interval at which the outpost will refresh the providers# from authentik. For caching outposts (such as LDAP), the# cache will also be invalidated at that interval.# (Format: hours=1;minutes=2;seconds=3).refresh_interval: minutes=5######################################### The settings below are only relevant when using a managed outpost######################################### URL that the outpost uses to connect back to authentikauthentik_host: https://authentik.tld/# Disable SSL Validation for the authentik connectionauthentik_host_insecure: false# Optionally specify a different URL used for user-facing interactions# Applies to: proxy outpostsauthentik_host_browser:# Template used for objects created (deployments/containers, services, secrets, etc)object_naming_template: ak-outpost-%(name)s# Use a specific docker image for this outpost rather than the default. This also applies to Kubernetes# outposts.# Applies to: non-embeddedcontainer_image:######################################### Docker outpost specific settings######################################### Network the outpost container should be connected to# Applies to: non-embeddeddocker_network: null# Optionally disable mapping of ports to outpost container, may be useful when using docker networks# (Available with 2021.9.4+)# Applies to: non-embeddeddocker_map_ports: true# Optionally additional labels for docker containers# (Available with 2022.1.2)# Applies to: non-embeddeddocker_labels: null######################################### Kubernetes outpost specific settings######################################### Replica count for the deployment of the outpost# Applies to: non-embeddedkubernetes_replicas: 1# Namespace to deploy in, defaults to the same namespace authentik is deployed in (if available)kubernetes_namespace: authentik# Any additional annotations to add to the ingress object, for example cert-managerkubernetes_ingress_annotations: {}# Name of the secret that is used for TLS connections, leave empty to disable TLSkubernetes_ingress_secret_name: authentik-outpost-tls# pathType to use on routes. Defaults to `Prefix`. Some ingress-nginx deployments need this to be set to `ImplementationSpecific`.# Service kind created, can be set to LoadBalancer for LDAP outposts for examplekubernetes_service_type: ClusterIP# Disable any components of the kubernetes integration, can be any of# - 'secret'# - 'deployment'# - 'service'# - 'prometheus servicemonitor'# - 'ingress'# - 'traefik middleware'kubernetes_disabled_components: []# If the above docker image is in a private repository, use these secrets to pull.# NOTE: The secret must be created manually in the namespace first.# Applies to: non-embeddedkubernetes_image_pull_secrets: []# Optionally configure an ingress class name. If not set, the ingress will use the cluster's# default ingress class# (Available with 2022.11.0+)# Applies to: proxy outpostskubernetes_ingress_class_name: null# Optionally apply an RFC 6902 compliant patch to the Kubernetes objects.# For an understanding of how this works, refer to the link below:# https://github.com/kubernetes-sigs/kustomize/blob/master/examples/jsonpatch.md## This value expects a mapping where the key represents# the Kubernetes component that shall be patched.# It can be any of the same values supported by `kubernetes_disabled_components`.## For example use this patch to add custom resource requests and limits# to the outpost deployment:## deployment:# - op: add# path: "/spec/template/spec/containers/0/resources"# value:# requests:# cpu: 2000m# memory: 2000Mi# limits:# cpu: 4000m# memory: 8000Mikubernetes_json_patches: null ### Routing[​](https://docs.goauthentik.io/add-secure-apps/outposts/embedded/#routing "Direct link to Routing") Routing is handled like this: 1. Paths starting with `/static`, `/media` and `/help` return packaged CSS/JS files, and user-uploaded media files. 2. Paths starting with `/outpost.goauthentik.io` are sent to the embedded outpost. 3. Any hosts configured in the providers assigned to the embedded outpost are sent to the outpost. 4. Everything remaining is sent to the authentik backend server. ### Differences[​](https://docs.goauthentik.io/add-secure-apps/outposts/embedded/#differences "Direct link to Differences") There are a few more differences between managed outposts and the embedded outpost, mainly due to the fact that authentik can't fully manage the containers. 1. (Docker-only) No automatic traefik labels are added to the server container. When you deploy a managed outpost on docker, the container has several labels to automatically configure traefik. This is not done for the embedded outpost. 2. (Kubernetes-only) An additional service is created. Since authentik does not know what the normal authentik Service is called, another one is created with a common set of labels that is always set. * [Configuration](https://docs.goauthentik.io/add-secure-apps/outposts/embedded/#configuration) * [Routing](https://docs.goauthentik.io/add-secure-apps/outposts/embedded/#routing) * [Differences](https://docs.goauthentik.io/add-secure-apps/outposts/embedded/#differences) --- # Redirect stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/redirect/#__docusaurus_skipToContent_fallback) On this page This stage's main purpose is to redirect the user to a new Flow while keeping flow context. For convenience, it can also redirect the user to a static URL. Redirect stage modes[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/redirect/#redirect-stage-modes "Direct link to Redirect stage modes") -------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Static mode[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/redirect/#static-mode "Direct link to Static mode") When the user reaches this stage, they are redirected to a static URL. ### Flow mode[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/redirect/#flow-mode "Direct link to Flow mode") When the user reaches this stage, they are redirected to a specified flow, retaining all [flow context](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/) . Optionally, untoggle the "Keep flow context" switch. If this is untoggled, all flow context is cleared with the exception of the [is\_redirected](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#is_redirected-flow-object) key. * [Redirect stage modes](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/redirect/#redirect-stage-modes) * [Static mode](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/redirect/#static-mode) * [Flow mode](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/redirect/#flow-mode) --- # Manual Outpost deployment in Docker Compose | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/outposts/manual-deploy-docker-compose/#__docusaurus_skipToContent_fallback) On this page To deploy an outpost with Docker Compose, use the appropriate snippet from the options below and add it to your Compose file. You can also run the outpost in a separate Compose project, you just have to ensure that the outpost container can reach your application container. ### Proxy outpost[​](https://docs.goauthentik.io/add-secure-apps/outposts/manual-deploy-docker-compose/#proxy-outpost "Direct link to Proxy outpost") services: authentik_proxy: image: ghcr.io/goauthentik/proxy # Optionally specify the container's network, which must be able to reach the core authentik server. # networks: # - foo ports: - 9000:9000 - 9443:9443 environment: AUTHENTIK_HOST: https://authentik.company AUTHENTIK_INSECURE: "false" AUTHENTIK_TOKEN: token-generated-by-authentik # Optional setting to be used when `authentik_host` for internal communication doesn't match the public URL. # AUTHENTIK_HOST_BROWSER: https://external-domain.tld ### LDAP outpost[​](https://docs.goauthentik.io/add-secure-apps/outposts/manual-deploy-docker-compose/#ldap-outpost "Direct link to LDAP outpost") services: authentik_ldap: image: ghcr.io/goauthentik/ldap # Optionally specify the container's network, which must be able to reach the core authentik server. # networks: # - foo ports: - 389:3389 - 636:6636 environment: AUTHENTIK_HOST: https://authentik.company AUTHENTIK_INSECURE: "false" AUTHENTIK_TOKEN: token-generated-by-authentik ### RAC outpost[​](https://docs.goauthentik.io/add-secure-apps/outposts/manual-deploy-docker-compose/#rac-outpost "Direct link to RAC outpost") services: rac_outpost: image: ghcr.io/goauthentik/rac # Optionally specify the container's network, which must be able to reach the core authentik server. # networks: # - foo environment: AUTHENTIK_HOST: https://authentik.company AUTHENTIK_INSECURE: "false" AUTHENTIK_TOKEN: token-generated-by-authentik ### RADIUS outpost[​](https://docs.goauthentik.io/add-secure-apps/outposts/manual-deploy-docker-compose/#radius-outpost "Direct link to RADIUS outpost") services: radius_outpost: image: ghcr.io/goauthentik/radius # Optionally specify the container's network, which must be able to reach the core authentik server. # networks: # - foo ports: - 1812:1812/udp environment: AUTHENTIK_HOST: https://authentik.company AUTHENTIK_INSECURE: "false" AUTHENTIK_TOKEN: token-generated-by-authentik * [Proxy outpost](https://docs.goauthentik.io/add-secure-apps/outposts/manual-deploy-docker-compose/#proxy-outpost) * [LDAP outpost](https://docs.goauthentik.io/add-secure-apps/outposts/manual-deploy-docker-compose/#ldap-outpost) * [RAC outpost](https://docs.goauthentik.io/add-secure-apps/outposts/manual-deploy-docker-compose/#rac-outpost) * [RADIUS outpost](https://docs.goauthentik.io/add-secure-apps/outposts/manual-deploy-docker-compose/#radius-outpost) --- # Password stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/password/#__docusaurus_skipToContent_fallback) On this page This is a generic password prompt which authenticates the current `pending_user`. This stage allows the selection of the source the user is authenticated against. Passwordless login[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/password/#passwordless-login "Direct link to Passwordless login") -------------------------------------------------------------------------------------------------------------------------------------------------------- There are two different ways to configure passwordless authentication; you can follow the instructions [here](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/#passwordless-authentication) to allow users to directly authenticate with their authenticator (only supported for WebAuthn devices), or dynamically skip the password stage depending on the users device, which is documented here. Depending on what kind of device you want to require the user to have: #### WebAuthn[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/password/#webauthn "Direct link to WebAuthn") from authentik.stages.authenticator_webauthn.models import WebAuthnDevicereturn WebAuthnDevice.objects.filter(user=request.context['pending_user'], confirmed=True).exists() #### Duo[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/password/#duo "Direct link to Duo") from authentik.stages.authenticator_duo.models import DuoDevicereturn DuoDevice.objects.filter(user=request.context['pending_user'], confirmed=True).exists() Afterwards, bind the policy you've created to the stage binding of the password stage. Make sure to uncheck _Evaluate when flow is planned_ and check _Evaluate when stage is run_, otherwise an invalid result will be cached. * [Passwordless login](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/password/#passwordless-login) --- # Prompt stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/#__docusaurus_skipToContent_fallback) On this page This stage is used to show the user arbitrary prompts. Prompt[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/#prompt "Direct link to Prompt") ------------------------------------------------------------------------------------------------------------------ The prompt can be any of the following types: | Type | Description | | --- | --- | | Text | Arbitrary text. No client-side validation is done. | | Text (Read only) | Same as above, but cannot be edited. | | Text Area | Arbitrary multiline text. No client-side validation is done. | | Text Area (Read only) | Same as above, but cannot be edited. | | Username | Same as text, except the username is validated to be unique. | | Email | Text input, ensures the value is an email address (validation is only done client-side). | | Password | Same as text, shown as a password field client-side, and custom validation (see below). | | Number | Numerical textbox. | | Checkbox | Simple checkbox. | | Radio Button Group | Similar to checkboxes, but allows selecting a value from a set of predefined values. | | Dropdown | A simple dropdown menu filled with predefined values. | | Date | Same as text, except the client renders a date-picker | | Date-time | Same as text, except the client renders a date-time-picker | | File | Allow users to upload a file, which will be available as base64-encoded data in the flow . | | Separator | Passive element to group surrounding elements | | Hidden | Hidden input field. Allows for the pre-setting of default values. | | Static | Display arbitrary value as is | | authentik: Locale | Display a list of all locales authentik supports. | info `TextArea`, `TextArea (Read only)`, `Radio Button Group` and `Dropdown` options require authentik 2023.4+ Some types have special behaviors: * _Username_: Input is validated against other usernames to ensure a unique value is provided. * _Password_: All prompts with the type password within the same stage are compared and must be equal. If they are not equal, an error is shown * _Hidden_ and _Static_: Their initial values are defaults and are not user-changeable. * _Radio Button Group_ and _Dropdown_: Only allow the user to select one of a set of predefined values. A prompt has the following attributes: ### `field_key`[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/#field_key "Direct link to field_key") The field name used for the prompt. This key is also used to later retrieve the data in expression policies: request.context.get('prompt_data').get('') ### `label`[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/#label "Direct link to label") The label used to describe the field. Depending on the selected template, this may not be shown. ### `required`[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/#required "Direct link to required") A flag which decides whether or not this field is required. ### `placeholder`[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/#placeholder "Direct link to placeholder") A field placeholder, shown within the input field. By default, the placeholder is interpreted as-is. If you enable _Interpret placeholder as expression_, the placeholder will be evaluated as a Python expression. This happens in the same environment as [_Policies_](https://docs.goauthentik.io/customize/policies/expression/) . For `Radio Button Group` and `Dropdown` prompts, this field defines the available choices. When used as a plain string, it represents a single allowed value (the placeholder). When used as an expression, it can return a list of choices. For example, `return ["first option", 42, {"label": "another option", "value": "some value"}]` defines three possible values. A choice can be a string (or any primitive that will be converted to a string) or an object with `value` and/or `label` properties. For example, `return ["Option 1"]` is equivalent to `return [{"label": "Option 1", "value": "Option 1"}]`. You can access both the HTTP request and the user as with a mapping. Additionally, you can access `prompt_context`, which is a dictionary of the current state of the prompt stage's data. For `Radio Button Group` and `Dropdown` prompts, if a key with the same name as the prompt's `field_key` and a suffix of `__choices` (`__choices`) is present in the `prompt_context` dictionary, its value will be returned directly, even if _Interpret placeholder as expression_ is enabled. ### `initial_value`[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/#initial_value "Direct link to initial_value") The prompt's initial value. It can also be left empty, in which case the field will not have a pre-filled value. With the `hidden` prompt, the initial value will also be the actual value, because the field is hidden to the user. By default, the initial value is interpreted as-is. If you enable _Interpret initial value as expression_, the initial value will be evaluated as a Python expression. This happens in the same environment as [_Policies_](https://docs.goauthentik.io/customize/policies/expression/) . In the case of `Radio Button Group` and `Dropdown` prompts, this field defines the default choice. When interpreted as-is, the default choice will be the initial value string. When interpreted as expression, the default choice will be the returned value. For example, `return 42` defines `42` as the default choice. When a choice is defined as an object `{"label": "Option", "value": "internal-value"}`, the initial value needs to be set to the value string `internal-value` in this case. info The default choice defined for any fixed choice field **must** be one of the valid choices specified in the prompt's placeholder. You can access both the HTTP request and the user as with a mapping. Additionally, you can access `prompt_context`, which is a dictionary of the current state of the prompt stage's data. If a key with the same name as the prompt's `field_key` is present in the `prompt_context` dictionary, its value will be returned directly, even if _Interpret initial value as expression_ is enabled. ### `order`[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/#order "Direct link to order") The numerical index of the prompt. This applies to all stages which this prompt is a part of. Validation ========== Further validation of prompts can be done using policies. To validate that two password fields are identical, create the following expression policy: if request.context.get('prompt_data').get('password') == request.context.get('prompt_data').get('password_repeat'): return Trueak_message("Passwords don't match.")return False This policy expects you to have two password fields with `field_key` set to `password` and `password_repeat`. Afterwards, bind this policy to the prompt stage you want to validate. Before 2021.12, any policy was required to pass for the result to be considered valid. This has been changed, and now all policies are required to be valid. * [Prompt](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/#prompt) * [`field_key`](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/#field_key) * [`label`](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/#label) * [`required`](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/#required) * [`placeholder`](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/#placeholder) * [`initial_value`](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/#initial_value) * [`order`](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/#order) --- # Outposts | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/outposts/#__docusaurus_skipToContent_fallback) On this page An outpost is a single deployment of an authentik component, essentially a service, that can be deployed anywhere that allows for a connection to the authentik API. An outpost is required if you use any of the following types of providers with your application: * [LDAP Provider](https://docs.goauthentik.io/add-secure-apps/providers/ldap/) * [Proxy Provider](https://docs.goauthentik.io/add-secure-apps/providers/proxy/) * [RADIUS Provider](https://docs.goauthentik.io/add-secure-apps/providers/radius/) * [RAC Provider](https://docs.goauthentik.io/add-secure-apps/providers/rac/) These types of providers use an outpost for increased flexibility and speed. Instead of the provider logic being implemented in authentik Core, these providers use an outpost to handle the logic, which provides improved performance. An additional advantage of using an outpost is that outposts, like authentik itself, do not require access to the wider internet. Transactions between the application, the provider, and the outpost occur via the authentik API, and support single sign-on operations in firewalled or airgapped deployments and offline connections to remote machines that are not on the internet. An outpost is given permissions to access the authentik API using a service account and token, both of which are auto-generated when you create a new outpost. The outpost is granted rights to only the application/provider pairs configured (and other necessary related objects such as certificates). Any change made to the outpost's associated app or provider immediately triggers an event to update the configuration data stored on the outpost, via websockets. Websockets are used also by the outpost to send healthchecks to the authentik Core. Create and configure an outpost[​](https://docs.goauthentik.io/add-secure-apps/outposts/#create-and-configure-an-outpost "Direct link to Create and configure an outpost") --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Outposts** and then click **Create**. ![](https://docs.goauthentik.io/assets/images/outpost-create-5a4a0d5ac9d31a2dfa3c2446eae4761f.png) 3. Set the following values: * **Name**: define a name for the outpost. * **Type**: select the outpost type (Proxy, LDAP, Radius, RAC). * **Integration**: select either Docker or Kubernetes, or optionally select `----` and [manually deploy the outpost](https://docs.goauthentik.io/add-secure-apps/outposts/#outpost-integrations) . * **Applications**: select the applications that you want the outpost to serve. * **Advanced settings (optional)**: for further optional configuration settings, refer to [Configuration](https://docs.goauthentik.io/add-secure-apps/outposts/#configuration) below. 4. Click **Create**. Upon creation, a service account and a token is generated. The service account only has permissions to read the outpost and provider configuration. This token is used by the outpost to connect to authentik. Outpost integrations[​](https://docs.goauthentik.io/add-secure-apps/outposts/#outpost-integrations "Direct link to Outpost integrations") ------------------------------------------------------------------------------------------------------------------------------------------ authentik can manage the deployment, updating, and general lifecycle of an outpost. To communicate with the underlying platforms on which the outpost is deployed, authentik has several built-in integrations. * If you've deployed authentik on Docker Compose, authentik automatically creates an integration for the local docker socket (See [Docker](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/docker/) ). * If you've deployed authentik on Kubernetes, with `kubernetesIntegration` set to true (default), authentik automatically creates an integrations for the local Kubernetes Cluster (see [Kubernetes](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/kubernetes/) ). To deploy an outpost with these integrations, select them during the creation of an outpost. A background task is started, which creates the container/deployment. The outpost deployment can be monitored from the **Dashboards > System Tasks** page in the Admin interface. To deploy an outpost manually, see: * [Kubernetes](https://docs.goauthentik.io/add-secure-apps/outposts/manual-deploy-kubernetes/) * [Docker Compose](https://docs.goauthentik.io/add-secure-apps/outposts/manual-deploy-docker-compose/) Configuration[​](https://docs.goauthentik.io/add-secure-apps/outposts/#configuration "Direct link to Configuration") --------------------------------------------------------------------------------------------------------------------- Outposts fetch their configuration from authentik. Below are all the options you can set, and how they influence the outpost. # Log level that the outpost will set# Allowed levels: trace, debug, info, warning, error# Applies to: non-embeddedlog_level: debug# Interval at which the outpost will refresh the providers# from authentik. For caching outposts (such as LDAP), the# cache will also be invalidated at that interval.# (Format: hours=1;minutes=2;seconds=3).refresh_interval: minutes=5######################################### The settings below are only relevant when using a managed outpost######################################### URL that the outpost uses to connect back to authentikauthentik_host: https://authentik.tld/# Disable SSL Validation for the authentik connectionauthentik_host_insecure: false# Optionally specify a different URL used for user-facing interactions# Applies to: proxy outpostsauthentik_host_browser:# Template used for objects created (deployments/containers, services, secrets, etc)object_naming_template: ak-outpost-%(name)s# Use a specific docker image for this outpost rather than the default. This also applies to Kubernetes# outposts.# Applies to: non-embeddedcontainer_image:######################################### Docker outpost specific settings######################################### Network the outpost container should be connected to# Applies to: non-embeddeddocker_network: null# Optionally disable mapping of ports to outpost container, may be useful when using docker networks# (Available with 2021.9.4+)# Applies to: non-embeddeddocker_map_ports: true# Optionally additional labels for docker containers# (Available with 2022.1.2)# Applies to: non-embeddeddocker_labels: null######################################### Kubernetes outpost specific settings######################################### Replica count for the deployment of the outpost# Applies to: non-embeddedkubernetes_replicas: 1# Namespace to deploy in, defaults to the same namespace authentik is deployed in (if available)kubernetes_namespace: authentik# Any additional annotations to add to the ingress object, for example cert-managerkubernetes_ingress_annotations: {}# Name of the secret that is used for TLS connections, leave empty to disable TLSkubernetes_ingress_secret_name: authentik-outpost-tls# pathType to use on routes. Defaults to `Prefix`. Some ingress-nginx deployments need this to be set to `ImplementationSpecific`.# Service kind created, can be set to LoadBalancer for LDAP outposts for examplekubernetes_service_type: ClusterIP# Disable any components of the kubernetes integration, can be any of# - 'secret'# - 'deployment'# - 'service'# - 'prometheus servicemonitor'# - 'ingress'# - 'traefik middleware'kubernetes_disabled_components: []# If the above docker image is in a private repository, use these secrets to pull.# NOTE: The secret must be created manually in the namespace first.# Applies to: non-embeddedkubernetes_image_pull_secrets: []# Optionally configure an ingress class name. If not set, the ingress will use the cluster's# default ingress class# (Available with 2022.11.0+)# Applies to: proxy outpostskubernetes_ingress_class_name: null# Optionally apply an RFC 6902 compliant patch to the Kubernetes objects.# For an understanding of how this works, refer to the link below:# https://github.com/kubernetes-sigs/kustomize/blob/master/examples/jsonpatch.md## This value expects a mapping where the key represents# the Kubernetes component that shall be patched.# It can be any of the same values supported by `kubernetes_disabled_components`.## For example use this patch to add custom resource requests and limits# to the outpost deployment:## deployment:# - op: add# path: "/spec/template/spec/containers/0/resources"# value:# requests:# cpu: 2000m# memory: 2000Mi# limits:# cpu: 4000m# memory: 8000Mikubernetes_json_patches: null Prometheus Metrics[​](https://docs.goauthentik.io/add-secure-apps/outposts/#prometheus-metrics "Direct link to Prometheus Metrics") ------------------------------------------------------------------------------------------------------------------------------------ Each authentik outpost has a Prometheus metrics endpoint accessible under port `:9300/metrics`. This endpoint is not mapped via Docker, as the endpoint doesn't have any authentication. For the embedded outpost, the metrics of the outpost and the metrics of the core authentik server are both returned under the same endpoint. * [Create and configure an outpost](https://docs.goauthentik.io/add-secure-apps/outposts/#create-and-configure-an-outpost) * [Outpost integrations](https://docs.goauthentik.io/add-secure-apps/outposts/#outpost-integrations) * [Configuration](https://docs.goauthentik.io/add-secure-apps/outposts/#configuration) * [Prometheus Metrics](https://docs.goauthentik.io/add-secure-apps/outposts/#prometheus-metrics) --- # Manual Outpost deployment on Kubernetes | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/outposts/manual-deploy-kubernetes/#__docusaurus_skipToContent_fallback) Use the following manifest, replacing all values surrounded with `__`. Afterwards, configure the proxy provider to connect to `..svc.cluster.local`, and update your Ingress to connect to the `authentik-outpost` service. apiVersion: v1kind: Secretmetadata: labels: app.kubernetes.io/instance: __OUTPOST_NAME__ app.kubernetes.io/name: authentik-outpost name: authentik-outpost-apitype: OpaquestringData: AUTHENTIK_HOST: "__AUTHENTIK_URL__" AUTHENTIK_INSECURE: "true" AUTHENTIK_TOKEN: "__AUTHENTIK_TOKEN__"---apiVersion: v1kind: Servicemetadata: labels: app.kubernetes.io/instance: __OUTPOST_NAME__ app.kubernetes.io/name: authentik-outpost name: authentik-outpostspec: ports: - name: http port: 9000 protocol: TCP targetPort: http - name: https port: 9443 protocol: TCP targetPort: https type: ClusterIP selector: app.kubernetes.io/instance: __OUTPOST_NAME__ app.kubernetes.io/name: authentik-outpost---apiVersion: apps/v1kind: Deploymentmetadata: labels: app.kubernetes.io/instance: __OUTPOST_NAME__ app.kubernetes.io/name: authentik-outpost name: authentik-outpostspec: selector: matchLabels: app.kubernetes.io/instance: __OUTPOST_NAME__ app.kubernetes.io/name: authentik-outpost template: metadata: labels: app.kubernetes.io/instance: __OUTPOST_NAME__ app.kubernetes.io/name: authentik-outpost spec: containers: - image: ghcr.io/goauthentik/proxy name: proxy ports: - containerPort: 9000 name: http protocol: TCP - containerPort: 9443 name: https protocol: TCP envFrom: - secretRef: name: authentik-outpost-api---apiVersion: networking.k8s.io/v1kind: Ingressmetadata: annotations: # This example includes annotations for common ingress controllers, # remove annotations not used nginx.ingress.kubernetes.io/affinity: cookie nginx.ingress.kubernetes.io/proxy-buffer-size: 16k nginx.ingress.kubernetes.io/proxy-busy-buffers-size: 32k, nginx.ingress.kubernetes.io/proxy-buffers-number: "4" traefik.ingress.kubernetes.io/affinity: "true" labels: app.kubernetes.io/instance: __OUTPOST_NAME__ app.kubernetes.io/name: authentik-outpost name: authentik-outpostspec: ingressClassName: nginx rules: - host: __EXTERNAL_HOSTNAME__ http: paths: - path: / pathType: Prefix backend: service: name: authentik-outpost port: name: http --- # User Delete stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_delete/#__docusaurus_skipToContent_fallback) danger This stage deletes the `pending_user` without any confirmation. You have to make sure the user is aware of this. The User Delete stage is intended for an unenrollment flow. It deletes the currently pending user. The pending user is also removed from the current session. --- # Source stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/source/#__docusaurus_skipToContent_fallback) On this page The source stage embeds an [OAuth](https://docs.goauthentik.io/users-sources/sources/protocols/oauth/) or [SAML](https://docs.goauthentik.io/users-sources/sources/protocols/saml/) source into the flow execution. This allows for additional user verification, or to dynamically access different sources for different user identifiers (username, email address, etc). ### Example use case[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/source/#example-use-case "Direct link to Example use case") This stage can be used to leverage an external OAuth/SAML identity provider. For example, you can authenticate users by routing them through a custom device-health solution. Another use case is to route users to authenticate with your legacy (Okta, etc) IdP and then use the returned identity and attributes within authentik as part of an authorization flow, for example as part of an IdP migration. For authentication/enrollment this is also possible with an [OAuth](https://docs.goauthentik.io/users-sources/sources/protocols/oauth/) /[SAML](https://docs.goauthentik.io/users-sources/sources/protocols/saml/) source by itself. ### Considerations[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/source/#considerations "Direct link to Considerations") It is very important that the configured source's authentication and enrollment flows (when set; they can be left unselected to prevent authentication or enrollment with the source) do **not** have a [User login stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/) bound to them. This is because the Source stage works by appending a [dynamic in-memory](https://docs.goauthentik.io/terminology/#dynamic-in-memory-stage) stage to the source's flow, so having a [User login stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/) bound will cause the source's flow to not resume the original flow it was started from, and instead directly authenticating the pending user. Source stage workflow[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/source/#source-stage-workflow "Direct link to Source stage workflow") --------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Options[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/source/#options "Direct link to Options") #### Source[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/source/#source "Direct link to Source") The source the user is redirected to. Must be a web-based source, such as [OAuth](https://docs.goauthentik.io/users-sources/sources/protocols/oauth/) or [SAML](https://docs.goauthentik.io/users-sources/sources/protocols/saml/) . Sources like [LDAP](https://docs.goauthentik.io/users-sources/sources/protocols/ldap/) are _not_ compatible. #### Resume timeout[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/source/#resume-timeout "Direct link to Resume timeout") Because the execution of the current flow is suspended before the user is redirected to the configured source, this option configures how long the suspended flow is saved. If this timeout is exceeded, upon return from the configured source, the suspended flow will restart from the beginning. * [Example use case](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/source/#example-use-case) * [Considerations](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/source/#considerations) * [Source stage workflow](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/source/#source-stage-workflow) * [Options](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/source/#options) --- # User Write stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_write/#__docusaurus_skipToContent_fallback) On this page The User Write stage writes data from the current flow context to a user. Newly created users can be created as inactive and can be assigned to a selected group. ### Dynamic groups[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_write/#dynamic-groups "Direct link to Dynamic groups") To add users to dynamic groups, set `groups` in the flow plan context before this stage is run. For example: from authentik.core.models import Groupgroup, _ = Group.objects.get_or_create(name="some-group")# ["groups"] *must* be set to an array of Group objects, names alone are not enough.request.context["flow_plan"].context["groups"] = [group]return True ### User creation[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_write/#user-creation "Direct link to User creation") By default, this stage will create a new user when none is present in the flow context. To prevent users from creating new accounts without authorization, you can configure the User Write stage to not automatically create new users. Alternatively, you can configure the stage to explicitly allow user creation, forbid it, or force user creation. * [Dynamic groups](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_write/#dynamic-groups) * [User creation](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_write/#user-creation) --- # User Login stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/#__docusaurus_skipToContent_fallback) On this page The User Login stage attaches a currently pending user to the current session. It can be used after `user_write` during an enrollment flow, or after a `password` stage during an authentication flow. User login stage configuration options[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/#user-login-stage-configuration-options "Direct link to User login stage configuration options") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- When creating or editing this stage in the Admin interface, you can define configuration options using the following fields. #### Session duration[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/#session-duration "Direct link to Session duration") By default, the authentik session expires when you close your browser (_seconds=0_). Use the **Session duration** field to define a custom session length. warning Different browsers handle session cookies differently, and might not remove them even when the browser is closed. See [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#expiresdate) for more info. You can set the session to expire after any duration using the syntax of `hours=1,minutes=2,seconds=3`. The following keys are allowed: * Microseconds * Milliseconds * Seconds * Minutes * Hours * Days * Weeks All values accept floating-point values. #### Stay signed in offset[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/#stay-signed-in-offset "Direct link to Stay signed in offset") When the value in **Stay signed in offset** is set to a higher value than the default _seconds=0_, the user logging in is shown a prompt, allowing the user to choose if their session should be extended or not. The same syntax as for **Session duration** applies. ![](https://docs.goauthentik.io/assets/images/stay_signed_in-90d16fcaac7bd80f07c4326375adac93.png) #### Remember device[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/#remember-device "Direct link to Remember device") If set to a duration above 0, a cookie is stored for the duration specified that informs authentik whether the user is signing in from a known or unknown (new) device. If there's an existing authenticated user session for the user with the same IP address, authentik also classifies this as a known device. See [here](https://docs.goauthentik.io/sys-mgmt/events/notification_rule_expression_policies/#trigger-alert-when-user-logs-in-from-unknown-device) for an example of how an alert can be configured for logins from unknown devices. #### Network binding and GeoIP binding[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/#network-binding-and-geoip-binding "Direct link to Network binding and GeoIP binding") When configured, all sessions authenticated by this stage will be bound to the selected network and/or GeoIP criteria. Sessions that break this binding will be terminated. The created [`logout`](https://docs.goauthentik.io/sys-mgmt/events/event-actions/#logout) event will contain additional data related to what caused the binding to be broken: { "asn": { "asn": 6805, "as_org": "Telefonica Germany", "network": "5.4.0.0/14" }, "geo": { "lat": 51.2993, "city": "", "long": 9.491, "country": "DE", "continent": "EU" }, "binding": { "reason": "network.missing", "new_value": { "asn": 6805, "as_org": "Telefonica Germany", "network": "5.4.0.0/14" }, "previous_value": {} }, "ip": { "previous": "1.2.3.4", "new": "5.6.7.8" }, "http_request": { "args": {}, "path": "/if/admin/", "method": "GET", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" }, "logout_reason": "Session binding broken"} #### Terminate other sessions[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/#terminate-other-sessions "Direct link to Terminate other sessions") When enabled, previous sessions of the same user are revoked. This has no affect on OAuth refresh tokens. * [User login stage configuration options](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/#user-login-stage-configuration-options) * [Session duration](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/#session-duration) * [Stay signed in offset](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/#stay-signed-in-offset) * [Remember device](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/#remember-device) * [Network binding and GeoIP binding](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/#network-binding-and-geoip-binding) * [Terminate other sessions](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/#terminate-other-sessions) --- # User Logout stage | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_logout/#__docusaurus_skipToContent_fallback) On this page The User Logout stage ends the user's session in authentik and, if configured, triggers [Single Logout (SLO)](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/) for [SAML](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/) and [OIDC](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/) providers. Logout flow injection[​](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_logout/#logout-flow-injection "Direct link to Logout flow injection") -------------------------------------------------------------------------------------------------------------------------------------------------------------------- authentik dynamically injects logout stages into the user's current logout flow when provider sessions configured for Single Logout are detected: 1. The `flow_pre_user_logout` signal is triggered before the user is logged out 2. authentik queries for active provider sessions matching the user's authenticated session: * **SAML providers**: Queries active SAML sessions for providers with an SLS URL and logout method configured * **OIDC providers**: Queries for providers with front-channel or back-channel logout enabled 3. For each logout method with active sessions, the appropriate logout stage is injected: * **iframe logout stage**: Injected at index 1 (immediately after the logout stage) for front-channel iframe logout * **Native logout stage**: Injected at index 2 (after the iframe logout, if present) for front-channel native logout * **Back-channel logout**: Executed server-side without injecting additional stages 4. The user progresses through these injected stages before logout completes This approach ensures that single logout happens automatically without requiring explicit flow configuration. * [Logout flow injection](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_logout/#logout-flow-injection) --- # Microsoft Entra ID provider | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/entra/#__docusaurus_skipToContent_fallback) On this page The Entra ID provider allows you to integrate with your Entra ID tenant. It supports syncing users and groups from authentik to Entra ID, allowing authentik to act as a source of truth for all users and groups. * For instructions on configuring your Entra ID tenant in prepation for creating an Entra ID provider, refer to [Configure Entra ID](https://docs.goauthentik.io/add-secure-apps/providers/entra/configure-entra/) . * For instructions on creating an Entra ID provider, refer to [Create an Entra ID provider](https://docs.goauthentik.io/add-secure-apps/providers/entra/create-entra-provider/) . Discovery[​](https://docs.goauthentik.io/add-secure-apps/providers/entra/#discovery "Direct link to Discovery") ---------------------------------------------------------------------------------------------------------------- Upon creating the Entra ID provider, it will run a discovery task to query your Entra ID tenant for all users and groups, and attempt to match them with their respective counterparts in authentik. Users are matched on their email address. Groups are matched based on their names. This discovery also takes into consideration any **User filtering** options configured in the provider, such as only linking to authentik users in a specific group or excluding service accounts. This discovery process occurs each time a [full sync](https://docs.goauthentik.io/add-secure-apps/providers/entra/#full-sync) is initiated. Synchronization[​](https://docs.goauthentik.io/add-secure-apps/providers/entra/#synchronization "Direct link to Synchronization") ---------------------------------------------------------------------------------------------------------------------------------- There are two types of synchronization: direct sync and full sync. ### Direct sync[​](https://docs.goauthentik.io/add-secure-apps/providers/entra/#direct-sync "Direct link to Direct sync") A direct sync occurs when a user or group is created, updated or deleted in authentik, or when a user is added to or removed from a group. When any of these events occur, the direct sync automatically syncs those changes to Entra ID. ### Full sync[​](https://docs.goauthentik.io/add-secure-apps/providers/entra/#full-sync "Direct link to Full sync") A full sync occurs when the provider is initially created and when it is saved. During a full sync, all users and groups that match the **User filtering** settings are processed and created or updated in Entra ID. After the initial sync, authentik automatically performs a full sync every four hours by default to maintain consistency between users and groups. During the full sync, if a user or group exists in both authentik and Entra ID, authentik will automatically link them. Additionally, any users or groups present in authentik but absent in Entra ID will be created and linked. Error handling[​](https://docs.goauthentik.io/add-secure-apps/providers/entra/#error-handling "Direct link to Error handling") ------------------------------------------------------------------------------------------------------------------------------- When a property mapping has an invalid expression, it will cause a sync to stop to prevent excessive error messages. To handle network interruptions, authentik detects transient request failures and retries sync tasks. Property mapping[​](https://docs.goauthentik.io/add-secure-apps/providers/entra/#property-mapping "Direct link to Property mapping") ------------------------------------------------------------------------------------------------------------------------------------- There are several considerations regarding how authentik data is mapped to Entra ID user and group data. ### Users[​](https://docs.goauthentik.io/add-secure-apps/providers/entra/#users "Direct link to Users") For users, authentik only saves the full display name, not separate first and family names. By default, authentik maps a user's email address, name, and whether the user is active. Refer to the Entra ID documentation for further details on which attributes can be mapped: [Microsoft Graph - Create User](https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#request-body) ### Groups[​](https://docs.goauthentik.io/add-secure-apps/providers/entra/#groups "Direct link to Groups") By default, authentik only maps a group's name, `mail_enabled` status, `security_enabled` status and `mail_nickname` (equivalent to name). Refer to the Entra ID documentation for further details on these attributes and which attributes can be mapped: [Microsoft Graph - Create Group](https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0&tabs=http#request-body) * [Discovery](https://docs.goauthentik.io/add-secure-apps/providers/entra/#discovery) * [Synchronization](https://docs.goauthentik.io/add-secure-apps/providers/entra/#synchronization) * [Direct sync](https://docs.goauthentik.io/add-secure-apps/providers/entra/#direct-sync) * [Full sync](https://docs.goauthentik.io/add-secure-apps/providers/entra/#full-sync) * [Error handling](https://docs.goauthentik.io/add-secure-apps/providers/entra/#error-handling) * [Property mapping](https://docs.goauthentik.io/add-secure-apps/providers/entra/#property-mapping) * [Users](https://docs.goauthentik.io/add-secure-apps/providers/entra/#users) * [Groups](https://docs.goauthentik.io/add-secure-apps/providers/entra/#groups) --- # Configure Entra ID | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/entra/configure-entra/#__docusaurus_skipToContent_fallback) On this page For more information about using an Entra ID provider, see the [Entra ID Overview](https://docs.goauthentik.io/add-secure-apps/providers/entra/) documentation. Your Entra ID tenant must be configured before you [create a Entra ID provider](https://docs.goauthentik.io/add-secure-apps/providers/entra/create-entra-provider/) . This involves creating an app registration, generating a secret, and configuring the required API permissions. Configuring you Entra ID tenant[​](https://docs.goauthentik.io/add-secure-apps/providers/entra/configure-entra/#configuring-you-entra-id-tenant "Direct link to Configuring you Entra ID tenant") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1. Log in to the [Entra ID admin center](https://entra.microsoft.com/) . 2. Navigate to **App registrations**, click **New registration**, and set the following configurations: * Provide a **Name** for the app registration (e.g. `authentik Entra Provider`) * Under **Supported account types**, select **Accounts in this organizational directory only** * Leave **Redirect URI** empty 3. Click **Register**. 4. On the app detail page, take note of the **Application (client) ID** and **Directory (tenant) ID**. These values will be required when you [create the Entra ID provider](https://docs.goauthentik.io/add-secure-apps/providers/entra/create-entra-provider/) in authentik. 5. Next, in the near-left navigation pane, click on **Certificates and Secrets**. 6. On the **Client secrets** tab, click **New client secret** and set the following configuration: * Provide a **Description** for the client secret * Set an expiry period for the secret. Please note that you will need to rotate the secret value in Entra ID and authentik upon expiry. 7. Click **Add**. 8. The **Value** of the client secret is shown only once. Take note of the value as it will be required when you [create the Entra ID provider](https://docs.goauthentik.io/add-secure-apps/providers/entra/create-entra-provider/) in authentik. 9. Next, in the near-left navigation pane, click on **API permissions**. 10. Click **Add a permission** and select **Microsoft Graph** as the API. 11. Select **Application permissions** as the permission type and assign the following permissions: * `Group.Create` * `Group.ReadWrite.All` * `GroupMember.ReadWrite.All` * `User.Read` * `User.ReadWrite.All` 12. Click **Add permissions**. 13. Under **Configured permissions**, click **Grant admin consent for default directory**. Now that you have configured your Entra ID tenant, you are ready to [create an Entra ID provider](https://docs.goauthentik.io/add-secure-apps/providers/entra/create-entra-provider/) . * [Configuring you Entra ID tenant](https://docs.goauthentik.io/add-secure-apps/providers/entra/configure-entra/#configuring-you-entra-id-tenant) --- # Create an Entra ID provider | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/entra/create-entra-provider/#__docusaurus_skipToContent_fallback) On this page For more information about using an Entra ID provider, see the [Overview](https://docs.goauthentik.io/add-secure-apps/providers/entra/) documentation. Prerequisites[​](https://docs.goauthentik.io/add-secure-apps/providers/entra/create-entra-provider/#prerequisites "Direct link to Prerequisites") -------------------------------------------------------------------------------------------------------------------------------------------------- To create an Entra ID provider in authentik, you must have already [configured Entra ID](https://docs.goauthentik.io/add-secure-apps/providers/entra/configure-entra/) . Create an Entra ID provider in authentik[​](https://docs.goauthentik.io/add-secure-apps/providers/entra/create-entra-provider/#create-an-entra-id-provider-in-authentik "Direct link to Create an Entra ID provider in authentik") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers** and click **Create**. 3. Select **Microsoft Entra Provider** as the provider type, then click **Next**. 4. On the **Create Microsoft Entra Provider** page, set the following configurations: * **Name**: provide a descriptive name (e.g. `Entra ID provider`) * Under **Protocol settings**: * **Client ID**: the Client ID that you copied when [configuring Entra ID](https://docs.goauthentik.io/add-secure-apps/providers/entra/configure-entra/) * **Client Secret**: the secret from Entra ID * **Tenant ID**: the Tenant ID from Entra ID * **User deletion action**: determines what authentik will do when a user is deleted from authentik * **Group deletion action**: determines what authentik will do when a group is deleted from authentik * Under **User filtering**: * **Exclude service accounts**: choose whether to include or exclude service accounts * **Group**: select a group and only users within that group will be synced to Entra ID * Under **Attribute mapping**: * **User Property Mappings**: select any property mappings, or use the default * **Group Property Mappings**: select any property mappings, or use the default Skipping certain users or groups The `SkipObject` exception can be used within a property mapping to prevent specific objects from being synced. Refer to the [Provider property mappings documentation](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/#skip-objects-during-synchronization) for more details. 5. Click **Finish**. ### Create an Entra ID application in authentik[​](https://docs.goauthentik.io/add-secure-apps/providers/entra/create-entra-provider/#create-an-entra-id-application-in-authentik "Direct link to Create an Entra ID application in authentik") 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications**, click **Create**, and set the following configurations: * **Name**: provide a name for the application (e.g. `Entra ID`) * **Slug**: enter the name that you want to appear in the URL * **Provider**: this field should be left empty * **Backchannel Providers**: this field is required for Entra ID. Select the name of the Entra ID provider that you created in the previous section. * **UI settings**: leave these fields empty for Entra ID. 3. Click **Create**. * [Prerequisites](https://docs.goauthentik.io/add-secure-apps/providers/entra/create-entra-provider/#prerequisites) * [Create an Entra ID provider in authentik](https://docs.goauthentik.io/add-secure-apps/providers/entra/create-entra-provider/#create-an-entra-id-provider-in-authentik) * [Create an Entra ID application in authentik](https://docs.goauthentik.io/add-secure-apps/providers/entra/create-entra-provider/#create-an-entra-id-application-in-authentik) --- # Create a Google Workspace provider | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/gws/add-gws-provider/#__docusaurus_skipToContent_fallback) On this page For more information about using a Google Workspace provider, see the [Overview](https://docs.goauthentik.io/add-secure-apps/providers/gws/) documentation. Prerequisites[​](https://docs.goauthentik.io/add-secure-apps/providers/gws/add-gws-provider/#prerequisites "Direct link to Prerequisites") ------------------------------------------------------------------------------------------------------------------------------------------- To create a Google Workspace provider in authentik, you must have already [configured Google Workspace](https://docs.goauthentik.io/add-secure-apps/providers/gws/setup-gws/) to integrate with authentik. info When adding the Google Workspace provider in authentik, you must define the **Backchannel provider** using the name of the Google Workspace provider that you created in authentik. If you have also configured Google Workspace to log in using authentik following [these](https://integrations.goauthentik.io/services/google/) , then this configuration can be done on the same app. ### Create the Google Workspace provider in authentik[​](https://docs.goauthentik.io/add-secure-apps/providers/gws/add-gws-provider/#create-the-google-workspace-provider-in-authentik "Direct link to Create the Google Workspace provider in authentik") 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications > Providers**. 3. Click **Create**, and select **Google Workspace Provider**, and in the **New provider** box, define the following fields: * **Name**: define a descriptive name, such as "GWS provider". * **Protocol settings** * **Credentials**: paste the contents of the JSON file you downloaded earlier. * **Delegated Subject**: enter the email address of the user all of authentik's actions should be delegated to * **Default group email domain**: enter a default domain which will be used to generate the domain for groups synced from authentik. * **User deletion action**: determines what authentik will do when a user is deleted from authentik. * **Group deletion action**: determines what authentik will do when a group is deleted from authentik. * **User filtering** * **Exclude service accounts**: set whether to include or exclude service accounts. * **Group**: select any specific groups to enforce that filtering (for all actions) is done only for the selected groups. * **Attribute mapping** * **User Property Mappings**: select any applicable mappings, or use the default. * **Group Property Mappings**: select any applicable mappings, or use the default. Skipping certain users or groups The `SkipObject` exception can be used within a property mapping to prevent specific objects from being synced. Refer to the [Provider property mappings documentation](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/#skip-objects-during-synchronization) for more information. 4. Click **Finish**. ### Create a Google Workspace application in authentik[​](https://docs.goauthentik.io/add-secure-apps/providers/gws/add-gws-provider/#create-a-google-workspace-application-in-authentik "Direct link to Create a Google Workspace application in authentik") 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications > Applications**. info If you have also configured Google Workspace to log in using authentik following this [integration guide](https://integrations.goauthentik.io/cloud-providers/google) , then this configuration can be done on the same app by adding this new provider as a backchannel provider on the existing app instead of creating a new app. 3. Click **Create**, and in the **New provider** box, and define the following fields: * **Slug**: enter the name of the app as you want it to appear in the URL. * **Provider**: when _not_ used in conjunction with the Google SAML configuration should be left empty. * **Backchannel Providers**: this field is required for Google Workspace. Select the name of the Google Workspace provider that you created in the steps above. * **UI settings**: leave these fields empty for Google Workspace. 4. Click **Finish**. * [Prerequisites](https://docs.goauthentik.io/add-secure-apps/providers/gws/add-gws-provider/#prerequisites) * [Create the Google Workspace provider in authentik](https://docs.goauthentik.io/add-secure-apps/providers/gws/add-gws-provider/#create-the-google-workspace-provider-in-authentik) * [Create a Google Workspace application in authentik](https://docs.goauthentik.io/add-secure-apps/providers/gws/add-gws-provider/#create-a-google-workspace-application-in-authentik) --- # Configure Google Workspace | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/gws/setup-gws/#__docusaurus_skipToContent_fallback) On this page The configuration and set up of your Google Workspace must be completed before you [add the new provider](https://docs.goauthentik.io/add-secure-apps/providers/gws/add-gws-provider/) in authentik. Overview of steps[​](https://docs.goauthentik.io/add-secure-apps/providers/gws/setup-gws/#overview-of-steps "Direct link to Overview of steps") ------------------------------------------------------------------------------------------------------------------------------------------------ The main steps to set up your Google workspace are as follows: 1. [Create your Google Cloud Project](https://docs.goauthentik.io/add-secure-apps/providers/gws/setup-gws/#create-a-google-cloud-project) 2. [Create a service account](https://docs.goauthentik.io/add-secure-apps/providers/gws/setup-gws/#create-a-service-account) 3. [Set credentials for the service account](https://docs.goauthentik.io/add-secure-apps/providers/gws/setup-gws/#set-credentials-for-the-service-account) 4. [Define access and scope in the Admin Console](https://docs.goauthentik.io/add-secure-apps/providers/gws/setup-gws/#set-credentials-for-the-service-account) 5. [Select email address for the Delegated Subject](https://docs.goauthentik.io/add-secure-apps/providers/gws/setup-gws/#select-email-address-for-the-delegated-subject) For detailed instructions, refer to Google documentation. ### Create a Google cloud project[​](https://docs.goauthentik.io/add-secure-apps/providers/gws/setup-gws/#create-a-google-cloud-project "Direct link to Create a Google cloud project") 1. Open the Google Cloud Console ([https://cloud.google.com/cloud-console](https://cloud.google.com/cloud-console) ). 2. In upper left, click the drop-down box to open the **Select a project** box, and then select **New Project**. 3. Create a new project and give it a name like "authentik GWS" 4. Use the search bar at the top of your new project page to search for "API Library". 5. On the **API Library** page, use the search bar again to find "Admin SDK API". 6. On the **Admin SDK API** page, click **Enable**. ### Create a service account[​](https://docs.goauthentik.io/add-secure-apps/providers/gws/setup-gws/#create-a-service-account "Direct link to Create a service account") 1. After the new Admin SDK API is enabled (it might take a few minutes), return to the Google Cloud console home page (click on **Google Cloud** in upper left). 2. Use the search bar to find and navigate to the **IAM** page. 3. On the **IAM** page, click **Service Accounts** in the left navigation pane. 4. At the top of the **Service Accounts** page, click **Create Service Account**. * Under **Service account details** page, define the **Name** and **Description** for the new service account, and then click **Create and Continue**. * Under **Grant this service account access to project** you do not need to define a role, so click **Continue**. * Under **Grant users access to project** you do not need to define a role, so click **Done** to complete the creation of the service account. ### Set credentials for the service account[​](https://docs.goauthentik.io/add-secure-apps/providers/gws/setup-gws/#set-credentials-for-the-service-account "Direct link to Set credentials for the service account") 1. On the **Service accounts** page, click the account that you just created. 2. Click the **Keys** tab at top of the page, the click **Add Key > Create new key**. 3. In the Create box, select JSON as the key type, and then click **Create**. A pop-up displays with the private key, and the key is saved to your computer as a JSON file. Later, when you create your authentik provider for Google Workspace, you will add this key in the **Credentials** field. 4. On the service account page, click the **Details** tab, and expand the **Advanced settings** area. 5. Copy the **Client ID** (under **Domain-wide delegation**), and then click **View Google Workspace Admin Console**. 6. Log in to the Admin Console, and then navigate to **Security > Access and data control > API controls**. 7. On the **API controls** page, click **Manage Domain Wide Delegation**. 8. On the **Domain Wide Delegation** page, click **Add new**. 9. In the **Add a new client ID** box, paste in the Client ID that you copied from the Admin console earlier (the value from the downloaded JSON file) and paste in the following scope documents: * `https://www.googleapis.com/auth/admin.directory.user` * `https://www.googleapis.com/auth/admin.directory.group` * `https://www.googleapis.com/auth/admin.directory.group.member` * `https://www.googleapis.com/auth/admin.directory.domain.readonly` ### Select email address for the Delegated Subject[​](https://docs.goauthentik.io/add-secure-apps/providers/gws/setup-gws/#select-email-address-for-the-delegated-subject "Direct link to Select email address for the Delegated Subject") The Delegated Subject email address is a required field when creating the provider in authentik. 1. Open to the main Admin console page, and navigate to **Directory > Users**. 2. You can either select an existing user's email address or **Add new user** and define the user and email address to use as the Delegated Subject. 3. Save this email address to enter into authentik when you are creating the Google Workspace provider. Now that you have configured your Google Workspace, you are ready to [add it as a provider in authentik](https://docs.goauthentik.io/add-secure-apps/providers/gws/add-gws-provider/) . * [Overview of steps](https://docs.goauthentik.io/add-secure-apps/providers/gws/setup-gws/#overview-of-steps) * [Create a Google cloud project](https://docs.goauthentik.io/add-secure-apps/providers/gws/setup-gws/#create-a-google-cloud-project) * [Create a service account](https://docs.goauthentik.io/add-secure-apps/providers/gws/setup-gws/#create-a-service-account) * [Set credentials for the service account](https://docs.goauthentik.io/add-secure-apps/providers/gws/setup-gws/#set-credentials-for-the-service-account) * [Select email address for the Delegated Subject](https://docs.goauthentik.io/add-secure-apps/providers/gws/setup-gws/#select-email-address-for-the-delegated-subject) --- # Create an OAuth2 provider | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/create-oauth2-provider/#__docusaurus_skipToContent_fallback) To create a provider along with the corresponding application that uses it for authentication, navigate to **Applications** > **Applications** and click **Create with provider**. We recommend this combined approach for most common use cases. Alternatively, you can use the legacy method to solely create the provider by navigating to **Applications** > **Providers** and clicking **Create**. 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications > Applications** and click **Create with provider** to create an application and provider pair. 3. On the **New application** page, define the application settings, and then click **Next**. 4. Select **OAuth2/OIDC** as the **Provider Type**, and then click **Next**. 5. On the **Configure OAuth2/OpenId Provider** page, provide the configuration settings and then click **Submit** to create both the application and the provider. info Optionally, configure the provider with the `offline_access` scope mapping. By default, applications only receive an access token. To receive a refresh token, applications and authentik must be configured to request the `offline_access` scope. Do this in the Scope mapping area on the **Configure OAuth2/OpenId Provider** page. --- # Google Workspace provider | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/gws/#__docusaurus_skipToContent_fallback) On this page With the Google Workspace provider, authentik serves as the single source of truth for all users and groups, when using Google products like Gmail. * For instructions to configure your Google Workspace to integrate with authentik, refer to [Configure Google Workspace](https://docs.goauthentik.io/add-secure-apps/providers/gws/setup-gws/) . * For instructions to add Google Workspace as a provider, refer to [Create a Google Workspace provider](https://docs.goauthentik.io/add-secure-apps/providers/gws/add-gws-provider/) . About using Google Workspace with authentik[​](https://docs.goauthentik.io/add-secure-apps/providers/gws/#about-using-google-workspace-with-authentik "Direct link to About using Google Workspace with authentik") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The following sections discuss how Google Workspace operates with authentik. ### Discovery[​](https://docs.goauthentik.io/add-secure-apps/providers/gws/#discovery "Direct link to Discovery") When first creating the provider and setting it up correctly, the provider will run a discovery and query your google workspace for all users and groups, and attempt to match them with their respective counterparts in authentik. This matching is done by email address for users as google uses that as their primary identifier, and using group names for groups. This discovery also takes into consideration any **User filtering** options configured in the provider, such as only linking to authentik users in a specific group or excluding service accounts. This discovery happens every time before a full sync is started. ### Synchronization[​](https://docs.goauthentik.io/add-secure-apps/providers/gws/#synchronization "Direct link to Synchronization") There are two types of synchronization: a direct sync and a full sync. A _direct sync_ happens when a user or group is created, updated or deleted in authentik, or when a user is added to or removed from a group. When one of these events happens, the direct sync automatically forwards those changes to Google Workspace. The _full sync_ happens when the provider is initially created and when it is saved. The full sync goes through all users and groups matching the **User filtering** options set and will create/update them in Google Workspace. After the initial sync, authentik will run a full sync every four hours to ensure the consistency of users and groups. During the full sync, if a user or group was created in authentik and a matching user/group exists in Google Workspace, authentik will automatically link them together. Furthermore, users and groups present in authentik but not in Google Workspace will be created and and linked. When a property mapping has an invalid expression, it will cause the sync to stop to prevent errors from being spammed. To handle any kind of network interruptions, authentik will detect transient request failures and retry any sync tasks. ### Customization for data mapping[​](https://docs.goauthentik.io/add-secure-apps/providers/gws/#customization-for-data-mapping "Direct link to Customization for data mapping") There are a couple of considerations in regard to how authentik data is mapped to google workspace user/group data by default. * For users, authentik only saves the full display name, while Google requires given/family name separately, and as such authentik attempts to separate the full name automatically with the default User property mapping. * For groups, Google groups require an email address. Thus in authentik the provider configuration has an option **Default group email domain**, which will be used in conjunction with the group’s name to generate an email address. This can be customized with a property mapping. * By default, authentik maps a user’s email, a user’s name, and their active status. For groups, the name is synced. Refer to Google documentation for further details on which fields data can be mapped to: * [https://developers.google.com/admin-sdk/directory/reference/rest/v1/users#User](https://developers.google.com/admin-sdk/directory/reference/rest/v1/users#User) * [https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups#Group](https://developers.google.com/admin-sdk/directory/reference/rest/v1/groups#Group) * [About using Google Workspace with authentik](https://docs.goauthentik.io/add-secure-apps/providers/gws/#about-using-google-workspace-with-authentik) * [Discovery](https://docs.goauthentik.io/add-secure-apps/providers/gws/#discovery) * [Synchronization](https://docs.goauthentik.io/add-secure-apps/providers/gws/#synchronization) * [Customization for data mapping](https://docs.goauthentik.io/add-secure-apps/providers/gws/#customization-for-data-mapping) --- # Create an LDAP provider | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/ldap/generic_setup/#__docusaurus_skipToContent_fallback) On this page ### Create Service account[​](https://docs.goauthentik.io/add-secure-apps/providers/ldap/generic_setup/#create-service-account "Direct link to Create Service account") 1. Create a new user account to bind with under **Directory > Users > Create**, in this example called `ldapservice`. Note the DN of this user will be `cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io` info Note: The `default-authentication-flow` validates MFA by default, and currently everything but SMS-based devices and WebAuthn (which enables passkey-based authentication) devices are supported by LDAP. If you plan to use only dedicated service accounts to bind to LDAP, or don't use SMS-based authenticators, then you can use the default flow and skip the extra steps below and continue at [Create LDAP Application & Provider](https://docs.goauthentik.io/add-secure-apps/providers/ldap/generic_setup/#create-ldap-application--provider) ### LDAP Flow[​](https://docs.goauthentik.io/add-secure-apps/providers/ldap/generic_setup/#ldap-flow "Direct link to LDAP Flow") #### Create Custom Stages[​](https://docs.goauthentik.io/add-secure-apps/providers/ldap/generic_setup/#create-custom-stages "Direct link to Create Custom Stages") 1. Create a new identification stage. **Flows & Stages > Stages > Create** ![](https://docs.goauthentik.io/assets/images/general_setup1-6a4765eef994774721784482056f6de8.png) 2. Name it `ldap-identification-stage`. Select User fields Username and Email (and UPN if it is relevant to your setup). ![](https://docs.goauthentik.io/assets/images/general_setup2-7a0f39e452493f8da843afcee8cc521d.png) 3. Create a new password stage. **Flows & Stages > Stages > Create** ![](https://docs.goauthentik.io/assets/images/general_setup3-4d6c33d273fd7fdf9ec3fc8e2b1300ad.png) 4. Name it `ldap-authentication-password`. Leave the defaults for Backends. ![](https://docs.goauthentik.io/assets/images/general_setup4-7443cadc53986b4b459dbd44e2191b24.png) 5. Create a new user login stage. **Flows & Stages > Stages > Create** ![](https://docs.goauthentik.io/assets/images/general_setup5-3024ba57c35956d5bf0a907d7c8cf3ca.png) 6. Name it `ldap-authentication-login`. ![](https://docs.goauthentik.io/assets/images/general_setup6-82db94b4bf96da352cc7f93cd79188a0.png) #### Create Custom Flow[​](https://docs.goauthentik.io/add-secure-apps/providers/ldap/generic_setup/#create-custom-flow "Direct link to Create Custom Flow") 1. Create a new authentication flow under **Flows & Stages > Flows > Create**, and name it `ldap-authentication-flow` ![](https://docs.goauthentik.io/assets/images/general_setup7-0edd1fc2ae1223b5f632b63c5cd45d3e.png) 2. Click the newly created flow and choose _Stage Bindings_. ![](https://docs.goauthentik.io/assets/images/general_setup8-5c7c990a05e58ac27f488b13f9e9b1b7.png) 3. Click `Bind Stage` choose `ldap-identification-stage` and set the order to `10`. ![](https://docs.goauthentik.io/assets/images/general_setup9-6a8235fef93fb4a7611374ab2f126e2e.png) 4. Click `Bind Stage` choose `ldap-authentication-login` and set the order to `30`. ![](https://docs.goauthentik.io/assets/images/general_setup11-bfccce0366a41f8dd6687db5b647d165.png) 5. Edit the `ldap-identification-stage`. ![](https://docs.goauthentik.io/assets/images/general_setup12-84f6e034efdfe7428c610144d00516e1.png) 6. Change the Password stage to `ldap-authentication-password`. ![](https://docs.goauthentik.io/assets/images/general_setup13-19ebc2ac6b1f8fb29f9ad9f40e5c4349.png) ### Create LDAP Application & Provider[​](https://docs.goauthentik.io/add-secure-apps/providers/ldap/generic_setup/#create-ldap-application--provider "Direct link to Create LDAP Application & Provider") 1. Create the LDAP Application under **Applications > Applications > Create With provider** and name it `LDAP`. ![](https://docs.goauthentik.io/assets/images/general_setup14-52ebe98b2e1208bfd820ab76e4d6e0c2.png) ![](https://docs.goauthentik.io/assets/images/general_setup15-b9a6ea5dd223f96959429a38e12e7f57.png) ### Assign LDAP permissions[​](https://docs.goauthentik.io/add-secure-apps/providers/ldap/generic_setup/#assign-ldap-permissions "Direct link to Assign LDAP permissions") 1. Navigate to the LDAP Provider under **Applications > Providers** > `Provider for LDAP`. 2. Switch to the _Permissions_ tab. 3. Click the _Assign to new user_ button to select a user to assign the full directory search permission to. 4. Select the `ldapservice` user typing in its username. Select the _Search full LDAP directory_ permission and click _Assign_ ### Create LDAP Outpost[​](https://docs.goauthentik.io/add-secure-apps/providers/ldap/generic_setup/#create-ldap-outpost "Direct link to Create LDAP Outpost") 1. Create (or update) the LDAP Outpost under **Applications > Outposts > Create**. Set the Type to `LDAP` and choose the `LDAP` application created in the previous step. ![](https://docs.goauthentik.io/assets/images/general_setup16-8b1e1c642a84232f10abd7595e590104.png) info The LDAP Outpost selects different providers based on their Base DN. Adding multiple providers with the same Base DN will result in inconsistent access ### ldapsearch Test[​](https://docs.goauthentik.io/add-secure-apps/providers/ldap/generic_setup/#ldapsearch-test "Direct link to ldapsearch Test") Test connectivity by using ldapsearch. info ldapsearch can be installed on Linux system with these commands sudo apt-get install ldap-utils -y # Debian-based systemssudo yum install openldap-clients -y # CentOS-based systems ldapsearch \ -x \ -H ldap://: \ # In production it is recommended to use SSL, which also requires `ldaps://` as the protocol and the SSL port -D 'cn=ldapservice,ou=users,DC=ldap,DC=goauthentik,DC=io' \ -w '' \ -b 'DC=ldap,DC=goauthentik,DC=io' \ '(objectClass=user)' info This query will log the first successful attempt in an event in the **Events > Logs** area, further successful logins from the same user are not logged as they are cached in the outpost. * [Create Service account](https://docs.goauthentik.io/add-secure-apps/providers/ldap/generic_setup/#create-service-account) * [LDAP Flow](https://docs.goauthentik.io/add-secure-apps/providers/ldap/generic_setup/#ldap-flow) * [Create LDAP Application & Provider](https://docs.goauthentik.io/add-secure-apps/providers/ldap/generic_setup/#create-ldap-application--provider) * [Assign LDAP permissions](https://docs.goauthentik.io/add-secure-apps/providers/ldap/generic_setup/#assign-ldap-permissions) * [Create LDAP Outpost](https://docs.goauthentik.io/add-secure-apps/providers/ldap/generic_setup/#create-ldap-outpost) * [ldapsearch Test](https://docs.goauthentik.io/add-secure-apps/providers/ldap/generic_setup/#ldapsearch-test) --- # Provider property mappings | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/#__docusaurus_skipToContent_fallback) On this page Property mappings allow you to pass information to external applications. For example, pass the current user's groups as a SAML parameter. SAML property mappings[​](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/#saml-property-mappings "Direct link to SAML property mappings") ------------------------------------------------------------------------------------------------------------------------------------------------------------------- SAML property mappings allow you embed information into the SAML authentication request. This information can then be used by the application to, for example, assign permissions to the object. Scope mappings with OAuth2[​](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/#scope-mappings-with-oauth2 "Direct link to Scope mappings with OAuth2") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Scope mappings are used by the OAuth2 provider to map information from authentik to OAuth2/OIDC claims. Values returned by a scope mapping are added as custom claims to access and ID tokens. Default value for `email_verified` By default, authentik sets the `email_verified` claim to `False`, since it has no way to confirm whether a user's email is verified. Setting this claim to `True` by default could introduce unintended security risks. Be aware that some applications might require this claim to be true to successfully authenticate users. In this case you should create a custom email scope mapping that returns `email_verified` as `True`, using the following expression: return { "email": user.email, "email_verified": True,} Skip objects during synchronization[​](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/#skip-objects-during-synchronization "Direct link to Skip objects during synchronization") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- To skip synchronization for a specific object, you can create a property mapping with an expression that triggers the `SkipObject` exception. This functionality is supported by the following providers: [**Google Workspace**](https://docs.goauthentik.io/add-secure-apps/providers/gws/) , [**Microsoft Entra ID**](https://docs.goauthentik.io/add-secure-apps/providers/entra/) , and [**SCIM**](https://docs.goauthentik.io/add-secure-apps/providers/scim/) . **Example:** if request.user.username == "example_username": raise SkipObject * [SAML property mappings](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/#saml-property-mappings) * [Scope mappings with OAuth2](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/#scope-mappings-with-oauth2) * [Skip objects during synchronization](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/#skip-objects-during-synchronization) --- # LDAP Provider | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/ldap/#__docusaurus_skipToContent_fallback) On this page You can configure an LDAP Provider for applications that don't support any newer protocols or require LDAP. info Note: This provider requires the deployment of the [LDAP Outpost](https://docs.goauthentik.io/add-secure-apps/outposts/) All users and groups in authentik's database are searchable. Currently, there is limited support for filters (you can only search for objectClass), but this will be expanded in further releases. Binding against the LDAP Server uses a flow in the background. This allows you to use the same policies and flows as you do for web-based logins. For more info, see [Bind modes](https://docs.goauthentik.io/add-secure-apps/providers/ldap/#binding--bind-modes) . You can configure under which base DN the information should be available. For this documentation we'll use the default of `DC=ldap,DC=goauthentik,DC=io`. Users are available under `ou=users,` and groups under `ou=groups,`. To aid compatibility, each user belongs to its own "virtual" group, as is standard on most Unix-like systems. This group does not exist in the authentik database, and is generated on the fly. These virtual groups are under the `ou=virtual-groups,` DN. info Note: Every LDAP provider needs to have a unique base DN. You can achieve this by prepending an application-specific OU or DC. e.g. `OU=appname,DC=ldap,DC=goauthentik,DC=io` The following fields are currently sent for users: * `cn`: User's username * `uid`: Unique user identifier * `uidNumber`: A unique numeric identifier for the user * `name`: User's name * `displayName`: User's name * `mail`: User's email address * `objectClass`: A list of these strings: * "user" * "organizationalPerson" * "goauthentik.io/ldap/user" * `memberOf`: A list of all DNs that the user is a member of * `homeDirectory`: A default home directory path for the user, by default `/home/$username`. Can be overwritten by setting `homeDirectory` as an attribute on users or groups. * `ak-active`: "true" if the account is active, otherwise "false" * `ak-superuser`: "true" if the account is part of a group with superuser permissions, otherwise "false" The following fields are currently set for groups: * `cn`: The group's name * `uid`: Unique group identifier * `gidNumber`: A unique numeric identifier for the group * `member`: A list of all DNs of the group's members, including groups which have this group as their parent group * `memberOf`: The DN of the parent group if this group has a parent group * `objectClass`: A list of these strings: * "group" * "goauthentik.io/ldap/group" A virtual group is also created for each user, they have the same fields as groups but have an additional objectClass: `goauthentik.io/ldap/virtual-group`. The virtual groups gidNumber is equal to the uidNumber of the user. **Additionally**, for both users and (non-virtual) groups, any attributes you set are also present as LDAP Attributes. info Starting with 2021.9.1, custom attributes will override the inbuilt attributes. info Starting with 2023.3, periods and slashes in custom attributes will be sanitized. SSL / StartTLS[​](https://docs.goauthentik.io/add-secure-apps/providers/ldap/#ssl--starttls "Direct link to SSL / StartTLS") ----------------------------------------------------------------------------------------------------------------------------- You can also configure SSL for your LDAP Providers by selecting a certificate and a server name in the provider settings. Starting with authentik 2023.6, StartTLS is supported, and the provider will pick the correct certificate based on the configured _TLS Server name_ field. The certificate is not picked based on the Bind DN, as the StartTLS operation should happen before the bind request to ensure bind credentials are transmitted over TLS. This enables you to bind on port 636 using LDAPS. Integrations[​](https://docs.goauthentik.io/add-secure-apps/providers/ldap/#integrations "Direct link to Integrations") ------------------------------------------------------------------------------------------------------------------------ See the integration guide for [sssd](https://integrations.goauthentik.io/services/sssd/) for an example guide. Binding & Bind Modes[​](https://docs.goauthentik.io/add-secure-apps/providers/ldap/#binding--bind-modes "Direct link to Binding & Bind Modes") ----------------------------------------------------------------------------------------------------------------------------------------------- All bind modes rely on flows. The following stages are supported: * [Identification](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/) * [Password](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/password/) * [Authenticator validation](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/) Note: Authenticator validation currently only supports DUO, TOTP and static authenticators. Starting with authentik 2023.6, code-based authenticators are only supported when _Code-based MFA Support_ is enabled in the provider. When enabled, all users that will bind to the LDAP provider should have a TOTP device configured, as otherwise a password might be incorrectly rejected when semicolons are used in the password. For code-based authenticators, the code must be given as part of the bind password, separated by a semicolon. For example for the password `example-password` and the code `123456`, the input must be `example-password;123456`. SMS-based authenticators are not supported as they require a code to be sent from authentik, which is not possible during the bind. * [User Logout](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_logout/) * [User Login](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/) * [Deny](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/deny/) #### Direct bind[​](https://docs.goauthentik.io/add-secure-apps/providers/ldap/#direct-bind "Direct link to Direct bind") In this mode, the outpost will always execute the configured flow when a new bind request is received. #### Cached bind[​](https://docs.goauthentik.io/add-secure-apps/providers/ldap/#cached-bind "Direct link to Cached bind") This mode uses the same logic as direct bind, however the result is cached for the entered credentials, and saved in memory for the standard session duration. Sessions are saved independently, meaning that revoking sessions does _not_ remove them from the outpost, and neither will changing a users credentials. Searching & Search Modes[​](https://docs.goauthentik.io/add-secure-apps/providers/ldap/#searching--search-modes "Direct link to Searching & Search Modes") ----------------------------------------------------------------------------------------------------------------------------------------------------------- Any user that is authorized to access the LDAP provider's application can execute search the LDAP directory. Without explicit permissions to do broader searches, a user's search request will return information about themselves, including user info, group info, and group membership. [Users](https://docs.goauthentik.io/users-sources/user/) and [roles](https://docs.goauthentik.io/users-sources/roles/) can be assigned the permission "Search full LDAP directory" to allow them to search the full LDAP directory and retrieve information about all users in the authentik instance. info Up to authentik version 2024.8 this was managed using the "Search group" attribute in the LDAP Provider, where users could be added to a group to grant them this permission. With authentik 2024.8 this is automatically migrated to the "Search full LDAP directory" permission, which can be assigned more flexibly. #### Direct search[​](https://docs.goauthentik.io/add-secure-apps/providers/ldap/#direct-search "Direct link to Direct search") Every LDAP search request will trigger one or more requests to the authentik core API. This will always return the latest data, however also has a performance hit due all the layers the backend requests have to go through, etc. #### Cached search[​](https://docs.goauthentik.io/add-secure-apps/providers/ldap/#cached-search "Direct link to Cached search") In this mode, the outpost will periodically fetch all users and groups from the backend, hold them in memory, and respond to search queries directly. This means greatly improved performance but potentially returning old/invalid data. * [SSL / StartTLS](https://docs.goauthentik.io/add-secure-apps/providers/ldap/#ssl--starttls) * [Integrations](https://docs.goauthentik.io/add-secure-apps/providers/ldap/#integrations) * [Binding & Bind Modes](https://docs.goauthentik.io/add-secure-apps/providers/ldap/#binding--bind-modes) * [Searching & Search Modes](https://docs.goauthentik.io/add-secure-apps/providers/ldap/#searching--search-modes) --- # OAuth 2.0 provider | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#__docusaurus_skipToContent_fallback) On this page In authentik, you can [create](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/create-oauth2-provider/) an [OAuth 2.0](https://oauth.net/2/) provider that authentik uses to authenticate the user to the associated application. This provider supports both generic OAuth2 as well as OpenID Connect (OIDC). authentik and OAuth 2.0[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#authentik-and-oauth-20 "Direct link to authentik and OAuth 2.0") ---------------------------------------------------------------------------------------------------------------------------------------------------------- It's important to understand how authentik works with and supports the OAuth 2.0 protocol, so before taking a [closer look at OAuth 2.0 protocol](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#about-oauth-20-and-oidc) itself, let's cover a bit about authentik. authentik can act either as the OP, (OpenID Provider, with authentik as the IdP), or as the RP (Relying Party, or the application that uses OAuth 2.0 to authenticate). If you want to configure authentik as an OP, then you create a provider, then use the OAuth 2.0 provider. If you want authentik to serve as the RP, then configure a [source](https://docs.goauthentik.io/users-sources/sources/) . Of course, authentik can serve as both the RP and OP, if you want to use the authentik OAuth provider and also use sources. All standard OAuth 2.0 flows (authorization code, client\_credentials, implicit, hybrid, device code) and grant types are supported in authentik, and we follow the [OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html) . OAuth 2.0 in authentik supports OAuth, PKCE, [Github compatibility](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/github-compatibility/) and the RP receives data from our scope mapping system. The authentik OAuth 2.0 provider comes with all the standard functionality and features of OAuth 2.0, including the OAuth 2.0 security principles such as no cleartext storage of credentials, configurable encryption, configurable short expiration times, and the configuration of automatic rotation of refresh tokens. In short, our OAuth 2.0 protocol support provides full coverage. About OAuth 2.0 and OIDC[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#about-oauth-20-and-oidc "Direct link to About OAuth 2.0 and OIDC") ------------------------------------------------------------------------------------------------------------------------------------------------------------- OAuth 2.0 is an authorization protocol that allows an application (the RP) to delegate authorization to an OP. OIDC is an authentication protocol built on top of OAuth2, which provides identity credentials and other data on top of OAuth2. **OAuth 2.0** typically requires two requests (unlike the previous "three-legged" OAuth 1.0). The two "legs", or requests, for OAuth 2.0 are: 1. An authorization request is prepared by the RP and contains parameters for its implementation of OAuth and which data it requires, and then the User's browser is redirected to that URL. 2. The RP sends a request to authentik in the background to exchange the access code for an access token (and optionally a refresh token). In detail, with OAuth2 when a user accesses the application (the RP) via their browser, the RP then prepares a URL with parameters for the OpenID Provider (OP), which the users's browser is redirected to. The OP authenticates the user and generates an authorization code. The OP then redirects the client (the user's browser) back to the RP, along with that authorization code. In the background, the RP then sends that same authorization code in a request authenticated by the `client_id` and `client_secret` to the OP. Finally, the OP responds by sending an Access Token saying this user has been authorised (the RP is recommended to validate this token using cryptography) and optionally a Refresh Token. The image below shows a typical authorization code flow. OAuth2 endpoints and bindings[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#oauth2-endpoints-and-bindings "Direct link to OAuth2 endpoints and bindings") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | Endpoint | URL | | --- | --- | | Authorization | `/application/o/authorize/` | | Token | `/application/o/token/` | | User Info | `/application/o/userinfo/` | | Token Revoke | `/application/o/revoke/` | | Token Introspection | `/application/o/introspect/` | | Device Authorization | `/application/o/device/` | | End Session | `/application/o//end-session/` | | JWKS | `/application/o//jwks/` | | OpenID Configuration | `/application/o//.well-known/openid-configuration` | Reserved application slugs Due to how the OAuth2 provider endpoints are structured, you cannot create applications that use the slugs `authorize`, `token`, `device`, `userinfo`, `introspect`, or `revoke` as these would conflict with the global OAuth2 endpoints. ### Additional configuration options with Redirect URIs[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#additional-configuration-options-with-redirect-uris "Direct link to Additional configuration options with Redirect URIs") When using an OAuth 2.0 provider in authentik, the OP must validate the provided redirect URI by the RP. An authentik admin can configure a list in the **Redirect URI** field on the Provider. When you create a new OAuth 2.0 provider and app in authentik and you leave the **Redirect URI** field empty, then the first time a user opens that app, authentik uses that URL as the saved redirect URL. For advanced use cases, an authentik admin can use regular expressions (regex) instead of a redirect URL. For example, if you want to list ten different applications, instead of listing them all individually, you can create an expression with wildcards. When using regex, be aware that authentik uses a dot as a separator in the URL, but in regex a dot means "one of any character", a wildcard. You should therefore escape the dot with `\.` to prevent its interpretation as a wildcard. ### OAuth2/OpenID Connect back-channel logout[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#oauth2openid-connect-back-channel-logout "Direct link to OAuth2/OpenID Connect back-channel logout") Using back-channel logout (a server-to-server notification mechanism) allows an identity provider to notify connected OAuth2/OpenID clients whenever a user's session is terminated. For more information, see our [OAuth2/OpenID Connect front-channel and back-channel logout](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/) documentation. OAuth 2.0 flows and grant types[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#oauth-20-flows-and-grant-types "Direct link to OAuth 2.0 flows and grant types") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- There are three general flows of OAuth 2.0: 1. Web-based application authorization (Authorization code, Implicit, Refresh token) 2. Client credentials (Machine-to-machine) 3. Device code Additionally, the [Refresh token](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#refresh-token-grant) (grant type) is optionally used with any of the above flows, as well as the client credentials and device code flows. ### 1: Web-based application authorization[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#1-web-based-application-authorization "Direct link to 1: Web-based application authorization") The flows and grant types used in this case are those used for a typical authorization process, with a user and an application: * _Authorization code_ grant type * _Implicit_ grant type (legacy) * _Hybrid_ grant type #### Authorization code[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#authorization-code "Direct link to Authorization code") The authorization code is for environments with both a Client and a application server, where the back and forth happens between the client and an app server (the logic lives on app server). The RP needs to authorise itself to the OP. Client ID (public, identifies which app is talking to it) and client secret (the password) that the RP uses to authenticate. If you configure authentik to use "Offline access" then during the initial auth the OP sends two tokens, an access token (short-lived, hours, can be customised) and a refresh token (typically longer validity, days or infinite). The RP (the app) saves both tokens. When the access token is about to expire, the RP sends the saved refresh token back to the OP, and requests a new access token. When the refresh token itself is about to expire, the RP can also ask for a new refresh token. This can all happen without user interaction if you configured the offline access. info Starting with authentik 2024.2, applications only receive an access token. To receive a refresh token, both applications and authentik must be configured to request the `offline_access` scope. In authentik this can be done by selecting the `offline_access` Scope mapping in the provider settings. The authorization code grant type is used to convert an authorization code to an access token (and optionally a refresh token). The authorization code is retrieved through the authentik [Authorization flow](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/) , can only be used once, and expires quickly. #### Implicit[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#implicit "Direct link to Implicit") info The OAuth 2.0 [Security Best Current Practice document](https://tools.ietf.org/html/draft-ietf-oauth-security-topics) recommends against using the Implicit flow entirely, and OAuth 2.0 for Browser-Based Apps describes the technique of using the authorization code flow with PKCE instead. ([source](https://oauth.net/2/grant-types/implicit/) ) This flow is for more modern single page-applications, or ones you download, that are all client-side (all JS, no backend logic, etc) and have no server to make tokens. Because the secret cannot be stored on the client machine, the implicit flow is required in these architectures. With the implicit flow, the flow skips the second part of the two requests seen in the authorization flow; after the initial author request, the implicit flow receives a token, and then with cryptocracy and with PKCE, it can validate that it is the correct client, and that is safe to send a token. The RP (still called that with this implicit flow) can use cryptography to validate the token. #### Hybrid[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#hybrid "Direct link to Hybrid") The Hybrid Flow is an OpenID Connect flow that incorporates traits of both the Implicit flow and the Authorization Code flow. It provides an application instant access to an ID token while ensuring secure and safe retrieval of access tokens and refresh tokens. This can be useful in situations where the application needs to quickly access information about the user, while in the background doing further processing to get additional tokens before gaining access to additional resources. ### 2\. Client credentials[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#2-client-credentials "Direct link to 2. Client credentials") The client credentials flow and grant types are typically implemented for server-to-server scenarios, when code in a web application invokes a web API. For more information, see [Machine-to-machine authentication](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/) . ### 3\. Device code[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#3-device-code "Direct link to 3. Device code") The device code flow is used in situations where there is no browser and limited options for text or data input from a client ("input-constrained devices"). For example, using a subscription TV program on a television, where you use a website on your mobile device to input a code displayed on the TV, authenticate, and then you are logged in to the TV. For more information, see [Device code flow](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/device_code/) . #### Refresh token grant[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#refresh-token-grant "Direct link to Refresh token grant") Refresh tokens can be used as long-lived tokens to access user data, and further renew the refresh token down the road. info Starting with authentik 2024.2, the refresh token grant type requires the `offline_access` scope. Scope mappings[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#scope-mappings "Direct link to Scope mappings") -------------------------------------------------------------------------------------------------------------------------------- Scopes can be configured using scope mappings, a type of [property mapping](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/#scope-mappings-with-oauth2) . Scope authorization[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#scope-authorization "Direct link to Scope authorization") ----------------------------------------------------------------------------------------------------------------------------------------------- By default, every user that has access to an application can request any of the configured scopes. Starting with authentik 2022.4, you can do additional checks for the scope in an expression policy (bound to the application): # There are additional fields set in the context, use `ak_logger.debug(request.context)` to see them.if "my-admin-scope" in request.context["oauth_scopes"]: return ak_is_group_member(request.user, name="my-admin-group")return True Default & special scopes[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#default--special-scopes "Direct link to Default & special scopes") ------------------------------------------------------------------------------------------------------------------------------------------------------------- When a client does not request any scopes, authentik will treat the request as if all configured scopes were requested. Depending on the configured authorization flow, consent still needs to be given, and all scopes are listed there. This does _not_ apply to special scopes, as those are not configurable in the provider. ### Default[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#default "Direct link to Default") * `openid`: A scope required by the OpenID Connect spec to specify that an OAuth interaction is OpenID Connect. Does not add any data to the token. * `profile`: Include basic profile information, such as username, name and group membership. * `email`: Include the users' email address. * `entitlements`: Include application entitlement data. * `offline_access`: An OAuth 2.0 scope which indicates that the application is requesting a refresh token. ### authentik[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#authentik "Direct link to authentik") * `goauthentik.io/api`: This scope grants the refresh token access to the authentik API on behalf of the user ### GitHub compatibility[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#github-compatibility "Direct link to GitHub compatibility") * `user`: No-op, is accepted for compatibility but does not give access to any resources * `read:user`: Same as above * `user:email`: Allows read-only access to `/user`, including email address * `read:org`: Allows read-only access to `/user/teams`, listing all the user's groups as teams. Signing & Encryption[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#signing--encryption "Direct link to Signing & Encryption") ------------------------------------------------------------------------------------------------------------------------------------------------- [JWTs](https://jwt.io/introduction) created by authentik will always be signed. When a _Signing Key_ is selected in the provider, the JWT will be signed asymmetrically with the private key of the selected certificate, and can be verified using the public key of the certificate. The public key data of the signing key can be retrieved via the JWKS endpoint listed on the provider page. When no _Signing Key_ is selected, the JWT will be signed symmetrically with the _Client secret_ of the provider, which can be seen in the provider settings. ### Encryptionauthentik: 2024.10.0+[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#encryption "Direct link to encryption") authentik can also encrypt JWTs (turning them into JWEs) it issues by selecting an _Encryption Key_ in the provider. When selected, all JWTs will be encrypted symmetrically using the selected certificate. authentik uses the `RSA-OAEP-256` algorithm with the `A256CBC-HS512` encryption method. * [authentik and OAuth 2.0](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#authentik-and-oauth-20) * [About OAuth 2.0 and OIDC](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#about-oauth-20-and-oidc) * [OAuth2 endpoints and bindings](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#oauth2-endpoints-and-bindings) * [Additional configuration options with Redirect URIs](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#additional-configuration-options-with-redirect-uris) * [OAuth2/OpenID Connect back-channel logout](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#oauth2openid-connect-back-channel-logout) * [OAuth 2.0 flows and grant types](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#oauth-20-flows-and-grant-types) * [1: Web-based application authorization](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#1-web-based-application-authorization) * [2\. Client credentials](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#2-client-credentials) * [3\. Device code](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#3-device-code) * [Scope mappings](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#scope-mappings) * [Scope authorization](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#scope-authorization) * [Default & special scopes](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#default--special-scopes) * [Default](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#default) * [authentik](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#authentik) * [GitHub compatibility](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#github-compatibility) * [Signing & Encryption](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#signing--encryption) * [Encryption](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/#encryption) --- # Device code flow | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/device_code/#__docusaurus_skipToContent_fallback) On this page The device code flow is also known as _device flow_ or _device authorization grant flow_. This type of authentication flow is useful for devices with limited input capabilities and/or devices without browsers. The Request for Comments (RFC) 8628) abstract for this flow states: > The OAuth 2.0 device authorization grant is designed for Internet-connected devices that either lack a browser to perform a user-agent-based authorization or are input constrained to the extent that requiring the user to input text in order to authenticate during the authorization flow is impractical. It enables OAuth clients on such devices (like smart TVs, media consoles, digital picture frames, and printers) to obtain user authorization to access protected resources by using a user agent on a separate device. ### Requirements[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/device_code/#requirements "Direct link to Requirements") This device flow is only possible if the active [brand](https://docs.goauthentik.io/brands/) has a device code flow configured. This flow is run _after_ the user logs in, and before the user authenticates. authentik does not include a default flow for this use case, so it is necessary to create a new one with a **Designation** of `Stage Configuration`. ### Device flow initiation[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/device_code/#device-flow-initiation "Direct link to Device flow initiation") The flow is initiated by sending a POST request to the device authorization endpoint, `/application/o/device/`, with the following contents: POST /application/o/device/ HTTP/1.1client_id=application_client_id&scope=openid email my-other-scope The response contains the following fields: * `device_code`: Device code, which is the code kept on the device * `verification_uri`: The URL to be shown to the enduser to input the code * `verification_uri_complete`: The same URL as above except the code will be prefilled * `user_code`: The raw code for the enduser to input * `expires_in`: The total seconds after which this token will expire * `interval`: The interval in seconds for how often the device should check the token status With this response, the device can start checking the status of the token by sending requests to the token endpoint like this: POST /application/o/token/ HTTP/1.1grant_type=urn:ietf:params:oauth:grant-type:device_code&client_id=application_client_id&device_code=device_code_from_above If the user has not opened the link above yet, or has not finished the authentication and authorization yet, the response will contain an `error` element set to `authorization_pending`. The device should re-send the request in the interval set above. If the user _has_ finished the authentication and authorization, the response will be similar to any other generic OAuth2 Token request, containing `access_token` and `id_token`. ### Create and apply a device code flow[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/device_code/#create-and-apply-a-device-code-flow "Direct link to Create and apply a device code flow") 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Flows and Stages** > **Flows** and click **Create**. 3. Set the following required configurations: * **Name**: provide a name (e.g. `default-device-code-flow`) * **Title**: provide a title (e.g. `Device code flow`) * **Slug**: provide a slug (e.g `default-device-code-flow`) * **Designation**: `Stage Configuration` * **Authentication**: `Require authentication` 4. Click **Create**. 5. Navigate to **System** > **Brands** and click the **Edit** icon on the default brand. 6. Set **Default code flow** to the newly created device code flow and click **Update**. * [Requirements](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/device_code/#requirements) * [Device flow initiation](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/device_code/#device-flow-initiation) * [Create and apply a device code flow](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/device_code/#create-and-apply-a-device-code-flow) --- # OAuth2/OpenID Connect front-channel and back-channel logout | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#__docusaurus_skipToContent_fallback) On this page Overview[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#overview "Direct link to Overview") -------------------------------------------------------------------------------------------------------------------------------------------------- OAuth2/OIDC logout is a security feature defined in the OpenID Connect specification. It allows an OIDC Provider (OP), such as authentik, to notify Relying Parties (RPs) when a user session ends. This ensures that all associated applications can properly terminate the user's session. For more information about single logout across all providers, see the [Single Logout (SLO) Overview](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/) . warning Your OAuth application (Relying Party) must explicitly support OpenID Connect front-channel logout or back-channel logout to properly handle logout requests. Not all OAuth applications support these features, so compatibility should be verified. Requirements[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#requirements "Direct link to Requirements") -------------------------------------------------------------------------------------------------------------------------------------------------------------- Your OAuth application (Relying Party) must: * **HTTPS**: Use HTTPS in production. * **Accessible**: Be reachable from authentik. * **Logout endpoint**: Have a defined endpoint to handle OP logout requests (front-channel, back-channel, or both). Configuration[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#configuration "Direct link to Configuration") ----------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Set up single logout[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#set-up-single-logout "Direct link to Set up single logout") 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers**. 3. Edit or create an OAuth2 provider. 4. In the **Logout URI** field, enter the logout endpoint provided by your RP, if supported. 5. Select the **Logout Method** to choose **Front-channel** or **Back-channel** based on RP support. 6. Click **Finish** to save your changes. info Back-channel logout is the only way to ensure that users are logged out of the provider when their session is administratively terminated (e.g., when a user is deactivated or their session is deleted). ### Logout URI format[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#logout-uri-format "Direct link to Logout URI format") The **Logout URI** should be a single URL provided by your Relying Party application, for example: #### Back-channel[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#back-channel "Direct link to Back-channel") https://app.example.com/oauth/backchannel-logouthttps://api.service.com/logout/backchannelhttps://client.example.org/backchannel-logout #### Front-channel[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#front-channel "Direct link to Front-channel") https://app.example.com/oauth/logouthttps://api.service.com/logout How OpenID Connect single logout works[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#how-openid-connect-single-logout-works "Direct link to How OpenID Connect single logout works") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Back-channel logout[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#back-channel-logout "Direct link to Back-channel logout") With back-channel logout, authentik sends logout requests directly from the server to the RP’s logout endpoint via HTTP POST. The logout request includes a signed JWT logout token that contains the following JWT claims: * `iss` (issuer): The authentik issuer URL * `sub` (subject): The user's unique identifier * `aud` (audience): The client ID * `iat` (issued at): Token creation timestamp * `jti` (JWT ID): Unique token identifier * `events`: Logout event claim * `sid` (session ID): The session identifier (if available) Example back-channel logout request: POST /backchannel-logout HTTP/1.1logout_token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9... Back-channel logout is triggered when: * A user logs out through a logout flow * An administrator deletes a user's session * A user account is deactivated * A session expires or is revoked ### Front-channel logout[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#front-channel-logout "Direct link to Front-channel logout") With front-channel logout, authentik injects an iframe logout stage into the logout flow. This stage loads the RP's (relying party) front-channel logout URL in a hidden iframe within the user's browser. The logout URL includes session information as query parameters, such as: * `iss`: The authentik issuer URL * `sid`: The session identifier Example front-channel logout iframe: The RP processes the logout request and terminates the user's session. After all iframes complete their requests, the user continues through the authentik logout flow. info Front-channel logout only works for user-initiated logouts through a logout flow. It cannot be used for administrative session termination since it requires an active browser session. Resources[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#resources "Direct link to Resources") ----------------------------------------------------------------------------------------------------------------------------------------------------- * [Single Logout (SLO) Overview](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/) * [User Logout Stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_logout/) * [OAuth2 Provider Configuration](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/) * [OpenID Connect Back-Channel Logout 1.0 Specification](https://openid.net/specs/openid-connect-backchannel-1_0.html) * [OpenID Connect Front-Channel Logout 1.0 Specification](https://openid.net/specs/openid-connect-frontchannel-1_0.html) * [Overview](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#overview) * [Requirements](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#requirements) * [Configuration](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#configuration) * [Set up single logout](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#set-up-single-logout) * [Logout URI format](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#logout-uri-format) * [How OpenID Connect single logout works](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#how-openid-connect-single-logout-works) * [Back-channel logout](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#back-channel-logout) * [Front-channel logout](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#front-channel-logout) * [Resources](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/#resources) --- # GitHub compatibility | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/github-compatibility/#__docusaurus_skipToContent_fallback) On this page The OAuth2 provider also exposes a GitHub-compatible endpoint. This endpoint can be used by applications, which support authenticating against GitHub Enterprise, but not generic OpenID Connect. To use any of the GitHub Compatibility scopes, you have to use the GitHub Compatibility Endpoints. | Endpoint | URL | | --- | --- | | Authorization | `/login/oauth/authorize` | | Token | `/login/oauth/access_token` | | User Info | `/user` | | User Teams Info | `/user/teams` | To access the user's email address, a scope of `user:email` is required. To access their groups, `read:org` is required. Because these scopes are handled by a different endpoint, they are not customisable as a Scope Mapping. Special scopes for GitHub compatibility[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/github-compatibility/#special-scopes-for-github-compatibility "Direct link to Special scopes for GitHub compatibility") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * `user`: No-op, is accepted for compatibility but does not give access to any resources * `read:user`: Same as above * `user:email`: Allows read-only access to `/user`, including email address * `read:org`: Allows read-only access to `/user/teams`, listing all the user's groups as teams. * [Special scopes for GitHub compatibility](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/github-compatibility/#special-scopes-for-github-compatibility) --- # Custom headers | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/proxy/custom_headers/#__docusaurus_skipToContent_fallback) On this page The proxy can send custom headers to your upstream application. These can be configured in one of two ways: * Group attributes; this allows for inheritance, but only allows static values * Property mappings; this allows for dynamic values Group attributes[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/custom_headers/#group-attributes "Direct link to Group attributes") ---------------------------------------------------------------------------------------------------------------------------------------------------- Edit the group or user you wish the header to be set for, and set these attributes: additionalHeaders: X-My-Header: value You can the add users to this group or override the field in users. Property Mappings[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/custom_headers/#property-mappings "Direct link to Property Mappings") ------------------------------------------------------------------------------------------------------------------------------------------------------- For dynamic Header values (for example, your application requires X-App-User to contain the username), property mappings can be used. Create a new Scope mapping with a name and scope of your choice, and use an expression like this: return { "ak_proxy": { "user_attributes": { "additionalHeaders": { "X-App-User": request.user.username } } }} After you've created this Scope mapping, make sure to edit the proxy provider and select the mapping. As you can see by the similar structure, this just overrides any static attributes, so both of these methods can be combined. * [Group attributes](https://docs.goauthentik.io/add-secure-apps/providers/proxy/custom_headers/#group-attributes) * [Property Mappings](https://docs.goauthentik.io/add-secure-apps/providers/proxy/custom_headers/#property-mappings) --- # Machine-to-Machine (M2M) authentication | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#__docusaurus_skipToContent_fallback) On this page The OAuth 2.0 specification includes the client credentials grant which allows machine-to-machine (M2M) communication authentication, bypassing user involvement. In authentik, machine clients do not authenticate using the typical `client_id` + `client_secret`. This is due to OAuth providers only being able to have a single secret at any given time. Hence identification is based on a username, and authentication is based on app password tokens. Static authentication[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#static-authentication "Direct link to Static authentication") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ All user account types; internal, external and service account, can be used for authentication. These can be created manually beforehand or [automatically during authentication](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#automatic-service-account-creation) . authentik treats a grant type of `password` the same as `client_credentials` to support applications which rely on a password grant. Scopes, if required, must be defined in the request, and follow the same behaviour as other OAuth requests. ### Example request[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#example-request "Direct link to Example request") An example request: POST /application/o/token/ HTTP/1.1grant_type=client_credentials&client_id=&username=&password=&scope=profile This will return a JSON response with an `access_token`, which is a signed JWT token. This token can be sent along with requests to other hosts, which can then validate the JWT based on the signing key configured in authentik. ### Base64 encoded username and app password[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#base64-encoded-username-and-app-password "Direct link to Base64 encoded username and app password") It's also possible to encode the username and app password of the user to authenticate with, separated with a colon, into a base64 string and pass it as `client_secret` value, for example: POST /application/o/token/ HTTP/1.1grant_type=client_credentials&client_id=&client_secret=&scope=profile ### Automatic service account creation[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#automatic-service-account-creation "Direct link to Automatic service account creation") Alternatively, it's possible to pass the configured `client_secret` value of an OAuth provider, in which case authentik will automatically generate a service account for which the JWT token will be issued, for example: POST /application/o/token/ HTTP/1.1grant_type=client_credentials&client_id=&client_secret=&scope=profile The automatically generated service account will follow this naming scheme: `ak--client_credentials`. Currently the service account creation settings can not be altered. JWT authentication[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#jwt-authentication "Direct link to JWT authentication") --------------------------------------------------------------------------------------------------------------------------------------------------------------- For both externally and authentik issued JWTs, authentik will create a service account which is based on the provider name and the subject claim of the token that authentik is given. You may end up with multiple service accounts depending on the tokens that are provided to authentik. These service accounts will expire and be deleted based on the expiry claim (if set) of the token that authentik is given. ### Externally issued JWTs[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#externally-issued-jwts "Direct link to Externally issued JWTs") You can authenticate and get a token using an existing JWT. For readability we will refer to the JWT issued by the external issuer/platform as input JWT, and the resulting JWT from authentik as the output JWT. To configure this, define a JWKS URL/raw JWKS data in OAuth Sources. If a JWKS URL is specified, authentik will fetch the data and store it in the source, and then select the source in the OAuth2 Provider that will be authenticated against. With this configuration, any JWT issued by the configured sources' certificates can be used to authenticate: POST /application/o/token/ HTTP/1.1grant_type=client_credentials&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=&client_id= Alternatively, you can set the `client_secret` parameter to ``, for applications that can set the password from a file but not other parameters. Input JWTs are checked to verify that they are signed by any of the selected _Federated OIDC Sources_, and that their `exp` attribute is not set as now or in the past. To dynamically limit access based on the claims of the tokens, you can use [Expression policies](https://docs.goauthentik.io/customize/policies/expression/) , for example: return request.context["oauth_jwt"]["iss"] == "https://my.issuer" Other information that's available in the policy expression context: * `request.context["oauth_scopes"]` - list of scope names requested * `request.context["oauth_grant_type"]` - the grant type * `request.context["oauth_code_verifier"]` - a string or none If you're authorizing with a JWT, then `request.context["oauth_jwt"]` is available which is the parsed JWT as a dictionary. ### authentik-issued JWTsauthentik: 2024.12.0+[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#authentik-issued-jwts "Direct link to authentik-issued-jwts") To allow federation between providers, modify the provider settings of the application (whose token will be used for authentication) to select the provider of the application to which you want to federate. With this configuration, any JWT issued by the configured providers can be used to authenticate: POST /application/o/token/ HTTP/1.1grant_type=client_credentials&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=&client_id= Alternatively, you can set the `client_secret` parameter to ``, for applications which can set the password from a file but not other parameters. Input JWTs must be valid access tokens issued by any of the configured _Federated OIDC Providers_, they must not have been revoked and must not have expired. To dynamically limit access based on the claims of the tokens, you can use [Expression policies](https://docs.goauthentik.io/customize/policies/expression/) , for example: return request.context["oauth_jwt"]["iss"] == "https://my.issuer" Other information that's available in the policy expression context: * `request.context["oauth_scopes"]` - list of scope names requested * `request.context["oauth_grant_type"]` - the grant type * `request.context["oauth_code_verifier"]` - a string or none If you're authorizing with a JWT, then `request.context["oauth_jwt"]` is available which is the parsed JWT as a dictionary. Troubleshooting[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#troubleshooting "Direct link to Troubleshooting") ------------------------------------------------------------------------------------------------------------------------------------------------------ ### More detailed error information[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#more-detailed-error-information "Direct link to More detailed error information") If you receive any error response from authentik it will only be a generic error, error description, and the `request_id`. However, more detailed error information can be obtained from the [authentik server container logs](https://docs.goauthentik.io/troubleshooting/logs/) by searching for the `request_id` that you're experiencing issues with. ### OAuth introspection endpoint[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#oauth-introspection-endpoint "Direct link to OAuth introspection endpoint") To use the OAuth introspection endpoint to obtain more information on a token, you must first authenticate to it. You are only able to introspect a token from the same provider that was used to authenticate, or you must exchange the token for a token from the provider as described above. ### Event logging[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#event-logging "Direct link to Event logging") All of these authentication methods will create a login event in the event logs, rather than an authorization event. The event logs will contain different information depending on the scenario: | Scenario | Authentication Method | Authentication Arguments | | --- | --- | --- | | [Static authentication using credentials](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#static-authentication) | `token` | Dictionary containing the token identifier | | [Static authentication and automatically generating the service account](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#automatic-service-account-creation) | `oauth_client_secret` | N/A | | [JWT authentication](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#jwt-authentication) | `JWT` | Parsed JWT + reference to source or provider | * [Static authentication](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#static-authentication) * [Example request](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#example-request) * [Base64 encoded username and app password](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#base64-encoded-username-and-app-password) * [Automatic service account creation](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#automatic-service-account-creation) * [JWT authentication](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#jwt-authentication) * [Externally issued JWTs](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#externally-issued-jwts) * [authentik-issued JWTs](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#authentik-issued-jwts) * [Troubleshooting](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#troubleshooting) * [More detailed error information](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#more-detailed-error-information) * [OAuth introspection endpoint](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#oauth-introspection-endpoint) * [Event logging](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/#event-logging) --- # WebFinger support | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/webfinger_support/#__docusaurus_skipToContent_fallback) On this page About WebFinger[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/webfinger_support/#about-webfinger "Direct link to About WebFinger") ----------------------------------------------------------------------------------------------------------------------------------------------------- The [WebFinger protocol](https://webfinger.net/) allows for the discovery of information about individuals or entities on the Internet through standard HTTP methods. It enables the retrieval of information associated with a URI that might not be directly usable as a locator, such as those for accounts or email addresses. authentik WebFinger support[​](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/webfinger_support/#authentik-webfinger-support "Direct link to authentik WebFinger support") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- authentik provides a WebFinger endpoint when the **Default application** setting uses an OIDC provider. Instructions on how to set a **Default application** can be found in the [authentik Branding documentation](https://docs.goauthentik.io/brands/#external-user-settings) . The WebFinger endpoint is available at: `https://authentik.company/.well-known/webfinger` (where authentik.company is the FQDN of your authentik instance) * [About WebFinger](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/webfinger_support/#about-webfinger) * [authentik WebFinger support](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/webfinger_support/#authentik-webfinger-support) --- # Proxy Provider | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#__docusaurus_skipToContent_fallback) On this page Headers[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#headers "Direct link to Headers") ---------------------------------------------------------------------------------------------------------- The proxy outpost sets the following user-specific headers: ### `X-authentik-username`[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-username "Direct link to x-authentik-username") Example value: `akadmin` The username of the currently logged in user ### `X-authentik-groups`[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-groups "Direct link to x-authentik-groups") Example value: `foo|bar|baz` The groups the user is member of, separated by a pipe ### `X-authentik-entitlements`[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-entitlements "Direct link to x-authentik-entitlements") Example value: `foo|bar|baz` The entitlements on the application this user has access to, separated by a pipe ### `X-authentik-email`[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-email "Direct link to x-authentik-email") Example value: `root@localhost` The email address of the currently logged in user ### `X-authentik-name`[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-name "Direct link to x-authentik-name") Example value: `authentik Default Admin` Full name of the current user ### `X-authentik-uid`[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-uid "Direct link to x-authentik-uid") Example value: `900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb` The hashed identifier of the currently logged in user. Besides these user-specific headers, some application specific headers are also set: ### `X-authentik-meta-outpost`[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-meta-outpost "Direct link to x-authentik-meta-outpost") Example value: `authentik Embedded Outpost` The authentik outpost's name. ### `X-authentik-meta-provider`[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-meta-provider "Direct link to x-authentik-meta-provider") Example value: `test` The authentik provider's name. ### `X-authentik-meta-app`[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-meta-app "Direct link to x-authentik-meta-app") Example value: `test` The authentik application's slug. ### `X-authentik-meta-version`[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-meta-version "Direct link to x-authentik-meta-version") Example value: `goauthentik.io/outpost/1.2.3` The authentik outpost's version. ### `X-Forwarded-Host`[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-forwarded-host "Direct link to x-forwarded-host") info Only set in proxy mode The original Host header sent by the client. This is set as the `Host` header is set to the host of the configured backend. ### Additional headers[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#additional-headers "Direct link to Additional headers") Additionally, you can set `additionalHeaders` attribute on groups or users to set additional headers: additionalHeaders: X-test-header: test-value HTTPS[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#https "Direct link to HTTPS") ---------------------------------------------------------------------------------------------------- The outpost listens on both 9000 for HTTP and 9443 for HTTPS. info If your upstream host is HTTPS, and you're not using forward auth, you need to access the outpost over HTTPS too. Logging out[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#logging-out "Direct link to Logging out") ---------------------------------------------------------------------------------------------------------------------- Login is done automatically when you visit the domain without a valid cookie. When using single-application mode, navigate to `app.domain.tld/outpost.goauthentik.io/sign_out`. When using domain-level mode, navigate to `auth.domain.tld/outpost.goauthentik.io/sign_out`, where auth.domain.tld is the external host configured for the provider. To log out, navigate to `/outpost.goauthentik.io/sign_out`. Starting with authentik 2023.2, when logging out of a provider, all the users sessions within the respective outpost are invalidated. Allowing unauthenticated requests[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#allowing-unauthenticated-requests "Direct link to Allowing unauthenticated requests") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- To allow un-authenticated requests to certain paths/URLs, you can use the _Unauthenticated URLs_ / _Unauthenticated Paths_ field. Each new line is interpreted as a regular expression, and is compiled and checked using the standard Golang regex parser. The behaviour of this field changes depending on which mode you're in. ### Proxy and Forward auth (single application)[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#proxy-and-forward-auth-single-application "Direct link to Proxy and Forward auth (single application)") In this mode, the regular expressions are matched against the Request's Path. ### Forward auth (domain level)[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#forward-auth-domain-level "Direct link to Forward auth (domain level)") In this mode, the regular expressions are matched against the Request's full URL. Dynamic backend selection[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#dynamic-backend-selection "Direct link to Dynamic backend selection") ---------------------------------------------------------------------------------------------------------------------------------------------------------------- You can configure the backend the proxy should access dynamically via scope mappings. To do this, create a scope mapping with a name and scope of your choice, and set the expression to: return { "ak_proxy": { "backend_override": f"http://foo.bar.baz/{request.user.username}" }} Afterwards, edit the proxy provider and add this new mapping. The expression is only evaluated when the user logs into the application. Host headerauthentik: 2025.6.1+[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#host-header "Direct link to host-header") ------------------------------------------------------------------------------------------------------------------------------------------ By default, the proxy provider will use the forwarded host header received from the client. Starting with authentik 2025.6.1, it is possible to dynamically adjust the host header with a property mapping. To do this, create a scope mapping with a name and scope of your choice, and set the expression to: return { "ak_proxy": { "host_header": "my-internal-host-header" }} Afterwards, edit the proxy provider and add this new mapping. The expression is only evaluated when the user logs into the application. ### Dynamically setting host header[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#dynamically-setting-host-header "Direct link to Dynamically setting host header") You can dynamically set the host header to match the **Internal host** value set on the proxy provider. To do this, create a scope mapping with a name and scope of your choice, and set the expression to: from urllib.parse import urlparseparsed_url = urlparse(provider.proxyprovider.internal_host)return { "ak_proxy": { "host_header": parsed_url.netloc }} Afterwards, edit the proxy provider and add this new mapping. The expression is only evaluated when the user logs into the application. Proxy authentication[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#proxy-authentication "Direct link to Proxy authentication") ------------------------------------------------------------------------------------------------------------------------------------------------- When a user authenticates to the proxy, authentik uses the OAuth client credentials grant as described in the [Header authentication](https://docs.goauthentik.io/add-secure-apps/providers/proxy/header_authentication/) and [Machine-to-Machine](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/) documentation. Troubleshooting[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#troubleshooting "Direct link to Troubleshooting") ---------------------------------------------------------------------------------------------------------------------------------- To obtain more detailed information on a failure, you can search the logs of the server container. You will need to search for the `client_id` of the proxy provider that you're experiencing issues with. The `client_id` of a proxy provider can be obtained from its **Authentication** tab. * [Headers](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#headers) * [`X-authentik-username`](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-username) * [`X-authentik-groups`](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-groups) * [`X-authentik-entitlements`](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-entitlements) * [`X-authentik-email`](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-email) * [`X-authentik-name`](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-name) * [`X-authentik-uid`](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-uid) * [`X-authentik-meta-outpost`](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-meta-outpost) * [`X-authentik-meta-provider`](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-meta-provider) * [`X-authentik-meta-app`](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-meta-app) * [`X-authentik-meta-version`](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-authentik-meta-version) * [`X-Forwarded-Host`](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#x-forwarded-host) * [Additional headers](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#additional-headers) * [HTTPS](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#https) * [Logging out](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#logging-out) * [Allowing unauthenticated requests](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#allowing-unauthenticated-requests) * [Proxy and Forward auth (single application)](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#proxy-and-forward-auth-single-application) * [Forward auth (domain level)](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#forward-auth-domain-level) * [Dynamic backend selection](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#dynamic-backend-selection) * [Host header](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#host-header) * [Dynamically setting host header](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#dynamically-setting-host-header) * [Proxy authentication](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#proxy-authentication) * [Troubleshooting](https://docs.goauthentik.io/add-secure-apps/providers/proxy/#troubleshooting) --- # Header authentication | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/proxy/header_authentication/#__docusaurus_skipToContent_fallback) On this page Sending authentication[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/header_authentication/#sending-authentication "Direct link to Sending authentication") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Send HTTP Basic authentication[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/header_authentication/#send-http-basic-authentication "Direct link to Send HTTP Basic authentication") Proxy providers have the option to _Send HTTP-Basic Authentication_ to the upstream application. When the option in the provider is enabled, two attributes must be specified. These attributes are the keys of values which can be saved on a user or group level that contain the credentials. For example, with _HTTP-Basic Username Key_ set to `app_username` and _HTTP-Basic Password Key_ set to `app_password`, these attributes would have to be set either on a user or a group the user is member of: app_username: adminapp_password: admin-password These credentials are only retrieved when the user authenticates to the proxy. If the user does not have a matching attribute, authentik falls back to using the user's email address as username, and the password will be empty if not found. Receiving authentication[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/header_authentication/#receiving-authentication "Direct link to Receiving authentication") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- By default, when **Intercept header authentication** is enabled, authentik will intercept the authorization header. If the authorization header value is invalid, an error response will be shown with a 401 status code. Requests without an authorization header will still be redirected to the standard login flow. If the proxied application requires usage of the "Authorization" header, the setting should be disabled. When this setting is disabled, authentik will still attempt to interpret the "Authorization" header, and fall back to the default behaviour if it can't. ### Receiving HTTP Basic authentication[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/header_authentication/#receiving-http-basic-authentication "Direct link to Receiving HTTP Basic authentication") Proxy providers can receive HTTP basic authentication credentials. The password is expected to be an _App password_, as the credentials are used internally with the [OAuth2 machine-to-machine authentication flow](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/) . Access control is done with the policies bound to the application being accessed. If the received credentials are invalid, a normal authentication flow is initiated. If the credentials are correct, the Authorization header is removed to prevent sending the credentials to the proxied application. danger It is **strongly** recommended that the client sending requests with HTTP-Basic authentication persists the cookies returned by the outpost. If this is not the case, every request must be authenticated independently, which will increase load on the authentik server and encounter a performance hit. Starting with authentik 2023.2, logging in with the reserved username `goauthentik.io/token` will behave as if a bearer token was used. All the same options as below apply. This is to allow token-based authentication for applications which might only support basic authentication. ### Receiving HTTP Bearer authentication[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/header_authentication/#receiving-http-bearer-authentication "Direct link to Receiving HTTP Bearer authentication") Proxy providers can receive HTTP bearer authentication credentials. The token is expected to be a JWT token issued for the proxy provider. This is described in the [OAuth2 machine-to-machine authentication flow](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/machine_to_machine/) documentation, using the _client\_id_ value shown in the admin interface. Both static and JWT authentication methods are supported. Access control is done with the policies bound to the application being accessed. If the received credentials are invalid, a normal authentication flow is initiated. If the credentials are correct, the Authorization header is removed to prevent sending the credentials to the proxied application. caution It is recommended that the client sending requests with HTTP-Bearer authentication persists the cookies returned by the outpost. For bearer authentication this has a smaller impact than for Basic authentication, but each request is still verified with the authentik server. * [Sending authentication](https://docs.goauthentik.io/add-secure-apps/providers/proxy/header_authentication/#sending-authentication) * [Send HTTP Basic authentication](https://docs.goauthentik.io/add-secure-apps/providers/proxy/header_authentication/#send-http-basic-authentication) * [Receiving authentication](https://docs.goauthentik.io/add-secure-apps/providers/proxy/header_authentication/#receiving-authentication) * [Receiving HTTP Basic authentication](https://docs.goauthentik.io/add-secure-apps/providers/proxy/header_authentication/#receiving-http-basic-authentication) * [Receiving HTTP Bearer authentication](https://docs.goauthentik.io/add-secure-apps/providers/proxy/header_authentication/#receiving-http-bearer-authentication) --- # Forward auth | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/proxy/forward_auth/#__docusaurus_skipToContent_fallback) On this page Using forward auth uses your existing reverse proxy to do the proxying, and only uses the authentik outpost to check authentication and authorization. To use forward auth instead of proxying, you have to change a couple of settings. In the Proxy Provider, make sure to use one of the Forward auth modes. Forward auth modes[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/forward_auth/#forward-auth-modes "Direct link to Forward auth modes") -------------------------------------------------------------------------------------------------------------------------------------------------------- The only configuration difference between single application mode and domain level mode is the host that you specify. For single application, you'd use the domain that the application is running on, and only `/outpost.goauthentik.io` is redirected to the outpost. For domain level, you'd use the same domain as authentik. ### Single application[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/forward_auth/#single-application "Direct link to Single application") Single application mode works for a single application hosted on its dedicated subdomain. This has the advantage that you can still do per-application access policies in authentik. ### Domain level[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/forward_auth/#domain-level "Direct link to Domain level") To use forward auth instead of proxying, you have to change a couple of settings. In the Proxy Provider, make sure to use the _Forward auth (domain level)_ mode. This mode differs from the _Forward auth (single application)_ mode in the following points: * You don't have to configure an application in authentik for each domain * Users don't have to authorize multiple times There are, however, also some downsides, mainly the fact that you **can't** restrict individual applications to different users. Configuration templates[​](https://docs.goauthentik.io/add-secure-apps/providers/proxy/forward_auth/#configuration-templates "Direct link to Configuration templates") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- For configuration templates for each web server, refer to the following: [📄️ nginx\ ---------\ \ The configuration templates shown below apply to both single-application and domain-level forward auth.](https://docs.goauthentik.io/add-secure-apps/providers/proxy/server_nginx/) [📄️ Traefik\ -----------\ \ The configuration templates shown below apply to both single-application and domain-level forward auth.](https://docs.goauthentik.io/add-secure-apps/providers/proxy/server_traefik/) [📄️ Envoy\ ---------\ \ The configuration template shown below apply to both single-application and domain-level forward auth.](https://docs.goauthentik.io/add-secure-apps/providers/proxy/server_envoy/) [📄️ Caddy\ ---------\ \ The configuration template shown below apply to both single-application and domain-level forward auth.](https://docs.goauthentik.io/add-secure-apps/providers/proxy/server_caddy/) * [Forward auth modes](https://docs.goauthentik.io/add-secure-apps/providers/proxy/forward_auth/#forward-auth-modes) * [Single application](https://docs.goauthentik.io/add-secure-apps/providers/proxy/forward_auth/#single-application) * [Domain level](https://docs.goauthentik.io/add-secure-apps/providers/proxy/forward_auth/#domain-level) * [Configuration templates](https://docs.goauthentik.io/add-secure-apps/providers/proxy/forward_auth/#configuration-templates) --- # Architecture | authentik [Skip to main content](https://docs.goauthentik.io/core/architecture/#__docusaurus_skipToContent_fallback) On this page authentik consists of a handful of components, most of which are required for a functioning setup. ### Server[​](https://docs.goauthentik.io/core/architecture/#server "Direct link to Server") The server container consists of two sub-components, the actual server itself and the embedded outpost. Incoming requests to the server container(s) are routed by a lightweight router to either the _Core_ server or the embedded outpost. This router also handles requests for any static assets such as JavaScript and CSS files. #### Core[​](https://docs.goauthentik.io/core/architecture/#core "Direct link to Core") The core sub-component handles most of authentik's logic, such as API requests, flow executions, any kind of SSO requests, etc. #### Embedded outpost[​](https://docs.goauthentik.io/core/architecture/#embedded-outpost "Direct link to Embedded outpost") Similar to [other outposts](https://docs.goauthentik.io/add-secure-apps/outposts/) , this outpost allows using [Proxy providers](https://docs.goauthentik.io/add-secure-apps/providers/proxy/) without deploying a separate outpost. #### Persistence[​](https://docs.goauthentik.io/core/architecture/#persistence "Direct link to Persistence") * `/media` is used to store icons and such, but not required, and if not mounted, authentik will allow you to set a URL to icons in place of a file upload ### Worker[​](https://docs.goauthentik.io/core/architecture/#worker "Direct link to Worker") This container executes background tasks, such as sending emails, the event notification system, and everything you can see on the _System Tasks_ page in the Admin interface. #### Persistence[​](https://docs.goauthentik.io/core/architecture/#persistence-1 "Direct link to Persistence") * `/certs` is used for authentik to import external certs, which in most cases shouldn't be used for SAML, but rather if you use authentik without a reverse proxy, this can be used for example for the [Let's Encrypt integration](https://docs.goauthentik.io/sys-mgmt/certificates/#lets-encrypt-integration) * `/templates` is used for [custom email templates](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/#custom-templates) , and as with the other ones fully optional ### PostgreSQL[​](https://docs.goauthentik.io/core/architecture/#postgresql "Direct link to PostgreSQL") authentik uses PostgreSQL to store all of its configuration and other data (excluding uploaded files). #### Persistence[​](https://docs.goauthentik.io/core/architecture/#persistence-2 "Direct link to Persistence") * `/var/lib/postgresql/data` is used to store the PostgreSQL database On Kubernetes, with the default Helm chart and using the packaged PostgreSQL sub-chart, persistent data is stored in a PVC. * [Server](https://docs.goauthentik.io/core/architecture/#server) * [Worker](https://docs.goauthentik.io/core/architecture/#worker) * [PostgreSQL](https://docs.goauthentik.io/core/architecture/#postgresql) --- # Markdown template: conceptual | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/docs/templates/conceptual.tmpl/#__docusaurus_skipToContent_fallback) On this page Write a few sentences introducing the feature/component/technology. Add a title here If needed, use this syntax to add a note (info) or warning (warning) anywhere in the document that is appropriate. Common use cases[​](https://docs.goauthentik.io/developer-docs/docs/templates/conceptual.tmpl/#common-use-cases "Direct link to Common use cases") --------------------------------------------------------------------------------------------------------------------------------------------------- Provide a few use cases, with examples/scenarios when possible. About feature x[​](https://docs.goauthentik.io/developer-docs/docs/templates/conceptual.tmpl/#about-feature-x "Direct link to About feature x") ------------------------------------------------------------------------------------------------------------------------------------------------ Provide more conceptual details. ##Important considerations List anything users should know before implementing the feature/technology. * [Common use cases](https://docs.goauthentik.io/developer-docs/docs/templates/conceptual.tmpl/#common-use-cases) * [About feature x](https://docs.goauthentik.io/developer-docs/docs/templates/conceptual.tmpl/#about-feature-x) --- # Caddy | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/proxy/server_caddy/#__docusaurus_skipToContent_fallback) The configuration template shown below apply to both single-application and domain-level forward auth. info _example-outpost_ is used as a placeholder for the outpost name. _authentik.company_ is used as a placeholder for the authentik install. _app.company_ is used as a placeholder for the external domain for the application. _outpost.company_ is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as _authentik.company_ * Caddy (standalone) Use the following configuration: app.company { # directive execution order is only as stated if enclosed with route. route { # always forward outpost path to actual outpost reverse_proxy /outpost.goauthentik.io/* http://outpost.company:9000 # forward authentication to outpost forward_auth http://outpost.company:9000 { uri /outpost.goauthentik.io/auth/caddy # capitalization of the headers is important, otherwise they will be empty copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version # optional, in this config trust all private ranges, should probably be set to the outposts IP trusted_proxies private_ranges } # actual site configuration below, for example reverse_proxy localhost:1234 }} If you're trying to proxy to an upstream over HTTPS, you need to set the `Host` header to the value they expect for it to work correctly. reverse_proxy /outpost.goauthentik.io/* https://outpost.company { header_up Host {http.reverse_proxy.upstream.host}} --- # Branding | authentik [Skip to main content](https://docs.goauthentik.io/branding/#__docusaurus_skipToContent_fallback) You can configure several differently "branded" options depending on the associated domain, even though objects such as applications, providers, etc, are still global. This can be handy to use the same authentik instance, but branded differently for different domains. The main settings that control your instance's appearance and behaviour are the [_branding settings_](https://docs.goauthentik.io/brands/#branding-settings) and the the [_default flows_](https://docs.goauthentik.io/brands/#default-flows) . Review our tips for using images and icons in the [Image optimization](https://docs.goauthentik.io/brands/#image-optimization) section. To create or modify a brand, open the Admin interface and navigate to **System** > **Brands**. For complete instructions refer to our [Brands documentation](https://docs.goauthentik.io/brands/) . --- # Customize your instance | authentik [Skip to main content](https://docs.goauthentik.io/customize/#__docusaurus_skipToContent_fallback) You can customize the behaviour, look, and available resources for your authentik instance. For more information refer to each of the topics below: [🗃️ Policies\ ------------\ \ 3 items](https://docs.goauthentik.io/customize/policies/) [🗃️ Interfaces\ --------------\ \ 3 items](https://docs.goauthentik.io/customize/interfaces/flow/) [🗃️ Blueprints\ --------------\ \ 6 items](https://docs.goauthentik.io/customize/blueprints/) [📄️ Branding\ ------------\ \ You can configure several differently "branded" options depending on the associated domain, even though objects such as applications, providers, etc, are still global. This can be handy to use the same authentik instance, but branded differently for different domains.](https://docs.goauthentik.io/branding/) --- # Traefik | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/proxy/server_traefik/#__docusaurus_skipToContent_fallback) The configuration templates shown below apply to both single-application and domain-level forward auth. info _example-outpost_ is used as a placeholder for the outpost name. _authentik.company_ is used as a placeholder for the authentik install. _app.company_ is used as a placeholder for the external domain for the application. _outpost.company_ is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as _authentik.company_ * Standalone traefik * Docker Compose * Ingress http: middlewares: authentik: forwardAuth: address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik trustForwardHeader: true authResponseHeaders: - X-authentik-username - X-authentik-groups - X-authentik-entitlements - X-authentik-email - X-authentik-name - X-authentik-uid - X-authentik-jwt - X-authentik-meta-jwks - X-authentik-meta-outpost - X-authentik-meta-provider - X-authentik-meta-app - X-authentik-meta-version routers: default-router: rule: "Host(`app.company`)" middlewares: - authentik priority: 10 service: app default-router-auth: rule: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)" priority: 15 service: authentik services: app: loadBalancer: servers: - url: http://ip.internal authentik: loadBalancer: servers: - url: http://outpost.company:9000/outpost.goauthentik.io services: traefik: image: traefik:v3.0 container_name: traefik volumes: - /var/run/docker.sock:/var/run/docker.sock ports: - 80:80 command: - "--api" - "--providers.docker=true" - "--providers.docker.exposedByDefault=false" - "--entrypoints.web.address=:80" authentik-proxy: image: ghcr.io/goauthentik/proxy ports: - 9000:9000 - 9443:9443 environment: AUTHENTIK_HOST: https://your-authentik.tld AUTHENTIK_INSECURE: "false" AUTHENTIK_TOKEN: token-generated-by-authentik # Starting with 2021.9, you can optionally set this too # when authentik_host for internal communication doesn't match the public URL # AUTHENTIK_HOST_BROWSER: https://external-domain.tld labels: traefik.enable: true traefik.port: 9000 traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`) # `authentik-proxy` refers to the service name in the compose file. traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version restart: unless-stopped whoami: image: containous/whoami labels: traefik.enable: true traefik.http.routers.whoami.rule: Host(`app.company`) traefik.http.routers.whoami.middlewares: authentik@docker restart: unless-stopped Create a middleware: apiVersion: traefik.io/v1alpha1kind: Middlewaremetadata: name: authentikspec: forwardAuth: # This address should point to the cluster endpoint provided by the kubernetes service, not the Ingress. address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik trustForwardHeader: true authResponseHeaders: - X-authentik-username - X-authentik-groups - X-authentik-entitlements - X-authentik-email - X-authentik-name - X-authentik-uid - X-authentik-jwt - X-authentik-meta-jwks - X-authentik-meta-outpost - X-authentik-meta-provider - X-authentik-meta-app - X-authentik-meta-version info Traefik changed the apiVersion of the middleware CRD in version 3.0, for older versions please substitute "apiVersion: traefik.containo.us/v1alpha1" Add the following settings to your IngressRoute By default traefik does not allow cross-namespace references for middlewares: See [here](https://doc.traefik.io/traefik/v2.4/providers/kubernetes-crd/#allowcrossnamespace) to enable it. spec: routes: - kind: Rule match: "Host(`app.company`)" middlewares: - name: authentik namespace: authentik priority: 10 services: # Unchanged # This part is only required for single-app setups - kind: Rule match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)" priority: 15 services: - kind: Service # Or, to use an external Outpost, create an ExternalName service and reference that here. # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname name: ak-outpost-example-outpost port: 9000 --- # Create a SAML provider | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/saml/create-saml-provider/#__docusaurus_skipToContent_fallback) On this page authentik SAML providers can be created either from scratch or by using SAML metadata exported from the Service Provider (SP). Optionally, the metadata of an authentik SAML provider can be exported back to the SP. Note, however, that many SPs do not support exporting their metadata or importing Identity Provider (IdP) metadata. Create a SAML provider and application pair[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/create-saml-provider/#create-a-saml-provider-and-application-pair "Direct link to Create a SAML provider and application pair") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ To create a provider along with the corresponding application that uses it for authentication, navigate to **Applications** > **Applications** and click **Create with provider**. We recommend this combined approach for most common use cases. Alternatively, you can use the legacy method to solely create the provider by navigating to **Applications** > **Providers** and clicking **Create**. 1. Log in to authentik as an administrator, and open the authentik Admin interface. 2. Navigate to **Applications > Applications** and click **Create with provider** to create an application and provider pair. 3. On the **New application** page, define the application details, and then click **Next**. 4. Select **SAML Provider** as the **Provider Type**, and then click **Next**. 5. On the **Configure SAML Provider** page, provide the configuration settings and then click **Submit** to create both the application and the provider. Create a SAML provider from SP metadata (import SP metadata)[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/create-saml-provider/#create-a-saml-provider-from-sp-metadata-import-sp-metadata "Direct link to Create a SAML provider from SP metadata (import SP metadata)") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- If you have exported SAML metadata from your SP, you can optionally create the authentik SAML provider by importing this metadata. 1. Log in to authentik as an administrator, and open the authentik Admin interface. 2. Navigate to **Applications > Providers** and click **Create** to create a provider. 3. Select **SAML Provider from Metadata** as the **Provider Type**, and then click **Next**. 4. On the **Create SAML Provider from Metadata** page, provide the configuration settings along with an SP metadata file and then click **Finish** to create the provider. 5. (Optional) Edit the created SAML provider and configure any further settings. Export authentik SAML provider metadata[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/create-saml-provider/#export-authentik-saml-provider-metadata "Direct link to Export authentik SAML provider metadata") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ After an authentik SAML provider has been created via any of the above methods, you can access its metadata in one of two ways: ### Download authentik metadata[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/create-saml-provider/#download-authentik-metadata "Direct link to Download authentik metadata") To download the metadata of an authentik SAML provider, follow these steps: 1. Log in to authentik as an administrator, and open the authentik Admin interface. 2. Navigate to **Applications > Providers**. 3. Click the name of the provider you want metadata from to open its overview tab. 4. In the **Related objects** section, under **Metadata** click on **Download**. This will download the metadata xml file for that provider. ### Access metadata tab[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/create-saml-provider/#access-metadata-tab "Direct link to Access metadata tab") To view and optionally download the metadata of an authentik SAML provider, follow these steps: 1. Log in to authentik as an administrator, and open the authentik Admin interface. 2. Navigate to **Applications > Providers**. 3. Click the name of the provider you want metadata from to open its overview tab. 4. Navigate to the **Metadata** tab. 5. The metadata for the provider will be shown in a codebox. You can optionally use the **Download** button to obtain the metadata as a file. * [Create a SAML provider and application pair](https://docs.goauthentik.io/add-secure-apps/providers/saml/create-saml-provider/#create-a-saml-provider-and-application-pair) * [Create a SAML provider from SP metadata (import SP metadata)](https://docs.goauthentik.io/add-secure-apps/providers/saml/create-saml-provider/#create-a-saml-provider-from-sp-metadata-import-sp-metadata) * [Export authentik SAML provider metadata](https://docs.goauthentik.io/add-secure-apps/providers/saml/create-saml-provider/#export-authentik-saml-provider-metadata) * [Download authentik metadata](https://docs.goauthentik.io/add-secure-apps/providers/saml/create-saml-provider/#download-authentik-metadata) * [Access metadata tab](https://docs.goauthentik.io/add-secure-apps/providers/saml/create-saml-provider/#access-metadata-tab) --- # Markdown template: combo | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/docs/templates/combo.tmpl/#__docusaurus_skipToContent_fallback) On this page add brief description of the feature/functionality About feature XYZ[​](https://docs.goauthentik.io/developer-docs/docs/templates/combo.tmpl/#about-feature-xyz "Direct link to About feature XYZ") ------------------------------------------------------------------------------------------------------------------------------------------------- In this section, go into a deeper explanation of the feature, provide typical use cases, etc. Add a title here If needed, use this syntax to add a note (info) or warning (warning) anywhere in the document that is appropriate. ### More info about the feature, a sub-category of info[​](https://docs.goauthentik.io/developer-docs/docs/templates/combo.tmpl/#more-info-about-the-feature-a-sub-category-of-info "Direct link to More info about the feature, a sub-category of info") Use this section if there are several big topics or categories of info that the reader needs to know about the feature or task. Add as many of these sections as needed. Prerequisites[​](https://docs.goauthentik.io/developer-docs/docs/templates/combo.tmpl/#prerequisites "Direct link to Prerequisites") ------------------------------------------------------------------------------------------------------------------------------------- bullet list of pre-reqs Overview of steps/workflow (Optional, only if there are a lot of steps)[​](https://docs.goauthentik.io/developer-docs/docs/templates/combo.tmpl/#overview-of-stepsworkflow-optional-only-if-there-are-a-lot-of-steps "Direct link to Overview of steps/workflow (Optional, only if there are a lot of steps)") --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- describe the 50,000 meter view before they dive into the detailed steps, using a bullet list of the main steps, or even a diagram of the workflow. first several group steps[​](https://docs.goauthentik.io/developer-docs/docs/templates/combo.tmpl/#first-several-group-steps "Direct link to first several group steps") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1. first step 2. second step 3. third step if you need a tabbed section to represent diff processes or code snippets for diff install environments, use an MDX tabbed component. next step of grouped steps, if needed[​](https://docs.goauthentik.io/developer-docs/docs/templates/combo.tmpl/#next-step-of-grouped-steps-if-needed "Direct link to next step of grouped steps, if needed") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Continue with the steps... verify the steps[​](https://docs.goauthentik.io/developer-docs/docs/templates/combo.tmpl/#verify-the-steps "Direct link to verify the steps") ---------------------------------------------------------------------------------------------------------------------------------------------- add verification steps * [About feature XYZ](https://docs.goauthentik.io/developer-docs/docs/templates/combo.tmpl/#about-feature-xyz) * [More info about the feature, a sub-category of info](https://docs.goauthentik.io/developer-docs/docs/templates/combo.tmpl/#more-info-about-the-feature-a-sub-category-of-info) * [Prerequisites](https://docs.goauthentik.io/developer-docs/docs/templates/combo.tmpl/#prerequisites) * [Overview of steps/workflow (Optional, only if there are a lot of steps)](https://docs.goauthentik.io/developer-docs/docs/templates/combo.tmpl/#overview-of-stepsworkflow-optional-only-if-there-are-a-lot-of-steps) * [first several group steps](https://docs.goauthentik.io/developer-docs/docs/templates/combo.tmpl/#first-several-group-steps) * [next step of grouped steps, if needed](https://docs.goauthentik.io/developer-docs/docs/templates/combo.tmpl/#next-step-of-grouped-steps-if-needed) * [verify the steps](https://docs.goauthentik.io/developer-docs/docs/templates/combo.tmpl/#verify-the-steps) --- # Expressions | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#__docusaurus_skipToContent_fallback) On this page The property mapping should return a value that is expected by the provider. Supported types are documented in the individual provider. Returning `None` is always accepted and would simply skip the mapping for which `None` was returned. Available Functions[​](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#available-functions "Direct link to Available Functions") --------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### `regex_match(value: Any, regex: str) -> bool`[​](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#regex_matchvalue-any-regex-str---bool "Direct link to regex_matchvalue-any-regex-str---bool") Check if `value` matches Regular Expression `regex`. Example: return regex_match(request.user.username, '.*admin.*') ### `regex_replace(value: Any, regex: str, repl: str) -> str`[​](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#regex_replacevalue-any-regex-str-repl-str---str "Direct link to regex_replacevalue-any-regex-str-repl-str---str") Replace anything matching `regex` within `value` with `repl` and return it. Example: user_email_local = regex_replace(request.user.email, '(.+)@.+', '') ### `list_flatten(value: list[Any] | Any) -> Optional[Any]`[​](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#list_flattenvalue-listany--any---optionalany "Direct link to list_flattenvalue-listany--any---optionalany") Flatten a list by either returning its first element, None if the list is empty, or the passed in object if its not a list. Example: user = list_flatten(["foo"])# user = "foo" ### `ak_call_policy(name: str, **kwargs) -> PolicyResult`[​](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#ak_call_policyname-str-kwargs---policyresult "Direct link to ak_call_policyname-str-kwargs---policyresult") Call another policy with the name _name_. Current request is passed to policy. Key-word arguments can be used to modify the request's context. Example: result = ak_call_policy("test-policy")# result is a PolicyResult object, so you can access `.passing` and `.messages`.# Starting with authentik 2023.4 you can also access `.raw_result`, which is the raw value returned from the called policy# `result.passing` will always be a boolean if the policy is passing or not.return result.passingresult = ak_call_policy("test-policy-2", foo="bar")# Inside the `test-policy-2` you can then use `request.context["foo"]`return result.passing ### `ak_is_group_member(user: User, **group_filters) -> bool`[​](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#ak_is_group_memberuser-user-group_filters---bool "Direct link to ak_is_group_memberuser-user-group_filters---bool") Check if `user` is member of a group matching `**group_filters`. Example: return ak_is_group_member(request.user, name="test_group") ### `ak_user_by(**filters) -> Optional[User]`[​](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#ak_user_byfilters---optionaluser "Direct link to ak_user_byfilters---optionaluser") Fetch a user matching `**filters`. Returns "None" if no user was found, otherwise returns the [User](https://docs.goauthentik.io/users-sources/user/) object. Example: # Find user by usernameother_user = ak_user_by(username="other_user")# Find user by custom attributeother_user = ak_user_by(attributes__="") ### `ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool`[​](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#ak_user_has_authenticatoruser-user-device_type-optionalstr--none---bool "Direct link to ak_user_has_authenticatoruser-user-device_type-optionalstr--none---bool") Check if a user has any authenticator devices. Only fully validated devices are counted. Optionally, you can filter a specific device type. The following options are valid: * `totp` * `duo` * `static` * `webauthn` Example: return ak_user_has_authenticator(request.user) ### `ak_create_event(action: str, **kwargs) -> None`[​](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#ak_create_eventaction-str-kwargs---none "Direct link to ak_create_eventaction-str-kwargs---none") Create a new event with the action set to `action`. Any additional key-word parameters will be saved in the event context. Additionally, `context` will be set to the context in which this function is called. Before saving, any data-structure which are not representable in JSON are flattened, and credentials are removed. The event is saved automatically Example: ak_create_event("my_custom_event", foo=request.user) ### `ak_create_jwt(user: User, provider: OAuth2Provider | str, scopes: list[str], validity = "seconds=60") -> str | None`authentik: 2025.2.0+[​](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#ak_create_jwtuser-user-provider-oauth2provider--str-scopes-liststr-validity--seconds60---str--none "Direct link to ak_create_jwtuser-user-provider-oauth2provider--str-scopes-liststr-validity--seconds60---str--none") Requires HTTP Request This function will only work when there is an HTTP request in the current context. Create a new JWT signed by the given `provider` for `user`. The `provider` parameter can either be an instance of `OAuth2Provider` or a the name of a provider instance as a string. Scopes is an array of all scopes that the JWT should have. The JWT is valid for 60 seconds by default, this can be customized using the `validity` parameter. The syntax of the parameter is `hours=1,minutes=2,seconds=3`. The following keys are allowed: * Microseconds * Milliseconds * Seconds * Minutes * Hours * Days * Weeks All values accept floating-point values. Example: jwt = ak_create_jwt(request.user, "my-oauth2-provider-name", ["openid", "profile", "email"]) ### `ak_send_email(address: str | list[str], subject: str, body: str = None, stage: EmailStage = None, template: str = None, context: dict = None) -> bool`authentik: 2025.10.0+[​](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#ak_send_emailaddress-str--liststr-subject-str-body-str--none-stage-emailstage--none-template-str--none-context-dict--none---bool "Direct link to ak_send_emailaddress-str--liststr-subject-str-body-str--none-stage-emailstage--none-template-str--none-context-dict--none---bool") Send an email using authentik's email system. The `address` parameter specifies the recipient email address(es). It can be: * A single email address as a string: `"[[email protected]](https://docs.goauthentik.io/cdn-cgi/l/email-protection) "` * A list of email addresses: `["[[email protected]](https://docs.goauthentik.io/cdn-cgi/l/email-protection) ", "[[email protected]](https://docs.goauthentik.io/cdn-cgi/l/email-protection) "]` info When using multiple recipients, all email addresses will be visible in the "To:" field of the email. If you need to send to multiple recipients without revealing all addresses to each other, send individual emails instead. The `subject` parameter sets the email subject line. You must provide either `body` (for plain text/HTML content) or `template` (for template rendering), but not both. The `stage` parameter can be an `EmailStage` instance for custom email settings. If `None`, global email settings are used. The `template` parameter specifies a template name to render. When using templates, you can pass additional context variables via the `context` parameter. If the email is queued successfully, the function returns `True`; otherwise, it returns `False`. Examples: # Send email with plain body to single recipientak_send_email("[email protected]", "Welcome!", body="Welcome to our platform!")# Send email to multiple recipientsak_send_email( ["[email protected]", "[email protected]", "[email protected]"], "System Maintenance", body="Scheduled maintenance will occur tonight.")# Send email using a templateak_send_email("[email protected]", "Password Reset", template="email/password_reset.html")# Send email with custom context for template to multiple recipientsak_send_email( ["[email protected]", "[email protected]"], "Account Update", template="email/event_notification.html", context={ "title": "Profile Updated", "body": "Your account profile has been successfully updated.", "key_value": {"Updated Field": "Email Address", "Date": "2025-01-01"} })# Send email with custom email stageak_send_email("[email protected]", "Report", body="Daily report", stage=my_custom_stage) Comparing IP Addresses[​](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#comparing-ip-addresses "Direct link to Comparing IP Addresses") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ To compare IP Addresses or check if an IP Address is within a given subnet, you can use the functions `ip_address('192.0.2.1')` and `ip_network('192.0.2.0/24')`. With these objects you can do [arithmetic operations](https://docs.python.org/3/library/ipaddress.html#operators) . You can also check if an IP Address is within a subnet by writing the following: ip_address('192.0.2.1') in ip_network('192.0.2.0/24')# evaluates to True DNS resolution and reverse DNS lookups[​](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#dns-resolution-and-reverse-dns-lookups "Direct link to DNS resolution and reverse DNS lookups") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ To resolve a hostname to a list of IP addresses, use the functions `resolve_dns(hostname)` and `resolve_dns(hostname, ip_version)`. resolve_dns("google.com") # return a list of all IPv4 and IPv6 addressesresolve_dns("google.com", 4) # return a list of only IP4 addressesresolve_dns("google.com", 6) # return a list of only IP6 addresses You can also do reverse DNS lookups. note Reverse DNS lookups may not return the expected host if the IP address is part of a shared hosting environment. See: [https://stackoverflow.com/a/19867936](https://stackoverflow.com/a/19867936) To perform a reverse DNS lookup use `reverse_dns("192.0.2.0")`. If no DNS records are found the original IP address is returned. info DNS resolving results are cached in memory. The last 32 unique queries are cached for up to 3 minutes. Variables[​](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#variables "Direct link to Variables") --------------------------------------------------------------------------------------------------------------------------------------- * `ak_logger`: structlog BoundLogger. See ([structlog documentation](https://www.structlog.org/en/stable/api.html#structlog.BoundLogger) ) Example: ak_logger.debug("This is a test message")ak_logger.warning("This will be logged with a warning level")ak_logger.info("Passing structured data", request=request) * `requests`: requests Session object. See ([request documentation](https://requests.readthedocs.io/en/master/user/advanced/) ) * `user`: The current user. This may be `None` if there is no contextual user. See [User](https://docs.goauthentik.io/users-sources/user/user_ref/#object-properties) . Example: return { "custom_attribute": request.user.attributes.get("custom_attribute", "default"),} * `request`: The current request. This may be `None` if there is no contextual request. See ([Django documentation](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects) ) * Other arbitrary arguments given by the provider, this is documented on the provider. * [Available Functions](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#available-functions) * [`regex_match(value: Any, regex: str) -> bool`](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#regex_matchvalue-any-regex-str---bool) * [`regex_replace(value: Any, regex: str, repl: str) -> str`](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#regex_replacevalue-any-regex-str-repl-str---str) * [`list_flatten(value: list[Any] | Any) -> Optional[Any]`](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#list_flattenvalue-listany--any---optionalany) * [`ak_call_policy(name: str, **kwargs) -> PolicyResult`](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#ak_call_policyname-str-kwargs---policyresult) * [`ak_is_group_member(user: User, **group_filters) -> bool`](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#ak_is_group_memberuser-user-group_filters---bool) * [`ak_user_by(**filters) -> Optional[User]`](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#ak_user_byfilters---optionaluser) * [`ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool`](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#ak_user_has_authenticatoruser-user-device_type-optionalstr--none---bool) * [`ak_create_event(action: str, **kwargs) -> None`](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#ak_create_eventaction-str-kwargs---none) * [`ak_create_jwt(user: User, provider: OAuth2Provider | str, scopes: list[str], validity = "seconds=60") -> str | None`](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#ak_create_jwtuser-user-provider-oauth2provider--str-scopes-liststr-validity--seconds60---str--none) * [`ak_send_email(address: str | list[str], subject: str, body: str = None, stage: EmailStage = None, template: str = None, context: dict = None) -> bool`](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#ak_send_emailaddress-str--liststr-subject-str-body-str--none-stage-emailstage--none-template-str--none-context-dict--none---bool) * [Comparing IP Addresses](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#comparing-ip-addresses) * [DNS resolution and reverse DNS lookups](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#dns-resolution-and-reverse-dns-lookups) * [Variables](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/#variables) --- # Brands | authentik [Skip to main content](https://docs.goauthentik.io/brands/#__docusaurus_skipToContent_fallback) On this page As an authentik administrator, you can customize your instance's appearance and behavior using brands. Brands apply to a single domain, a domain wildcard, or can be set as default, in which case the brand will be applied when no other brand matches the domain. For an overview of branding and other customization options in authentik refer to [Customize your instance](https://docs.goauthentik.io/customize/) . Create or edit a brand[​](https://docs.goauthentik.io/brands/#create-or-edit-a-brand "Direct link to Create or edit a brand") ------------------------------------------------------------------------------------------------------------------------------ To create or edit a brand, follow these steps: 1. Log in as an administrator, open the authentik Admin interface, and navigate to **System** > **Brands**. 2. Click **Create** to add a new brand, or click the **Edit** icon next to an existing brand to modify it. 3. Define the configurations in the following settings: ### Branding settings[​](https://docs.goauthentik.io/brands/#branding-settings "Direct link to Branding settings") The brand settings define the visual identity of the brand, including: * **Branding title**: Displayed in the browser tab (document title) and throughout the UI; * **Logo**: Appears in the sidebar/header; info Starting with authentik 2024.6.2, the placeholder `%(theme)s` can be used in the logo configuration option, which will be replaced with the active theme. * **Favicon**: Shown on the browser tab. * **Default flow background** authentik: 2025.4.0+: Default background image for the flow executor, can be overridden per flow, see [Flow configuration options](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/#flow-configuration-options) . * **Custom CSS** authentik: 2025.4.0+: Add custom CSS to further customize the look of authentik. Creating such a file is outside the scope of this document. ### External user settings[​](https://docs.goauthentik.io/brands/#external-user-settings "Direct link to External user settings") You can configure authentik to redirect external users to a default application after they log in (if they weren't originally redirected from a specific application). To do this: 1. Open the authentik Admin interface and navigate to **System** > **Brands**. 2. Click the **Edit** icon for the relevant brand. 3. Under **External user settings** select a **Default application**. ### Default flows[​](https://docs.goauthentik.io/brands/#default-flows "Direct link to Default flows") You can explicitly select, in your instance's Brand settings, the _default flows_ to use for the current brand. You can optionally configure these default flows ([learn more about each default flow](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/default_flows/) ): * **Authentication** flow: the flow used to authenticate users. If left empty, the first applicable flow sorted by the slug is used. * **Invalidation flow**: for typical use cases, select the `default-invalidation-flow` (Logout) flow. This flow logs the user out of authentik when the application session ends (user logs out of the app). * **Recovery flow**: if set, the user can access an option to recover their login credentials. * **Unenrollment flow**: if set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown. * **User settings flow**: if set, users are able to configure details of their profile. * **Device code flow**: if set, the OAuth Device Code profile can be used, and the selected flow will be used to enter the code. If a default flow is _not_ set in the brand, then authentik selects any flow that: * matches the required designation * comes first sorted by slug * is allowed by policies This means that if you want to select a default flow based on policy, you can leave the brand default empty. Other global settings[​](https://docs.goauthentik.io/brands/#other-global-settings "Direct link to Other global settings") --------------------------------------------------------------------------------------------------------------------------- #### Web Certificate[​](https://docs.goauthentik.io/brands/#web-certificate "Direct link to Web Certificate") The **Web Certificate** option can be used to configure which certificate authentik uses when its accessed directly via HTTPS (via port 9443). #### Client Certificatesauthentik: 2025.4.0+[​](https://docs.goauthentik.io/brands/#client-certificates "Direct link to client-certificates") When using the [Mutual TLS Stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/) and accessing authentik directly, this setting specifies which certificate authorities are trusted to issue client certificates. #### Attributes[​](https://docs.goauthentik.io/brands/#attributes "Direct link to Attributes") Attributes such as locale, theme settings (light/dark mode), and custom attributes can be set to a per-brand default value here. Any custom attributes can be retrieved via [`group_attributes()`](https://docs.goauthentik.io/users-sources/user/user_ref/#object-properties) . Image optimization[​](https://docs.goauthentik.io/brands/#image-optimization "Direct link to Image optimization") ------------------------------------------------------------------------------------------------------------------ When you use images and icons for a brand's logo, favicon, etc., be aware of the following optimization tips: * Use an SVG version of the image. * Trim excess whitespace from around the logo. You can use an SVG editor such as Inkscape, Sketch, or Adobe Illustrator. * Adjust the viewBox: Ensure the SVG’s `viewBox` attribute tightly wraps the actual logo content. This helps in scaling the logo appropriately. * Remove fixed dimensions: delete any fixed width and height attributes from the SVG. This allows the logo to scale responsively within its container. * Check if your SVG needs `preserveAspectRatio` to retain its shape when resized. * Wordmark logos: aim for an aspect ratio of approximately 7:1 (width to height). * Icon logos: use a 1:1 aspect ratio, ensuring the icon fills the entire viewBox and is centered. * The SVG tool [SVGOMG](https://svgomg.net/) is useful for trimming any excess metadata that might affect how the browser rasterizes the image. * [Create or edit a brand](https://docs.goauthentik.io/brands/#create-or-edit-a-brand) * [Branding settings](https://docs.goauthentik.io/brands/#branding-settings) * [External user settings](https://docs.goauthentik.io/brands/#external-user-settings) * [Default flows](https://docs.goauthentik.io/brands/#default-flows) * [Other global settings](https://docs.goauthentik.io/brands/#other-global-settings) * [Image optimization](https://docs.goauthentik.io/brands/#image-optimization) --- # Markdown template: procedural | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/docs/templates/procedural.tmpl/#__docusaurus_skipToContent_fallback) On this page add brief description of the feature/functionality Add a title here If needed, use this syntax to add a note (info) or warning (warning) anywhere in the document that is appropriate. Prerequisites[​](https://docs.goauthentik.io/developer-docs/docs/templates/procedural.tmpl/#prerequisites "Direct link to Prerequisites") ------------------------------------------------------------------------------------------------------------------------------------------ bullet list of pre-reqs Overview of steps/workflow[​](https://docs.goauthentik.io/developer-docs/docs/templates/procedural.tmpl/#overview-of-stepsworkflow "Direct link to Overview of steps/workflow") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- describe the 50,000 meter view before they dive into the detailed steps, using a bullet list of the main steps, or even a diagram of the workflow. first several group steps[​](https://docs.goauthentik.io/developer-docs/docs/templates/procedural.tmpl/#first-several-group-steps "Direct link to first several group steps") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ 1. first step 2. second step 3. third step if you need a tabbed section to represent diff processes or code snippets for diff install environments, use an MDX tabbed component. next step of grouped steps, if needed[​](https://docs.goauthentik.io/developer-docs/docs/templates/procedural.tmpl/#next-step-of-grouped-steps-if-needed "Direct link to next step of grouped steps, if needed") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Continue with the steps... verify the steps[​](https://docs.goauthentik.io/developer-docs/docs/templates/procedural.tmpl/#verify-the-steps "Direct link to verify the steps") --------------------------------------------------------------------------------------------------------------------------------------------------- add verification steps * [Prerequisites](https://docs.goauthentik.io/developer-docs/docs/templates/procedural.tmpl/#prerequisites) * [Overview of steps/workflow](https://docs.goauthentik.io/developer-docs/docs/templates/procedural.tmpl/#overview-of-stepsworkflow) * [first several group steps](https://docs.goauthentik.io/developer-docs/docs/templates/procedural.tmpl/#first-several-group-steps) * [next step of grouped steps, if needed](https://docs.goauthentik.io/developer-docs/docs/templates/procedural.tmpl/#next-step-of-grouped-steps-if-needed) * [verify the steps](https://docs.goauthentik.io/developer-docs/docs/templates/procedural.tmpl/#verify-the-steps) --- # RAC Credentials Prompt | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac_credentials_prompt/#__docusaurus_skipToContent_fallback) On this page About the RAC credentials prompt[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac_credentials_prompt/#about-the-rac-credentials-prompt "Direct link to About the RAC credentials prompt") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- You can configure the RAC provider to prompt users for their credentials when connecting to RAC endpoints. This is particularly useful for establishing RDP connections to modern Windows systems that often require credentials to establish a connection. After implementing this configuration, when connecting to an RAC endpoint users are prompted to enter their credentials which are then passed to the RAC endpoint. This means that static credentials do not need to be set in the RAC provider, property mapping, or endpoint. This configurations requires: 1. Creating an authorization flow. 2. Creating two prompts. 3. Creating and binding a prompt stage. 4. Updating the RAC provider. Create a new authorization flow[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac_credentials_prompt/#create-a-new-authorization-flow "Direct link to Create a new authorization flow") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Flows and Stages** > **Flows**, click **Create**, and enter the following required settings: * **Name**: Enter a descriptive name for the flow. * **Title**: Enter a title for the flow. This will be displayed to users when they're prompted for their credentials. * **Slug**: Enter a slug for the flow. This will be displayed in the flow URL. * **Designation**: `Authorization` * **Authentication**: `Require authentication` 3. Click **Create**. Create prompts[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac_credentials_prompt/#create-prompts "Direct link to Create prompts") ---------------------------------------------------------------------------------------------------------------------------------------------------- 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Flows and Stages** > **Prompts**, click **Create**, and enter the following required settings: * **Name**: Enter a descriptive name for the prompt (e.g. `username`). * **Field Key**: `connection_settings.username` * **Label**: Enter a label for the field which will be displayed above it. * **Type**: `Text` * **Required**: Toggled on. * **Order**: `0` 3. Click **Create** to save the prompt. 4. On the **Prompts** page, click **Create** again, and enter the following required settings: * **Name**: Enter a descriptive name for the prompt (e.g. `password`). * **Field Key**: `connection_settings.password` * **Label**: Enter a label for the field which will be displayed above it. * **Type**: `Password` * **Required**: Toggled. * **Order**: `1` 5. Click **Create** to save the prompt. info You can optionally add other prompt fields such as `domain` (e.g. `connection_settings.domain`), which can be useful for Windows based RDP. There is also the option of adding a `Text (read-only)` type prompt field that includes explanatory text for the user (e.g. `please enter your RDP credentials`). Create and bind a prompt stage[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac_credentials_prompt/#create-and-bind-a-prompt-stage "Direct link to Create and bind a prompt stage") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Flows and Stages** > **Flows**. 3. Click the name of the newly created authorization flow. 4. Click on **Stage bindings**, click **Create and bind stage**, and enter the following required settings: * **Select Type**: Select `Prompt stage` as the prompt type. * **Create Prompt Stage**: * **Name**: Enter a name for the prompt stage. * Under **Fields**: * Click the **x** icon to remove all selected fields. * Add the two newly created prompt fields (e.g.`username` and `password`) to selected fields. * Under **Validation Policies**: * Click the **x** icon to remove all selected validation policies. * **Create binding**: * Click **Finish**. Update the RAC provider[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac_credentials_prompt/#update-the-rac-provider "Direct link to Update the RAC provider") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers**. 3. Click the **Edit** icon of the RAC provider that you wish to add a credentials prompt to. 4. Change **Authorization flow** to the newly created authorization flow. 5. Click **Update** to save the change. Update the RAC endpoint _(sometimes required)_[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac_credentials_prompt/#update-the-rac-endpoint-sometimes-required "Direct link to update-the-rac-endpoint-sometimes-required") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Depending on the configuration of the RDP server that's being connected to, it is sometimes necessary to set the security type that's used for the connection. For many modern windows RDP servers, this often needs to be set to `tls`. 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers** and click the name of the RAC provider that you're using. 3. Under **Endpoints**, click the **Edit** icon of the endpoint that you're using. 4. Under **Advanced Settings** in the **Settings** box, enter `security: tls` 5. Click **Update** to save the change. info Other options for the connection security type are: `any`, `nla`, `nla-ext`, `vmconnect`, and `rdp`. For more information see the [Guacamole RDP Authentication and Security Documentation](https://guacamole.apache.org/doc/gug/configuring-guacamole.html#authentication-and-security) . Configuration verification[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac_credentials_prompt/#configuration-verification "Direct link to Configuration verification") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Log in to authentik with a user account that has the required privileges to access the RAC application. Open the User interface, and on the **My applications** page click the RAC application. You should then be redirected to the prompt stage and prompted for a username and password. Enter the credentials for the RAC endpoint and if the credentials are valid the RDP/SSH/VNC connection should be established. * [About the RAC credentials prompt](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac_credentials_prompt/#about-the-rac-credentials-prompt) * [Create a new authorization flow](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac_credentials_prompt/#create-a-new-authorization-flow) * [Create prompts](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac_credentials_prompt/#create-prompts) * [Create and bind a prompt stage](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac_credentials_prompt/#create-and-bind-a-prompt-stage) * [Update the RAC provider](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac_credentials_prompt/#update-the-rac-provider) * [Update the RAC endpoint _(sometimes required)_](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac_credentials_prompt/#update-the-rac-endpoint-sometimes-required) * [Configuration verification](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac_credentials_prompt/#configuration-verification) --- # Envoy | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/proxy/server_envoy/#__docusaurus_skipToContent_fallback) The configuration template shown below apply to both single-application and domain-level forward auth. info If you are using Istio and Kubernetes, use the port number that is exposed for your cluster. info _example-outpost_ is used as a placeholder for the outpost name. _authentik.company_ is used as a placeholder for the authentik install. _app.company_ is used as a placeholder for the external domain for the application. _outpost.company_ is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as _authentik.company_ * Envoy (Istio) Set the following settings on the _IstioOperator_ resource: apiVersion: install.istio.io/v1alpha1kind: IstioOperatormetadata: name: istio namespace: istio-systemspec: meshConfig: extensionProviders: - name: "authentik" envoyExtAuthzHttp: # Replace with ..svc.cluster.local service: "ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local" port: "9000" pathPrefix: "/outpost.goauthentik.io/auth/envoy" headersToDownstreamOnAllow: - cookie headersToUpstreamOnAllow: - set-cookie - x-authentik-* # Add authorization headers to the allow list if you need proxy providers which # send a custom HTTP-Basic Authentication header based on values from authentik # - authorization includeRequestHeadersInCheck: - cookie Afterwards, you can create _AuthorizationPolicy_ resources to protect your applications like this: apiVersion: security.istio.io/v1beta1kind: AuthorizationPolicymetadata: name: authentik-policy namespace: istio-systemspec: selector: matchLabels: istio: ingressgateway action: CUSTOM provider: name: "authentik" rules: - to: - operation: hosts: # You can create a single resource and list all Domain names here, or create multiple resources - "app.company" --- # Markdown template: reference | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/docs/templates/reference.tmpl/#__docusaurus_skipToContent_fallback) On this page Write a few sentences introducing the feature/component/technology, and state that this page contains reference materials. Optionally add a title here If needed, use this syntax to add a info, warning or danger box to the document. Head 2[​](https://docs.goauthentik.io/developer-docs/docs/templates/reference.tmpl/#head-2 "Direct link to Head 2") -------------------------------------------------------------------------------------------------------------------- After a brief description of this section, list the reference values. Consider using a table if that is cleaner looking. ### Head 3 (optional, if needed)[​](https://docs.goauthentik.io/developer-docs/docs/templates/reference.tmpl/#head-3-optional-if-needed "Direct link to Head 3 (optional, if needed)") After a brief description of this section, list the reference values. * [Head 2](https://docs.goauthentik.io/developer-docs/docs/templates/reference.tmpl/#head-2) * [Head 3 (optional, if needed)](https://docs.goauthentik.io/developer-docs/docs/templates/reference.tmpl/#head-3-optional-if-needed) --- # RADIUS Provider | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/radius/#__docusaurus_skipToContent_fallback) On this page You can configure a Radius provider for applications that don't support any other protocols or that require Radius. info This provider requires the deployment of a [RADIUS outpost](https://docs.goauthentik.io/add-secure-apps/outposts/) . Currently, only authentication requests are supported. ### Authentication flow[​](https://docs.goauthentik.io/add-secure-apps/providers/radius/#authentication-flow "Direct link to Authentication flow") Authentication requests against the Radius Server use a flow in the background. This allows you to use the same flows, stages, and policies as you do for web-based logins. The following stages are supported: * [Identification](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/) * [Password](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/password/) * [Authenticator validation](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/) info Authenticator validation currently only supports DUO, TOTP, and static authenticator. For code-based authenticators, the code must be given as part of the bind password, separated by a semicolon. For example for the password `example-password` and the MFA token `123456`, the input must be `example-password;123456`. SMS-based authenticators are not supported because they require a code to be sent from authentik, which is not possible during the bind. * [User Logout](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_logout/) * [User Login](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/) * [Deny](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/deny/) * [Mutual TLS stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/) ### Protocol support[​](https://docs.goauthentik.io/add-secure-apps/providers/radius/#protocol-support "Direct link to Protocol support") The RADIUS provider supports EAP-TLS and [PAP](https://en.wikipedia.org/wiki/Password_Authentication_Protocol) (Password Authentication Protocol) protocol. For password-based authentication, only PAP protocol is supported due to other password hashing methods requiring reversible password hashes, which we don’t support for security reasons. RADIUS compatibility matrix for password-based authentication: This table represents the password-hash compatibillity with various RADIUS protocols. | | Cleartext | NT | MD5 | Salted MD5 | SHA1 | Salted SHA1 | Unix Crypt | | --- | --- | --- | --- | --- | --- | --- | --- | | PAP | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | CHAP | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | | Digest | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | | MS-CHAP | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | | PEAP | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | | MS-CHAPv2 | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | | Cisco LEAP | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | | EAP-GTC | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | EAP-MD5 | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ | | EAP-PWD | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✓ | ### EAP Enterprise authentik: 2025.10.0+[​](https://docs.goauthentik.io/add-secure-apps/providers/radius/#eap-- "Direct link to eap--") authentik supports EAP with TLS as the inner protocol, between the application and transport layers to encrypt and secure communications. To set this up, a certificate authority needs to be available and client certificates need to be installed on machines, the configuration of which is outside of the scope of this document. #### EAP-TLS[​](https://docs.goauthentik.io/add-secure-apps/providers/radius/#eap-tls "Direct link to EAP-TLS") Create an authentication flow with a [Mutual TLS stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/) as its first stage. This stage should be configured to use your CA's certificate. Afterwards a server certificate needs to be selected in the RADIUS provider (which serves as an outpost). Then, configure your RADIUS provider to use this authentication flow to enable EAP-TLS authentication. After the certificate and the authentication flow are configured in the provider, authentication via EAP-TLS is possible. For certificates, ensure that you use a client certificate and a server certificate that are created by a certificate authority, not a self-generated certificate. Use of trusted Certificate Authority For EAP-TLS, note that you should NOT use a globally known CA. Using private PKI certificates that are trusted by the end-device is best practise. For example, using a Verisign certificate as a "known CA" means that ANYONE who has a certificate signed by them can authenticate via EAP-TLS, and in addition you should implement [custom validation](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/#auth_method-string) to prevent unauthorized access. ### RADIUS attributes[​](https://docs.goauthentik.io/add-secure-apps/providers/radius/#radius-attributes "Direct link to RADIUS attributes") Starting with authentik 2024.8, you can create RADIUS provider property mappings, which make it possible to add custom attributes to the RADIUS response packets. For example, to add the Cisco AV-Pair attribute, this snippet can be used: define_attribute( vendor_code=9, vendor_name="Cisco", attribute_name="AV-Pair", attribute_code=1, attribute_type="string",)packet["Cisco-AV-Pair"] = "shell:priv-lvl=15"return packet After creation, make sure to select the RADIUS property mapping in the RADIUS provider. * [Authentication flow](https://docs.goauthentik.io/add-secure-apps/providers/radius/#authentication-flow) * [Protocol support](https://docs.goauthentik.io/add-secure-apps/providers/radius/#protocol-support) * [EAP](https://docs.goauthentik.io/add-secure-apps/providers/radius/#eap--) * [RADIUS attributes](https://docs.goauthentik.io/add-secure-apps/providers/radius/#radius-attributes) --- # Export configurations to blueprints | authentik [Skip to main content](https://docs.goauthentik.io/customize/blueprints/export/#__docusaurus_skipToContent_fallback) On this page Global export[​](https://docs.goauthentik.io/customize/blueprints/export/#global-export "Direct link to Global export") ------------------------------------------------------------------------------------------------------------------------ To migrate existing configurations to blueprints, run `ak export_blueprint` within any authentik Worker container. This will output a blueprint for most currently created objects. Some objects will not be exported as they might have dependencies on other things. Exported blueprints don't use any of the YAML Tags, they just contain a list of entries as they are in the database. Note that fields which are write-only (for example, OAuth Provider's Secret Key) will not be added to the blueprint, as the serialisation logic from the API is used for blueprints. Additionally, default values will be skipped and not added to the blueprint. Flow exports[​](https://docs.goauthentik.io/customize/blueprints/export/#flow-exports "Direct link to Flow exports") --------------------------------------------------------------------------------------------------------------------- A specific flow with its attached stages, policies, and other objects can be exported. This export can be triggered via the API or the Admin interface by clicking the **Export** button (download icon) next to the flow in the flow list. Cleaning up[​](https://docs.goauthentik.io/customize/blueprints/export/#cleaning-up "Direct link to Cleaning up") ------------------------------------------------------------------------------------------------------------------ Exports from either method will contain a (potentially) long list of objects, all with hardcoded primary keys and no ability for templating/instantiation. This is because currently, authentik does not check which primary keys are used where. It is assumed that for most exports, there'll be some manual changes done regardless, to filter out unwanted objects, adjust properties, etc. * [Global export](https://docs.goauthentik.io/customize/blueprints/export/#global-export) * [Flow exports](https://docs.goauthentik.io/customize/blueprints/export/#flow-exports) * [Cleaning up](https://docs.goauthentik.io/customize/blueprints/export/#cleaning-up) --- # RAC SSH Public Key Authentication | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac-public-key/#__docusaurus_skipToContent_fallback) On this page About RAC SSH public key authentication[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac-public-key/#about-rac-ssh-public-key-authentication "Direct link to About RAC SSH public key authentication") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The RAC provider supports SSH public key authentication. This allows for secure connections to SSH endpoints without the use of passwords. SSH private keys can be configured via several methods: Apply a private key to an RAC provider[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac-public-key/#apply-a-private-key-to-an-rac-provider "Direct link to Apply a private key to an RAC provider") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers**. 3. Click the **Edit** icon on the RAC provider that requires public key authentication. 4. In the **Settings** codebox enter the private key of the endpoint, for example: private-key: | -----BEGIN SSH PRIVATE KEY----- SAMPLEgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7 9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs /5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00 -----END SSH PRIVATE KEY----- 5. Click **Update**. info The pipe character (`|`) is required to preserve linebreaks in the YAML text. See the [YAML spec](https://yaml.org/spec/1.2.2/#literal-style) for more information. Apply a private key to an RAC endpoint[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac-public-key/#apply-a-private-key-to-an-rac-endpoint "Direct link to Apply a private key to an RAC endpoint") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers**. 3. Click the name of the RAC provider that the endpoint belongs to. 4. Under **Endpoints**, click on the **Edit** icon next to the endpoint that requires public key authentication. 5. Under **Advanced settings**, in the **Settings** codebox enter the private key of the endpoint: private-key: | -----BEGIN SSH PRIVATE KEY----- SAMPLEgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7 9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs /5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00 -----END SSH PRIVATE KEY----- 6. Click **Update**. info The pipe character (`|`) is required to preserve linebreaks in the YAML text. See the [YAML spec](https://yaml.org/spec/1.2.2/#literal-style) for more information. Apply a private key to an RAC property mapping[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac-public-key/#apply-a-private-key-to-an-rac-property-mapping "Direct link to Apply a private key to an RAC property mapping") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Customization** > **Property Mappings** and click **Create**, then create a **RAC Provider Property Mapping** with the following settings: * **Name**: Choose a descriptive name * Under **Advanced Settings**: * **Expression**: return {"private-key": "-----BEGIN SSH PRIVATE KEY-----SAMPLEgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8QuKUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEmo3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2kTQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp79mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uyv/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00-----END SSH PRIVATE KEY-----",} 3. Click **Finish**. 4. Navigate to **Applications** > **Providers**. 5. Click the **Edit** icon on the RAC provider that requires public key authentication. 6. Under **Protocol Settings** add the newly created property mapping to **Selected Property Mappings**. 7. Click **Update**. Retrieve a private key from a user's attributes and apply it to an RAC property mapping[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac-public-key/#retrieve-a-private-key-from-a-users-attributes-and-apply-it-to-an-rac-property-mapping "Direct link to Retrieve a private key from a user's attributes and apply it to an RAC property mapping") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **RAC Provider Property Mapping** with the following settings: * **Name**: Choose a descriptive name * Under **Advanced Settings**: * **Expression**: return {"private-key": request.user.attributes.get("", "default"),} 3. Click **Finish**. 4. Navigate to **Applications** > **Providers**. 5. Click the **Edit** icon on the RAC provider that requires public key authentication. 6. Under **Protocol Settings**, add the newly created property mapping to **Selected Property Mappings**. 7. Click **Update**. info For group attributes, the following expression can be used `request.user.group_attributes(request.http_request)`. * [About RAC SSH public key authentication](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac-public-key/#about-rac-ssh-public-key-authentication) * [Apply a private key to an RAC provider](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac-public-key/#apply-a-private-key-to-an-rac-provider) * [Apply a private key to an RAC endpoint](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac-public-key/#apply-a-private-key-to-an-rac-endpoint) * [Apply a private key to an RAC property mapping](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac-public-key/#apply-a-private-key-to-an-rac-property-mapping) * [Retrieve a private key from a user's attributes and apply it to an RAC property mapping](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac-public-key/#retrieve-a-private-key-from-a-users-attributes-and-apply-it-to-an-rac-property-mapping) --- # Shared Signals Framework (SSF) Provider | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/ssf/#__docusaurus_skipToContent_fallback) On this page Shared Signals Framework (SSF) is a common standard for sharing asynchronous real-time security signals and events across multiple applications and an identity provider. The framework is a collection of standards and communication processes, documented in a [specification](https://openid.net/specs/openid-sharedsignals-framework-1_0-ID3.html) . SSF leverages the APIs of the application and the IdP, using privacy-protected, secure webhooks. About Shared Signals Framework[​](https://docs.goauthentik.io/add-secure-apps/providers/ssf/#about-shared-signals-framework "Direct link to About Shared Signals Framework") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- In authentik, an SSF provider allows applications to subscribe to certain types of security signals (which are then translated into SETs, or Security Event Tokens) that are captured by authentik (the IdP), and then the application can respond to each event. In this scenario, authentik acts as the _transmitter_ and the application acts as the _receiver_ of the events. Events in authentik that are tracked via SSF include when an MFA device is added or removed, logouts, sessions being revoked by Admin or user clicking logout, or credentials changed. Example use cases[​](https://docs.goauthentik.io/add-secure-apps/providers/ssf/#example-use-cases "Direct link to Example use cases") -------------------------------------------------------------------------------------------------------------------------------------- One important use case for SFF is to [integrate Apple Business Manager](https://integrations.goauthentik.io/device-management/apple/) or any of the Apple device management platforms with authentik, so that users can enroll their Apple devices using their authentik credentials. When a user signs in with their email address, Apple redirects them to authentik for authentication. Once authenticated, Apple enrolls the user's device and grants access to Apple services. Another use case for SSF is when an Admin wants to know if a user logs out of authentik, so that the user is then also automatically logged out of all other work-focused applications. Another example use case is when an application uses SSF to subscribe to authorization events because the application needs to know if a user changed their password in authentik. If a user did change their password, then the application receives a POST request to write the fact that the password was changed. About using SSF in authentik[​](https://docs.goauthentik.io/add-secure-apps/providers/ssf/#about-using-ssf-in-authentik "Direct link to About using SSF in authentik") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- Let's look at a few details about using SSF in authentik. The SSF provider in authentik serves as a [backchannel provider](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#backchannel-providers) . Backchannel providers are used to augment the functionality of the main provider for an application. Thus you will still need to [create a typical application/provider pair](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#create-an-application-and-provider-pair) (using an OIDC provider), and when creating the application, assign the SSF provider as a backchannel provider. When an authentik Admin [creates an SSF provider](https://docs.goauthentik.io/add-secure-apps/providers/ssf/create-ssf-provider/) , they need to configure both the application (the receiver) and authentik (the IdP and the transmitter). ### The application (the receiver)[​](https://docs.goauthentik.io/add-secure-apps/providers/ssf/#the-application-the-receiver "Direct link to The application (the receiver)") Within the application, the admin creates an SSF stream (which comprises all the signals that the app wants to subscribe to) and defines the audience, called `aud` in the specification (the URL that identifies the stream). A stream is basically an API request to authentik, which asks for a POST of all events. How that request is sent varies from application to application. An application can change or delete the stream. Note that authentik doesn't specify which events to subscribe to; instead the application defines which they want to listen for. ### authentik (the transmitter)[​](https://docs.goauthentik.io/add-secure-apps/providers/ssf/#authentik-the-transmitter "Direct link to authentik (the transmitter)") To configure authentik as a shared signals transmitter, the authentik Admin [creates a new provider](https://docs.goauthentik.io/add-secure-apps/providers/ssf/create-ssf-provider/) , selecting the type "SSF", to serve as the backchannelprovider for the application. When creating the SSF provider you will need to select a signing key. This is the key that the Security Event Tokens (SET) is signed with. Optionally, you can specify a event retention time period: this value determines how long events are stored for. If an event could not be sent correctly, and retries occur, the event's expiration is also increased by this duration. info Be aware that the SET events are different events than those displayed in the authentik Admin interface under **Events**. * [About Shared Signals Framework](https://docs.goauthentik.io/add-secure-apps/providers/ssf/#about-shared-signals-framework) * [Example use cases](https://docs.goauthentik.io/add-secure-apps/providers/ssf/#example-use-cases) * [About using SSF in authentik](https://docs.goauthentik.io/add-secure-apps/providers/ssf/#about-using-ssf-in-authentik) * [The application (the receiver)](https://docs.goauthentik.io/add-secure-apps/providers/ssf/#the-application-the-receiver) * [authentik (the transmitter)](https://docs.goauthentik.io/add-secure-apps/providers/ssf/#authentik-the-transmitter) --- # Create a Remote Access Control (RAC) provider | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/rac/how-to-rac/#__docusaurus_skipToContent_fallback) On this page The Remote Access Control (RAC) provider is a highly flexible feature for accessing remote machines. For overview information, see the [RAC provider](https://docs.goauthentik.io/add-secure-apps/providers/rac/) documentation. You can also view our video on YouTube for setting up RAC. Overview workflow to create an RAC provider[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/how-to-rac/#overview-workflow-to-create-an-rac-provider "Direct link to Overview workflow to create an RAC provider") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The typical workflow to create and configure a RAC provider is: 1. Create an application and provider. 2. Create property mappings (that define the access credentials to each remote machine). 3. Create an endpoint for each remote machine you want to connect to. 4. Create an RAC outpost to service the provider. Depending on whether you are connecting using RDP, SSH, or VNC, the exact configuration choices will differ, but the overall workflow applies to all RAC connections. ### Create an application and RAC provider[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/how-to-rac/#create-an-application-and-rac-provider "Direct link to Create an application and RAC provider") The first step is to create the RAC application and provider pair. 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Applications** and click **Create with provider**. 3. Follow these [instructions](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#create-an-application-and-provider-pair) to create your RAC application and provider. ### Create RAC property mappings[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/how-to-rac/#create-rac-property-mappings "Direct link to Create RAC property mappings") Next, you need to add property mappings for each remote machine you want to access. Property mappings allow you to pass information to external applications, and with RAC they are used to pass the host name, IP address, and access credentials of the remote machine. 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Customization** > **Property Mappings** and click **Create**. * **Select Type**: `RAC Provider Property Mapping` * **Create RAC Property Mapping**: * **Name**s: define a name for the property mapping, perhaps include the type of connection (RDP, SSH, VNC) * **General settings**: * **Username**: the username for the remote machine * **Password**: the password for the remote machine * **RDP settings**: * **Ignore server certificate**: select **Enabled** (Depending on the setup of your RDP Server, it might be required to enable this setting.) * **Enable wallpaper**: optional * **Enable font smoothing**: optional * **Enable full window dragging**: optional * Advanced settings: * **Expressions**: optional, using Python you can define custom [expressions](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/expression/) . 3. Click **Finish**. ### Create endpoints for the provider[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/how-to-rac/#create-endpoints-for-the-provider "Direct link to Create endpoints for the provider") Then, you need to create an endpoint for each remote machine. Endpoints are defined within providers; connections between the remote machine and authentik are enabled through communication between the provider's endpoint and the remote machine. 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers**. 3. Click the **Edit** button on the RAC provider that you previously created. 4. On the Provider page, under **Endpoints**, click **Create**, and provide the following settings: * **Name**: define a name for the endpoint, perhaps include the type of connection (RDP, SSH, VNC). * **Protocol**: select the appropriate protocol. * **Host**: enter the host name or IP address of the remote machine. * **Maximum concurrent connections**: select a value or use `-1` to disable the limitation. * **Property mapping**: select either the property mapping that you previously created, or use one of the default settings. * **Advance settings**: (_optional_) 5. Click **Create**. ### Create an RAC outpost[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/how-to-rac/#create-an-rac-outpost "Direct link to Create an RAC outpost") The RAC provider requires the deployment of an [RAC Outpost](https://docs.goauthentik.io/add-secure-apps/outposts/) . 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Applications** > **Outposts**. 3. Click **Create** and set the following values: * **Name**: define a name for the outpost. * **Type**: `RAC` * **Integration**: select either Docker or Kubernetes, or optionally [manually deploy the outpost](https://docs.goauthentik.io/add-secure-apps/outposts/#outpost-integrations) . * **Applications**: select the RAC application that you previously created. * **Advanced settings (optional)**: for further optional configuration settings, refer to [RAC Configuration](https://docs.goauthentik.io/add-secure-apps/outposts/#configuration) . 4. Click Create to save your new outpost. Access the remote machine[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/how-to-rac/#access-the-remote-machine "Direct link to Access the remote machine") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- To verify your configuration and then access the remote machine, go to the **User interface** of your authentik instance. On the **My applications** page click the **Remote Access** application and authentik then connects you to a secure session on the remote machine, in your web browser. If you defined multiple endpoints, click the endpoint for the remote machine that you want to access. * [Overview workflow to create an RAC provider](https://docs.goauthentik.io/add-secure-apps/providers/rac/how-to-rac/#overview-workflow-to-create-an-rac-provider) * [Create an application and RAC provider](https://docs.goauthentik.io/add-secure-apps/providers/rac/how-to-rac/#create-an-application-and-rac-provider) * [Create RAC property mappings](https://docs.goauthentik.io/add-secure-apps/providers/rac/how-to-rac/#create-rac-property-mappings) * [Create endpoints for the provider](https://docs.goauthentik.io/add-secure-apps/providers/rac/how-to-rac/#create-endpoints-for-the-provider) * [Create an RAC outpost](https://docs.goauthentik.io/add-secure-apps/providers/rac/how-to-rac/#create-an-rac-outpost) * [Access the remote machine](https://docs.goauthentik.io/add-secure-apps/providers/rac/how-to-rac/#access-the-remote-machine) --- # Blueprints | authentik [Skip to main content](https://docs.goauthentik.io/customize/blueprints/#__docusaurus_skipToContent_fallback) On this page Blueprints provide a way to template, automate, and distribute authentik configuration. Blueprints can be used to automatically configure instances, manage infrastructure-as-code without any external tools, and to distribute application configurations. Blueprints are YAML files, whose format is described further in [File structure](https://docs.goauthentik.io/customize/blueprints/v1/structure/) . Blueprints are used to manage authentik's default flows and other system objects. For example, authentik's `default-authentication-flow` is, under the covers, created by a blueprint. Custom blueprints can be used to replace or modify default blueprints in certain circumstances. For example, you could create a new flow that is based on the `default-authentication-flow` but adds an additional stage or policy. Applying blueprints[​](https://docs.goauthentik.io/customize/blueprints/#applying-blueprints "Direct link to Applying blueprints") ----------------------------------------------------------------------------------------------------------------------------------- To _apply_ a blueprint means that the content in the blueprint file is instantiated and then implemented by authentik. Blueprints can be applied in one of two ways: * as a _blueprint instance_ (a new instance of any authentik configuration, which you can then further customize) * as an _imported flow_ (to add a new flow, or to revert to the default, out-of-box flow) To learn how to apply, create, modify, and manage blueprints, refer to [Working with blueprints](https://docs.goauthentik.io/customize/blueprints/working_with_blueprints/) . ### Blueprint instance[​](https://docs.goauthentik.io/customize/blueprints/#blueprint-instance "Direct link to Blueprint instance") A Blueprint _instance_ is an instantiation of a blueprint. Each instance refers to a YAML file that is either mounted into the authentik (worker) container, in an OCI registry or the local database. (See [Blueprint storage](https://docs.goauthentik.io/customize/blueprints/#blueprint-storage) for more information.) This file is read and applied regularly (every 60 minutes). Multiple instances can be created for a single blueprint file, and instances can be given context key:value attributes to configure the blueprint. info authentik watches for file modification/creation events in the blueprint directory and will automatically trigger a discovery when a new blueprint file is created, and trigger a blueprint apply when a file is modified. ### Imported flow[​](https://docs.goauthentik.io/customize/blueprints/#imported-flow "Direct link to Imported flow") You can apply an example flow, either by importing it from the **Flows** page, or by selecting it from the list of blueprints under **Customization > Blueprints** in the Admin interface and clicking **Apply**. After applying the flow, you can decide if you want to further customize the flow, or just use it as it is. This YAML file is validated and applied directly after being uploaded, but is not monitored further, nor is it automatically applied on startup like blueprint instances. info Be aware that if you [modify and save](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/#flow-configuration-options) an existing default flow, what you get is a merged version of the two: the _original flow_ (which is based on the blueprint) _plus any changes you made to the flow_. If you want to revert any modifications that you made to the default flow and get a fresh start with the original default flow, you have to _first_ delete the modified flow, and _then_ [apply the flow's blueprint](https://docs.goauthentik.io/customize/blueprints/working_with_blueprints/#apply-a-new-flow) again. Blueprint execution[​](https://docs.goauthentik.io/customize/blueprints/#blueprint-execution "Direct link to Blueprint execution") ----------------------------------------------------------------------------------------------------------------------------------- When a blueprint is applied, all entries are processed within a single **atomic database transaction**. This means: * If any entry fails validation or encounters an error, the **entire blueprint is rolled back** * No partial changes are committed - it's all-or-nothing * This ensures database consistency and prevents incomplete configurations Additionally, all blueprints have access to built-in context variables: * `goauthentik.io/enterprise/licensed`: Boolean indicating if an enterprise license is active * `goauthentik.io/rbac/models`: Dictionary of available RBAC models When you create or edit a blueprint instance, these context variables can be accessed using the `!Context` tag in the YAML file (or in the UI under **Advanced settings** on the Create/Edit page). **Example**: conditions: - !Context goauthentik.io/enterprise/licensed Blueprint storage[​](https://docs.goauthentik.io/customize/blueprints/#blueprint-storage "Direct link to Blueprint storage") ----------------------------------------------------------------------------------------------------------------------------- When you add a new blueprint instance you can define from where the `.yaml` file is accessed and read by authentik: as a local file, in an OCI registry, or internally in authentik's database. ### As a local file[​](https://docs.goauthentik.io/customize/blueprints/#as-a-local-file "Direct link to As a local file") The authentik container by default looks for blueprints in `/blueprints`. Underneath this directory, there are a couple of default subdirectories: * `/blueprints/default`: Default blueprints for default flows, tenants, etc * `/blueprints/example`: Example blueprints for common configurations and flows * `/blueprints/system`: System blueprints for authentik managed Property mappings, etc Any additional `.yaml` file in `/blueprints` will be discovered and automatically instantiated, depending on their labels. To disable existing blueprints, an empty file can be mounted over the existing blueprint. File-based blueprints are automatically removed once they become unavailable, however none of the objects created by those blueprints are affected by this. info Please note that, by default, blueprint discovery and evaluation is not guaranteed to follow any specific order. If you have dependencies between blueprints, you should use [meta models](https://docs.goauthentik.io/customize/blueprints/v1/meta/#authentik_blueprintsmetaapplyblueprint) to make sure that objects are created in the correct order. ### In an OCI registry[​](https://docs.goauthentik.io/customize/blueprints/#in-an-oci-registry "Direct link to In an OCI registry") Blueprints can also be stored in remote [OCI](https://opencontainers.org/) compliant registries. This includes GitHub Container Registry, Docker hub and many other registries. To download a blueprint via OCI, set the path to `oci://ghcr.io//:`. This will fetch the blueprint from an OCI package hosted on GHCR. To fetch blueprints from a private registry with authentication, credentials can be embedded into the URL. Blueprints are re-fetched each execution, so when using changing tags, blueprints will automatically be updated. To push a blueprint to an OCI-compatible registry, [ORAS](https://oras.land/) can be used with this command oras push ghcr.io//blueprint/:latest :application/vnd.goauthentik.blueprint.v1+yaml ### Internally in authentik's database[​](https://docs.goauthentik.io/customize/blueprints/#internally-in-authentiks-database "Direct link to Internally in authentik's database") Blueprints can be stored in authentik's database, which allows blueprints to be managed via external configuration management tools like Terraform. Modifying the contents of a blueprint will trigger its reconciliation. Blueprints are validated on submission to prevent invalid blueprints from being saved. * [Applying blueprints](https://docs.goauthentik.io/customize/blueprints/#applying-blueprints) * [Blueprint instance](https://docs.goauthentik.io/customize/blueprints/#blueprint-instance) * [Imported flow](https://docs.goauthentik.io/customize/blueprints/#imported-flow) * [Blueprint execution](https://docs.goauthentik.io/customize/blueprints/#blueprint-execution) * [Blueprint storage](https://docs.goauthentik.io/customize/blueprints/#blueprint-storage) * [As a local file](https://docs.goauthentik.io/customize/blueprints/#as-a-local-file) * [In an OCI registry](https://docs.goauthentik.io/customize/blueprints/#in-an-oci-registry) * [Internally in authentik's database](https://docs.goauthentik.io/customize/blueprints/#internally-in-authentiks-database) --- # Customize the Admin interface | authentik [Skip to main content](https://docs.goauthentik.io/customize/interfaces/admin/#__docusaurus_skipToContent_fallback) On this page The Admin interface can be customized using attributes configured in [Brands](https://docs.goauthentik.io/brands/) To add, remove, or modify attributes for a brand, log in to the Admin interface and navigate to **System > Brands > Other global settings > Attributes**. Most attributes defined in a brand apply to _both_ the User and Admin interfaces. However, any settings that are specific to only the Admin interface are explicitly noted as such below. The following screenshot shows the syntax for setting several attributes for a brand: dark mode, a 3-column display of applications on **My applications** page of the User interface, and hiding the API and Notifications drawers from the Admin interface tool bar. ![](https://docs.goauthentik.io/assets/images/admin-interface-attributes-37e88a7a8e52515d8a852c7e9c99b7fa.png) Custom settings[​](https://docs.goauthentik.io/customize/interfaces/admin/#custom-settings "Direct link to Custom settings") ----------------------------------------------------------------------------------------------------------------------------- The following settings for attributes are grouped by: * `enabledFeatures` settings * General settings (used on both the Admin interface and the User interface) * Admin interface only ### Enabling/disabling features[​](https://docs.goauthentik.io/customize/interfaces/admin/#enablingdisabling-features "Direct link to Enabling/disabling features") The features listed below can be enabled or disabled through attributes set on the Brand. By default, all of the listed features are enabled. To disable a specific feature, set its value to `false`. #### `settings.enabledFeatures.apiDrawer`[​](https://docs.goauthentik.io/customize/interfaces/admin/#settingsenabledfeaturesapidrawer "Direct link to settingsenabledfeaturesapidrawer") Display the API Request drawer in the upper tool bar. #### `settings.enabledFeatures.notificationDrawer`[​](https://docs.goauthentik.io/customize/interfaces/admin/#settingsenabledfeaturesnotificationdrawer "Direct link to settingsenabledfeaturesnotificationdrawer") Display the Notification drawer in the upper tool bar. #### `settings.enabledFeatures.settings`[​](https://docs.goauthentik.io/customize/interfaces/admin/#settingsenabledfeaturessettings "Direct link to settingsenabledfeaturessettings") Display the Settings link in the upper tool bar. #### `settings.enabledFeatures.search`[​](https://docs.goauthentik.io/customize/interfaces/admin/#settingsenabledfeaturessearch "Direct link to settingsenabledfeaturessearch") Display the Search bar in the upper tool bar. ### General settings (both Admin and User interfaces)[​](https://docs.goauthentik.io/customize/interfaces/admin/#general-settings-both-admin-and-user-interfaces "Direct link to General settings (both Admin and User interfaces)") #### `settings.navbar.userDisplay`[​](https://docs.goauthentik.io/customize/interfaces/admin/#settingsnavbaruserdisplay "Direct link to settingsnavbaruserdisplay") Configure what is shown in the top right corner. Defaults to `username`. Available options: `username`, `name`, `email` #### `settings.theme.base`[​](https://docs.goauthentik.io/customize/interfaces/admin/#settingsthemebase "Direct link to settingsthemebase") Configure the base color scheme or toggle between dark and light modes. The default setting is `automatic`, which adapts based on the user’s browser preference. Available options: `automatic`, `dark`, `light`. **Example**: settings: theme: base: dark #### `settings.theme.background`[​](https://docs.goauthentik.io/customize/interfaces/admin/#settingsthemebackground "Direct link to settingsthemebackground") Optional CSS that is applied to the background of the User interface, for example to set a custom background color, gradient, or image. settings: theme: background: > background: url('https://picsum.photos/1920/1080'); filter: blur(8px); background-position: center; background-repeat: no-repeat; background-size: cover; #### `settings.locale`[​](https://docs.goauthentik.io/customize/interfaces/admin/#settingslocale "Direct link to settingslocale") The locale which can be configured in the user settings by default. This can be used to preset locales for groups of users, but still let them choose their own preferred locale. ### Settings for the Admin interface only[​](https://docs.goauthentik.io/customize/interfaces/admin/#settings-for-the-admin-interface-only "Direct link to Settings for the Admin interface only") The following settings can only be used to customize the Admin interface, not the User interface. #### `settings.pagination.perPage`[​](https://docs.goauthentik.io/customize/interfaces/admin/#settingspaginationperpage "Direct link to settingspaginationperpage") How many items should be retrieved per page. Defaults to 20. #### `settings.defaults.userPath`[​](https://docs.goauthentik.io/customize/interfaces/admin/#settingsdefaultsuserpath "Direct link to settingsdefaultsuserpath") Default user path which is used when opening the user list. Defaults to `users`. Global customization[​](https://docs.goauthentik.io/customize/interfaces/admin/#global-customization "Direct link to Global customization") -------------------------------------------------------------------------------------------------------------------------------------------- To customize the following brand settings, log in to the Admin interface and navigate to **System > Brands > Brand settings**. * Title * Logo * Favicon * Default flow background image * Custom CSS For more details, see the [Brand settings](https://docs.goauthentik.io/brands/#branding-settings) documentation. * [Custom settings](https://docs.goauthentik.io/customize/interfaces/admin/#custom-settings) * [Enabling/disabling features](https://docs.goauthentik.io/customize/interfaces/admin/#enablingdisabling-features) * [General settings (both Admin and User interfaces)](https://docs.goauthentik.io/customize/interfaces/admin/#general-settings-both-admin-and-user-interfaces) * [Settings for the Admin interface only](https://docs.goauthentik.io/customize/interfaces/admin/#settings-for-the-admin-interface-only) * [Global customization](https://docs.goauthentik.io/customize/interfaces/admin/#global-customization) --- # Hackathon 2023 | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/hackathon/#__docusaurus_skipToContent_fallback) On this page ![hackathon-image](https://docs.goauthentik.io/assets/images/horizontal-brandon-frie-rdHeGGn7rwQ-unsplash-5af96aa238f2daa007faec2d3c070fbd.jpg) **REGISTRATION NOW CLOSED. PLEASE JOIN US FOR A FUTURE AUTHENTIK HACKATHON.** ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ Join us for our first authentik hackathon![​](https://docs.goauthentik.io/developer-docs/hackathon/#join-us-for-our-first-authentik-hackathon "Direct link to Join us for our first authentik hackathon!") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Everyone welcome; we will work on code, docs, and anything else that looks interesting and challenging. Moderators will be available for most US and European hours, so if during the multi-day event, participants have questions or a PR needs a technical review, we are here for you. Prizes? Why, Yes! We've got a total prize pool of $5000 and a bunch of cool authentik-branded socks and, indubitably, GitHub fame. When[​](https://docs.goauthentik.io/developer-docs/hackathon/#when "Direct link to When") ------------------------------------------------------------------------------------------ July 26-30, 2023 * Kickoff meeting is on Wednesday, July 26th, at 8:00am Pacific USA (UTC -7), 5:00pm in Central Europe (UTC +2), and 8:30pm in Mumbai (UTC +5.30) * Check-in calls on Thursday and Friday, for one hour, at the same times as above. * Wrap-up and first demos on Saturday, starting at same times as above. * Final demos, voting, and awards on Sunday! Yep, same times as above. Where[​](https://docs.goauthentik.io/developer-docs/hackathon/#where "Direct link to Where") --------------------------------------------------------------------------------------------- Online, in our [GitHub repo](https://github.com/goauthentik/authentik) , and on Discord in our [#hackathon23 channel](https://discord.com/channels/809154715984199690/1110948434552299673) for our Kickoff call, checkins, and the wrap-up and awards events. We will also use the #hackathon23 channel throughout the entire five days, for questions and general chatting. Be sure to first visit our [welcome-info-rules channel](https://discord.com/channels/809154715984199690/813452440660606986) , to review our code of conduct and see the latest posts about the hackathon. Take a look on GitHub[​](https://docs.goauthentik.io/developer-docs/hackathon/#take-a-look-on-github "Direct link to Take a look on GitHub") --------------------------------------------------------------------------------------------------------------------------------------------- If you already know what you and/or your team want to work on, you can open an [Issue](https://github.com/goauthentik/authentik/issues) using our template for all hackathon Issues at any time (why not now?) and add the `hackathon` label. Then, when you register, enter the Issue number that you opened on your registration form. This way, on Kickoff Day we can easily match participants with their Issue of interest. During the Kickoff call, there will be time to peruse existing Issues and add emotes to indicate your interest in working on it (or having it worked on!) * 🚀 I want to work on this * ❤️ I want to see this worked on Agenda[​](https://docs.goauthentik.io/developer-docs/hackathon/#agenda "Direct link to Agenda") ------------------------------------------------------------------------------------------------ * **Wednesday, July 26th**: Kickoff, voting for topics to work on, teams formed, participants select the Issue/team they are going to work on, and get their environment set up. After the online kickoff, you can start your work at any time. * **Thursday July 27th**: HackDay [#1](https://github.com/goauthentik/authentik/issues/1) : participants working on their PRs, a one-hour Check-in call * **Friday, July 28th**: HackDay [#2](https://github.com/goauthentik/authentik/issues/2) : participants working on their PRs, a one-hour Check-in call * **Saturday, July 29th**: an online “meeting” to do wrap-up, participants sign-up for demo slots (Saturday and Sunday slots available), then some demos * **Sunday, July 30th**: rest of the demos, votes, and awards About that money...[​](https://docs.goauthentik.io/developer-docs/hackathon/#about-that-money "Direct link to About that money...") ------------------------------------------------------------------------------------------------------------------------------------ Be aware that all prize money distributions will follow local/state/country laws regarding taxation, not providing funds to citizens of countries prohibited by US law, and all other legal requirements. Questions?[​](https://docs.goauthentik.io/developer-docs/hackathon/#questions "Direct link to Questions?") ----------------------------------------------------------------------------------------------------------- Chat with us on [Discord](https://discord.com/channels/809154715984199690/1110948434552299673) and email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#5b333a38303a2f3334351b3c343a2e2f333e352f3230753234) ! Spread the word![​](https://docs.goauthentik.io/developer-docs/hackathon/#spread-the-word "Direct link to Spread the word!") ----------------------------------------------------------------------------------------------------------------------------- We would be grateful if you help us get the word out. Share this page and information wherever you hang out. Bring 'em all! * [Join us for our first authentik hackathon!](https://docs.goauthentik.io/developer-docs/hackathon/#join-us-for-our-first-authentik-hackathon) * [When](https://docs.goauthentik.io/developer-docs/hackathon/#when) * [Where](https://docs.goauthentik.io/developer-docs/hackathon/#where) * [Take a look on GitHub](https://docs.goauthentik.io/developer-docs/hackathon/#take-a-look-on-github) * [Agenda](https://docs.goauthentik.io/developer-docs/hackathon/#agenda) * [About that money...](https://docs.goauthentik.io/developer-docs/hackathon/#about-that-money) * [Questions?](https://docs.goauthentik.io/developer-docs/hackathon/#questions) * [Spread the word!](https://docs.goauthentik.io/developer-docs/hackathon/#spread-the-word) --- # Single Logout (SLO) | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#__docusaurus_skipToContent_fallback) On this page Single Logout (SLO) is a security feature that logs users out of all active applications when they log out of authentik. It uses the OAuth2/OpenID Connect front-channel and back-channel logout specifications in combination with SAML's Single Logout specification. For example, if a user is concurrently logged into an OIDC application and two SAML applications, when the user logs out of authentik, they will automatically be logged out of all three applications. Without SLO configured, users with active sessions across multiple applications would need to manually log out of each one. info Check with your service provider to see if they support SAML Single Logout or OIDC front-channel/back-channel logout. Not all service providers support these features. How Single Logout works in authentik[​](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#how-single-logout-works-in-authentik "Direct link to How Single Logout works in authentik") --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- When a user logs out or their session is terminated in authentik, the following process occurs: 1. **Session Termination**: The user's session ends through one of the following: * User-initiated logout via a logout flow * Administrative action (session deletion or user deactivation) * Token revocation or expiration 2. **Provider Identification**: authentik identifies all OAuth2/OIDC and SAML providers with active sessions for the users who have SLO configured. 3. **Logout Request Dispatch**: * **Back-channel**: HTTP POST requests are sent directly from the authentik server to each back-channel provider's configured logout endpoint. * **Front-channel**: For user-initiated logouts, a logout stage is automatically injected into the flow that handles browser-based logout (typically via iframes or sequential redirects). 4. **Provider Processing**: Each provider processes the logout request, validates it, and terminates the user's active session. 5. **Completion**: After all providers have been notified, the user is redirected back to the authentik login screen. Front-channel vs. back-channel logout[​](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#front-channel-vs-back-channel-logout "Direct link to Front-channel vs. back-channel logout") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- authentik supports both front-channel (browser-based) and back-channel (server-to-server) logout methods, depending on how each provider is configured. ### Front-channel logout[​](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#front-channel-logout "Direct link to Front-channel logout") Front-channel logout sends logout requests through the user's browser. authentik supports two front-channel modes: #### iframe mode (default for OIDC)[​](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#iframe-mode-default-for-oidc "Direct link to iframe mode (default for OIDC)") * Loads all provider logout URLs simultaneously in hidden iframes * Provides fast, parallel logout across multiple providers * Required by the OIDC front-channel logout specification * Most SAML providers also support iframe-based logout * Provides fast, parallel logout across multiple providers * Required by the OIDC front-channel logout specification * Most SAML providers also support iframe-based logout #### Native Mode (SAML Only)[​](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#native-mode-saml-only "Direct link to Native Mode (SAML Only)") * Uses the active browser tab to chain redirects and POST requests sequentially * Provides better compatibility with SAML providers that have iframe restrictions * Each provider redirects the user back to authentik before proceeding to the next provider * Not available for OIDC providers as the specification requires iframe support info Use native front-channel mode for SAML providers if you encounter iframe compatibility issues, such as Content Security Policy (CSP) restrictions or cookie handling problems. ### Back-channel Logout[​](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#back-channel-logout "Direct link to Back-channel Logout") Back-channel logout sends logout requests directly from the authentik server to each provider's logout endpoint via HTTP POST. * Does not require user browser interaction * Works even when the user is offline or their browser is closed * Is automatically triggered by administrators terminating a user session (user deactivation or session deletion) * Requires the provider to accept server-to-server POST requests **For SAML**: Requires POST SLS binding. **For OIDC**: Requires a `logout_uri` configured for back-channel that accepts logout tokens. Enable Single Logout[​](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#enable-single-logout "Direct link to Enable Single Logout") --------------------------------------------------------------------------------------------------------------------------------------------------------- Enabling single logout requires configuring logout endpoints on your SAML or OIDC providers in authentik. ### SAML Providers[​](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#saml-providers "Direct link to SAML Providers") See the [SAML Single Logout documentation](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/) for detailed instructions. You will need to: 1. Configure the **SLS URL** (Single Logout Service URL) - the provider's logout endpoint 2. Select the **SLS Binding** (Redirect or POST) 3. Choose a **Logout Method**; front-channel iframe, front-channel native, or back-channel 4. Optionally, enable **Sign Logout Request** for additional security ### OIDC providers[​](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#oidc-providers "Direct link to OIDC providers") See the [OIDC Front-channel and Back-channel logout documentation](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/) for detailed instructions. You will need to: 1. Configure the **logout URI** - the provider's logout endpoint 2. Enable the desired **Logout Method**; front-channel or back-channel 3. Optionally configure logout token signing for back-channel requests Session tracking[​](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#session-tracking "Direct link to Session tracking") --------------------------------------------------------------------------------------------------------------------------------------------- authentik tracks provider sessions to enable single logout: * **SAML**: Creates `SAMLSession` records containing the `SessionIndex`, `NameID`, and `NameID format` for each successful authentication. * **OIDC**: Tracks session identifiers (`sid`) and ID tokens required for logout requests. These session records are automatically created during authentication and deleted after logout or expiration. Administrative session termination[​](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#administrative-session-termination "Direct link to Administrative session termination") --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Back-channel logout is always triggered when a user session is terminated via administrative actions: * **Session Deletion**: When an administrator manually deletes a user's session through the Admin interface or API, authentik sends back-channel logout requests to all configured providers. * **User Deactivation**: When a user account is deactivated, authentik automatically sends back-channel logout requests to terminate all active sessions across all providers. These requests are processed asynchronously to avoid blocking administrative operations. Resources[​](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#resources "Direct link to Resources") ------------------------------------------------------------------------------------------------------------------------ * [SAML Single Logout](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/) * [OIDC Front-channel and Back-channel Logout](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/frontchannel_and_backchannel_logout/) * [User Logout Stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_logout/) * [SAML Profiles 2.0 Specification](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) * [OpenID Connect Front-Channel Logout 1.0](https://openid.net/specs/openid-connect-frontchannel-1_0.html) * [OpenID Connect Back-Channel Logout 1.0](https://openid.net/specs/openid-connect-backchannel-1_0.html) * [How Single Logout works in authentik](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#how-single-logout-works-in-authentik) * [Front-channel vs. back-channel logout](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#front-channel-vs-back-channel-logout) * [Front-channel logout](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#front-channel-logout) * [Back-channel Logout](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#back-channel-logout) * [Enable Single Logout](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#enable-single-logout) * [SAML Providers](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#saml-providers) * [OIDC providers](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#oidc-providers) * [Session tracking](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#session-tracking) * [Administrative session termination](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#administrative-session-termination) * [Resources](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/#resources) --- # SCIM Provider | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/scim/#__docusaurus_skipToContent_fallback) On this page SCIM (System for Cross-domain Identity Management) is a set of APIs to provision users and groups. The SCIM provider in authentik supports SCIM 2.0 and can be used to provision and sync users from authentik into other applications. A SCIM provider requires a SCIM base URL for the endpoint and an authentication token. SCIM works via HTTP requests, so authentik must be able to reach the specified endpoint. This endpoint usually ends in `/v2`, which corresponds to the SCIM version supported. SCIM providers in authentik always serve as [backchannel providers](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#backchannel-providers) , which are used in addition to the main provider that supplies SSO authentication. A backchannel provider is used for an application that requires backend authentication, directory synchronization, or other additional authentication needs. For example, you can create an application and provider pair for Slack, creating Slack as the application and SAML as the provider. Say you then want to use SCIM for further authentication using a token. For this scenario use the following workflow: 1. [Create](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#create-an-application-and-provider-pair) the application and provider pair. 2. [Create](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#backchannel-providers) the SCIM backchannel provider. 3. Edit the application and in the **Backchannel Providers** field add the backchannel provider that you just created. Authentication mode options[​](https://docs.goauthentik.io/add-secure-apps/providers/scim/#authentication-mode-options "Direct link to Authentication mode options") --------------------------------------------------------------------------------------------------------------------------------------------------------------------- In authentik, there are two options for how to configure authentication for a SCIM provider: * **Static token** provided by the application (default) * **OAuth token** authentik will retrieve an OAuth token from a specified source and use that token for authentication When you create a new SCIM provider, select which **Authentication Mode** the application supports. ![Creating a SCIM provider](https://docs.goauthentik.io/assets/images/scim_oauth-4a41f347076a228a096e771b5bd2936d.png) Whichever mode you select you'll need to enter a SCIM base **URL**, for the endpoint. ### Default authentication method for a SCIM provider[​](https://docs.goauthentik.io/add-secure-apps/providers/scim/#default-authentication-method-for-a-scim-provider "Direct link to Default authentication method for a SCIM provider") With authentik's default mode, the token that you enter (provided by the application) is sent with all outgoing SCIM requests to authenticate each request. ### OAuth authentication for a SCIM provider Enterprise authentik: 2025.10.0+[​](https://docs.goauthentik.io/add-secure-apps/providers/scim/#oauth-authentication-for-a-scim-provider-- "Direct link to oauth-authentication-for-a-scim-provider--") Configuring your SCIM provider to use OAuth for authentication means that short-lived tokens are dynamically generated through an OAuth flow and sent to the SCIM endpoint. This offers improved security and control versus a static token. You can also add additional token request parameters to the OAuth token, such as `grant_type`, `subject_token`, or `client_assertion`. Some examples are: * `grant_type: client_credentials` * `grant_type: password` OAuth source required To use OAuth authentication for your application, you will need to create and connect to an [OAuth source](https://docs.goauthentik.io/users-sources/sources/protocols/oauth/) . ### Syncing[​](https://docs.goauthentik.io/add-secure-apps/providers/scim/#syncing "Direct link to Syncing") Data is synchronized in multiple ways: * When a user/group is created/modified/deleted, that action is sent to all SCIM providers * Periodically (once an hour), all SCIM providers are fully synchronized The actual synchronization process is run in the authentik worker. To allow this process to better to scale, a task is started for each 100 users and groups, so when multiple workers are available the workload will be distributed. ### Attribute mapping[​](https://docs.goauthentik.io/add-secure-apps/providers/scim/#attribute-mapping "Direct link to Attribute mapping") Attribute mapping from authentik to SCIM users is done via property mappings as with other providers. The default mappings for users and groups make some assumptions that should work for most setups, but it is also possible to define custom mappings to add fields. All selected mappings are applied in the order of their name, and are deeply merged onto the final user data. The final data is then validated against the SCIM schema, and if the data is not valid, the sync is stopped. ### Filtering users[​](https://docs.goauthentik.io/add-secure-apps/providers/scim/#filtering-users "Direct link to Filtering users") By default service accounts are excluded from being synchronized. This can be configured in the SCIM provider. Additionally, an optional group can be configured to only synchronize the users that are members of the selected group. Changing this group selection does _not_ remove members outside of the group that might have been created previously. ### Supported options[​](https://docs.goauthentik.io/add-secure-apps/providers/scim/#supported-options "Direct link to Supported options") SCIM defines several optional settings that allow clients to discover a service provider's supported features. In authentik, the [`ServiceProviderConfig`](https://datatracker.ietf.org/doc/html/rfc7644#section-4) endpoint provides support for the following options (if the option is supported by the service provider). * Filtering When the remote system supports [filtering](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) , authentik uses this operation to filter users and groups in the remote system to match them to existing authentik users and groups. * Bulk The [`bulk`](https://datatracker.ietf.org/doc/html/rfc7644#section-3.7) configuration enables clients to send large collections of resource operations in a single request. If the remote system sets this attribute, authentik will respect the `maxOperations` value to determine the maximum number of individual operations a server can process within a single bulk request. * Patch updates If the service provider supports [PATCH updates](https://datatracker.ietf.org/doc/html/rfc7644#section-3.5.2) , authentik will use patch requests to add/remove members of groups. For all other updates, such as user updates and other group updates, PUT requests are used. ### Using in conjunction with other providers[​](https://docs.goauthentik.io/add-secure-apps/providers/scim/#using-in-conjunction-with-other-providers "Direct link to Using in conjunction with other providers") A lot of applications support SCIM in conjunction with another SSO protocol like OAuth/OIDC or SAML. With default settings, the unique user IDs in SCIM and other protocols are identical, which should easily allow applications to link users the are provisioned with users that are logging in. Applications can either match users on a unique ID sent by authentik called `externalId`, by their email or username. #### OAuth/OIDC[​](https://docs.goauthentik.io/add-secure-apps/providers/scim/#oauthoidc "Direct link to OAuth/OIDC") The default provider configuration for the _Subject mode_ option of _Based on the User's hashed ID_ matches the `externalId` that's generated by default. If any other _Subject mode_ is selected, the `externalId` attribute can be customized via SCIM mappings. #### SAML[​](https://docs.goauthentik.io/add-secure-apps/providers/scim/#saml "Direct link to SAML") The SAML NameID policy _urn:oasis:names:tc:SAML:2.0:nameid-format:persistent_ uses the same unique user identifier as the default `externalId` value used by the SCIM provider. If a SAML application does not send a NameID request, this value is also used as fallback. * [Authentication mode options](https://docs.goauthentik.io/add-secure-apps/providers/scim/#authentication-mode-options) * [Default authentication method for a SCIM provider](https://docs.goauthentik.io/add-secure-apps/providers/scim/#default-authentication-method-for-a-scim-provider) * [OAuth authentication for a SCIM provider](https://docs.goauthentik.io/add-secure-apps/providers/scim/#oauth-authentication-for-a-scim-provider--) * [Syncing](https://docs.goauthentik.io/add-secure-apps/providers/scim/#syncing) * [Attribute mapping](https://docs.goauthentik.io/add-secure-apps/providers/scim/#attribute-mapping) * [Filtering users](https://docs.goauthentik.io/add-secure-apps/providers/scim/#filtering-users) * [Supported options](https://docs.goauthentik.io/add-secure-apps/providers/scim/#supported-options) * [Using in conjunction with other providers](https://docs.goauthentik.io/add-secure-apps/providers/scim/#using-in-conjunction-with-other-providers) --- # Configure an SSF provider | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/ssf/create-ssf-provider/#__docusaurus_skipToContent_fallback) On this page The workflow to implement an SSF provider as a [backchannel provider](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#backchannel-providers) for an application/provider pair is as follows: 1. Create the SSF provider (which serves as the backchannel provider). 2. Create an OIDC provider (which serves as the protocol provider for the application). 3. Create the application, and assign both the OIDC provider and the SSF provider. Create the SSF provider[​](https://docs.goauthentik.io/add-secure-apps/providers/ssf/create-ssf-provider/#create-the-ssf-provider "Direct link to Create the SSF provider") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1. Log in to authentik as an administrator and in the Admin interface navigate to **Applications > Providers**. 2. Click **Create**. 3. In the modal, select the **Provider Type** of **SSF**, and then click **Next**. 4. On the **New provider** page, provide the configuration settings. Be sure to select a **Signing Key**. 5. Click **Finish** to create and save the provider. Create the OIDC provider[​](https://docs.goauthentik.io/add-secure-apps/providers/ssf/create-ssf-provider/#create-the-oidc-provider "Direct link to Create the OIDC provider") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1. Log in to authentik as an administrator and in the Admin interface navigate to **Applications > Providers**. 2. Click **Create**. 3. In the modal, select the **Provider Type** of **OIDC**, and then click **Next**. 4. Define the settings for the provider, and then click **Finish** to save the new provider. Create the application[​](https://docs.goauthentik.io/add-secure-apps/providers/ssf/create-ssf-provider/#create-the-application "Direct link to Create the application") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1. Log in to authentik as an administrator and in the Admin interface navigate to **Applications > Applications**. 2. Click **Create**. 3. Define the settings for the application: * **Name**: define a descriptive name of the application. * **Slug**: optionally define the internal application name used in URLs. * **Group**: optionally select a group that you want to have access to this application. * **Provider**: select the OIDC provider that you created. * **Backchannel Providers**: select the SSF provider you created. * **Policy engine mode**: define policy-based access. * **UI Settings**: optionally define a launch URL, an icon, and other UI elements. 4. Click **Create** to save the new application. The new application, with its OIDC provider and the backchannel SFF provider, should now appear in your list of Applications. * [Create the SSF provider](https://docs.goauthentik.io/add-secure-apps/providers/ssf/create-ssf-provider/#create-the-ssf-provider) * [Create the OIDC provider](https://docs.goauthentik.io/add-secure-apps/providers/ssf/create-ssf-provider/#create-the-oidc-provider) * [Create the application](https://docs.goauthentik.io/add-secure-apps/providers/ssf/create-ssf-provider/#create-the-application) --- # SAML Provider | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/saml/#__docusaurus_skipToContent_fallback) On this page The SAML provider allows you to integrate with Service Providers using the SAML2 protocol. It supports [importing and exporting SAML metadata](https://docs.goauthentik.io/add-secure-apps/providers/saml/#saml-metadata) , [signed requests](https://docs.goauthentik.io/add-secure-apps/providers/saml/#certificates) and uses [property mappings](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/#saml-property-mappings) to align, or "map", Service Provider and authentik attributes. Refer to our documentation to learn how to [create a SAML provider](https://docs.goauthentik.io/add-secure-apps/providers/saml/create-saml-provider/) . SAML bindings and endpoints[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/#saml-bindings-and-endpoints "Direct link to SAML bindings and endpoints") --------------------------------------------------------------------------------------------------------------------------------------------------------------------- Bindings define how SAML messages are exchanged between an Identity Provider (IdP) and a Service Provider (SP), typically a service or application. Both IdPs and SPs define various endpoints in their metadata, each associated with a specific SAML binding. A binding defines how SAML messages are transported over network protocols. In authentik, you can select one of two SAML bindings: `HTTP Redirect` or `HTTP POST`. Endpoint URLs specify where and how the messages are sent according to that binding. The table below shows the supported endpoints for each binding: | Endpoint | URL | | --- | --- | | SSO (Redirect binding) | `/application/saml//sso/binding/redirect/` | | SSO (POST binding) | `/application/saml//sso/binding/post/` | | SSO (IdP-initiated login) | `/application/saml//sso/binding/init/` | | SLO (Redirect binding) | `/application/saml//slo/binding/redirect/` | | SLO (POST binding) | `/application/saml//slo/binding/post/` | | Metadata Download | `/application/saml//metadata/` | SAML metadata[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/#saml-metadata "Direct link to SAML metadata") --------------------------------------------------------------------------------------------------------------------------- SAML Metadata ensures that SAML single sign-on works reliably by exchanging and maintaining identity and connection information. SAML metadata is an XML document that defines how IdPs and SPs securely interact for authentication. It includes information such as endpoints, bindings, certificates, and unique identifiers. ### Importing SP SAML metadata[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/#importing-sp-saml-metadata "Direct link to Importing SP SAML metadata") You can [import SP SAML metadata](https://docs.goauthentik.io/add-secure-apps/providers/saml/create-saml-provider/#create-a-saml-provider-from-sp-metadata-import-sp-metadata) to automatically configure a SAML provider based on the requirements of an SP. ### Exporting authentik SAML metadata[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/#exporting-authentik-saml-metadata "Direct link to Exporting authentik SAML metadata") You can [export SAML metadata from an authentik SAML provider](https://docs.goauthentik.io/add-secure-apps/providers/saml/create-saml-provider/#export-authentik-saml-provider-metadata) to an SP to automatically provide important endpoint and certificate information to the SP. Certificates[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/#certificates "Direct link to Certificates") ------------------------------------------------------------------------------------------------------------------------ Certificates are vital for trust and security during SAML authentication and are used for several purposes. ### Signing certificates[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/#signing-certificates "Direct link to Signing certificates") A signing certificate allows authentik to digitally sign SAML assertions and responses. This certificate contains a private key that creates a cryptographic signature, proving the authenticity and integrity of the transmitted data. The SP then uses the corresponding public key from this certificate to verify the signature. Ensuring the response was not tampered with and that it originated from authentik. #### Signing algorithm[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/#signing-algorithm "Direct link to Signing algorithm") Signing algorithms (such as RSA-SHA256 or ECDSA-SHA256) define the cryptographic method used for creating and validating the signatures. #### Digest algorithm[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/#digest-algorithm "Direct link to Digest algorithm") A digest algorithm is a cryptographic hash function used to create a fixed-size hash (digest) from the data in the SAML assertion or message. authentik computes a digest value using the chosen algorithm (such as SHA-1 or SHA-256), and it is included as part of the digital signature process. The SP uses the same digest algorithm to independently compare it with the received digest to validate the integrity of the received assertion or message. ### Verification certificates[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/#verification-certificates "Direct link to Verification certificates") A verification certificate in authentik acts as the public key used to verify digital signatures on SAML responses and assertions from an SP. When a SAML message is received, authentik validates it by comparing the signature against its configured verification certificate, ensuring that messages originated from the SP. ### Encryption certificates[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/#encryption-certificates "Direct link to Encryption certificates") An encryption certificate is a public key certificate used by authentik to encrypt sensitive data in SAML assertions before sending them to an SP. This ensures that sensitive data within the assertion, such as user attributes and authentication details, remain confidential and can only be decrypted by the SP possessing the corresponding private key. SAML property mappings[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/#saml-property-mappings "Direct link to SAML property mappings") ------------------------------------------------------------------------------------------------------------------------------------------------------ During a SAML authentication process, communication between the SP and the IdP relies on property mappings to align, or "map", user attributes values between the IdP and SP. Each SAML property mapping includes the following fields: * **Name**: The name of the property mapping that's displayed in the authentik admin interface. * **SAML Attribute Name**: The label that maps IdP user information to SP expectations. Can be a URN OID, a schema reference, or any other string. * **Friendly Name**: A human-friendly identifier for a SAML attribute. * **Expression**: The Python expression that maps an authentik user attribute to a value that an SP is expecting. ### Default SAML property mappings[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/#default-saml-property-mappings "Direct link to Default SAML property mappings") The following property mappings are automatically added when you create a new SAML provider and can be removed at will. | Property Mapping Name | SAML Attribute Name | | --- | --- | | authentik default SAML Mapping: Email | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` | | authentik default SAML Mapping: Groups | `http://schemas.xmlsoap.org/claims/Group` | | authentik default SAML Mapping: Name | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` | | authentik default SAML Mapping: UPN | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` | | authentik default SAML Mapping: User ID | `http://schemas.goauthentik.io/2021/02/saml/uid` | | authentik default SAML Mapping: Username | `http://schemas.goauthentik.io/2021/02/saml/username` | | authentik default SAML Mapping: WindowsAccountName (Username) | `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname` | The default SAML property mappings can be viewed on the **Property Mappings** page of the admin interface by disabling the **Hide managed mappings** toggle. ### Custom SAML property mappings[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/#custom-saml-property-mappings "Direct link to Custom SAML property mappings") If there is not already a property mapping that maps the user attributes that your SP requires, you can [create a custom property mapping](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/) or edit one of the existing mappings. For example, some SPs require users' first name (givenname) and last name (surname) attributes to be provided separately. However, the `authentik default SAML Mapping: Name` property mapping returns both attributes as one string. The following custom property mappings can be useful in such cases: #### `surname`[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/#surname "Direct link to surname") * SAML Attribute Name: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname` * Expression: return request.user.name.rsplit(" ", 1)[-1] #### `givenname`[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/#givenname "Direct link to givenname") * SAML Attribute Name: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname` * Expression: return request.user.name.split(" ", 1)[0] NameID[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/#nameid "Direct link to NameID") ------------------------------------------------------------------------------------------------------ The NameID attribute acts as a unique identifier for a user. While other attributes might change (givenname, email address, etc) the NameID attribute is persistent and should never change. When the IdP sends a SAML assertion to the SP, the NameID is the unique identifier used to represent a specific user in the assertion. It's not used for authentication itself, only for identification purposes in the assertion. ### NameID property mapping[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/#nameid-property-mapping "Direct link to NameID property mapping") In authentik, it's possible to configure which property mapping will be used to create the NameID value. The **NameID property mapping** field on a SAML provider can be set to any property mapping that's enabled on a SAML provider. When left empty, the NameID Policy of the incoming SP request will be respected. ### Default NameID policy[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/#default-nameid-policy "Direct link to Default NameID policy") In authentik, it's also possible to configure the default SAML NameID policy used for IDP-initiated logins or when an incoming SP assertion doesn't specify a NameID policy (also applies when using a custom NameID Mapping). The following table outlines how NameID policies are handled: | Default NameID policy | How authentik will handle the NameID | | --- | --- | | Persistent - `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` | NameID will be set to the user's hashed ID. | | x509 Subject - `urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName` | NameID will be set to the user's `distinguishedName` attribute. This attribute is set by the LDAP source by default. If the attribute does not exist, it will fall back the persistent identifier. | | Windows - `urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName` | NameID will be set to the user's UPN. This is also set by the LDAP source, and also falls back to the persistent identifier. | | Transient - `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` | NameID will be set based on the user's session ID. | | Email address - `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` | NameID will be set to the user's email address. | warning By default, users are free to change their email addresses. Therefore, it is recommended to either: disallow changing email addresses or, if possible, avoid using a user's email address as the NameID attribute. AuthnContextClassRef[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/#authncontextclassref "Direct link to AuthnContextClassRef") ------------------------------------------------------------------------------------------------------------------------------------------------ The AuthnContextClassRef attribute appears in the SAML assertion and contains a URI that describes the assurance level, such as password, multi-factor, or smartcard authentication. SPs use this information to understand and verify how the user was authenticated by an IdP. In authentik, it's possible to set the AuthnContextClassRef attribute to any property mapping that's enabled on a SAML provider. This is done via the **AuthnContextClassRef Property Mapping** on a SAML provider. Alternatively, when the **AuthnContextClassRef Property Mapping** field is left unpopulated on a SAML provider, the AuthnContextClassRef will be set based on the method that the user authenticated with. * [SAML bindings and endpoints](https://docs.goauthentik.io/add-secure-apps/providers/saml/#saml-bindings-and-endpoints) * [SAML metadata](https://docs.goauthentik.io/add-secure-apps/providers/saml/#saml-metadata) * [Importing SP SAML metadata](https://docs.goauthentik.io/add-secure-apps/providers/saml/#importing-sp-saml-metadata) * [Exporting authentik SAML metadata](https://docs.goauthentik.io/add-secure-apps/providers/saml/#exporting-authentik-saml-metadata) * [Certificates](https://docs.goauthentik.io/add-secure-apps/providers/saml/#certificates) * [Signing certificates](https://docs.goauthentik.io/add-secure-apps/providers/saml/#signing-certificates) * [Verification certificates](https://docs.goauthentik.io/add-secure-apps/providers/saml/#verification-certificates) * [Encryption certificates](https://docs.goauthentik.io/add-secure-apps/providers/saml/#encryption-certificates) * [SAML property mappings](https://docs.goauthentik.io/add-secure-apps/providers/saml/#saml-property-mappings) * [Default SAML property mappings](https://docs.goauthentik.io/add-secure-apps/providers/saml/#default-saml-property-mappings) * [Custom SAML property mappings](https://docs.goauthentik.io/add-secure-apps/providers/saml/#custom-saml-property-mappings) * [NameID](https://docs.goauthentik.io/add-secure-apps/providers/saml/#nameid) * [NameID property mapping](https://docs.goauthentik.io/add-secure-apps/providers/saml/#nameid-property-mapping) * [Default NameID policy](https://docs.goauthentik.io/add-secure-apps/providers/saml/#default-nameid-policy) * [AuthnContextClassRef](https://docs.goauthentik.io/add-secure-apps/providers/saml/#authncontextclassref) --- # Working with blueprints | authentik [Skip to main content](https://docs.goauthentik.io/customize/blueprints/working_with_blueprints/#__docusaurus_skipToContent_fallback) On this page For an overview of what blueprints are, how they're executed, and where they are stored, see the [Blueprints overview](https://docs.goauthentik.io/customize/blueprints/) documentation. To export configurations (including custom flows) to create a blueprint, read our [Export](https://docs.goauthentik.io/customize/blueprints/export/) documentation. The docs below cover applying, creating, editing, and managing blueprints. Apply a blueprint[​](https://docs.goauthentik.io/customize/blueprints/working_with_blueprints/#apply-a-blueprint "Direct link to Apply a blueprint") ----------------------------------------------------------------------------------------------------------------------------------------------------- To _apply_ a blueprint is to have authentik read and execute the contents of a blueprint file. authentik provides many out-of-the-box blueprints, which can be applied either as a [blueprint instance](https://docs.goauthentik.io/customize/blueprints/#blueprint-instance) or as an [imported flow](https://docs.goauthentik.io/customize/blueprints/#imported-flow) . ### Add and apply a new blueprint instance[​](https://docs.goauthentik.io/customize/blueprints/working_with_blueprints/#add-and-apply-a-new-blueprint-instance "Direct link to Add and apply a new blueprint instance") 1. Log in to authentik as an administrator and open the Admin interface. 2. Navigate to **Customization** > **Blueprints**. 3. Click **Create** and define the new blueprint instance. * **Name**: provide a descriptive name. * **Enabled**: toggle on or off. Disabled blueprints cannot be applied. * **Blueprint**: select the source for this instance. You can choose a file from a **Local path**, an **OCI registry**, or **Internal** (paste file contents directly, stored in database). * **Additional Settings**: * **Context**: add any [`key:value` context variable](https://docs.goauthentik.io/customize/blueprints/#blueprint-execution) used in the blueprint instance. 4. Click **Create** to save the new blueprint instance. This file is read and applied regularly by authentik. ### Apply a new flow[​](https://docs.goauthentik.io/customize/blueprints/working_with_blueprints/#apply-a-new-flow "Direct link to Apply a new flow") You can apply a new flow from either the **Flows** page or the **Blueprints** page. #### Flows page[​](https://docs.goauthentik.io/customize/blueprints/working_with_blueprints/#flows-page "Direct link to Flows page") 1. Log in to authentik as an administrator and open the Admin interface. 2. Navigate to **Flows and Stages > Flows**, then click **Import**. 3. Under **Flow**, select the YAML file to import. Typically this is a file you [exported](https://docs.goauthentik.io/customize/blueprints/export/) and saved to your local file system. #### Blueprints page[​](https://docs.goauthentik.io/customize/blueprints/working_with_blueprints/#blueprints-page "Direct link to Blueprints page") 1. Log in to authentik as an administrator and open the Admin interface. 2. Navigate to **Customization > Blueprints**. 3. Select the blueprint, and, under **Actions**, click the **Apply** icon. Download example flows You can download our [example flows](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/flows/) and import them into your authentik instance. Edit a blueprint instance or flow[​](https://docs.goauthentik.io/customize/blueprints/working_with_blueprints/#edit-a-blueprint-instance-or-flow "Direct link to Edit a blueprint instance or flow") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * To edit a blueprint instance, navigate to **Customization** > **Blueprints** in the Admin interface and click the **Edit** icon of the instance. Alternatively, edit the YAML file directly. * To edit a flow, navigate to **Flows and Stages > Flows** in the Admin interface and click **Edit** next to the flow you want to modify. Delete a blueprint instance or flow[​](https://docs.goauthentik.io/customize/blueprints/working_with_blueprints/#delete-a-blueprint-instance-or-flow "Direct link to Delete a blueprint instance or flow") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * To delete a blueprint instance, go to **Customization** > **Blueprints**, select the checkbox next to the instance, and click **Delete**. You can recreate and apply it by creating a new blueprint instance and selecting the file in the **Create** page, under **Path**.. * To delete a flow, navigate to **Flows and Stages** > **Flows**, select the checkbox next to the flow, and click **Delete**. You can re-import the flow later by repeating the import steps in the previous section. * [Apply a blueprint](https://docs.goauthentik.io/customize/blueprints/working_with_blueprints/#apply-a-blueprint) * [Add and apply a new blueprint instance](https://docs.goauthentik.io/customize/blueprints/working_with_blueprints/#add-and-apply-a-new-blueprint-instance) * [Apply a new flow](https://docs.goauthentik.io/customize/blueprints/working_with_blueprints/#apply-a-new-flow) * [Edit a blueprint instance or flow](https://docs.goauthentik.io/customize/blueprints/working_with_blueprints/#edit-a-blueprint-instance-or-flow) * [Delete a blueprint instance or flow](https://docs.goauthentik.io/customize/blueprints/working_with_blueprints/#delete-a-blueprint-instance-or-flow) --- # Meta models | authentik [Skip to main content](https://docs.goauthentik.io/customize/blueprints/v1/meta/#__docusaurus_skipToContent_fallback) On this page Since blueprints have a pretty strict mapping of each entry mapping to an instance of a model in the database, _meta models_ exist to trigger other actions within authentik that don't directly map to a model. ### `authentik_blueprints.metaapplyblueprint`[​](https://docs.goauthentik.io/customize/blueprints/v1/meta/#authentik_blueprintsmetaapplyblueprint "Direct link to authentik_blueprintsmetaapplyblueprint") This meta model can be used to apply another blueprint instance within a blueprint instance. This allows for dependency management and ensuring related objects are created. See [examples](https://github.com/search?q=repo%3Agoauthentik%2Fauthentik+path%3A%2F%5Eblueprints%5C%2F%2F+metaapplyblueprint&type=code) in the default blueprints for more information. #### Attributes[​](https://docs.goauthentik.io/customize/blueprints/v1/meta/#attributes "Direct link to Attributes") * `identifiers`: Key-value attributes used to match the blueprint instance Example: attrs: identifiers: name: Default - Password change flow * `required`: (Default: `true`) Configure if the blueprint instance must exist If this is set to `true` and no blueprint instance matches the query above, an error will be thrown. Otherwise, execution will continue without applying anything extra. * [`authentik_blueprints.metaapplyblueprint`](https://docs.goauthentik.io/customize/blueprints/v1/meta/#authentik_blueprintsmetaapplyblueprint) --- # File structure | authentik [Skip to main content](https://docs.goauthentik.io/customize/blueprints/v1/structure/#__docusaurus_skipToContent_fallback) On this page Blueprints are YAML files, which can use some additional tags to ease blueprint creation. Schema[​](https://docs.goauthentik.io/customize/blueprints/v1/structure/#schema "Direct link to Schema") --------------------------------------------------------------------------------------------------------- The blueprint schema is available under `https://goauthentik.io/blueprints/schema.json`. It is also possible to target a specific version's blueprint schema by using `https://version-2023-4.goauthentik.io/blueprints/schema.json`. To use the schema with Visual Studio code and the YAML extension, add this comment at the top of your blueprint files: # yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json Example[​](https://docs.goauthentik.io/customize/blueprints/v1/structure/#example "Direct link to Example") ------------------------------------------------------------------------------------------------------------ # yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json# The version of this blueprint, currently 1version: 1# Optional block of metadata, name is required if metadata is setmetadata: # Arbitrary key=value store, special labels are listed below labels: foo: bar name: example-blueprint# Optional default context, instance context is merged over this.context: foo: bar# List of entries (required)entries: - # Model in app.model notation, possibilities are listed in the schema (required) model: authentik_flows.flow # The state this object should be in (optional, can be "present", "created", "must_created", or "absent") # - present (default): Creates the object if it doesn't exist, or updates the fields # specified in attrs if it does exist. This will overwrite any manual changes to those # fields, but fields not in attrs are left unchanged. # - created: Creates the object if it doesn't exist, but never updates it afterward. # Manual changes are preserved. # - must_created: Creates the object only if it doesn't exist. If the object already exists, # the blueprint will fail with a validation error. # - absent: Deletes the object if it exists. This uses Django's .delete() which may # cascade to related objects (e.g., deleting a Flow will delete its FlowStageBindings). state: present # An optional list of boolean-like conditions. If all conditions match (or # no conditions are provided) the entry will be evaluated and acted upon # as normal. Otherwise, the entry is skipped as if not defined at all. # Each condition will be evaluated in Python to its boolean representation # bool(). Furthermore, complex conditions can be built using # a special !Condition tag. See the documentattion for custom tags for more # information. conditions: - true - text - 2 - !Condition [AND, ...] # See custom tags section # Key:value filters to uniquely identify this object (required) # On creation: identifiers are merged with attrs to create the object # On lookup: identifiers are used to find existing objects (using OR logic - see below) # On update: only attrs are applied (if state is present) # # Multiple identifiers create an OR query: an object matches if ANY identifier matches. # Example: identifiers with both slug and pk will match if either the slug OR pk matches. # # Dictionary values use Django's __contains query for JSON field matching: # identifiers: # attributes: {foo: bar} # Matches if attributes JSON contains {"foo": "bar"} identifiers: slug: initial-setup # Optional ID for use with !KeyOf id: flow # Attributes to set on the object. Only explicitly required settings should be stated # as these values will override existing attributes. # Note: When creating objects, both identifiers and attrs are merged together. # On updates (state: present), only fields specified in attrs are modified - other # fields (like auto-generated client_id/client_secret) are left unchanged. attrs: denied_action: message_continue designation: stage_configuration name: default-oobe-setup title: Welcome to authentik! # Optionally set object-level permissions on the object # Requires authentik 2024.8 permissions: - permission: inspect_flow user: !Find [authentik_core.user, [username, akadmin]] Special Labels[​](https://docs.goauthentik.io/customize/blueprints/v1/structure/#special-labels "Direct link to Special Labels") --------------------------------------------------------------------------------------------------------------------------------- #### `blueprints.goauthentik.io/system`:[​](https://docs.goauthentik.io/customize/blueprints/v1/structure/#blueprintsgoauthentikiosystem "Direct link to blueprintsgoauthentikiosystem") Used by authentik's packaged blueprints to keep globals up-to-date. Should only be removed in special cases. #### `blueprints.goauthentik.io/instantiate`:[​](https://docs.goauthentik.io/customize/blueprints/v1/structure/#blueprintsgoauthentikioinstantiate "Direct link to blueprintsgoauthentikioinstantiate") Configure if this blueprint should automatically be instantiated (defaults to `"true"`). When set to `"false"`, blueprints are listed and available to be instantiated via API/Browser. #### `blueprints.goauthentik.io/description`:[​](https://docs.goauthentik.io/customize/blueprints/v1/structure/#blueprintsgoauthentikiodescription "Direct link to blueprintsgoauthentikiodescription") Optionally set a description, which can be seen in the web interface. * [Schema](https://docs.goauthentik.io/customize/blueprints/v1/structure/#schema) * [Example](https://docs.goauthentik.io/customize/blueprints/v1/structure/#example) * [Special Labels](https://docs.goauthentik.io/customize/blueprints/v1/structure/#special-labels) --- # nginx | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/proxy/server_nginx/#__docusaurus_skipToContent_fallback) The configuration templates shown below apply to both single-application and domain-level forward auth. info _example-outpost_ is used as a placeholder for the outpost name. _authentik.company_ is used as a placeholder for the authentik install. _app.company_ is used as a placeholder for the external domain for the application. _outpost.company_ is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as _authentik.company_ * Standalone nginx * Ingress * Nginx Proxy Manager # Upgrade WebSocket if requested, otherwise use keepalivemap $http_upgrade $connection_upgrade_keepalive { default upgrade; '' '';}server { # SSL and VHost configuration listen 443 ssl http2; server_name _; ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; # Increase buffer size for large headers # This is needed only if you get 'upstream sent too big header while reading response # header from upstream' error when trying to access an application protected by goauthentik proxy_buffers 8 16k; proxy_buffer_size 32k; location / { # Put your proxy_pass to your application here, and all the other statements you'll need # proxy_pass http://localhost:5000; # proxy_set_header Host $host; # proxy_set_header ... # Support for websocket proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade_keepalive; ############################## # authentik-specific config ############################## auth_request /outpost.goauthentik.io/auth/nginx; error_page 401 = @goauthentik_proxy_signin; auth_request_set $auth_cookie $upstream_http_set_cookie; add_header Set-Cookie $auth_cookie; # translate headers from the outposts back to the actual upstream auth_request_set $authentik_username $upstream_http_x_authentik_username; auth_request_set $authentik_groups $upstream_http_x_authentik_groups; auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements; auth_request_set $authentik_email $upstream_http_x_authentik_email; auth_request_set $authentik_name $upstream_http_x_authentik_name; auth_request_set $authentik_uid $upstream_http_x_authentik_uid; proxy_set_header X-authentik-username $authentik_username; proxy_set_header X-authentik-groups $authentik_groups; proxy_set_header X-authentik-entitlements $authentik_entitlements; proxy_set_header X-authentik-email $authentik_email; proxy_set_header X-authentik-name $authentik_name; proxy_set_header X-authentik-uid $authentik_uid; # This section should be uncommented when the "Send HTTP Basic authentication" option # is enabled in the proxy provider # auth_request_set $authentik_auth $upstream_http_authorization; # proxy_set_header Authorization $authentik_auth; } # all requests to /outpost.goauthentik.io must be accessible without authentication location /outpost.goauthentik.io { # When using the embedded outpost, use: proxy_pass http://authentik.company:9000/outpost.goauthentik.io; # For manual outpost deployments: # proxy_pass http://outpost.company:9000; # Note: ensure the Host header matches your external authentik URL: proxy_set_header Host $host; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; add_header Set-Cookie $auth_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie; proxy_pass_request_body off; proxy_set_header Content-Length ""; } # Special location for when the /auth endpoint returns a 401, # redirect to the /start URL which initiates SSO location @goauthentik_proxy_signin { internal; add_header Set-Cookie $auth_cookie; return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri; # For domain level, use the below error_page to redirect to your authentik server with the full redirect path # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri; }} Create a new ingress for the outpost apiVersion: networking.k8s.io/v1kind: Ingressmetadata: name: authentik-outpostspec: rules: - host: app.company http: paths: - path: /outpost.goauthentik.io pathType: Prefix backend: # Or, to use an external Outpost, create an ExternalName service and reference that here. # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname service: name: ak-outpost-example-outpost port: number: 9000 This ingress handles authentication requests, and the sign-in flow. Add these annotations to the ingress you want to protect warning This configuration requires that you enable [`allow-snippet-annotations`](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#allow-snippet-annotations) , for example by setting `controller.allowSnippetAnnotations` to `true` in your helm values for the ingress-nginx installation. metadata: annotations: # This should be the in-cluster DNS name for the authentik outpost service # as when the external URL is specified here, nginx will overwrite some crucial headers nginx.ingress.kubernetes.io/auth-url: |- http://ak-outpost-example.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx # If you're using domain-level auth, use the authentication URL instead of the application URL nginx.ingress.kubernetes.io/auth-signin: |- https://app.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$escaped_request_uri nginx.ingress.kubernetes.io/auth-response-headers: |- Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid nginx.ingress.kubernetes.io/auth-snippet: | proxy_set_header X-Forwarded-Host $http_host; # Increase buffer size for large headers# This is needed only if you get 'upstream sent too big header while reading response# header from upstream' error when trying to access an application protected by goauthentikproxy_buffers 8 16k;proxy_buffer_size 32k;# Make sure not to redirect traffic to a port 4443port_in_redirect off;location / { # Put your proxy_pass to your application here proxy_pass $forward_scheme://$server:$port; # Set any other headers your application might need # proxy_set_header Host $host; # proxy_set_header ... # Support for websocket proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_http_version 1.1; ############################## # authentik-specific config ############################## auth_request /outpost.goauthentik.io/auth/nginx; error_page 401 = @goauthentik_proxy_signin; auth_request_set $auth_cookie $upstream_http_set_cookie; add_header Set-Cookie $auth_cookie; # translate headers from the outposts back to the actual upstream auth_request_set $authentik_username $upstream_http_x_authentik_username; auth_request_set $authentik_groups $upstream_http_x_authentik_groups; auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements; auth_request_set $authentik_email $upstream_http_x_authentik_email; auth_request_set $authentik_name $upstream_http_x_authentik_name; auth_request_set $authentik_uid $upstream_http_x_authentik_uid; proxy_set_header X-authentik-username $authentik_username; proxy_set_header X-authentik-groups $authentik_groups; proxy_set_header X-authentik-entitlements $authentik_entitlements; proxy_set_header X-authentik-email $authentik_email; proxy_set_header X-authentik-name $authentik_name; proxy_set_header X-authentik-uid $authentik_uid; # This section should be uncommented when the "Send HTTP Basic authentication" option # is enabled in the proxy provider # auth_request_set $authentik_auth $upstream_http_authorization; # proxy_set_header Authorization $authentik_auth;}# all requests to /outpost.goauthentik.io must be accessible without authenticationlocation /outpost.goauthentik.io { # When using the embedded outpost, use: proxy_pass http://authentik.company:9000/outpost.goauthentik.io; # For manual outpost deployments: # proxy_pass http://outpost.company:9000; # Note: ensure the Host header matches your external authentik URL: proxy_set_header Host $host; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; add_header Set-Cookie $auth_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie; proxy_pass_request_body off; proxy_set_header Content-Length "";}# Special location for when the /auth endpoint returns a 401,# redirect to the /start URL which initiates SSOlocation @goauthentik_proxy_signin { internal; add_header Set-Cookie $auth_cookie; return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri; # For domain level, use the below error_page to redirect to your authentik server with the full redirect path # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;} --- # SAML Single Logout | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/#__docusaurus_skipToContent_fallback) On this page [Single Logout (SLO)](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/) allows authentik to log out users from all configured providers simultaneously when they sign out of authentik. For SAML providers, this requires your service provider to support Single Logout via a Single Logout Service URL. Check your provider's documentation to confirm Single Logout support. Configure your SAML provider[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/#configure-your-saml-provider "Direct link to Configure your SAML provider") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- To enable single logout, add a **Single Logout Service URL** to your SAML provider. The URL is the service provider’s endpoint to which authentik sends logout requests. 1. Log in to authentik as an administrator and open the authentik Admin interface 2. Navigate to **Applications** > **Providers** 3. Click the edit icon of the SAML provider that you want to configure for SLO 4. Set the **SLS URL** field to your service provider's logout endpoint 5. Select the appropriate **SLS Binding**: * **Redirect** - Uses HTTP redirects to send logout requests to the provider (front-channel only) * **POST** - Supports both front-channel and back-channel logout methods 6. Select the appropriate **Logout Method**: * **Front-channel iframe** - Performs parallel logout requests using hidden iframes. Supports both Redirect and POST bindings * **Front-channel native** - Uses the active browser tab to chain redirects and POST requests for sequential logout. Supports both Redirect and POST bindings * **Back-channel** - Performs server-to-server POST requests to log out the user. Requires POST SLS binding. Users are logged out even when their session is administratively terminated 7. (Optional) Enable **Sign Logout Request** to cryptographically sign SAML logout requests sent to the service provider 8. Click **Finish** info Back-channel logout ensures users are logged out even when their session is terminated administratively (e.g., when a user is deactivated or their session is deleted). This requires POST SLS binding. How SAML Single Logout Works[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/#how-saml-single-logout-works "Direct link to How SAML Single Logout Works") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- When a user logs out of authentik through a logout flow, authentik initiates the single logout process for all SAML providers configured with an SLS URL and logout method. ### Front-channel iframe logout[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/#front-channel-iframe-logout "Direct link to Front-channel iframe logout") With front-channel iframe logout, authentik injects an iframe logout stage into the logout flow. This stage loads all provider logout URLs simultaneously in hidden iframes within the browser, allowing parallel logout across multiple providers. After all iframes complete their requests, the user continues through the authentik logout flow. ### Front-channel native logout[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/#front-channel-native-logout "Direct link to Front-channel native logout") With front-channel native logout, authentik chains logout requests sequentially using the active browser tab. For POST bindings, the browser automatically submits forms to each provider. For Redirect bindings, the browser follows redirect URLs. Each provider returns the user to authentik who redirects to the next provider. After all providers have been visited, the user completes the authentik logout flow. ### Back-channel logout[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/#back-channel-logout "Direct link to Back-channel logout") With back-channel logout, authentik sends SAML logout requests directly from the server to each provider's SLS URL via HTTP POST. This happens asynchronously and does not require browser interaction. Back-channel logout is also triggered automatically when: * A user's session is administratively deleted. * A user account is deactivated. info Back-channel logout requires POST SLS binding. Binding Comparison[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/#binding-comparison "Direct link to Binding Comparison") ------------------------------------------------------------------------------------------------------------------------------------------------------------- | Feature | Redirect Binding | POST Binding | | --- | --- | --- | | Front-channel iframe | ✅ Supported | ✅ Supported | | Front-channel native | ✅ Supported | ✅ Supported | | Back-channel | ❌ Not supported | ✅ Supported | | Request sent via | URL query parameters | HTTP POST body | | Maximum data size | Limited by URL length | Large requests supported | SAML session tracking[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/#saml-session-tracking "Direct link to SAML session tracking") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- authentik tracks SAML sessions for each provider to support single logout. When a user successfully authenticates to a SAML provider, authentik creates a `SAMLSession` record containing: * The SAML `SessionIndex` * The `NameID` and `NameID format` used for the session * A link to the user's authenticated session These session records are used to generate proper SAML logout requests with the correct `SessionIndex` and `NameID` values that the service provider expects. Resources[​](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/#resources "Direct link to Resources") ---------------------------------------------------------------------------------------------------------------------------------- * [Single Logout (SLO) Overview](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/) * [User Logout Stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_logout/) * [SAML Profiles 2.0 Specification](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) * [Configure your SAML provider](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/#configure-your-saml-provider) * [How SAML Single Logout Works](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/#how-saml-single-logout-works) * [Front-channel iframe logout](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/#front-channel-iframe-logout) * [Front-channel native logout](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/#front-channel-native-logout) * [Back-channel logout](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/#back-channel-logout) * [Binding Comparison](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/#binding-comparison) * [SAML session tracking](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/#saml-session-tracking) * [Resources](https://docs.goauthentik.io/add-secure-apps/providers/saml/saml_single_logout/#resources) --- # Background tasks | authentik [Skip to main content](https://docs.goauthentik.io/background-tasks/#__docusaurus_skipToContent_fallback) On this page authentik uses background tasks to run various operations independently and asynchronously, separated from the continuous web requests processed for general user interaction. These background tasks are run by the [worker](https://docs.goauthentik.io/worker/) . What are background tasks used for?[​](https://docs.goauthentik.io/background-tasks/#what-are-background-tasks-used-for "Direct link to What are background tasks used for?") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Here is a non-exhaustive list of what background tasks are used for: * Outposts: manage [outpost](https://docs.goauthentik.io/add-secure-apps/outposts/) deployments, send notifications to outpost when a refresh is needed * Housekeeping: clean up old objects, check for updates, etc. * Blueprints: import and apply [Blueprints](https://docs.goauthentik.io/customize/blueprints/) * Synchronization: sync users to and from authentik, from sources and to providers. This is used by: * [SCIM Provider](https://docs.goauthentik.io/add-secure-apps/providers/scim/) * [Google Workspace Provider](https://docs.goauthentik.io/add-secure-apps/providers/gws/) * [Microsoft Entra Provider](https://docs.goauthentik.io/add-secure-apps/providers/entra/) * [SSF Provider](https://docs.goauthentik.io/add-secure-apps/providers/ssf/) * [Kerberos Source](https://docs.goauthentik.io/users-sources/sources/protocols/kerberos/) * [LDAP Source](https://docs.goauthentik.io/users-sources/sources/protocols/ldap/) * Enterprise [license management](https://docs.goauthentik.io/enterprise/manage-enterprise/#license-management) * Event Notifications: send [Notifications](https://docs.goauthentik.io/sys-mgmt/events/notifications/) when events are created * Emails: send emails when triggered by one of the email stages or otherwise Schedules[​](https://docs.goauthentik.io/background-tasks/#schedules "Direct link to Schedules") ------------------------------------------------------------------------------------------------- authentik runs some tasks on a schedule. Schedules can be [configured](https://docs.goauthentik.io/background-tasks/#schedule-configuration) or manually triggered by clicking the play arrow. Manual triggering behavior When you manually trigger a schedule using the play arrow, it will run immediately but the "Next run" time will not be updated. The "Next run" field only reflects when the automatic scheduler will dispatch the task according to its cron schedule. Tasks statuses[​](https://docs.goauthentik.io/background-tasks/#tasks-statuses "Direct link to Tasks statuses") ---------------------------------------------------------------------------------------------------------------- A task can have the following statuses: * **Successful**: the task executed successfully. No extra action is required. * **Warning**: the task emitted a warning. Look at the task logs for further information. See [Failed tasks](https://docs.goauthentik.io/background-tasks/#failed-tasks) for more details. * **Error**: the task failed to process. Either the task threw an exception, or reported an other error. Look at the task logs for further information. See [Failed tasks](https://docs.goauthentik.io/background-tasks/#failed-tasks) for more details. * **Waiting to run**: the task has been queued for running, but no worker has picked it up yet, either because none are available, they are already busy, or because it's just been queued. * **Consumed**: the task has been picked up by a worker. * **Pre-processing**: the task is being prepared to run. * **Running**: the task is currently running. * **Post-processing**: the task has finished running and is being cleaned up. Manage background tasks[​](https://docs.goauthentik.io/background-tasks/#manage-background-tasks "Direct link to Manage background tasks") ------------------------------------------------------------------------------------------------------------------------------------------- ### View system tasks[​](https://docs.goauthentik.io/background-tasks/#view-system-tasks "Direct link to View system tasks") You can view and manage all background tasks and schedules from the Admin interface. However, by default, tasks are shown _as close as possible_ to their relevant objects. For instance, LDAP source synchronization tasks and schedules are shown on the LDAP source detail page. When a task or a schedule cannot be associated to an object (for example, housekeeping tasks), it is referred to as "standalone" and is displayed under **Dashboards** > **System Tasks**. Note that tasks created from a schedule are associated to that schedule and thus are not considered standalone. Both schedule and task items can be expanded to view additional details about them. If you cannot find the object to which a task or schedule is attached, deselect the "Show only standalone tasks/schedules" toggle on the **System Tasks** page to show all tasks and schedules, including the ones that are attached to objects. By default, successful tasks are hidden to minimize the number of shown items. Deselect "Exclude successful tasks" to display them. ### Schedule configuration[​](https://docs.goauthentik.io/background-tasks/#schedule-configuration "Direct link to Schedule configuration") When the authentik system creates a schedule it is assigned a default interval. The schedule uses a format based on [unix-cron](https://man7.org/linux/man-pages/man5/crontab.5.html) . To change that interval, click the Edit icon for the specific schedule and update it. warning Some tasks are required to run at regular intervals. For tuning reasons we recommend editing the intervals only for synchronization schedules, not for other types of schedules. "Next run" in the past If the "Next run" field appears to be in the past, this is normal and expected. It simply means the scheduler will dispatch the task the next time the scheduler runs. By default, the scheduler runs every 60 seconds (configurable via [`AUTHENTIK_WORKER__SCHEDULER_INTERVAL`](https://docs.goauthentik.io/install-config/configuration/#authentik_worker__scheduler_interval) ). Schedules can also be _paused_ to prevent new tasks to be created from them. They can still be triggered manually while paused. When you un-pause a schedule, it will be triggered immediately. ### Failed tasks[​](https://docs.goauthentik.io/background-tasks/#failed-tasks "Direct link to Failed tasks") When a task fails, i.e. when the code throws an exception, the task will be retried as many times as the value configured in [`AUTHENTIK_WORKER__TASK_MAX_RETRIES`](https://docs.goauthentik.io/install-config/configuration/#authentik_worker__task_max_retries) . Tasks that self-reported an error or a warning will not be retried. Failed tasks will be displayed like any other tasks. Each task can be expanded to show its logs. The logs are split into two parts: "Current execution logs" for the current execution, and "Previous execution logs" for logs from previous executions that happened before a retry was initiated. The information contained in the logs indicate either a transient error (a network connection failed for example), a mis-configuration (wrong password set in the LDAP source for example), or a bug in authentik. #### Restarting tasks[​](https://docs.goauthentik.io/background-tasks/#restarting-tasks "Direct link to Restarting tasks") To restart a task, click the retry arrow next to the task. It will be queued again and picked up by a worker. info To retry tasks created from a schedule, we recommend manually triggering the schedule (click the Run arrow beside the schedule) instead of restarting one of its tasks. * [What are background tasks used for?](https://docs.goauthentik.io/background-tasks/#what-are-background-tasks-used-for) * [Schedules](https://docs.goauthentik.io/background-tasks/#schedules) * [Tasks statuses](https://docs.goauthentik.io/background-tasks/#tasks-statuses) * [Manage background tasks](https://docs.goauthentik.io/background-tasks/#manage-background-tasks) * [View system tasks](https://docs.goauthentik.io/background-tasks/#view-system-tasks) * [Schedule configuration](https://docs.goauthentik.io/background-tasks/#schedule-configuration) * [Failed tasks](https://docs.goauthentik.io/background-tasks/#failed-tasks) --- # Example | authentik [Skip to main content](https://docs.goauthentik.io/customize/blueprints/v1/example/#__docusaurus_skipToContent_fallback) This is one of the default packaged blueprints to create the default authentication flow. version: 1metadata: name: Default - Authentication flowentries: # Order of entries is important when using !KeyOf, as tags are evaluated in order they are in # the document - attrs: # Only options that are required should be set here. Default values should not be stated # here, as they will prevent anyone from overwriting the value designation: authentication name: Welcome to authentik! title: Welcome to authentik! identifiers: slug: default-authentication-flow model: authentik_flows.flow id: flow - attrs: configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]] identifiers: name: default-authentication-password id: default-authentication-password model: authentik_stages_password.passwordstage - identifiers: name: default-authentication-mfa-validation # If we're fine with all defaults, `attrs` can be omitted id: default-authentication-mfa-validation model: authentik_stages_authenticator_validate.authenticatorvalidatestage - identifiers: name: default-authentication-identification id: default-authentication-identification model: authentik_stages_identification.identificationstage - attrs: session_duration: seconds=0 identifiers: name: default-authentication-login id: default-authentication-login model: authentik_stages_user_login.userloginstage - identifiers: order: 10 stage: !KeyOf default-authentication-identification target: !KeyOf flow model: authentik_flows.flowstagebinding - identifiers: order: 20 stage: !KeyOf default-authentication-password target: !KeyOf flow model: authentik_flows.flowstagebinding - identifiers: order: 30 stage: !KeyOf default-authentication-mfa-validation target: !KeyOf flow model: authentik_flows.flowstagebinding - identifiers: order: 100 stage: !KeyOf default-authentication-login target: !KeyOf flow model: authentik_flows.flowstagebinding --- # Customize a flow | authentik [Skip to main content](https://docs.goauthentik.io/customize/interfaces/flow/#__docusaurus_skipToContent_fallback) On this page Typically, settings for flows are defined as defaults in the [Brand settings](https://docs.goauthentik.io/brands/) . However, it’s important to note that some flows are executed before the specific user is authenticated and thus before authentik can determine which user is viewing the flow (for example, the `default-authentication-flow`!). Consequently, using default settings for all flows ensures a more consistent user experience. Two settings that you can configure per flow are the _background image_ for the flow, and the _layout_. Customize a flow's background image[​](https://docs.goauthentik.io/customize/interfaces/flow/#customize-a-flows-background-image "Direct link to Customize a flow's background image") --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- You can define a: * Default background image for all flows, set in the instance's [brand](https://docs.goauthentik.io/brands/) * A background image for [one or more specific flows](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/#flow-configuration-options) (overrides the default) Set the layout for a flow[​](https://docs.goauthentik.io/customize/interfaces/flow/#set-the-layout-for-a-flow "Direct link to Set the layout for a flow") ---------------------------------------------------------------------------------------------------------------------------------------------------------- To define the layout for a flow, edit the flow and under **Appearance settings > Layout** select how the UI displays the flow when it is executed; with stacked elements, content left or right, and sidebar left or right. * [Customize a flow's background image](https://docs.goauthentik.io/customize/interfaces/flow/#customize-a-flows-background-image) * [Set the layout for a flow](https://docs.goauthentik.io/customize/interfaces/flow/#set-the-layout-for-a-flow) --- # Policies | authentik [Skip to main content](https://docs.goauthentik.io/customize/policies/#__docusaurus_skipToContent_fallback) On this page Policies provide customization and flexibility when defining your users' login and authentication experience. In effect, policies determine whether or not a specific stage is applied to a flow, or whether certain users can even access the flow. For example, you can create a policy that, for certain users, skips over a stage that prompts for MFA input. Or, you can define a policy that allows users to access a login flow only if the policy criteria are met. See below for other policies, including the reputation policy and an events-driven policy to manage notifications. Create and manage policies[​](https://docs.goauthentik.io/customize/policies/#create-and-manage-policies "Direct link to Create and manage policies") ------------------------------------------------------------------------------------------------------------------------------------------------------ For instructions about creating and binding policies to flows and stages, refer to [Working with policies](https://docs.goauthentik.io/customize/policies/working_with_policies/) . Standard policies[​](https://docs.goauthentik.io/customize/policies/#standard-policies "Direct link to Standard policies") --------------------------------------------------------------------------------------------------------------------------- The following are our standard, out-of-the box policies that you can [create and customize](https://docs.goauthentik.io/customize/policies/working_with_policies/) as needed. ### Event-matcher policy[​](https://docs.goauthentik.io/customize/policies/#event-matcher-policy "Direct link to Event-matcher policy") This policy is used by the events subsystem. You can use this policy to match events by multiple different criteria, to choose when you get notified. ### Expression Policy[​](https://docs.goauthentik.io/customize/policies/#expression-policy "Direct link to Expression Policy") See [Expression Policy](https://docs.goauthentik.io/customize/policies/expression/) . ### GeoIP policy[​](https://docs.goauthentik.io/customize/policies/#geoip-policy "Direct link to GeoIP policy") Use this policy for simple GeoIP lookups, such as country or ASN matching. (For a more advanced GeoIP lookup, use an [Expression policy](https://docs.goauthentik.io/customize/policies/expression/) .) With the GeoIP policy, you can use the **Distance Settings** options to set travel "expectations" and control login attempts based on GeoIP location. The GeoIP policy calculates the values defined for travel distances (in kilometers), and then either passes or fails based on the results. If the GeoIP policy failed, the current login attempt is not allowed. * **Maximum distance**: define the allowed maximum distance between a login's initial GeoIP location and the GeoIP location of a subsequent login attempt. * **Distance tolerance**: optionally, add an additional "tolerance" distance. This value is added to the **Maximum distance** value, then the total is used in the calculations that determine if the policy fails or passes. * **Historical Login Count**: define the number of login events that you want to use for the distance calculations. For example, with the default value of 5, the policy will check the distance between each of the past 5 login attempts, and if any of those distances exceed the **Maximum distance** PLUS the **Distance tolerance**, then the policy will fail and the current login attempt will not be allowed. * **Check impossible travel**: this option, when enabled, provides an additional layer of calculations to the policy. With Impossible travel, a built-in value of 1,000 kilometers is used as the base distance. This distance, PLUS the value defined for **Impossible travel tolerance**, is the maximum allowed distance for the policy to pass. Note that the value defined in **Historical Login Count** (the number of login events to check) is also used for Impossible travel calculations. * **Impossible travel tolerance**: optionally, you can add an additional "tolerance" distance. This value is added to the built-in allowance of 1000 kilometers per hour, then the total is used in the calculations that run against each of the login events (to determine if the travel would have been possible in the amount of time since the previous login event) to determine if the policy fails or passes. info GeoIP is included in every release of authentik and does not require any additional setup for creating GeoIP policies. For information about advanced uses (configuring your own database, etc.) and system management of GeoIP data, refer to our [GeoIP documentation](https://docs.goauthentik.io/sys-mgmt/ops/geoip/) . ### Password-Expiry Policy[​](https://docs.goauthentik.io/customize/policies/#password-expiry-policy "Direct link to Password-Expiry Policy") This policy can enforce regular password rotation by expiring set passwords after a finite amount of time. This forces users to set a new password. ### Password Policy[​](https://docs.goauthentik.io/customize/policies/#password-policy "Direct link to Password Policy") warning By default, authentik's Password policy is compliant with [NIST's recommendations](https://pages.nist.gov/800-63-4/sp800-63b.html#password) for passwords. To remain compliant with NIST, be cautious when editing the default values. For additional hardening configuration settings, refer to [Hardening authentik](https://docs.goauthentik.io/security/security-hardening/#password-policy) . This policy allows you to specify password rules, such as length and required characters. The following rules can be set: * Minimum amount of uppercase characters. * Minimum amount of lowercase characters. * Minimum amount of symbols characters. * Minimum length. * Symbol charset (define which characters are counted as symbols). The following checks can also be done with this policy: * Check the password hash against the database of [Have I Been Pwned](https://haveibeenpwned.com/) . Only the first 5 characters of the hashed password are transmitted, the rest is compared in authentik. * Check the password against the password complexity checker [zxcvbn](https://github.com/dropbox/zxcvbn) , which detects weak password on various metrics. ### Password Uniqueness Policy[​](https://docs.goauthentik.io/customize/policies/#password-uniqueness-policy "Direct link to Password Uniqueness Policy") This policy prevents users from reusing their previous passwords when setting a new password. For detailed information, see [Password Uniqueness Policy](https://docs.goauthentik.io/customize/policies/unique_password/) . ### Reputation Policy[​](https://docs.goauthentik.io/customize/policies/#reputation-policy "Direct link to Reputation Policy") authentik keeps track of recent login attempts per [Identifier](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/identification/#user-fields) and client IP. These values are saved as scores. Failed logins decrease the score by 1, while successful logins increase the score by 1. This policy can be used, for example, to prompt clients with a low score to pass a CAPTCHA test before they can continue. To make sure this policy is executed correctly, set _Evaluate when stage is run_ when using it with a flow. ### Have I Been Pwned Policy[​](https://docs.goauthentik.io/customize/policies/#have-i-been-pwned-policy "Direct link to Have I Been Pwned Policy") info This policy is deprecated since authentik 2022.11.0, as this can be done with the password policy now. This policy checks the hashed password against the [Have I Been Pwned](https://haveibeenpwned.com/) API. This only sends the first 5 characters of the hashed password. The remaining comparison is done within authentik. * [Create and manage policies](https://docs.goauthentik.io/customize/policies/#create-and-manage-policies) * [Standard policies](https://docs.goauthentik.io/customize/policies/#standard-policies) * [Event-matcher policy](https://docs.goauthentik.io/customize/policies/#event-matcher-policy) * [Expression Policy](https://docs.goauthentik.io/customize/policies/#expression-policy) * [GeoIP policy](https://docs.goauthentik.io/customize/policies/#geoip-policy) * [Password-Expiry Policy](https://docs.goauthentik.io/customize/policies/#password-expiry-policy) * [Password Policy](https://docs.goauthentik.io/customize/policies/#password-policy) * [Password Uniqueness Policy](https://docs.goauthentik.io/customize/policies/#password-uniqueness-policy) * [Reputation Policy](https://docs.goauthentik.io/customize/policies/#reputation-policy) * [Have I Been Pwned Policy](https://docs.goauthentik.io/customize/policies/#have-i-been-pwned-policy) --- # Customize the User interface | authentik [Skip to main content](https://docs.goauthentik.io/customize/interfaces/user/#__docusaurus_skipToContent_fallback) On this page The User interface can be customized using attributes configured in [Brands](https://docs.goauthentik.io/brands/) . To add, remove, or modify attributes for a brand, log in as an administrator and navigate to **System > Brands > Other global settings > Attributes**. Most attributes defined in a brand apply to _both_ the User and Admin interfaces. However, any settings that are specific to only one interface are explicitly noted as such below. The following screenshot shows the syntax for setting several attributes for a brand: light mode, a 3-column display of applications on **My applications** page, hiding the API drawer and the Notification drawer from the tool bar, and disallowing users to edit the applications on **My applications** page. ![](https://docs.goauthentik.io/assets/images/user-interface-attributes-7284bb2daf09cc8673f2fd3c07656da8.png) Custom settings[​](https://docs.goauthentik.io/customize/interfaces/user/#custom-settings "Direct link to Custom settings") ---------------------------------------------------------------------------------------------------------------------------- The following settings for attributes are grouped by: * `enabledFeatures` settings * General attributes (used on both the Admin interface and the User interface) * User interface only ### Enabling/disabling features[​](https://docs.goauthentik.io/customize/interfaces/user/#enablingdisabling-features "Direct link to Enabling/disabling features") The features listed below can be enabled or disabled through attributes set on the Brand. By default, all of the listed features are enabled. To disable a specific feature, set its value to `false`. #### `settings.enabledFeatures.apiDrawer`[​](https://docs.goauthentik.io/customize/interfaces/user/#settingsenabledfeaturesapidrawer "Direct link to settingsenabledfeaturesapidrawer") Display the API Request drawer in the upper tool bar. #### `settings.enabledFeatures.notificationDrawer`[​](https://docs.goauthentik.io/customize/interfaces/user/#settingsenabledfeaturesnotificationdrawer "Direct link to settingsenabledfeaturesnotificationdrawer") Display the Notification drawer in the upper tool bar. #### `settings.enabledFeatures.settings`[​](https://docs.goauthentik.io/customize/interfaces/user/#settingsenabledfeaturessettings "Direct link to settingsenabledfeaturessettings") Display the Settings link in the upper tool bar. #### `settings.enabledFeatures.search`[​](https://docs.goauthentik.io/customize/interfaces/user/#settingsenabledfeaturessearch "Direct link to settingsenabledfeaturessearch") Display the Search bar in the upper tool bar. #### `settings.enabledFeatures.applicationEdit` (User interface only)[​](https://docs.goauthentik.io/customize/interfaces/user/#settingsenabledfeaturesapplicationedit-user-interface-only "Direct link to settingsenabledfeaturesapplicationedit-user-interface-only") Display the Edit option for each application on the **My applications** page (only shown when user is superuser). ### General settings (both Admin and User interfaces)[​](https://docs.goauthentik.io/customize/interfaces/user/#general-settings-both-admin-and-user-interfaces "Direct link to General settings (both Admin and User interfaces)") #### `settings.navbar.userDisplay`[​](https://docs.goauthentik.io/customize/interfaces/user/#settingsnavbaruserdisplay "Direct link to settingsnavbaruserdisplay") Configure what is shown in the top right corner. Defaults to `username`. Available options: `username`, `name`, `email` #### `settings.theme.base`[​](https://docs.goauthentik.io/customize/interfaces/user/#settingsthemebase "Direct link to settingsthemebase") Configure the base color scheme or toggle between dark and light modes. The default setting is `automatic`, which adapts based on the user’s browser preference. Available options: `automatic`, `dark`, `light`. **Example**: settings: theme: base: dark #### `settings.theme.background`[​](https://docs.goauthentik.io/customize/interfaces/user/#settingsthemebackground "Direct link to settingsthemebackground") Optional CSS that is applied to the background of the User interface, for example to set a custom background color, gradient, or image. settings: theme: background: > background: url('https://picsum.photos/1920/1080'); filter: blur(8px); background-position: center; background-repeat: no-repeat; background-size: cover; #### `settings.locale`[​](https://docs.goauthentik.io/customize/interfaces/user/#settingslocale "Direct link to settingslocale") The locale which can be configured in the user settings by default. This can be used to preset locales for groups of users, but still let them choose their own preferred locale. ### Settings for the User interface only[​](https://docs.goauthentik.io/customize/interfaces/user/#settings-for-the-user-interface-only "Direct link to Settings for the User interface only") #### `settings.layout.type`[​](https://docs.goauthentik.io/customize/interfaces/user/#settingslayouttype "Direct link to settingslayouttype") Which layout to use for the **My applications** page. Defaults to `row`. Choices: `row`, `2-column`, `3-column` Global customization[​](https://docs.goauthentik.io/customize/interfaces/user/#global-customization "Direct link to Global customization") ------------------------------------------------------------------------------------------------------------------------------------------- To customize the following brand settings, log in to the Admin interface and navigate to **System > Brands > Brand settings**. * Title * Logo * Favicon * Default flow background image * Custom CSS For more details, see the [Brand settings](https://docs.goauthentik.io/brands/#branding-settings) documentation. * [Custom settings](https://docs.goauthentik.io/customize/interfaces/user/#custom-settings) * [Enabling/disabling features](https://docs.goauthentik.io/customize/interfaces/user/#enablingdisabling-features) * [General settings (both Admin and User interfaces)](https://docs.goauthentik.io/customize/interfaces/user/#general-settings-both-admin-and-user-interfaces) * [Settings for the User interface only](https://docs.goauthentik.io/customize/interfaces/user/#settings-for-the-user-interface-only) * [Global customization](https://docs.goauthentik.io/customize/interfaces/user/#global-customization) --- # Models | authentik [Skip to main content](https://docs.goauthentik.io/customize/blueprints/v1/models/#__docusaurus_skipToContent_fallback) On this page Some models behave differently and allow for access to different API fields when created via blueprint. `authentik_core.token`[​](https://docs.goauthentik.io/customize/blueprints/v1/models/#authentik_coretoken "Direct link to authentik_coretoken") ------------------------------------------------------------------------------------------------------------------------------------------------ ### `key`[​](https://docs.goauthentik.io/customize/blueprints/v1/models/#key "Direct link to key") Via the standard API, a token's key cannot be changed, it can only be rotated. This is to ensure a high entropy in it's key, and to prevent insecure data from being used. However, when provisioning tokens via a blueprint, it may be required to set a token to an existing value. With blueprints, the field `key` can be set, to set the token's key to any value. For example: # [...]- model: authentik_core.token state: present identifiers: identifier: my-token attrs: key: this-should-be-a-long-value user: !KeyOf my-user intent: api `authentik_core.user`[​](https://docs.goauthentik.io/customize/blueprints/v1/models/#authentik_coreuser "Direct link to authentik_coreuser") --------------------------------------------------------------------------------------------------------------------------------------------- ### `password`[​](https://docs.goauthentik.io/customize/blueprints/v1/models/#password "Direct link to password") Via the standard API, a user's password can only be set via the separate `/api/v3/core/users//set_password/` endpoint. In blueprints, the password of a user can be set using the `password` field. Keep in mind that if an LDAP Source is configured and the user maps to an LDAP user, this password change will be propagated to the LDAP server. For example: # [...]- model: authentik_core.user state: present identifiers: username: test-user attrs: name: test user password: this-should-be-a-long-value ### `permissions`authentik: 2024.8.0+[​](https://docs.goauthentik.io/customize/blueprints/v1/models/#permissions "Direct link to permissions") The `permissions` field can be used to set global permissions for a user. A full list of possible permissions is included in the JSON schema for blueprints. For example: # [...]- model: authentik_core.user identifiers: username: test-user attrs: permissions: - authentik_blueprints.view_blueprintinstance `authentik_core.application`[​](https://docs.goauthentik.io/customize/blueprints/v1/models/#authentik_coreapplication "Direct link to authentik_coreapplication") ------------------------------------------------------------------------------------------------------------------------------------------------------------------ ### `icon`[​](https://docs.goauthentik.io/customize/blueprints/v1/models/#icon "Direct link to icon") Application icons can be directly set to URLs with the `icon` field. For example: # [...]- model: authentik_core.application identifiers: slug: my-app attrs: name: My App icon: https://goauthentik.io/img/icon.png `authentik_sources_oauth.oauthsource`, `authentik_sources_saml.samlsource`, `authentik_sources_plex.plexsource`[​](https://docs.goauthentik.io/customize/blueprints/v1/models/#authentik_sources_oauthoauthsource-authentik_sources_samlsamlsource-authentik_sources_plexplexsource "Direct link to authentik_sources_oauthoauthsource-authentik_sources_samlsamlsource-authentik_sources_plexplexsource") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### `icon`[​](https://docs.goauthentik.io/customize/blueprints/v1/models/#icon-1 "Direct link to icon-1") Source icons can be directly set to URLs with the `icon` field. For example: # [...]- model: authentik_sources_oauth.oauthsource identifiers: slug: my-source attrs: name: My source icon: https://goauthentik.io/img/icon.png `authentik_flows.flow`[​](https://docs.goauthentik.io/customize/blueprints/v1/models/#authentik_flowsflow "Direct link to authentik_flowsflow") ------------------------------------------------------------------------------------------------------------------------------------------------ ### `icon`[​](https://docs.goauthentik.io/customize/blueprints/v1/models/#icon-2 "Direct link to icon-2") Flow backgrounds can be directly set to URLs with the `background` field. For example: # [...]- model: authentik_flows.flow identifiers: slug: my-flow attrs: name: my-flow title: My flow designation: authentication background: https://goauthentik.io/img/icon.png `authentik_rbac.role`[​](https://docs.goauthentik.io/customize/blueprints/v1/models/#authentik_rbacrole "Direct link to authentik_rbacrole") --------------------------------------------------------------------------------------------------------------------------------------------- ### `permissions`authentik: 2024.8.0+[​](https://docs.goauthentik.io/customize/blueprints/v1/models/#permissions-1 "Direct link to permissions-1") The `permissions` field can be used to set global permissions for a role. A full list of possible permissions is included in the JSON schema for blueprints. For example: # [...]- model: authentik_rbac.role identifiers: name: test-role attrs: permissions: - authentik_blueprints.view_blueprintinstance `authentik_policies.policybinding`[​](https://docs.goauthentik.io/customize/blueprints/v1/models/#authentik_policiespolicybinding "Direct link to authentik_policiespolicybinding") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ### Required fields[​](https://docs.goauthentik.io/customize/blueprints/v1/models/#required-fields "Direct link to Required fields") Each PolicyBinding entry must have **exactly one** of the following set in `attrs`: * `policy`: Reference to a Policy object * `group`: Reference to a Group object * `user`: Reference to a User object Setting none or multiple in a single binding will cause validation errors. However, you can create multiple separate bindings to the same target with different `order` values. Example with multiple bindings to the same application: # Bind a policy- model: authentik_policies.policybinding identifiers: target: !Find [authentik_core.application, [slug, my-app]] order: 0 attrs: policy: !Find [authentik_policies.expression.expressionpolicy, [name, my-policy]]# Bind a group to the same application- model: authentik_policies.policybinding identifiers: target: !Find [authentik_core.application, [slug, my-app]] order: 1 attrs: group: !Find [authentik_core.group, [name, admins]] * [`authentik_core.token`](https://docs.goauthentik.io/customize/blueprints/v1/models/#authentik_coretoken) * [`key`](https://docs.goauthentik.io/customize/blueprints/v1/models/#key) * [`authentik_core.user`](https://docs.goauthentik.io/customize/blueprints/v1/models/#authentik_coreuser) * [`password`](https://docs.goauthentik.io/customize/blueprints/v1/models/#password) * [`permissions`](https://docs.goauthentik.io/customize/blueprints/v1/models/#permissions) * [`authentik_core.application`](https://docs.goauthentik.io/customize/blueprints/v1/models/#authentik_coreapplication) * [`icon`](https://docs.goauthentik.io/customize/blueprints/v1/models/#icon) * [`authentik_sources_oauth.oauthsource`, `authentik_sources_saml.samlsource`, `authentik_sources_plex.plexsource`](https://docs.goauthentik.io/customize/blueprints/v1/models/#authentik_sources_oauthoauthsource-authentik_sources_samlsamlsource-authentik_sources_plexplexsource) * [`icon`](https://docs.goauthentik.io/customize/blueprints/v1/models/#icon-1) * [`authentik_flows.flow`](https://docs.goauthentik.io/customize/blueprints/v1/models/#authentik_flowsflow) * [`icon`](https://docs.goauthentik.io/customize/blueprints/v1/models/#icon-2) * [`authentik_rbac.role`](https://docs.goauthentik.io/customize/blueprints/v1/models/#authentik_rbacrole) * [`permissions`](https://docs.goauthentik.io/customize/blueprints/v1/models/#permissions-1) * [`authentik_policies.policybinding`](https://docs.goauthentik.io/customize/blueprints/v1/models/#authentik_policiespolicybinding) * [Required fields](https://docs.goauthentik.io/customize/blueprints/v1/models/#required-fields) --- # Remote Access Control (RAC) Provider | authentik [Skip to main content](https://docs.goauthentik.io/add-secure-apps/providers/rac/#__docusaurus_skipToContent_fallback) On this page info This provider requires the deployment of the [RAC Outpost](https://docs.goauthentik.io/add-secure-apps/outposts/) . About the Remote Access Control (RAC) Provider[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/#about-the-remote-access-control-rac-provider "Direct link to About the Remote Access Control (RAC) Provider") --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The RAC provider allows users to access remote Windows, macOS, and Linux machines via [RDP](https://en.wikipedia.org/wiki/Remote_Desktop_Protocol) /[SSH](https://en.wikipedia.org/wiki/Secure_Shell) /[VNC](https://en.wikipedia.org/wiki/Virtual_Network_Computing) . Just like other providers in authentik, the RAC provider is associated with an application that appears on a user's **My applications** page. info Note that with RAC, you create a single application and associated provider that serves to connect with _all remote machines_ that you want to configure for access via RAC. For instructions on creating a RAC provider, refer to the [Managing RAC providers](https://docs.goauthentik.io/add-secure-apps/providers/rac/how-to-rac/) documentation. You can also view our [video on YouTube](https://www.youtube.com/watch?v=9wahIBRV6Ts) for setting up a RAC. For an example of how to configure RAC connections settings, refer to the [RAC SSH Public Key Authentication](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac-public-key/) documentation. There are several components used with a RAC provider; let's take a closer look at the high-level configuration layout of these components and how they are managed using endpoints and connections. ![](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAApAAAAERCAMAAAD7b2eCAAAAeFBMVEX////avffK3cjt7vH0r4b5+fvV6NT/gADMzMyazP/AwtHk5OjQ0du+0L3rpYAfHyI+OTrc3uaChJEDAgLRtPH9vY7HkXSVv4WtyaWlkb1RVV2WTQmxsbyipaNtzYKtfGTTagJqcnBwOhCDr9yGYFEtwi6CqQ1pcgonUAA1AAAACXBIWXMAAAsSAAALEgHS3X78AAAZ70lEQVR42u2djZqiuhJFHf/GRiUxMGpHaaW173n/N7xVCSAg2qiggHvrIAT1+M1ZU0mqkqpeD3qqRqRBNeKvwl8oVAGRBFLBsze67QkeoYqYrODRA4wQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEEQBEFQWqPBtJUaXK8LM5vNJpNZU4QSNjcAOR0Mpi18LK6XKlIyLSHkU5X772lUVboFyFb+7OnMVHO7DOTmb0qbzFX92n9nrvRgACJLAzlrKZCL6TUiGwWknILI7gM5m03bAqTmfz0AsttATpzZojUWcnb1t0IZICet/NmzVgHpAMjyQDrtBNJxZrP2AOnQHAxAdhxIp1VATgFkSSC32bFZdZrMqvuus589AZDvAeRMNFFbAPm2QMqPqiQOVX2TPgfSmQPIjgIZtBJI5nEBIAFkYyzkFkACyAYBuW0rkCOVUxiqRzXpko8TQD4byD9Zffp/HtTnpEuriQDkq4H8fBhIZ9AhIkcKQLYfyAGAfDGQQVuBHNQB5NWVeAASQD4ZyO0CQALIRgE57U6f3VYgg04B6ds/p5dbzgAkgHwcyIgpA6QPC5kCMgSQzbCQf1Kv5c/o9E2BPBzKt54DeTgUvdO25e+cvbXrQPopyk498enkl7Y3BdLziogqbC0A0iOJ808rc0/nPphvKABStR9IP2shz/rtoo7cR5cdS3mMCRkvFR8NKp6nygGpD8pTB3p8HLQ6fNCTLrQ50hcfFH0N37aQi3cA8sxCFgP3O5cdA1KWA1IK7dHRGDqZmDtPC1kSSAJNE9VSeYI+TB+TgizkgU2nPlCbZCt6MJDrnNktADLs5hjyvH/ON521dW4MKUoBeWBqFEN08A72aMzmQV/ss3NdtiDcFHEpBX0ZfezDfCN9nL5am+/x7CeEOOT67AIgtWo7kP65H9JHl10aSLJrbMQMTcoe2WxyqyoFpOTumAD+EGwruZ9mFO1XafpqKSMMD4bd7gOZtpA+3D63AimEJmwO0pgyGRlGsmnUKkp22daifmhhPsz9NgGp2EiyhVQ6ApIvZdbsXgRy0B9d8q42FsjwMyulPh+UekMgDSzGoHmm1zUzHMPXx8U++wKQB/thTZaVLSUZWeq76aii9zDgB0+WAHK2+vkpWHe1+lmPmg2kDyAftpDJ1OZ0vNsxnnUzHlLH8o5xApJwZPTOkBxw+w1AbvYX2jd/96d7+833pTdWOMtGl/0KIKuI1Ojwh7WyWsfqs774zn+lgBTi796TBTB6m7/C+/vt7ZMG1r62MaRf5Ir0kzu5eU10I3q+M5CNCR1mgWR9JTJ3fi4BSVaPuKI/e5Lw9gSkNYTmSG30sicg6cQAuTcU0hvpim1m8i77ar+Pv2t/Yyw7Ys1YSD8TqEko/PSzb46C3/5nxisEIJsAZNRlR2kiM2Icw0td9t5YOjaLe++bHKpiH9k+dq5+E3QkyW0bayGl922B3OwtwZ4xnp6Q5jP7jXn/hkbCm4dm2f6ZU0eqPyLMt3Kj/vQyK4TeFMiDVToEfSgfy776TfblcCOQDk9qZoZIYtI+SANqXS0uAvktjPmzQFoLyVR9s6Ekvr7pRXBD1GVHPNou+5tu00c9uiU39lv2RDQ1bvjmA2PIBLpP9en7iiD7/PSkL7RSvmn84yu+xY00CfJ4XvTuY0gK0FDmbDMTNnNg8vmwg1zeDqQ8KMF5uI0jk7+JfEo0yb5sUS8BOZvNOfPi4ESk0WqwmF2c1Oy/hWfwYyAZuuh0Y9yfm2/TNZ+ATMaN+w2Z0I1xvHqELJtaYZjklu+Nt6lkgW5IP0KxARSSTj8FR7B8jm2Fn/wvQplGtpBC+G/eZWsK03AYmwhSxk3IDnFFrvLDrUASw8o4kdgFxG+SfCUOSt8K5IJlu+x0t01Z/BcXgRRszgqB/N7Q+DAPJBFoPia/DYKSPk3vYiDNzT1jSQ2FQMZz9AIg/dAvtJBkBT1pgfzjhb6Qvvbo+Cm9T3vJRwJSkI30/be2kEQOA6kEWzipDJnGtahvBZLQjoHUmpD+iByZB3EbkNxbT6eDsyGkIfIikJ4dFpoxIgMZDyeZLNNlR0Byd27HkBvLsdwwjfRCM3MDJBlH/iRb1U0RkPv//rsCZOgXWUjtUTfEPXLMnh96vsc1HdKNbC0VA+m/MZBmZYXwjDubsYzxuYzRJSDJpnInxP2+iYkfYs/6xaj45UjNoIDHARN5EUjqmiWBZF54DiNiY7nhHvtvBOQ+mdTsbae9N3Oe/d524gbIv+YO35B/C4AkHq8B+RUmk+bUxMXTPvXRvAqFjxGQQnyGYQykNkAq6rITE/mmiys+YgupedR0MBbyoO8AktojC3mwoXC7xudwD5Cjomo13HTZMR65Z7IvZ+d/z12O+ws39vsiPyTx+L+rQH5FNjI3hqS/Ep9HqpKOygLJQ8nPCEjTSOfcg781kExLNIZk0LSmRRLc5X4c5D0WUpv79HFDOLcIY4RvBHJUXD1p9PrQIfOYB3KUBTIiMrv8zL9JnVwxXhJIGQPJ6LBd5PhzzNZtY0gdAansAo3DgW3u4Qrat6/2eTmQzCMBaVzmG0l5NiY8BZtOFzO2bP4nA0lE+mfbYG8D8o0tZAF4xnt4xyy7oJM/2MlOZUC+ePnZRjCP//svkgzDMIkj6dDoKyYy64e8ici3ntRcIO+gb/dD6sMFb1BXgDT99Un//XyllLkgIhMLGYUOr/FXaCAROmxI6LCxQBKPPyWBJCLzFpKp5Fg1r1Hzrye2QCwbQJbj8QYgwzRxEWHSoxi2Cc1o9pCnV1Zk11kASABZQuTvKQ3kl+bgddZC+uT7obEl+b5NmOa3LTUAEkBW2GVzx+xnaQu9kFdP0B96Jd+j71/usn0ACSBLEFkWyJCX7fi5tbk2IGO6bOEbIP2C/Yg+LCSALO32KTnLJh4tkGngPs26IwLS9OaxhfQLd2wDSABZykTKjB9ShCnJkx8y5BUSSZcdY0Y9dig9Eyv0/UILmeuzASSA/DVSs7GRmiR0yGuTjGbKuBPDmMcMkAYyg6BZhHYCssjb48NCAsjym7w2/+WAXCRA/rFAWh59423MbmAojMn4fwoSqgBIAFl21+Emu9on2moxWChDXBjz6BdkrrgQsy50jKPLBpAlt8FuMushIx4HyQLdiEc/m9vHzxFpY4n5ebWPWTaAvD1zxeY7DWS0eDMCUsc8FuX2OUWtC0j0z4aTABJAlksUsM+th0wB+Zl0xumk94XRmPMhZs5GdhxIXZV4J0hFCjqR/WyUS8fn+/kV4znr55dJxtf1fdlBZZK7qnTsIpB/fN8vSlias4eFUPrv02VXKPWvKi2n75Gw9IoVLM778wZdNoBEJa8uA7m1ApApICtPWAogywPpGNebAyBPQFLUZlu1ugXkqCZVCOTs7Mv1Z0uB7NlUL9WqU+WJRW3abHYOv8rtbvOQZMGXtxhIJjKjxXQxfUiDDgHZGw2ms5lTg0LX/bdVrK27ZO/N0k20TJ2TdtlLup+9vS36/jYDWbE61GObLmRRC5EE5HA7YW1daXYsnRCTMoOfd4zOhD05er8DOVtMWwlkL85AlDxMGsHRI49Rh3hkICmfQg1ShJIdcweuFEs2isflcce8HQlIOl+a8x23L83lztNL5tM7B/Ls668P5BsMZK+WEXuvQ0CejWkqEA2KlDt0o6ANAXk8EnVsJ48up0WWybnwjmQhj3y5PHqCgV3qBMihBZIBjEZai1LjpiYDmTDZs4foxZ7d+to1HKO/nEENUsN/w2HcRVP2HjKSTCChuHMZSO1SE51zCwG547teusseukOrXWr11klX/z80HEjoNyJH1XYkJgEZAxkRKYUdKzJ+TJvFUntHb0lHA6TrJkAO+SrBkYFcLArykl77PwwguwBlxX7I4b+ESNNl72J7qHdsIeVOaD7nYwIkT3yGBsgTjwzkdHDboEl9pyXl91MlRfaSgBwAyFcrAnJou2w7bmQgySR6jCUNH5fmfHkCUrKJvAjkDf9xHrmq0gpVvbLrc4HEi4H8Z4G0cvOeRm9X5HJ0YxILgKzNmfX1s3Lq1VWfKfQsIIcpIIenSXMWyNR8epiZyjwK5KCsM8uhQkuGmvp08++H6raQRKTlbZjCcmgxHJ5QPHXVj1rI8iHjL1MSbBbvnK5DXQo2d8VC5pXqnn/THUCeInTTX/4MpqY0YrRPdVrD41cfFfQSC1labs5A3gVkL1Mn5NqflQFyPSv0LCGU0l0L6RacXW551EKW9mRRee3+z/rnq2YgwUMbLGS5HvtOIMuKVif88PxnYfvVUQ0PqNVd9pOBHFkgFwsM9ABkU4Dk+Tgmwh3Xsbp92dta/XgEpJ1wA8hOa1kUoLlLS6d+IOGa6T6QlXXZS6febXWDnxF4fD8g3WUuRN0kIEfg8Q2AzPohd4IO+phqOS4z7p9LRwAJ1WEhYyBpjyFDthvylq6lW95C9gAkVKmFpAmzPC6FFschp+ujMzdjMV8D5JiBHAPI97OQHlNIK8fJNA6lJuMolzeNIWv6nRTH/qF4Noh80zGk3A2HHm0sFKIhQK7N4ooxptnvOIakLvpItlG42h3KndyVW4BW8xiSefyaYsniO1pIApI2fNHGmaOgjYiajOSxxAqLeoEcsYnsLxZTmMg3dIy7xTtoXggkUUgG0qz2gYl8KwtZzGQtY8jZbZsCw5/S2w6nuZ+x7j+iMWxyo0KHrltuVeTtQMqwHolpdrFtf7Va36/Vaoy1u6+3kHeHDm8BclKPxCw7GR8TkA9YyPUK/s9XxrKXv8RlLnXgTQIyOxkfr9YPE4mR64ssJCVPkUIXRLJPLbrxQOa2/I9X80eJ7IPIF1nIpWAoKUBDUeydy5FsujYrgI4ux7ZdBrLQhjYKyFn6pxCQILK1FtICKcSR8ktR9j2KZEstJfknNbskKSckAVkY224QkFvnDEgQ2VYLSfmmaH2P2A0pZLjTdFzKIR35aifIPh5b0GUXAQki22shOY04pTlz+UIuGUBKzefae0fdDiAXZ0CCyNaOIS2QFMM+Ggsp+JJWW1CSSG496mJPeeOBBJHtBnLJ+Z1dM3L0eKkF5Yw8UhNRyrHtNgIJIlsaqTEG8OoOw2E7gQSRLQDSrUptABJENl7HyqS3LQASRPZakmP8BalUXgIkiOwmkO5FIEcNBxJENh/IuIB7AXaXHsP2AgkiGw+kTSTv/Ittn1syJ6SbeXdrgCQiHxNWrdcNZFTA/a4MKm0bQ7JW40e0miFJZb35IR1bL/uf+xCRbwTkDPVDagVySwEYIbe0zCy7OneZWQvJq9GurdR9HyBRYaluIM0YMi7gfkKMVp1l1gHFAUMbOdSZ974VkCiKWDOQprDaNl3AnVeG76IC7rw4l1riAu5Drlls+KQqse8KJPrsOoHMFHB3zwu4D88KuBOIy6O783YAEqocyGQdxYUC7nw+jAu4UzXYYdR30wKgh4pvNh5ICSBfVYWhsID7MFXAfXhWwJ3ypMnMwp8WAxnMg3E/mI/763nQXwfUQg3jtbemW2sA+UIgbyjgTqW0d7tl+4BcFQApRBjQdiE15y2XUupxSFd95ak+7SQKAeSzu+x49eNNBdyPdqjZWCBXq+S3ZFb7/PyszoEMxlrNlZx7fX6KsRiPQzX2xkrPqQFAvqpwkntjAffmdtmU2/QrqV6YsZBfJs9kDsj5mAyjDAlF81wTkCokIDU3A8gXWMgskcOLBdzjCu7DRgO5sslNo9LHgyR2/cUymU9XeSC1GgcJkNwgA2Mhx3OJLvvFBdwj4NxhqoB7poR7UsDdbeYs++eSTkCu80CuycGwToBUFLnqk9XsU5pMBSBfZyGfWsC9PgtpoOtzYURTy/isy/4q8ubMz6+os573Mct+l+KbNY4hGbuvmSGSOu5+Gki6Acd4myyke1PR7KY6xh3n64fS7U7NGLK/Wl93+wBIFHCvG0izXiTqs7NEAsg2jyFf1WUHtD7zQSAXnCHfjCHPiLwCpB0zzgEkxpBphex1V9GFEkXv0Ncd41F3PRoVEXkFSG0Ch3lXT+ilAjYAsk6FS3dZjY7VARl4chsIzwnUZKu2FNML6EEWMwjDgI/KCYQIfgkdRjj2TAmH3DgyQusUuw4UG0W1Jn8kxbTHawpvK7aVNpRNrvK+WAPIZ+hYGZC76hIFhF5gDlJMKKBMqYWMxQy25ki0elJ5XvhrLDvJVU9AZoiMgUxi11qGgkKGoVCUAlMo8kSSSRTzOJQ9J18kgOy1s4B7NUCSOSQUDZBB6FGD2nph6DkOH8NQTaSclACyl5S5yRB5AjKKXav5WpD5JfJ0yAFsYYM3p1D2XEp02e0EsoptsIrHj7GFtEA6EyE1DSZp7w+tAZGlgOylCy+liUyAjCMzbBcDGdgxZGCA7NPyiiSUHQiFSc3TgMz6eJZXCi08C8itJxTNIyY0epQM5JasIkFqn6GkUeVWCucWILNE5oE0ljKg5RQqzAAZh7LnXnrazZ7M8XhKQkmlOi2kmyngnq/D4P72rDQdH40bPZq1BHTkQaMgOj3pOGwbaT5Du8vIZuqbgMwQeWYhJcWu5ZyO8wyQcShbmcFrAuRJKKlUu4WMgXR3zOFyx3UY3KX79MJJW+uGNGbQcajXdk6tgWMabwMyTeSqKJDdN89Ct2TOD5mkVZmjpNITyhPvdjt5pOoLVBCEa7lzHYbCqgvPTFhKQD6wYtzymCLywUhNP0UkEv3UbSE9ppC2MpBpHEpK5VxfAfcbgLxiDktbyJSNrAxIEPmUAu7UZVOO+yGVT9K0sbAJQD62p+aMyOqAJCLnILLuMSR10UdOc+9SQgC5kzu7ItJ9OpCBs6Xt4nbYaI5bFSSjy3uAjImsEEgQ+QQLSUDSDkTawXUUkoswFFddqB1IR0w4jsIhGceTxj1JvycI5P0WMiKySiBBZL0Wsnizl/sKIMNwIhUHtglFSbEbh93linziwd0WMraRj6kPIp8fqbmZx+qBJEckA8mLfaSSIZFp3D0Tpe8H0trI8WTu0I5Yu1x3zY/cgsnr6oPIJ1vIgqx77vOBJP4ouQuvoth6DmEZL0MLxAMW0trIBSUMNko2NzyU5hlEdnxxRRQ/nBgLGQpyQwoTsSELudUPAmlt5GJhlpTPTrttQGRTY9nLX+IylzrwqoF0aNjIQBKYvPZRhxMROvyi5EMW0trIwXRKS8oXqe1fILKh5YlpiaDOR7LTelo1WGnHkDSXEXbdeEA9uHR4svMYkGbFrlUm6w+IbKCFjAq4L92dyeFMkewotbN75Cyl1ERALp9SDbZg8mIiNnL7KJC9UaxMXjQQ2dBqsASkEEdKeObtOJItNeV2pit2SWqPaxbr51SDlYUBwyCcPAxkwmQ2UR+IbKCFpIVWtL5H7KhS9nBn6mVTpnG55Cuqlz3kooatDR2eU5nLHAkiG1wvmzKW0oVcMoCUK9K19466y0DOH3SZg8haxpAWSIphH42FFHxJqy0oaym3HnWxp7wbQD5iIillC4p8VW4htQGSsjUvtZZL90iVGLQ88pV2d+ZwdPWuq0Cu149EuddzVLCpxTHuFge0r4cSAeR4vUaRr0fFa8sq2pcNINdr7Ed8VBQ+mzgXtHWoaLHjbM9U/PbFjQOobgKJPvsxcczCRtHymi1u1RRAAsjHgbSB3WItCNXoyM/U2bkGNpvOWwAZzgFkvURWpFHXgJzPKfcUp6OitFTrvs0/Naed3JTxZx0AyJqAzGkwekC9hgDZrwZI2jVBaX2kSbbiUfR0Puf8U2uhx6YVQNZkIrPP5/BYa45xynlf5tecgPyi1ONFQErOtDIXASWh4qeijFR9ynSxtq0A8imEEqM987jMXfHjxgl+bUByEYbBoMQ/kJSF5OIMBUBSvh/OOBVoLvZF2VU4I5U3l2vbCiBrY9D+6T3z77ImINe2JM26VBDwKwlDf0WfOgOSEv2M9TwGkhqozpcMbCuA7JQLtB4g56caSb8rX1qpAEiqxElDxhjIuck/RelNTSuABJAlJBnIpAbDVWW6bOqzC90+/flZ/ql+vhVAAsgrkxoqdri2ae95llb8MP6u1KTGzGrgGAeQ9dSp+XLiskmXiLR7apL92D+I1ADIOit52cIgiVv17GhPx7kMAQASQNZVySspm3RVOSKvAGnHjEUZTAEkgPw1UlNqSsOGMkvkFSDnJjATngUMU95IAAkgrxROKuMYzxOZAEmFkyiObWrUsGUMAo7YBGwhqZnfxEFuU5/BA5AAstziijKxw1yRrwRIYWPXFKcJKUIoQhlSlSW61oHyKK5N7RTYthVsACSArGq1z1lJpROQgXlyijQdriWvOKMSSlylwYS3qbDXPAzRZQPIqoHMEXkCkumjJ1lCGaowGkMaIHl5BRelkwpAAsjKgcwSeQYkmUlJy82oZ84AyTej+Q2ABJCVApkh8gxIDlmbwHWQBVIJIfoAEkDWAGSayHO3T/9CSaWiIu8AEkBWAWSKSERqAGQDgDwRCSABZBOATIgEkG8NZFCPGMhbE0hERALItwayLt0BZFzABkD23jlpxjQuz1Gx7sn5FBP5gFYAsu1ZXBa1EGnW+ozu+T19ntfcLwdAtt1ExgVjKtVicVcOsgr+hSAdXyfyCg0qft6a1CVD5GP/QpBCt+1pXAbVazQYje6jwv4LWdyvKXhsf2KhXtXP0b08VpF6awQgW5+4pYZHhbm3as1vBEE1I4m/QKg5ZhuCIAiCIAiCIAiCIAiCIAiCIAiCIAiCIAiCIAiCIAiCIAiCIAiCIAiCIAiCIAiCIAiCIAiCIAiCIAiCIAiCIAiCIAiCIAiCWqb/A2ELareKsynbAAAAAElFTkSuQmCC) The provider-application pair, the authentik server, and the authentik API are typical to all configurations. With RAC, there are some new components, namely the endpoints, the outpost, and of course the target remote machines. When a user starts the RAC application, the app communicates with the authentik server, which then connects to an instance of the outpost (the exact instance is selected dynamically based on connection load). After the outpost is selected, then the authentik server sends the outpost the instructions (based on the data you defined in the endpoint) required to connect to the remote machine. After the connection to the remote machine is made, the outpost sends a message back to the authentik server (via websockets), and the web browser opens the websocket connection to the remote machine. ### Endpoints[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/#endpoints "Direct link to Endpoints") Unlike other providers, where one provider-application pair must be created for each resource you wish to access, the RAC provider handles this slightly differently. For each remote machine (computer/server) that should be accessible, you create an _Endpoint_ object within a single RAC provider. (And as mentioned above, a single provider-application pair is used for all remote connections.) The _Endpoint_ object specifies the hostname/IP of the machine to connect to, as well as the protocol to use. Additionally it is possible to bind policies to _endpoint_ objects to restrict access. Users must have access to both the application that the RAC Provider is using as well as the individual endpoint. Configuration details such as credentials can be specified through _settings_, which can be specified on different levels and are all merged together when connecting: 1. Default settings 2. Provider settings 3. Endpoint settings 4. Provider property mapping settings 5. Endpoint property mapping settings 6. Connection settings ### Connection settings[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/#connection-settings "Direct link to Connection settings") Each connection is authorized through authentik policy objects that are bound to the application and the endpoint. Additional verification can be done with the authorization flow. A new connection is created every time an endpoint is selected in the [User Interface](https://docs.goauthentik.io/customize/interfaces/user/) . After the user's authentik session expires, the connection is terminated. Additionally, the connection timeout can be specified in the provider, which applies even if the user is still authenticated. The connection can also be terminated manually from the **Connections** tab of the RAC provider. Additionally, it is possible to modify the connection settings through the authorization flow. Configuration set in `connection_settings` in the flow plan context will be merged with other settings as shown above. The RAC provider utilises [Apache Guacamole](https://guacamole.apache.org/) for establishing SSH, RDP and VNC connections. RAC supports the use of Apache Guacamole connection configurations. For a full list of possible connection configurations, see the [Apache Guacamole connection configuration documentation](https://guacamole.apache.org/doc/gug/configuring-guacamole.html#configuring-connections) . RAC connection settings can be set via several methods: 1. The settings of the RAC provider 2. RAC endpoint settings 3. RAC property mappings 4. Retrieved from user or group attributes via RAC property mappings For an example of how to set a connection setting see the [RAC SSH public key authentication](https://docs.goauthentik.io/add-secure-apps/providers/rac/rac-public-key/) page. Capabilities[​](https://docs.goauthentik.io/add-secure-apps/providers/rac/#capabilities "Direct link to Capabilities") ----------------------------------------------------------------------------------------------------------------------- The following features are currently supported: * Bi-directional clipboard * Audio redirection (from remote machine to browser) * Resizing * [About the Remote Access Control (RAC) Provider](https://docs.goauthentik.io/add-secure-apps/providers/rac/#about-the-remote-access-control-rac-provider) * [Endpoints](https://docs.goauthentik.io/add-secure-apps/providers/rac/#endpoints) * [Connection settings](https://docs.goauthentik.io/add-secure-apps/providers/rac/#connection-settings) * [Capabilities](https://docs.goauthentik.io/add-secure-apps/providers/rac/#capabilities) --- # Developer Documentation | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/#__docusaurus_skipToContent_fallback) We're thrilled you're here! 🎉 Thanks for jumping in to contribute to authentik; your ideas, fixes, and features make a real impact. Pick a topic below to dive in and have fun hacking! 🚀 Even small PRs and typo fixes are hugely appreciated. [🔗 API Overview\ ---------------](https://api.goauthentik.io/) [📄️ Contributing\ ----------------\ \ Guidelines for contributing code, docs, and enhancements to authentik.](https://docs.goauthentik.io/developer-docs/contributing/) [🗃️ Development environment\ ---------------------------\ \ 3 items](https://docs.goauthentik.io/developer-docs/setup/) [🗃️ Writing documentation\ -------------------------\ \ 2 items](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/) [📄️ Releasing authentik\ -----------------------\ \ Creating a standard release](https://docs.goauthentik.io/developer-docs/releases/) [📄️ Translations\ ----------------\ \ Translation in authentik is done in two places. Most of the text is defined in the frontend in web/, and a subset of messages is defined in the backend.](https://docs.goauthentik.io/developer-docs/translation/) --- # Ensure unique email addresses | authentik [Skip to main content](https://docs.goauthentik.io/customize/policies/expression/unique_email/#__docusaurus_skipToContent_fallback) Due to the database design of authentik, email addresses are by default not required to be unique. This behavior can however be changed by policies. The snippet below can be used as the expression in policies both with enrollment flows, where the policy should be bound to any stage before the [User write](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_write/) stage, or with the [Prompt stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/) . # Ensure this matches the *Field Key* value of the promptfield_name = "email"email = request.context["prompt_data"][field_name]if ak_user_by(email__iexact=email): ak_message("Email address in use") return Falsereturn True --- # Managing flow context keys | authentik [Skip to main content](https://docs.goauthentik.io/customize/policies/expression/managing_flow_context_keys/#__docusaurus_skipToContent_fallback) [Flow context](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/context/) can be managed in [Expression policies](https://docs.goauthentik.io/customize/policies/expression/) via the `context['flow_plan'].context` variable. Here's an example of setting a key in an Expression policy: context['flow_plan'].context['redirect_stage_target'] = 'ak-flow://redirected-authentication-flow' And here's an example of removing that key: context['flow_plan'].context.pop('redirect_stage_target', None) --- # Switch which source is used based on email address | authentik [Skip to main content](https://docs.goauthentik.io/customize/policies/expression/source_switch/#__docusaurus_skipToContent_fallback) On this page You can use an expression policy to determine which [source](https://docs.goauthentik.io/users-sources/sources/) (a set of user credentials and data, stored in authentik, Google, GitHub, etc) is used for a particular user, based on the domain of the email address the user enters when they log in and authenticate. To switch which source is used for a specific user based on their email domain, create an expression policy and then bind it to the appropriate stage. Create an expression policy[​](https://docs.goauthentik.io/customize/policies/expression/source_switch/#create-an-expression-policy "Direct link to Create an expression policy") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [Create](https://docs.goauthentik.io/customize/policies/working_with_policies/#create-a-policy) an expression policy\] that does the following: 1. Maps the desired source for each user domain. 2. Determines the user's domain based on their email address. 3. Then "switches" the user to the desired source. ### Example expression[​](https://docs.goauthentik.io/customize/policies/expression/source_switch/#example-expression "Direct link to Example expression") # This is a mapping of domains to sources# the key is a domain for the user and the value is the 'slug' of the source to redirect tosource_email_map = { "foo.bar.com": "entra-foo", "bar.baz.com": "entra-bar",}user_email = request.context["pending_user_identifier"]_username, _, domain = user_email.partition("@")source = source_email_map.get(domain)if not source: return Trueplan = request.context.get("flow_plan")if not plan: return False# For OIDC# plan.redirect(f"/source/oauth/login/{source}/")# For SAMLplan.redirect(f"/source/saml/{source}")return False Bind the policy to the stage[​](https://docs.goauthentik.io/customize/policies/expression/source_switch/#bind-the-policy-to-the-stage "Direct link to Bind the policy to the stage") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The new expression policy needs to be bound to the stage binding that comes after the Identification stage (or any custom stage that you might have created). For more information read our documentation about [bindings](https://docs.goauthentik.io/add-secure-apps/flows-stages/bindings/) , and for instructions to bind a policy, see [Bind a policy to a stage](https://docs.goauthentik.io/customize/policies/working_with_policies/#bind-a-policy-to-a-stage) . * [Create an expression policy](https://docs.goauthentik.io/customize/policies/expression/source_switch/#create-an-expression-policy) * [Example expression](https://docs.goauthentik.io/customize/policies/expression/source_switch/#example-expression) * [Bind the policy to the stage](https://docs.goauthentik.io/customize/policies/expression/source_switch/#bind-the-policy-to-the-stage) --- # Whitelist email domains | authentik [Skip to main content](https://docs.goauthentik.io/customize/policies/expression/whitelist_email/#__docusaurus_skipToContent_fallback) To add specific email addresses to an allow list for signing in through SSO or directly with default policy customization, follow these steps: 1. In the authentik Admin interface, navigate to **Customization > Policies** and modify the default policy named `default-source-enrollment-if-sso`. 2. Add the following code snippet in the policy-specific settings under **Expression** and then click **Update**. allowed_domains = ["example.org", "example.net", "example.com"]current_domain = request.context["prompt_data"]["email"].split("@")[1] if request.context.get("prompt_data", {}).get("email") else Noneif current_domain in allowed_domains: email = request.context["prompt_data"]["email"] request.context["prompt_data"]["username"] = email return ak_is_sso_flowelse: return ak_message("Enrollment denied for this email domain") This configuration specifies the `allowed_domains` list of domains for logging in through SSO, such as Google OAuth2. If your email is not in the available domains, you will receive a 'Permission Denied' message on the login screen. You can also enforce your allowed domains policy for authentication by modifying the policy `default-source-authentication-if-sso` with the following expression: allowed_domains = ["example.org", "example.net", "example.com"]current_domain = request.user.email.split("@")[1] if hasattr(request.user, 'email') and request.user.email else Noneif current_domain in allowed_domains: return ak_is_sso_flowelse: return ak_message("Authentication denied for this email domain") --- # Password Uniqueness Policy | authentik [Skip to main content](https://docs.goauthentik.io/customize/policies/unique_password/#__docusaurus_skipToContent_fallback) On this page The Password Uniqueness policy prevents users from reusing their previous passwords when setting a new password. To use this feature, you will need to create a Password Uniqueness policy, using the instructions below. How it works[​](https://docs.goauthentik.io/customize/policies/unique_password/#how-it-works "Direct link to How it works") ---------------------------------------------------------------------------------------------------------------------------- This policy maintains a record of previously used passwords for each user. When a new password is created, it is compared against this historical log. If a match is found with any previous password, the policy is not met, and the user is required to choose a different password. The password history is maintained automatically when this policy is in use. Old password hashes are stored securely in authentik's database. info This policy takes effect after the first password change following policy activation. Before that first change, there's no password history data to compare against. Integration with other policies[​](https://docs.goauthentik.io/customize/policies/unique_password/#integration-with-other-policies "Direct link to Integration with other policies") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- For comprehensive password security, consider using this policy alongside: * [Password Policy](https://docs.goauthentik.io/customize/policies/#password-policy) - To enforce password complexity rules * [Password-Expiry Policy](https://docs.goauthentik.io/customize/policies/#password-expiry-policy) - To enforce regular password rotation Implement a Password Uniqueness policy[​](https://docs.goauthentik.io/customize/policies/unique_password/#implement-a-password-uniqueness-policy "Direct link to Implement a Password Uniqueness policy") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- To implement a policy that prevents users from reusing their previous passwords, follow these steps: 1. In the Admin interface, navigate to **Customization** > **Policies**. 2. Click **Create** to define a new Password Uniqueness Policy. * **Name**: provide a descriptive name for the policy. * **Password field**: enter the name of the input field to check for the new password. By default, if no custom flows are used, the field name is `password`. This field name must match the field name used in your Prompt stage. * **Number of previous passwords to check**: enter the number of past passwords that you want to set as the number of previous passwords that are checked and stored for each user, with a default of 1. For instance, if set to 3, users will not be able to reuse any of their last 3 passwords. 3. Bind the policy to your **password prompt stage**: For example, if you're using the `default-password-change` flow, edit the `default-password-change-prompt` stage and add the policy in the **Validation Policies** section. info Password history records are stored securely and cannot be used to reconstruct original passwords. * [How it works](https://docs.goauthentik.io/customize/policies/unique_password/#how-it-works) * [Integration with other policies](https://docs.goauthentik.io/customize/policies/unique_password/#integration-with-other-policies) * [Implement a Password Uniqueness policy](https://docs.goauthentik.io/customize/policies/unique_password/#implement-a-password-uniqueness-policy) --- # Working with policies | authentik [Skip to main content](https://docs.goauthentik.io/customize/policies/working_with_policies/#__docusaurus_skipToContent_fallback) On this page For an overview of policies, refer to our documentation on [Policies](https://docs.goauthentik.io/customize/policies/) . authentik provides several [standard policy types](https://docs.goauthentik.io/customize/policies/#standard-policies) , which can be configured for your specific needs. We also document several useful [expression policies](https://docs.goauthentik.io/customize/policies/expression/#sample-expression-policies) . info You can add expressions to our standard policies to further customize them. To learn more, see the [bindings](https://docs.goauthentik.io/add-secure-apps/flows-stages/bindings/) and how to [bind policy bindings to a new application when the application is created](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#create-an-application-and-provider-pair) documentation (for example, to configure application-specific access). Create a policy[​](https://docs.goauthentik.io/customize/policies/working_with_policies/#create-a-policy "Direct link to Create a policy") ------------------------------------------------------------------------------------------------------------------------------------------- To create a new policy, _either a pre-configured one or an expression policy_, follow these steps: 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Customization** > **Policies**. 3. Click **Create**, and select the type of policy. Here you select whether you want to create a custom expression policy, or a standard, out-of-the box one. 4. Define the policy and click **Finish**. Bind a policy to a flow or stage[​](https://docs.goauthentik.io/customize/policies/working_with_policies/#bind-a-policy-to-a-flow-or-stage "Direct link to Bind a policy to a flow or stage") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- After creating the policy, you can bind it to either a [flow](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/) or to a [stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/) . info Bindings are instantiated objects themselves, and conceptually can be considered as the "connector" between the policy and the stage or flow. This is why you might read about "binding a binding", because technically, a binding is "spliced" into another binding, in order to intercept and enforce the criteria defined in the policy. To learn more refer to our [Bindings documentation](https://docs.goauthentik.io/add-secure-apps/flows-stages/bindings/) . ### Bind a policy to a flow[​](https://docs.goauthentik.io/customize/policies/working_with_policies/#bind-a-policy-to-a-flow "Direct link to Bind a policy to a flow") These bindings control which users can access a flow. 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Flows and Stages** > **Flows**. 3. In the list of flows, click on the name of the flow to which you want to bind a policy. 4. Click on the **Policy/Group/User Bindings** tab at the top of the page. 5. Here, you can decide if you want to create a new policy and bind it to the flow (**Create and bind Policy**), or if you want to select an existing policy and bind it to the flow (**Bind existing policy/group/user**). ### Bind a policy to a stage[​](https://docs.goauthentik.io/customize/policies/working_with_policies/#bind-a-policy-to-a-stage "Direct link to Bind a policy to a stage") These bindings control which stages are applied to a flow. 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Flows and Stages** > **Flows**. 3. In the list of flows, click on the name of the flow which has the stage to which you want to bind a policy. 4. Click on the **Stage Bindings** tab at the top of the page. 5. Click the arrow (**\>**) beside the name of the stage to which you want to bind a policy. The details for that stage displays. 6. Here, you can decide if you want to create a new policy and bind it to the stage (**Create and bind Policy**), or if you want to select an existing policy and bind it to the stage (**Bind existing policy/group/user**). * [Create a policy](https://docs.goauthentik.io/customize/policies/working_with_policies/#create-a-policy) * [Bind a policy to a flow or stage](https://docs.goauthentik.io/customize/policies/working_with_policies/#bind-a-policy-to-a-flow-or-stage) * [Bind a policy to a flow](https://docs.goauthentik.io/customize/policies/working_with_policies/#bind-a-policy-to-a-flow) * [Bind a policy to a stage](https://docs.goauthentik.io/customize/policies/working_with_policies/#bind-a-policy-to-a-stage) --- # YAML Tags | authentik [Skip to main content](https://docs.goauthentik.io/customize/blueprints/v1/tags/#__docusaurus_skipToContent_fallback) On this page To use the custom tags with your preferred editor, you must make the editor aware of the custom tags. For VS Code, for example, add these entries to your `settings.json`: { "yaml.customTags": [ "!Condition sequence", "!Context scalar", "!Enumerate sequence", "!Env scalar", "!File scalar", "!File sequence", "!Find sequence", "!Format sequence", "!If sequence", "!Index scalar", "!KeyOf scalar", "!Value scalar", "!AtIndex scalar" ]} #### `!KeyOf`[​](https://docs.goauthentik.io/customize/blueprints/v1/tags/#keyof "Direct link to keyof") Example: policy: !KeyOf my-policy-id Resolves to the primary key of the model instance defined by id _my-policy-id_. If no matching entry can be found, an error is raised and the blueprint is invalid. #### `!Env`[​](https://docs.goauthentik.io/customize/blueprints/v1/tags/#env "Direct link to env") Example: password: !Env my_env_var Returns the value of the given environment variable. Can be used as a scalar with `!Env my_env_var, default` to return a default value. #### `!File`[​](https://docs.goauthentik.io/customize/blueprints/v1/tags/#file "Direct link to file") Example: password: !File /path/to/file Returns the contents of the file at the given path. Can be used as a scalar with `!File /file/to/path, default` to return a default value. #### `!Find`[​](https://docs.goauthentik.io/customize/blueprints/v1/tags/#find "Direct link to find") Examples: configure_flow: !Find [authentik_flows.flow, [slug, default-password-change]] configure_flow: !Find [ authentik_flows.flow, [!Context property_name, !Context property_value], ] Looks up any model and resolves to the the matches' primary key. First argument is the model to be queried, remaining arguments are expected to be pairs of key=value pairs to query for. #### `!FindObject` authentik 2025.8+[​](https://docs.goauthentik.io/customize/blueprints/v1/tags/#findobject-authentik-20258 "Direct link to findobject-authentik-20258") Examples: flow_designation: !AtIndex [ !FindObject [authentik_flows.flow, [slug, default-password-change]], designation, ] Looks up any model and resolves to the matches' serialized data. First argument is the model to be queried, remaining arguments are expected to be pairs of key=value pairs to query for. #### `!Context`[​](https://docs.goauthentik.io/customize/blueprints/v1/tags/#context "Direct link to context") Example: configure_flow: !Context foo Find values from the context. Can optionally be called with a default like `!Context [foo, default-value]`. #### `!Format`[​](https://docs.goauthentik.io/customize/blueprints/v1/tags/#format "Direct link to format") Example: name: !Format [my-policy-%s, !Context instance_name] Format a string using python's % formatting. First argument is the format string, any remaining arguments are used for formatting. #### `!If`[​](https://docs.goauthentik.io/customize/blueprints/v1/tags/#if "Direct link to if") Minimal example: # Short form# !If []required: !If [true] # Longer form# !If [, , ]required: !If [true, true, false] Full example: attributes: !If [ !Condition [...], # Or any valid YAML or custom tag. Evaluated as boolean in Python { # When condition evaluates to true dictionary: { with: { keys: "and_values" }, and_nested_custom_tags: !Format ["foo-%s", !Context foo], }, }, [ # When condition evaluates to false list, with, items, !Format ["foo-%s", !Context foo], ], ] Conditionally add YAML to a blueprint. Similar to a one-line if, the first argument is the condition, which can be any valid yaml or custom tag. It will be evaluated as boolean in python. However, keep in mind that dictionaries and lists will always evaluate to `true`, unless they are empty. The second argument is used when the condition is `true`, and the third - when `false`. The YAML inside both arguments will be fully resolved, thus it is possible to use custom YAML tags and even nest them inside dictionaries and lists. #### `!Condition`[​](https://docs.goauthentik.io/customize/blueprints/v1/tags/#condition "Direct link to condition") Minimal example: required: !Condition [OR, true] Full example: required: !Condition [ AND, # Valid modes are: AND, NAND, OR, NOR, XOR, XNOR !Context instance_name, !Find [authentik_flows.flow, [slug, default-password-change], "My string", 123]\ \ Converts one or more arguments to their boolean representations, then merges all representations together. Requires at least one argument after the mode selection.\ \ If only a single argument is provided, its boolean representation will be returned for all normal modes and its negated boolean representation will be returned for all negated modes.\ \ Normally, it should be used to define complex conditions for use with an `!If` tag or for the `conditions` attribute of a blueprint entry (see [the blueprint file structure](https://docs.goauthentik.io/customize/blueprints/v1/structure/)\ ). However, this is essentially just a boolean evaluator so it can be used everywhere a boolean representation is required.\ \ #### `!Enumerate`, `!Index` and `!Value`[​](https://docs.goauthentik.io/customize/blueprints/v1/tags/#enumerate-index-and-value "Direct link to enumerate-index-and-value")\ \ These tags collectively make it possible to iterate over objects which support iteration. Any iterable Python object is supported. Such objects are sequences (`[]`), mappings (`{}`) and even strings.\ \ 1. `!Enumerate` tag:\ \ This tag takes 3 arguments:\ \ !Enumerate [, , ]\ \ * **iterable**: Any Python iterable or custom tag that resolves to such iterable\ * **output\_object\_type**: `SEQ` or `MAP`. Controls whether the returned YAML will be a mapping or a sequence.\ * **single\_item\_yaml**: The YAML to use to create a single entry in the output object\ \ 2. `!Index` tag:\ \ info\ \ This tag is only valid inside an `!Enumerate` tag\ \ This tag takes 1 argument:\ \ !Index \ \ * **depth**: Must be >= 0. A depth of 0 refers to the `!Enumerate` tag this tag is located in. A depth of 1 refers to one `!Enumerate` tag above that (to be used when multiple `!Enumerate` tags are nested inside each other).\ \ Accesses the `!Enumerate` tag's iterable and resolves to the index of the item currently being iterated (in case `!Enumerate` is iterating over a sequence), or the mapping key (in case `!Enumerate` is iterating over a mapping).\ \ For example, given a sequence like this - `["a", "b", "c"]`, this tag will resolve to `0` on the first `!Enumerate` tag iteration, `1` on the second and so on. However, if given a mapping like this - `{"key1": "value1", "key2": "value2", "key3": "value3"}`, it will first resolve to `key1`, then to `key2` and so on.\ \ 3. `!Value` tag:\ \ info\ \ This tag is only valid inside an `!Enumerate` tag\ \ This tag takes 1 argument:\ \ !Value \ \ * **depth**: Must be >= 0. A depth of 0 refers to the `!Enumerate` tag this tag is located in. A depth of 1 refers to one `!Enumerate` tag above that (to be used when multiple `!Enumerate` tags are nested inside each other).\ \ Accesses the `!Enumerate` tag's iterable and resolves to the value of the item currently being iterated.\ \ For example, given a sequence like this - `["a", "b", "c"]`, this tag will resolve to `a` on the first `!Enumerate` tag iteration, `b` on the second and so on. If given a mapping like this - `{"key1": "value1", "key2": "value2", "key3": "value3"}`, it will first resolve to `value1`, then to `value2` and so on.\ \ Minimal examples:\ \ configuration_stages: !Enumerate [ !Context map_of_totp_stage_names_and_types, SEQ, # Output a sequence !Find [ !Format [ "authentik_stages_authenticator_%s.authenticator%sstage", !Index 0, !Index 0, ], [name, !Value 0], ], # The value of each item in the sequence ]\ \ The above example will resolve to something like this:\ \ configuration_stages: - !Find [ authentik_stages_authenticator_.authenticatorstage, [name, ], ] - !Find [ authentik_stages_authenticator_.authenticatorstage, [name, ], ]\ \ Similarly, a mapping can be generated like so:\ \ example: !Enumerate [ !Context list_of_totp_stage_names, MAP, # Output a map [ !Index 0, # The key to assign to each entry !Value 0, # The value to assign to each entry ], ]\ \ The above example will resolve to something like this:\ \ example: 0: 1: \ \ Full example:\ \ caution\ \ Note that an `!Enumeration` tag's iterable can never be an `!Item` or `!Value` tag with a depth of `0`. Minimum depth allowed is `1`. This is because a depth of `0` refers to the `!Enumeration` tag the `!Item` or `!Value` tag is in, and an `!Enumeration` tag cannot iterate over itself.\ \ example: !Enumerate [ !Context sequence, # ["foo", "bar"] MAP, # Output a map [ !Index 0, # Use the indexes of the items in the sequence as keys !Enumerate [ # Nested enumeration # Iterate over each item of the parent enumerate tag. # Notice depth is 1, not 0, since we are inside the nested enumeration tag! !Value 1, SEQ, # Output a sequence !Format [ "%s: (index: %d, letter: %s)", !Value 1, !Index 0, !Value 0, ], ], ], ]\ \ The above example will resolve to something like this:\ \ "0": - "foo: (index: 0, letter: f)" - "foo: (index: 1, letter: o)" - "foo: (index: 2, letter: o)""1": - "bar: (index: 0, letter: b)" - "bar: (index: 1, letter: a)" - "bar: (index: 2, letter: r)"\ \ #### `!AtIndex`authentik: 2024.12.0+[​](https://docs.goauthentik.io/customize/blueprints/v1/tags/#atindex "Direct link to atindex")\ \ Minimal example:\ \ value_in_sequence: !AtIndex [["first", "second"], 0] # Resolves to "first"value_in_mapping: !AtIndex [{ "foo": "bar", "other": "value" }, "foo"] # Resolves to "bar"\ \ Example with default value:\ \ default_value: !AtIndex [["first"], 100, "default"] # Resolves to "default"default_value: !AtIndex [["first"], 100] # Throws an error\ \ Resolves to the value at a specific index in a sequence or a mapping.\ \ If no value can be found at the specified index and no default is provided, an error is raised and the blueprint is invalid. --- # Templates | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/docs/templates/#__docusaurus_skipToContent_fallback) On this page In technical documentation, there are document "types" (similar to how there are data types). We have templates for the different types, to make it super-easy to divide longer topics into separate pages (one for each content type) if needed. And templates in general make it easy for whomever wants to contribute some documentation! The most common types are: * [**Combo**](https://docs.goauthentik.io/developer-docs/docs/templates/combo/) : For most topics (unless they are very large and complex), we can combine the procedural and conceptual information into a single document. A handy guideline to follow is: "If the actual 1., 2., 3. steps are buried at the bottom, and a reader has to scroll multiple times to find them, then the combo approach is _not_ the right one. Use separate topics.". * [**Procedural**](https://docs.goauthentik.io/developer-docs/docs/templates/procedural/) : these are How To docs, the HOW information, with step-by-step instructions for accomplishing a task. This is what most people are looking for when they open the docs... and best practice is to separate the procedural docs from long, lengthy conceptual or reference docs. * [**Conceptual**](https://docs.goauthentik.io/developer-docs/docs/templates/conceptual/) : these docs provide the WHY information, and explain when to use a feature (or when not to!), and general concepts behind the feature or functionality. * [**Reference**](https://docs.goauthentik.io/developer-docs/docs/templates/reference/) : this is typically tables or lists of reference information, such as configuration values, or functions, or most commonly APIs. ### Add a new integration[​](https://docs.goauthentik.io/developer-docs/docs/templates/#add-a-new-integration "Direct link to Add a new integration") To add documentation for a new integration (with support level Community or Vendor), please use the integration templates [`service.md`](https://github.com/goauthentik/authentik/blob/main/website/integrations/template/service.md) from our GitHub repo. You can download the template using the following command: wget https://raw.githubusercontent.com/goauthentik/authentik/main/website/integrations/template/service.md * [Add a new integration](https://docs.goauthentik.io/developer-docs/docs/templates/#add-a-new-integration) --- # Contributing to authentik | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/contributing/#__docusaurus_skipToContent_fallback) On this page 👍🎉 Thanks for taking the time to contribute! 🎉👍 The following is a set of guidelines for contributing to authentik and its components, which are hosted in the [goauthentik Organization](https://github.com/goauthentik) on GitHub. These are mostly guidelines, not rules. Use your best judgment, and feel free to propose changes to this document in a pull request. We appreciate contributions of code, documentation, enhancements, and bug fixes. Read more [below](https://docs.goauthentik.io/developer-docs/contributing/#how-can-i-contribute) about the many ways to contribute. Code of conduct[​](https://docs.goauthentik.io/developer-docs/contributing/#code-of-conduct "Direct link to Code of conduct") ------------------------------------------------------------------------------------------------------------------------------ We expect all contributors to act professionally and respectfully in all interactions. If there's something you dislike or think can be done better, tell us! We'd love to hear any suggestions for improvement. I don't want to read this whole thing I just have a question!!![​](https://docs.goauthentik.io/developer-docs/contributing/#i-dont-want-to-read-this-whole-thing-i-just-have-a-question "Direct link to I don't want to read this whole thing I just have a question!!!") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Either [create a question on GitHub](https://github.com/goauthentik/authentik/issues/new?assignees=&labels=question&template=question.md&title=) or join [the Discord server](https://goauthentik.io/discord?utm_source=developer-docs) . What should I know before I get started?[​](https://docs.goauthentik.io/developer-docs/contributing/#what-should-i-know-before-i-get-started "Direct link to What should I know before I get started?") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### The components[​](https://docs.goauthentik.io/developer-docs/contributing/#the-components "Direct link to The components") authentik consists of a few larger components: * _authentik_ — the actual application server, described below. * _outpost-proxy_ — a Go application based on a forked version of oauth2\_proxy, which does identity-aware reverse proxying. * _outpost-ldap_ — a Go LDAP server that uses the _authentik_ application server as its backend. * _outpost-radius_ — a Go RADIUS server that uses the _authentik_ application server as its backend. * _web_ — the web frontend, both for administrating and using authentik. It is written in TypeScript using lit-html and the PatternFly CSS library. * _website_ — the website/documentation, which uses Docusaurus. ### authentik's structure[​](https://docs.goauthentik.io/developer-docs/contributing/#authentiks-structure "Direct link to authentik's structure") authentik is at its very core a Django project. It consists of many individual Django applications. These applications are intended to separate concerns, and they may share code between each other. These are the current packages: authentik├── admin - Administrative tasks and APIs, no models (Version updates, Metrics, system tasks)├── api - General API Configuration (Routes, Schema and general API utilities)├── blueprints - Handle managed models and their state.├── core - Core authentik functionality, central routes, core Models├── crypto - Cryptography, currently used to generate and hold Certificates and Private Keys├── enterprise - Enterprise features, which are source available but not open source├── events - Event Log, middleware and signals to generate signals├── flows - Flows, the FlowPlanner and the FlowExecutor, used for all flows for authentication, authorization, etc├── lib - Generic library of functions, few dependencies on other packages.├── outposts - Configure and deploy outposts on Kubernetes and Docker.├── policies - General PolicyEngine│   ├── dummy - A Dummy policy used for testing│   ├── event_matcher - Match events based on different criteria│   ├── expiry - Check when a user's password was last set│   ├── expression - Execute any arbitrary python code│   ├── password - Check a password against several rules│   └── reputation - Check the user's/client's reputation├── providers│   ├── ldap - Provide LDAP access to authentik users/groups using an outpost│   ├── oauth2 - OIDC-compliant OAuth2 provider│   ├── proxy - Provides an identity-aware proxy using an outpost│   ├── radius - Provides a RADIUS server that authenticates using flows│   ├── saml - SAML2 provider│   └── scim - SCIM provider├── recovery - Generate keys to use in case you lock yourself out├── root - Root Django application, contains global settings and routes├── sources│   ├── kerberos - Sync Kerberos users into authentik│   ├── ldap - Sync LDAP users from OpenLDAP or Active Directory into authentik│   ├── oauth - OAuth1 and OAuth2 source│   ├── plex - Plex source│   ├── saml - SAML2 source│   └── telegram - Telegram source├── stages│   ├── authenticator_duo - Configure a DUO authenticator│   ├── authenticator_static - Configure TOTP backup keys│   ├── authenticator_totp - Configure a TOTP authenticator│   ├── authenticator_validate - Validate any authenticator│   ├── authenticator_webauthn - Configure a WebAuthn / Passkeys authenticator│   ├── captcha - Make the user pass a captcha│   ├── consent - Let the user decide if they want to consent to an action│   ├── deny - Static deny, can be used with policies│   ├── dummy - Dummy stage to test│   ├── email - Send the user an email and block execution until they click the link│   ├── identification - Identify a user with any combination of fields│   ├── invitation - Invitation system to limit flows to certain users│   ├── password - Password authentication│   ├── prompt - Arbitrary prompts│   ├── user_delete - Delete the currently pending user│   ├── user_login - Login the currently pending user│   ├── user_logout - Logout the currently pending user│   └── user_write - Write any currently pending data to the user.├── tasks - Background tasks└── tenants - Soft tenancy, configure defaults and branding per domain This Django project is running in gunicorn, which spawns multiple workers and threads. Gunicorn is run from a lightweight Go application that reverse-proxies the application and handles static files. There are also several background tasks that run in Dramatiq, via the `django-dramatiq-postgres` package, with some additional helpers in `authentik.tasks`. How can I contribute?[​](https://docs.goauthentik.io/developer-docs/contributing/#how-can-i-contribute "Direct link to How can I contribute?") ----------------------------------------------------------------------------------------------------------------------------------------------- ### Reporting bugs[​](https://docs.goauthentik.io/developer-docs/contributing/#reporting-bugs "Direct link to Reporting bugs") This section guides you through submitting a bug report for authentik. Following these guidelines helps maintainers and the community understand your report, reproduce the behavior, and find related reports. Whenever authentik encounters an error, it will be logged as an Event with the type `system_exception`. This event type has a button to directly open a pre-filled GitHub issue form. This form will have the full stack trace of the error that occurred and shouldn't contain any sensitive data. ### Suggesting enhancements[​](https://docs.goauthentik.io/developer-docs/contributing/#suggesting-enhancements "Direct link to Suggesting enhancements") This section guides you through submitting an enhancement suggestion for authentik, including completely new features and minor improvements to existing functionality. Following these guidelines helps maintainers and the community understand your suggestion and find related suggestions. When you are creating an enhancement suggestion, please fill in [the template](https://github.com/goauthentik/authentik/issues/new?assignees=&labels=enhancement&template=feature_request.md&title=) , including the steps that you imagine you would take if the feature you're requesting existed. ### Your first code contribution[​](https://docs.goauthentik.io/developer-docs/contributing/#your-first-code-contribution "Direct link to Your first code contribution") #### Local development[​](https://docs.goauthentik.io/developer-docs/contributing/#local-development "Direct link to Local development") authentik can be run locally, although depending on which part you want to work on, different prerequisites are required. This is documented in the [developer docs](https://docs.goauthentik.io/developer-docs/setup/frontend-dev-environment/) . ### Help with the docs[​](https://docs.goauthentik.io/developer-docs/contributing/#help-with-the-docs "Direct link to Help with the docs") Contributions to the technical documentation are greatly appreciated. Open a PR if you have improvements to make or new content to add. If you have questions or suggestions about the documentation, open an Issue. No contribution is too small. Please be sure to refer to our [Style Guide](https://docs.goauthentik.io/developer-docs/docs/style-guide/) for the docs, and use a [template](https://docs.goauthentik.io/developer-docs/docs/templates/) to make it easier for you. The style guidelines are also used for any Integrations documentation, and we have a template for Integrations as well, in our [Github repo](https://github.com/goauthentik/authentik) at `/website/integrations/template/service.md`. ### Pull requests[​](https://docs.goauthentik.io/developer-docs/contributing/#pull-requests "Direct link to Pull requests") The process described here has several goals: * Maintain authentik's quality * Fix problems that are important to users * Engage the community in working toward the best possible authentik * Enable a sustainable system for authentik's maintainers to review contributions Please follow these steps to have your contribution considered by the maintainers: 1. Follow the [style guides](https://docs.goauthentik.io/developer-docs/contributing/#style-guides) 2. After you submit your pull request, verify that all [status checks](https://help.github.com/articles/about-status-checks/) are passing What if the status checks are failing?If a status check is failing, and you believe that the failure is unrelated to your change, please leave a comment on the pull request explaining why you believe the failure is unrelated. A maintainer will re-run the status check for you. If we conclude that the failure was a false positive, then we will open an issue to track that problem with our status check suite. 3. Ensure your code has tests. While it is not always possible to test every single case, the majority of the code should be tested. While the prerequisites above must be satisfied prior to having your pull request reviewed, the reviewer(s) may ask you to complete additional design work, tests, or other changes before your pull request can be ultimately accepted. Style guides[​](https://docs.goauthentik.io/developer-docs/contributing/#style-guides "Direct link to Style guides") --------------------------------------------------------------------------------------------------------------------- ### PR naming[​](https://docs.goauthentik.io/developer-docs/contributing/#pr-naming "Direct link to PR naming") * Use the format of `: ` * See [here](https://docs.goauthentik.io/developer-docs/contributing/#authentiks-structure) for `package` * Examples: `providers/saml2: fix parsing of requests` `website/docs: add config info for GWS` ### Git commit messages[​](https://docs.goauthentik.io/developer-docs/contributing/#git-commit-messages "Direct link to Git commit messages") * Use the format of `: ` * See [here](https://docs.goauthentik.io/developer-docs/contributing/#authentiks-structure) for `package` * Example: `providers/saml2: fix parsing of requests` * Reference issues and pull requests liberally after the first line * Naming of commits within a PR does not need to adhere to the guidelines as we squash merge PRs ### Python Style Guide[​](https://docs.goauthentik.io/developer-docs/contributing/#python-style-guide "Direct link to Python Style Guide") All Python code is linted with [black](https://black.readthedocs.io/en/stable/) and [Ruff](https://docs.astral.sh/ruff) . authentik runs on Python 3.13 at the time of writing this. * Use native type-annotations wherever possible. * Add meaningful docstrings when possible. * Ensure any database migrations work properly from the last stable version (this is checked via CI) * If your code changes central functions, make sure nothing else is broken. ### Documentation Style Guide[​](https://docs.goauthentik.io/developer-docs/contributing/#documentation-style-guide "Direct link to Documentation Style Guide") Refer to the full [Style Guide](https://docs.goauthentik.io/developer-docs/docs/style-guide/) for details, but here are some important highlights: * Our product name is authentik, with a lower-case "a" and a "k" on the end. Our company name is Authentik Security. * We use sentence style case in our titles and headings. * We use **bold** text to name UI components, and _italic_ text for variables. * Use [MDX](https://mdxjs.com/) whenever appropriate. MDX, which uses React components, is useful for creating tabs, action buttons, and advanced content formatting. * [Code of conduct](https://docs.goauthentik.io/developer-docs/contributing/#code-of-conduct) * [I don't want to read this whole thing I just have a question!!!](https://docs.goauthentik.io/developer-docs/contributing/#i-dont-want-to-read-this-whole-thing-i-just-have-a-question) * [What should I know before I get started?](https://docs.goauthentik.io/developer-docs/contributing/#what-should-i-know-before-i-get-started) * [The components](https://docs.goauthentik.io/developer-docs/contributing/#the-components) * [authentik's structure](https://docs.goauthentik.io/developer-docs/contributing/#authentiks-structure) * [How can I contribute?](https://docs.goauthentik.io/developer-docs/contributing/#how-can-i-contribute) * [Reporting bugs](https://docs.goauthentik.io/developer-docs/contributing/#reporting-bugs) * [Suggesting enhancements](https://docs.goauthentik.io/developer-docs/contributing/#suggesting-enhancements) * [Your first code contribution](https://docs.goauthentik.io/developer-docs/contributing/#your-first-code-contribution) * [Help with the docs](https://docs.goauthentik.io/developer-docs/contributing/#help-with-the-docs) * [Pull requests](https://docs.goauthentik.io/developer-docs/contributing/#pull-requests) * [Style guides](https://docs.goauthentik.io/developer-docs/contributing/#style-guides) * [PR naming](https://docs.goauthentik.io/developer-docs/contributing/#pr-naming) * [Git commit messages](https://docs.goauthentik.io/developer-docs/contributing/#git-commit-messages) * [Python Style Guide](https://docs.goauthentik.io/developer-docs/contributing/#python-style-guide) * [Documentation Style Guide](https://docs.goauthentik.io/developer-docs/contributing/#documentation-style-guide) --- # Combination topic (most common) | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/docs/templates/combo/#__docusaurus_skipToContent_fallback) On this page How to use this template Start with the markdown version of the template, either by copying the [`combo.tmpl.md`](https://github.com/goauthentik/authentik/tree/main/website/docs/developer-docs/docs/templates) file from our GitHub repo or downloading the template file using the following command: wget https://raw.githubusercontent.com/goauthentik/authentik/main/website/docs/developer-docs/docs/templates/combo.tmpl.md Edit your markdown file as you work, reading this page for the descriptions of each section. You can build out a "stub file" with just headers, then gradually add content to each section. Use screenshots sparingly, only for complex UIs where it is difficult to describe a UI element with words. Refer to our [Style Guide](https://docs.goauthentik.io/developer-docs/docs/style-guide/) for writing tips and authentik-specific rules. For a combo topic, the title is typically the name of the feature ("Branding" or "Remote Access Control"). In this first section, right after the title but with no header, write one or two sentences about the task. Keep it brief, just an overview. About feature XYZ[​](https://docs.goauthentik.io/developer-docs/docs/templates/combo/#about-feature-xyz "Direct link to About feature XYZ") -------------------------------------------------------------------------------------------------------------------------------------------- In this section, go into a deeper explanation of the feature, provide typical use cases, etc. ### More info about the feature, a sub-category of info[​](https://docs.goauthentik.io/developer-docs/docs/templates/combo/#more-info-about-the-feature-a-sub-category-of-info "Direct link to More info about the feature, a sub-category of info") Use this section if there are several big topics or categories of info that the reader needs to know about the feature or task. Add as many of these sections as needed. Prerequisites (optional section)[​](https://docs.goauthentik.io/developer-docs/docs/templates/combo/#prerequisites-optional-section "Direct link to Prerequisites (optional section)") --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- In this section, inform the reader of anything they need to do, or have configured or installed, before they start following the procedural instructions below. Overview of steps/workflow (optional section)[​](https://docs.goauthentik.io/developer-docs/docs/templates/combo/#overview-of-stepsworkflow-optional-section "Direct link to Overview of steps/workflow (optional section)") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- If the task is quite long or complex, it might be good to add a bullet list of the main steps, or even a diagram of the workflow, just so that the reader can first familiarize themselves with the 50,000 meter view before they dive into the detailed steps. First several group steps[​](https://docs.goauthentik.io/developer-docs/docs/templates/combo/#first-several-group-steps "Direct link to First several group steps") -------------------------------------------------------------------------------------------------------------------------------------------------------------------- If the task involves a lot of steps, try to group them into similar steps and have a Head3 or Head4 title for each group. In this section, help the reader get oriented... where do they need to be (i.e. in the GUI, on a CLI, etc). Have a separate paragraph for each step. _Start instructions with the desired goal_, followed by the instructions. For example, in this sentence: "To define a new port number, navigate to the Admin interface, and then to the **Settings** tab." we first read the goal (to define a new port) and then we see the instructions. Next step of grouped steps (if a second group is needed)[​](https://docs.goauthentik.io/developer-docs/docs/templates/combo/#next-step-of-grouped-steps-if-a-second-group-is-needed "Direct link to Next step of grouped steps (if a second group is needed)") --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Continue with the steps... Use screenshots sparingly, only for complex UIs where it is difficult to describe a UI element with words. Provide as many code snippets and examples as needed. Verify the steps[​](https://docs.goauthentik.io/developer-docs/docs/templates/combo/#verify-the-steps "Direct link to Verify the steps") ----------------------------------------------------------------------------------------------------------------------------------------- Use a heading such as "Verify your installation" or "Verify successful configuration". Whenever possible, it is useful to add verification steps at the end of a procedural topic. For example, if the procedural was about installing a product, use this section to tell them how they can verify that the install was successful. * [About feature XYZ](https://docs.goauthentik.io/developer-docs/docs/templates/combo/#about-feature-xyz) * [More info about the feature, a sub-category of info](https://docs.goauthentik.io/developer-docs/docs/templates/combo/#more-info-about-the-feature-a-sub-category-of-info) * [Prerequisites (optional section)](https://docs.goauthentik.io/developer-docs/docs/templates/combo/#prerequisites-optional-section) * [Overview of steps/workflow (optional section)](https://docs.goauthentik.io/developer-docs/docs/templates/combo/#overview-of-stepsworkflow-optional-section) * [First several group steps](https://docs.goauthentik.io/developer-docs/docs/templates/combo/#first-several-group-steps) * [Next step of grouped steps (if a second group is needed)](https://docs.goauthentik.io/developer-docs/docs/templates/combo/#next-step-of-grouped-steps-if-a-second-group-is-needed) * [Verify the steps](https://docs.goauthentik.io/developer-docs/docs/templates/combo/#verify-the-steps) --- # Conceptual topic | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/docs/templates/conceptual/#__docusaurus_skipToContent_fallback) On this page How to use this template Start with the markdown version of the template, either by copying the [`conceptual.tmpl.md`](https://github.com/goauthentik/authentik/tree/main/website/docs/developer-docs/docs/templates) file from our GitHub repo or downloading the template file using the following command: wget https://raw.githubusercontent.com/goauthentik/authentik/main/website/docs/developer-docs/docs/templates/conceptual.tmpl.md Edit your markdown file as you work, reading this page for the descriptions of each section. You can build out a "stub file" with just headers, then gradually add content to each section. Use screenshots sparingly, only for complex UIs where it is difficult to describe a UI element with words. Refer to our [Style Guide](https://docs.goauthentik.io/developer-docs/docs/style-guide/) for writing tips and authentik-specific rules. Use a title that focuses on the feature, component, or technology you are writing about... for example, "About authentik polices" or "Understanding outposts". For conceptual docs, the verb in the title should indicate a concept, such as "About" or "Overview" or "Understanding", followed by the noun (the component or object you are writing about). In this first section, immediately after the title, write one or two sentences about the feature, component, or technology. The following sections can help break up the content. Common use cases (optional section)[​](https://docs.goauthentik.io/developer-docs/docs/templates/conceptual/#common-use-cases-optional-section "Direct link to Common use cases (optional section)") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- In this optional section, provide some example use cases for the feature. Who would use it, WHY? If you mention HOW to use the feature, be sure to link off to the related procedural doc. Also share situations where users might NOT want to use the feature; for example, if the feature is intended for a specific environment. Overview of feature/component[​](https://docs.goauthentik.io/developer-docs/docs/templates/conceptual/#overview-of-featurecomponent "Direct link to Overview of feature/component") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Dive deeper into explaining the concepts behind the feature/component. Write about the feature/functionality from the user's perspective. What is this feature used for, why should they use it, are there situations where they should **_not_** use it? > Pro Tip: If you were writing the related procedural topic, and you found that you had a lot to say about the topic, this is exactly where that info would go (not crowded up at the top of the procedural topic!). Cover anything the user needs to know about the feature. If there are Reference docs or a related procedural doc for this feature or component, be sure to link to them from this page. Important considerations[​](https://docs.goauthentik.io/developer-docs/docs/templates/conceptual/#important-considerations "Direct link to Important considerations") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- List anything that might be critical for user to know, such as situations where this feature might not be ideal, or pre-configs that need to be set, etc. * [Common use cases (optional section)](https://docs.goauthentik.io/developer-docs/docs/templates/conceptual/#common-use-cases-optional-section) * [Overview of feature/component](https://docs.goauthentik.io/developer-docs/docs/templates/conceptual/#overview-of-featurecomponent) * [Important considerations](https://docs.goauthentik.io/developer-docs/docs/templates/conceptual/#important-considerations) --- # Welcome to authentik Enterprise | authentik [Skip to main content](https://docs.goauthentik.io/enterprise/#__docusaurus_skipToContent_fallback) The Enterprise release of authentik provides all of the functionality that we have spent years building in our open source product, with a full support plan and an expanded feature set. Refer to our Enterprise documentation for information about creating and managing your organization, purchasing and activating a license, support, and managing billing and organization members. * [Get started with Enterprise](https://docs.goauthentik.io/enterprise/get-started/) * [Manage your Enterprise account](https://docs.goauthentik.io/enterprise/manage-enterprise/) * [Support for Enterprise accounts](https://docs.goauthentik.io/enterprise/entsupport/) Our standard technical documentation covers how to configure, customize, and use authentik, whether the open source version that we have built our reputation on or our Enterprise version with dedicated support. --- # Support | authentik [Skip to main content](https://docs.goauthentik.io/enterprise/entsupport/#__docusaurus_skipToContent_fallback) On this page Enterprise authentik provides expert support, with a Support center where you can open a request and view the progress and communications for your current requests. info Only licensed instances of authentik can access the Support center. ### Managing tickets and requests[​](https://docs.goauthentik.io/enterprise/entsupport/#managing-tickets-and-requests "Direct link to Managing tickets and requests") To access the Support center, where you can open a request and view current requests, go to the Customer Portal and then click **Support** in the top menu. You can also bookmark the direct link to your Requests page, using the following URL: > [https://customers.goauthentik.io/l/support](https://customers.goauthentik.io/l/support) You can also always reach out to us via email, using [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#1d75787171725d7a727c6869757873697476337472) email address. ### Product version support[​](https://docs.goauthentik.io/enterprise/entsupport/#product-version-support "Direct link to Product version support") We [support](https://docs.goauthentik.io/security/policy/#supported-versions) the current, released version of authentik and one version back (including all major, minor, and patch versions). * [Managing tickets and requests](https://docs.goauthentik.io/enterprise/entsupport/#managing-tickets-and-requests) * [Product version support](https://docs.goauthentik.io/enterprise/entsupport/#product-version-support) --- # Development environment | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/setup/#__docusaurus_skipToContent_fallback) Pick the setup that fits your workflow: full stack, frontend-only, or just the docs and grab some debugging tips along the way. [📄️ Full development\ --------------------\ \ Prerequisites](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/) [📄️ Frontend development\ ------------------------\ \ If you're focusing solely on frontend development, you can create a minimal development environment using Docker and Node.js. This setup allows you to make and preview changes to the frontend in real-time, without needing to interact with the backend.](https://docs.goauthentik.io/developer-docs/setup/frontend-dev-environment/) [📄️ Debugging authentik\ -----------------------\ \ This page describes how to debug different components of an authentik instance, running either in production or in a development setup. To learn more about the structure of authentik, refer to our architecture documentation.](https://docs.goauthentik.io/developer-docs/setup/debugging/) --- # Translations | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/translation/#__docusaurus_skipToContent_fallback) On this page Translation in authentik is done in two places. Most of the text is defined in the frontend in `web/`, and a subset of messages is defined in the backend. The frontend uses [@lit/localize](https://lit.dev/docs/localization/overview/) , and the backend uses the built-in django translation tools. info Please review the [Writing documentation](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/) guidelines as they apply to documentation too. Online translation[​](https://docs.goauthentik.io/developer-docs/translation/#online-translation "Direct link to Online translation") -------------------------------------------------------------------------------------------------------------------------------------- To simplify translation you can use [https://www.transifex.com/authentik/authentik](https://www.transifex.com/authentik/authentik) , which has no local requirements. Local translation[​](https://docs.goauthentik.io/developer-docs/translation/#local-translation "Direct link to Local translation") ----------------------------------------------------------------------------------------------------------------------------------- ### Prerequisites[​](https://docs.goauthentik.io/developer-docs/translation/#prerequisites "Direct link to Prerequisites") * Node (any recent version should work, we use 16.x to build) * Make (again, any recent version should work) * Docker ### Frontend[​](https://docs.goauthentik.io/developer-docs/translation/#frontend "Direct link to Frontend") Run `npm i` in the `/web` folder to install all dependencies. Ensure the language code is in the `lit-localize.json` file in `web/`: // [...] "targetLocales": [ "en", "pseudo-LOCALE", "a-new-locale" // [...] ], // [...] Afterwards, run `make web-i18n-extract` to generate a base .xlf file. The .xlf files can be edited by any text editor, or using a tool such as [POEdit](https://poedit.net/) . To see the change, run `make web-watch` in the root directory of the repository. ### Backend[​](https://docs.goauthentik.io/developer-docs/translation/#backend "Direct link to Backend") Backend translations are handled by `core-i18n-extract`. Use Django's translation utility to declare the string, e.g.: from django.utils.translation import gettext as __("New text to be translated.") Afterwards, run `make core-i18n-extract` to generate the updated translation files. * [Online translation](https://docs.goauthentik.io/developer-docs/translation/#online-translation) * [Local translation](https://docs.goauthentik.io/developer-docs/translation/#local-translation) * [Prerequisites](https://docs.goauthentik.io/developer-docs/translation/#prerequisites) * [Frontend](https://docs.goauthentik.io/developer-docs/translation/#frontend) * [Backend](https://docs.goauthentik.io/developer-docs/translation/#backend) --- # Procedural topic | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/docs/templates/procedural/#__docusaurus_skipToContent_fallback) On this page How to use this template Start with the markdown version of the template, either by copying the [`procedural.tmpl.md`](https://github.com/goauthentik/authentik/tree/main/website/docs/developer-docs/docs/templates) file from our GitHub repo or downloading the template file using the following command: wget https://raw.githubusercontent.com/goauthentik/authentik/main/website/docs/developer-docs/docs/templates/procedural.tmpl.md Edit your markdown file as you work, reading this page for the descriptions of each section. You can build out a "stub file" with just headers, then gradually add content to each section. Use screenshots sparingly, only for complex UIs where it is difficult to describe a UI element with words. Refer to our [Style Guide](https://docs.goauthentik.io/developer-docs/docs/style-guide/) for writing tips and authentik-specific rules. For a procedural topic, use a title that focuses on the task you are writing about. For example, "Add a new Group" or "Edit user profiles". For procedural docs, there should be a verb in the title, and usually the noun (the component or object you are working on). For the title (and all headings) use the infinitive form of the verb (i.e. "add") not the gerund form (i.e. "adding"). In this first section, right after the title, write one or two sentences about the task. Keep it brief; if it goes on too long, then create a separate conceptual topic, in a separate `.md` file. We don't want readers to have to scroll through paragraphs of conceptual info before they get to Step 1. Prerequisites (optional section)[​](https://docs.goauthentik.io/developer-docs/docs/templates/procedural/#prerequisites-optional-section "Direct link to Prerequisites (optional section)") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- In this section, inform the reader of anything they need to do, or have configured or installed, before they start following the procedural instructions below. Overview of steps/workflow (optional section)[​](https://docs.goauthentik.io/developer-docs/docs/templates/procedural/#overview-of-stepsworkflow-optional-section "Direct link to Overview of steps/workflow (optional section)") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- If the task is quite long or complex, it might be good to add a bullet list of the main steps, or even a diagram of the workflow, just so that the reader can first familiarize themselves with the 50,000 meter view before they dive into the detailed steps. First several group steps[​](https://docs.goauthentik.io/developer-docs/docs/templates/procedural/#first-several-group-steps "Direct link to First several group steps") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- If the task involves a lot of steps, try to group them into similar steps and have a Head3 or Head4 title for each group. In this section, help the reader get oriented... where do they need to be (i.e. in the GUI, on a CLI, etc). Have a separate paragraph for each step. Start instructions with the desired goal, followed by the instructions. For example, in this sentence we first read the goal (to define a new port) and then we see the instructions: "To define a new port number, navigate to the Admin interface, and then to the **Settings** tab." Next step of grouped steps (if a second group is needed)[​](https://docs.goauthentik.io/developer-docs/docs/templates/procedural/#next-step-of-grouped-steps-if-a-second-group-is-needed "Direct link to Next step of grouped steps (if a second group is needed)") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Continue with the steps... Use screenshots sparingly, only for complex UIs where it is difficult to describe a UI element with words. Provide as many code snippets and examples as needed. Verify the steps[​](https://docs.goauthentik.io/developer-docs/docs/templates/procedural/#verify-the-steps "Direct link to Verify the steps") ---------------------------------------------------------------------------------------------------------------------------------------------- Use a heading such as "Verify your installation" or "Verify successful configuration". Whenever possible, it is useful to add verification steps at the end of a procedural topic. For example, if the procedural was about installing a product, use this section to tell them how they can verify that the install was successful. * [Prerequisites (optional section)](https://docs.goauthentik.io/developer-docs/docs/templates/procedural/#prerequisites-optional-section) * [Overview of steps/workflow (optional section)](https://docs.goauthentik.io/developer-docs/docs/templates/procedural/#overview-of-stepsworkflow-optional-section) * [First several group steps](https://docs.goauthentik.io/developer-docs/docs/templates/procedural/#first-several-group-steps) * [Next step of grouped steps (if a second group is needed)](https://docs.goauthentik.io/developer-docs/docs/templates/procedural/#next-step-of-grouped-steps-if-a-second-group-is-needed) * [Verify the steps](https://docs.goauthentik.io/developer-docs/docs/templates/procedural/#verify-the-steps) --- # Reference topic | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/docs/templates/reference/#__docusaurus_skipToContent_fallback) On this page How to use this template Start with the markdown version of the template, either by copying the [`reference.tmpl.md`](https://github.com/goauthentik/authentik/tree/main/website/docs/developer-docs/docs/templates) file from our GitHub repo or downloading the template file using the following command: wget https://raw.githubusercontent.com/goauthentik/authentik/main/website/docs/developer-docs/docs/templates/reference.tmpl.md Edit your markdown file as you work, reading this page for the descriptions of each section. You can build out a "stub file" with just headers, then gradually add content to each section. Use screenshots sparingly, only for complex UIs where it is difficult to describe a UI element with words. Refer to our [Style Guide](https://docs.goauthentik.io/developer-docs/docs/style-guide/) for writing tips and authentik-specific rules. Create a title that specifies the component you are documenting. For example, "Group attributes". Provide a sentence or two about the topic. Reference documentation provides details, values, syntax, etc., about specific programming elements. The most common type of reference documentation is for REST APIs; the request syntax, a successful response, any parameters such as query, header, or request body parameters, and possible http status codes. Other types of reference content include lists of functions, parameters, object properties, event actions, and attributes. Head 2[​](https://docs.goauthentik.io/developer-docs/docs/templates/reference/#head-2 "Direct link to Head 2") --------------------------------------------------------------------------------------------------------------- Use a title that is descriptive, such as "User object attributes" or "Expression policy functions". Use tables, bullet lists, Head3s... whatever you need to clearly present the values. Be sure to use a sentence after every heading, to explain what the section is about, how the values are used, etc. ### Head 3 (optional, if needed)[​](https://docs.goauthentik.io/developer-docs/docs/templates/reference/#head-3-optional-if-needed "Direct link to Head 3 (optional, if needed)") Add a sentence explaining the following grouping. ### Head 3 (optional, if needed)[​](https://docs.goauthentik.io/developer-docs/docs/templates/reference/#head-3-optional-if-needed-1 "Direct link to Head 3 (optional, if needed)") Add a sentence explaining the following grouping. * [Head 2](https://docs.goauthentik.io/developer-docs/docs/templates/reference/#head-2) * [Head 3 (optional, if needed)](https://docs.goauthentik.io/developer-docs/docs/templates/reference/#head-3-optional-if-needed) * [Head 3 (optional, if needed)](https://docs.goauthentik.io/developer-docs/docs/templates/reference/#head-3-optional-if-needed-1) --- # Releasing authentik | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/releases/#__docusaurus_skipToContent_fallback) On this page ### Creating a standard release[​](https://docs.goauthentik.io/developer-docs/releases/#creating-a-standard-release "Direct link to Creating a standard release") * Ensure a branch exists for the version family (for 2022.12.2 the branch would be `version-2022.12`) * Merge all the commits that should be released on the version branch If backporting commits to a non-current version branch, cherry-pick the commits. * Check if any of the changes merged to the branch make changes to the API schema, and if so update the package `@goauthentik/api` in `/web` * Push the branch, which will run the CI pipeline to make sure all tests pass * Create the version subdomain for the version branch ([see](https://github.com/goauthentik/terraform/commit/87792678ed525711be9c8c15dd4b931077dbaac2) ) and add the subdomain in Netlify ([here](https://app.netlify.com/sites/authentik/settings/domain) ) * Create/update the release notes #### For initial releases:[​](https://docs.goauthentik.io/developer-docs/releases/#for-initial-releases "Direct link to For initial releases:") * Copy `website/docs/releases/_template.md` to `website/docs/releases/v2022.12.md` and replace `xxxx.x` with the version that is being released * Fill in the section of `Breaking changes` and `New features`, or remove the headers if there's nothing applicable * Run `git log --pretty=format:'- %s' version/2022.11.3...version-2022.12`, where `version/2022.11.3` is the tag of the previous stable release. This will output a list of all commits since the previous release. * Paste the list of commits since the previous release under the `Minor changes/fixes` section. Run `make gen-changelog` and use the contents of `changelog.md`. Remove merged PRs from bumped dependencies unless they fix security issues or are otherwise notable. Remove merged PRs with the `website/` prefix. * Sort the list of commits alphabetically and remove all commits that have little importance, like dependency updates and linting fixes * Run `make gen-diff` and copy the contents of `diff.md` under `API Changes` * Update `website/sidebars.js` to include the new release notes, and move the oldest release into the `Previous versions` category. If the release notes are created in advance without a fixed date for the release, only add them to the sidebar once the release is published. * Run `make docs` #### For subsequent releases:[​](https://docs.goauthentik.io/developer-docs/releases/#for-subsequent-releases "Direct link to For subsequent releases:") * Paste the list of commits since the previous release into `website/docs/releases/v2022.12.md`, creating a new section called `## Fixed in 2022.12.2` underneath the `Minor changes/fixes` section * Run `make gen-changelog` and use the contents of `changelog.md`. Remove merged PRs from bumped dependencies unless they fix security issues or are otherwise notable. Remove merged PRs with the `website/` prefix. * Run `make gen-diff` and copy the contents of `diff.md` under `API Changes`, replacing the previous changes * Run `make docs` * Run `bumpversion` on the version branch with the new version (i.e. `bumpversion --new-version 2022.12.2 minor --verbose`) * Push the tag and commit * A GitHub actions workflow will start to run a last test in container images and create a draft release on GitHub * Edit the draft GitHub release * Make sure the title is formatted `Release 2022.12.0` * Add the following to the release notes See https://docs.goauthentik.io/releases/2022.12 Or if creating a subsequent release See https://docs.goauthentik.io/releases/2022.12#fixed-in-2022121 * Auto-generate the full release notes using the GitHub _Generate Release Notes_ feature ### Preparing a security release[​](https://docs.goauthentik.io/developer-docs/releases/#preparing-a-security-release "Direct link to Preparing a security release") * Create a draft GitHub Security advisory Template ### SummaryShort summary of the issue### Patchesauthentik x, y and z fix this issue, for other versions the workaround below can be used.### ImpactDescribe the impact that this issue has### DetailsFurther explain how the issue works### WorkaroundsDescribe a workaround if possible### For more informationIf you have any questions or comments about this advisory:- Email us at [[email protected]](mailto:[email protected]). * Request a CVE via the draft advisory * If possible, add the original reporter in the advisory * Implement a fix on a local branch `security/CVE-...` The fix must include unit tests to ensure the issue can't happen again in the future Update the release notes as specified above, making sure to address the CVE being fixed Create a new file `/website/docs/security/CVE-....md` with the same structure as the GitHub advisory Include the new file in the `/website/sidebars.js` Push the branch to [https://github.com/goauthentik/authentik-internal](https://github.com/goauthentik/authentik-internal) for CI to run and for reviews An image with the fix is built under `ghcr.io/goauthentik/internal-server` which can be made accessible to the reporter for testing * Check with the original reporter that the fix works as intended * Wait for GitHub to assign a CVE * Announce the release of the vulnerability via Mailing list and discord Mailing list template Subject: `Notice of upcoming authentik Security releases 2022.10.3 and 2022.11.3` We'll be publishing a security Issue (CVE-2022-xxxxx) and accompanying fix on _date_, 13:00 UTC with the Severity level High. Fixed versions x, y and z will be released alongside a workaround for previous versions. For more info, see the authentik Security policy here: https://docs.goauthentik.io/security/policy. Discord template @everyone We'll be publishing a security Issue (CVE-2022-xxxxx) and accompanying fix on _date_, 13:00 UTC with the Severity level High. Fixed versions x, y and z will be released alongside a workaround for previous versions. For more info, see the authentik Security policy here: https://docs.goauthentik.io/security/policy. ### Creating a security release[​](https://docs.goauthentik.io/developer-docs/releases/#creating-a-security-release "Direct link to Creating a security release") * On the date specified in the announcement, retag the image from `authentik-internal` to the main image: docker buildx imagetools create -t ghcr.io/goauthentik/server:xxxx.x ghcr.io/goauthentik/internal-server:gh-cve-2022-xxxdocker buildx imagetools create -t ghcr.io/goauthentik/server:xxxx.x.x ghcr.io/goauthentik/internal-server:gh-cve-2022-xxx Where xxxx.x is the version family and xxxx.x.x is the full version. This will make the fixed container image available instantly, while the full release is running on the main repository. * Push the local `security/CVE-2022-xxxxx` branch into a PR, and squash merge it if the pipeline passes * If the fix made any changes to the API schema, merge the PR to update the web API client * Cherry-pick the merge commit onto the version branch * If the fix made any changes to the API schema, manually install the latest version of the API client in `/web` * Resume the instructions above, starting with the `bumpversion` step * After the release has been published, update the Discord announcement and send another mail to the mailing list to point to the new releases Mailing list template Subject: `Release of authentik Security releases 2022.10.3 and 2022.11.3` The security advisory for CVE-2022-xxxxx has been published: https://github.com/goauthentik/authentik/security/advisories/GHSA-mjfw-54m5-fvjfReleases 2022.10.3 and 2022.11.3 with fixes included are available here: https://github.com/goauthentik/authentik/releases Discord template [...existing announcement...]Edit:Advisory for for CVE-2022-xxxxx has been published here https://github.com/goauthentik/authentik/security/advisories/GHSA-mjfw-54m5-fvjfThe fixed versions 2022.10.3 and 2022.11.3 are available here: https://github.com/goauthentik/authentik/releases * [Creating a standard release](https://docs.goauthentik.io/developer-docs/releases/#creating-a-standard-release) * [Preparing a security release](https://docs.goauthentik.io/developer-docs/releases/#preparing-a-security-release) * [Creating a security release](https://docs.goauthentik.io/developer-docs/releases/#creating-a-security-release) --- # Expression Policies | authentik [Skip to main content](https://docs.goauthentik.io/customize/policies/expression/#__docusaurus_skipToContent_fallback) On this page Expression policies are perhaps the most flexible way to define specific implementations of flows and stages. When you [create](https://docs.goauthentik.io/customize/policies/working_with_policies/#create-a-policy) an expression policy, you provide your own custom Python code to enforce custom checks and validation. The passing of the policy is determined by the return value of the code: `True` or `False`. To pass a policy, use: return True To fail a policy use: return False **Example**: Here's a simple policy that you could bind to a MFA validation stage if you want to specify that only certain users should be prompted for MFA validation: if request.context["pending_user"].username == "marie": return Truereturn False When the policy returns `True`, the MFA validation stage is enforced. When it returns `False`, the MFA validation stage is skipped. Sample expression policies[​](https://docs.goauthentik.io/customize/policies/expression/#sample-expression-policies "Direct link to Sample expression policies") ----------------------------------------------------------------------------------------------------------------------------------------------------------------- Expressions policies with sample Python that we have documented: * [Source-switching based on email address](https://docs.goauthentik.io/customize/policies/expression/source_switch/) * [Managing flow context keys](https://docs.goauthentik.io/customize/policies/expression/managing_flow_context_keys/) * [Unique email addresses](https://docs.goauthentik.io/customize/policies/expression/unique_email/) * [Create an email address allow list](https://docs.goauthentik.io/customize/policies/expression/whitelist_email/) Available functions[​](https://docs.goauthentik.io/customize/policies/expression/#available-functions "Direct link to Available functions") -------------------------------------------------------------------------------------------------------------------------------------------- ### `ak_message(message: str)`[​](https://docs.goauthentik.io/customize/policies/expression/#ak_messagemessage-str "Direct link to ak_messagemessage-str") Add a message, visible by the end user. This can be used to show the reason why they were denied. Example: ak_message("Access denied")return False ### `regex_match(value: Any, regex: str) -> bool`[​](https://docs.goauthentik.io/customize/policies/expression/#regex_matchvalue-any-regex-str---bool "Direct link to regex_matchvalue-any-regex-str---bool") Check if `value` matches Regular Expression `regex`. Example: return regex_match(request.user.username, '.*admin.*') ### `regex_replace(value: Any, regex: str, repl: str) -> str`[​](https://docs.goauthentik.io/customize/policies/expression/#regex_replacevalue-any-regex-str-repl-str---str "Direct link to regex_replacevalue-any-regex-str-repl-str---str") Replace anything matching `regex` within `value` with `repl` and return it. Example: user_email_local = regex_replace(request.user.email, '(.+)@.+', '') ### `list_flatten(value: list[Any] | Any) -> Optional[Any]`[​](https://docs.goauthentik.io/customize/policies/expression/#list_flattenvalue-listany--any---optionalany "Direct link to list_flattenvalue-listany--any---optionalany") Flatten a list by either returning its first element, None if the list is empty, or the passed in object if its not a list. Example: user = list_flatten(["foo"])# user = "foo" ### `ak_call_policy(name: str, **kwargs) -> PolicyResult`[​](https://docs.goauthentik.io/customize/policies/expression/#ak_call_policyname-str-kwargs---policyresult "Direct link to ak_call_policyname-str-kwargs---policyresult") Call another policy with the name _name_. Current request is passed to policy. Key-word arguments can be used to modify the request's context. Example: result = ak_call_policy("test-policy")# result is a PolicyResult object, so you can access `.passing` and `.messages`.# Starting with authentik 2023.4 you can also access `.raw_result`, which is the raw value returned from the called policy# `result.passing` will always be a boolean if the policy is passing or not.return result.passingresult = ak_call_policy("test-policy-2", foo="bar")# Inside the `test-policy-2` you can then use `request.context["foo"]`return result.passing ### `ak_is_group_member(user: User, **group_filters) -> bool`[​](https://docs.goauthentik.io/customize/policies/expression/#ak_is_group_memberuser-user-group_filters---bool "Direct link to ak_is_group_memberuser-user-group_filters---bool") Check if `user` is member of a group matching `**group_filters`. Example: return ak_is_group_member(request.user, name="test_group") ### `ak_user_by(**filters) -> Optional[User]`[​](https://docs.goauthentik.io/customize/policies/expression/#ak_user_byfilters---optionaluser "Direct link to ak_user_byfilters---optionaluser") Fetch a user matching `**filters`. Returns "None" if no user was found, otherwise returns the [User](https://docs.goauthentik.io/users-sources/user/) object. Example: # Find user by usernameother_user = ak_user_by(username="other_user")# Find user by custom attributeother_user = ak_user_by(attributes__="") ### `ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool`[​](https://docs.goauthentik.io/customize/policies/expression/#ak_user_has_authenticatoruser-user-device_type-optionalstr--none---bool "Direct link to ak_user_has_authenticatoruser-user-device_type-optionalstr--none---bool") Check if a user has any authenticator devices. Only fully validated devices are counted. Optionally, you can filter a specific device type. The following options are valid: * `totp` * `duo` * `static` * `webauthn` Example: return ak_user_has_authenticator(request.user) ### `ak_create_event(action: str, **kwargs) -> None`[​](https://docs.goauthentik.io/customize/policies/expression/#ak_create_eventaction-str-kwargs---none "Direct link to ak_create_eventaction-str-kwargs---none") Create a new event with the action set to `action`. Any additional key-word parameters will be saved in the event context. Additionally, `context` will be set to the context in which this function is called. Before saving, any data-structure which are not representable in JSON are flattened, and credentials are removed. The event is saved automatically Example: ak_create_event("my_custom_event", foo=request.user) ### `ak_create_jwt(user: User, provider: OAuth2Provider | str, scopes: list[str], validity = "seconds=60") -> str | None`authentik: 2025.2.0+[​](https://docs.goauthentik.io/customize/policies/expression/#ak_create_jwtuser-user-provider-oauth2provider--str-scopes-liststr-validity--seconds60---str--none "Direct link to ak_create_jwtuser-user-provider-oauth2provider--str-scopes-liststr-validity--seconds60---str--none") Requires HTTP Request This function will only work when there is an HTTP request in the current context. Create a new JWT signed by the given `provider` for `user`. The `provider` parameter can either be an instance of `OAuth2Provider` or a the name of a provider instance as a string. Scopes is an array of all scopes that the JWT should have. The JWT is valid for 60 seconds by default, this can be customized using the `validity` parameter. The syntax of the parameter is `hours=1,minutes=2,seconds=3`. The following keys are allowed: * Microseconds * Milliseconds * Seconds * Minutes * Hours * Days * Weeks All values accept floating-point values. Example: jwt = ak_create_jwt(request.user, "my-oauth2-provider-name", ["openid", "profile", "email"]) ### `ak_send_email(address: str | list[str], subject: str, body: str = None, stage: EmailStage = None, template: str = None, context: dict = None) -> bool`authentik: 2025.10.0+[​](https://docs.goauthentik.io/customize/policies/expression/#ak_send_emailaddress-str--liststr-subject-str-body-str--none-stage-emailstage--none-template-str--none-context-dict--none---bool "Direct link to ak_send_emailaddress-str--liststr-subject-str-body-str--none-stage-emailstage--none-template-str--none-context-dict--none---bool") Send an email using authentik's email system. The `address` parameter specifies the recipient email address(es). It can be: * A single email address as a string: `"[[email protected]](https://docs.goauthentik.io/cdn-cgi/l/email-protection) "` * A list of email addresses: `["[[email protected]](https://docs.goauthentik.io/cdn-cgi/l/email-protection) ", "[[email protected]](https://docs.goauthentik.io/cdn-cgi/l/email-protection) "]` info When using multiple recipients, all email addresses will be visible in the "To:" field of the email. If you need to send to multiple recipients without revealing all addresses to each other, send individual emails instead. The `subject` parameter sets the email subject line. You must provide either `body` (for plain text/HTML content) or `template` (for template rendering), but not both. The `stage` parameter can be an `EmailStage` instance for custom email settings. If `None`, global email settings are used. The `template` parameter specifies a template name to render. When using templates, you can pass additional context variables via the `context` parameter. If the email is queued successfully, the function returns `True`; otherwise, it returns `False`. Examples: # Send email with plain body to single recipientak_send_email("[email protected]", "Welcome!", body="Welcome to our platform!")# Send email to multiple recipientsak_send_email( ["[email protected]", "[email protected]", "[email protected]"], "System Maintenance", body="Scheduled maintenance will occur tonight.")# Send email using a templateak_send_email("[email protected]", "Password Reset", template="email/password_reset.html")# Send email with custom context for template to multiple recipientsak_send_email( ["[email protected]", "[email protected]"], "Account Update", template="email/event_notification.html", context={ "title": "Profile Updated", "body": "Your account profile has been successfully updated.", "key_value": {"Updated Field": "Email Address", "Date": "2025-01-01"} })# Send email with custom email stageak_send_email("[email protected]", "Report", body="Daily report", stage=my_custom_stage) Comparing IP Addresses[​](https://docs.goauthentik.io/customize/policies/expression/#comparing-ip-addresses "Direct link to Comparing IP Addresses") ----------------------------------------------------------------------------------------------------------------------------------------------------- To compare IP Addresses or check if an IP Address is within a given subnet, you can use the functions `ip_address('192.0.2.1')` and `ip_network('192.0.2.0/24')`. With these objects you can do [arithmetic operations](https://docs.python.org/3/library/ipaddress.html#operators) . You can also check if an IP Address is within a subnet by writing the following: ip_address('192.0.2.1') in ip_network('192.0.2.0/24')# evaluates to True DNS resolution and reverse DNS lookups[​](https://docs.goauthentik.io/customize/policies/expression/#dns-resolution-and-reverse-dns-lookups "Direct link to DNS resolution and reverse DNS lookups") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- To resolve a hostname to a list of IP addresses, use the functions `resolve_dns(hostname)` and `resolve_dns(hostname, ip_version)`. resolve_dns("google.com") # return a list of all IPv4 and IPv6 addressesresolve_dns("google.com", 4) # return a list of only IP4 addressesresolve_dns("google.com", 6) # return a list of only IP6 addresses You can also do reverse DNS lookups. note Reverse DNS lookups may not return the expected host if the IP address is part of a shared hosting environment. See: [https://stackoverflow.com/a/19867936](https://stackoverflow.com/a/19867936) To perform a reverse DNS lookup use `reverse_dns("192.0.2.0")`. If no DNS records are found the original IP address is returned. info DNS resolving results are cached in memory. The last 32 unique queries are cached for up to 3 minutes. Variables[​](https://docs.goauthentik.io/customize/policies/expression/#variables "Direct link to Variables") -------------------------------------------------------------------------------------------------------------- * `ak_logger`: structlog BoundLogger. See ([structlog documentation](https://www.structlog.org/en/stable/api.html#structlog.BoundLogger) ) Example: ak_logger.debug("This is a test message")ak_logger.warning("This will be logged with a warning level")ak_logger.info("Passing structured data", request=request) * `requests`: requests Session object. See ([request documentation](https://requests.readthedocs.io/en/master/user/advanced/) ) * `request`: A PolicyRequest object, which has the following properties: * `request.user`: The current user, against which the policy is applied. See [User](https://docs.goauthentik.io/users-sources/user/) caution When a policy is executed in the context of a flow, this will be set to the user initiating the request, and will only be changed by a `user_login` stage. For that reason, using this value in authentication flow policies may not return the expected user. Use `context['pending_user']` instead; User Identification and other stages update this value during flow execution. If the user is not authenticated, this will be set to a user called _AnonymousUser_, which is an instance of [authentik.core.models.User](https://docs.djangoproject.com/en/4.1/ref/contrib/auth/#django.contrib.auth.models.User) (authentik uses django-guardian for per-object permissions, [see](https://django-guardian.readthedocs.io/en/stable/) ). * `request.http_request`: The Django HTTP Request. See [Django documentation](https://docs.djangoproject.com/en/4.1/ref/request-response/#httprequest-objects) . * `request.obj`: A Django Model instance. This is only set if the policy is ran against an object. * `request.context`: A dictionary with dynamic data. This depends on the origin of the execution. * `geoip`: GeoIP dictionary. The following fields are available: info For basic country matching, consider using a [GeoIP policy](https://docs.goauthentik.io/customize/policies/#geoip-policy) . * `continent`: a two character continent code like `NA` (North America) or `OC` (Oceania). * `country`: the two character [ISO 3166-1](https://en.wikipedia.org/wiki/ISO_3166-1) alpha code for the country. * `lat`: the approximate latitude of the location associated with the IP address. * `long`: the approximate longitude of the location associated with the IP address. * `city`: the name of the city. May be empty. return context["geoip"]["continent"] == "EU" * `asn`: ASN dictionary. The following fields are available: info For basic ASN matching, consider using a [GeoIP policy](https://docs.goauthentik.io/customize/policies/#geoip-policy) . * `asn`: the autonomous system number associated with the IP address. * `as_org`: the organization associated with the registered autonomous system number for the IP address. * `network`: the network associated with the record. In particular, this is the largest network where all of the fields except `ip_address` have the same value. return context["asn"]["asn"] == 64496 * `ak_is_sso_flow`: Boolean which is true if request was initiated by authenticating through an external provider. * `ak_client_ip`: Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be [compared](https://docs.goauthentik.io/customize/policies/expression/#comparing-ip-addresses) , for example return ak_client_ip in ip_network('10.0.0.0/24')# orreturn ak_client_ip.is_private See also [Python documentation](https://docs.python.org/3/library/ipaddress.html#ipaddress.ip_address) Additionally, when the policy is executed from a flow, every variable from the flow's current context is accessible under the `context` object. This includes the following: * `context['flow_plan']`: The actual flow plan itself, can be used to inject stages. * `context['flow_plan'].context`: The context of the currently active flow, which differs from the policy context. Some fields of flow plan context are passed to the root context, and updated from it, like 'prompt\_data', but not every variable * `context['flow_plan'].context['redirect']`: The URL the user should be redirected to after the flow execution succeeds. (Optional) * `context['prompt_data']`: Data which has been saved from a prompt stage or an external source. (Optional) * `context['application']`: The application the user is in the process of authorizing. (Optional) * `context['source']`: The source the user is authenticating/enrolling with. (Optional) * `context['pending_user']`: The currently pending user, see [User](https://docs.goauthentik.io/users-sources/user/user_ref/) * `context['is_restored']`: Contains the flow token when the flow plan was restored from a link, for example the user clicked a link to a flow which was sent by an email stage. (Optional) * `context['auth_method']`: Authentication method (this value is set by password stages) (Optional) Depending on method, `context['auth_method_args']` is also set. Can be any of: * `password`: Standard password login * `auth_mfa`: MFA login (this method is only set if no password was used) Sets `context['auth_method_args']` to { "mfa_devices": [ { "pk": 1, "app": "otp_static", "name": "Static Token", "model_name": "staticdevice" } ]} * `auth_webauthn_pwl`: Password-less WebAuthn with Passkeys login * `jwt`: OAuth Machine-to-machine login via external JWT * `app_password`: App password (token) Sets `context['auth_method_args']` to { "token": { "pk": "f6d639aac81940f38dcfdc6e0fe2a786", "app": "authentik_core", "name": "test (expires=2021-08-23 15:45:54.725880+00:00)", "model_name": "token" }} * `ldap`: LDAP bind authentication Sets `context['auth_method_args']` to { "source": {} // Information about the source used} * [Sample expression policies](https://docs.goauthentik.io/customize/policies/expression/#sample-expression-policies) * [Available functions](https://docs.goauthentik.io/customize/policies/expression/#available-functions) * [`ak_message(message: str)`](https://docs.goauthentik.io/customize/policies/expression/#ak_messagemessage-str) * [`regex_match(value: Any, regex: str) -> bool`](https://docs.goauthentik.io/customize/policies/expression/#regex_matchvalue-any-regex-str---bool) * [`regex_replace(value: Any, regex: str, repl: str) -> str`](https://docs.goauthentik.io/customize/policies/expression/#regex_replacevalue-any-regex-str-repl-str---str) * [`list_flatten(value: list[Any] | Any) -> Optional[Any]`](https://docs.goauthentik.io/customize/policies/expression/#list_flattenvalue-listany--any---optionalany) * [`ak_call_policy(name: str, **kwargs) -> PolicyResult`](https://docs.goauthentik.io/customize/policies/expression/#ak_call_policyname-str-kwargs---policyresult) * [`ak_is_group_member(user: User, **group_filters) -> bool`](https://docs.goauthentik.io/customize/policies/expression/#ak_is_group_memberuser-user-group_filters---bool) * [`ak_user_by(**filters) -> Optional[User]`](https://docs.goauthentik.io/customize/policies/expression/#ak_user_byfilters---optionaluser) * [`ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool`](https://docs.goauthentik.io/customize/policies/expression/#ak_user_has_authenticatoruser-user-device_type-optionalstr--none---bool) * [`ak_create_event(action: str, **kwargs) -> None`](https://docs.goauthentik.io/customize/policies/expression/#ak_create_eventaction-str-kwargs---none) * [`ak_create_jwt(user: User, provider: OAuth2Provider | str, scopes: list[str], validity = "seconds=60") -> str | None`](https://docs.goauthentik.io/customize/policies/expression/#ak_create_jwtuser-user-provider-oauth2provider--str-scopes-liststr-validity--seconds60---str--none) * [`ak_send_email(address: str | list[str], subject: str, body: str = None, stage: EmailStage = None, template: str = None, context: dict = None) -> bool`](https://docs.goauthentik.io/customize/policies/expression/#ak_send_emailaddress-str--liststr-subject-str-body-str--none-stage-emailstage--none-template-str--none-context-dict--none---bool) * [Comparing IP Addresses](https://docs.goauthentik.io/customize/policies/expression/#comparing-ip-addresses) * [DNS resolution and reverse DNS lookups](https://docs.goauthentik.io/customize/policies/expression/#dns-resolution-and-reverse-dns-lookups) * [Variables](https://docs.goauthentik.io/customize/policies/expression/#variables) --- # Get started | authentik [Skip to main content](https://docs.goauthentik.io/enterprise/get-started/#__docusaurus_skipToContent_fallback) On this page Installing authentik is exactly the same process for both Enterprise version and our open source version. 1\. Install Enterprise[​](https://docs.goauthentik.io/enterprise/get-started/#1-install-enterprise "Direct link to 1. Install Enterprise") ------------------------------------------------------------------------------------------------------------------------------------------- To get started working with Enterprise authentik, [upgrade](https://docs.goauthentik.io/install-config/upgrade/) to the [2023.8.x](https://docs.goauthentik.io/releases/) version or later. If this is a fresh install, refer to our technical documentation for instructions on how to [install and configure authentik](https://docs.goauthentik.io/install-config/) . * [Docker Compose installation](https://docs.goauthentik.io/install-config/install/docker-compose/) * [Kubernetes installation](https://docs.goauthentik.io/install-config/install/kubernetes/) 2\. Access Enterprise[​](https://docs.goauthentik.io/enterprise/get-started/#2-access-enterprise "Direct link to 2. Access Enterprise") ---------------------------------------------------------------------------------------------------------------------------------------- Access your Enterprise features by [purchasing a license](https://docs.goauthentik.io/enterprise/manage-enterprise/#buy-a-license) for the organization. To open the Customer Portal and buy a license, go to the Admin interface and in the left pane, navigate to **Enterprise > Licenses**, and then click **Go to Customer Portal**. Alternatively you can open a new browser window and go directly to the [Customer Portal](https://customers.goauthentik.io/) . If you do not yet have an authentik account, there is a [Sign up link](https://customers.goauthentik.io/signup) on the Customer Portal login page. In the Customer Portal you [define your organization](https://docs.goauthentik.io/enterprise/manage-enterprise/#create-an-organization) and its members, manage your [licenses](https://docs.goauthentik.io/enterprise/manage-enterprise/#license-management) and [billing](https://docs.goauthentik.io/enterprise/manage-enterprise/#manage-billing) , and access our [Support center](https://docs.goauthentik.io/enterprise/entsupport/) . info A license is associated with a specific Organization in the customer portal and a specific authentik instance (with a unique Install ID), and not with individual users. A single license is purchased for a specified number of users. Additional users can be added to a license, or additional licenses purchased for the same instance, if more users need to be added later. 3\. Visit the Support center[​](https://docs.goauthentik.io/enterprise/get-started/#3-visit-the-support-center "Direct link to 3. Visit the Support center") ------------------------------------------------------------------------------------------------------------------------------------------------------------- Enterprise authentik provides dedicated support, with a Support center where you can open a request and view the progress and communications for your current requests. info Access to the Support Center and the ticketing system requires a licensed instance of authentik. To learn about our Support center, see ["Enterprise support"](https://docs.goauthentik.io/enterprise/entsupport/) . * [1\. Install Enterprise](https://docs.goauthentik.io/enterprise/get-started/#1-install-enterprise) * [2\. Access Enterprise](https://docs.goauthentik.io/enterprise/get-started/#2-access-enterprise) * [3\. Visit the Support center](https://docs.goauthentik.io/enterprise/get-started/#3-visit-the-support-center) --- # Installation and Configuration | authentik [Skip to main content](https://docs.goauthentik.io/install-config/#__docusaurus_skipToContent_fallback) Everything you need to get authentik up and running! The installation process for our free open source version and our [Enterprise](https://docs.goauthentik.io/enterprise/) version are exactly the same. For information about obtaining an Enterprise license, refer to [License management](https://docs.goauthentik.io/enterprise/manage-enterprise/#license-management) documentation. For information about upgrading to a new version, refer to the **Upgrade** section in the relevant [Release Notes](https://docs.goauthentik.io/releases/) and to our [Upgrade authentik](https://docs.goauthentik.io/install-config/upgrade/) documentation. [🗃️ Installation\ ----------------\ \ 3 items](https://docs.goauthentik.io/install-config/install/docker-compose/) [📄️ Configuration\ -----------------\ \ This page details all the authentik configuration options that you can set via environment variables.](https://docs.goauthentik.io/install-config/configuration/) [📄️ Email\ ---------\ \ This page covers both configuring authentik to send emails and testing that email delivery is working.](https://docs.goauthentik.io/install-config/email/) [📄️ Upgrade authentik\ ---------------------\ \ Upgrading to the latest version of authentik, whether a new major release or a patch, involves running a few commands to pull down the latest images and then restarting the servers and databases.](https://docs.goauthentik.io/install-config/upgrade/) [📄️ Beta and release candidate versions\ ---------------------------------------\ \ You can test upcoming authentik versions before they are released as stable. There are two types of pre-release versions available:](https://docs.goauthentik.io/install-config/beta/) [📄️ Reverse-proxy\ -----------------\ \ Since authentik uses WebSockets to communicate with Outposts, it does not support HTTP/1.0 reverse-proxies. The HTTP/1.0 specification does not officially support WebSockets or protocol upgrades, though some clients may allow it.](https://docs.goauthentik.io/install-config/reverse-proxy/) [📄️ Automated install\ ---------------------\ \ To install authentik automatically (skipping the Out-of-box experience), you can use the following environment variables on the worker container:](https://docs.goauthentik.io/install-config/automated-install/) [📄️ High availability\ ---------------------\ \ High availability refers to system design that minimizes downtime even in the event of failures or disruptions.](https://docs.goauthentik.io/install-config/high-availability/) [📄️ Air-gapped environments\ ---------------------------\ \ Outbound connections](https://docs.goauthentik.io/install-config/air-gapped/) --- # Debugging authentik | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/setup/debugging/#__docusaurus_skipToContent_fallback) On this page This page describes how to debug different components of an authentik instance, running either in production or in a development setup. To learn more about the structure of authentik, refer to our [architecture documentation](https://docs.goauthentik.io/core/architecture/) . authentik Server & Worker (Python)[​](https://docs.goauthentik.io/developer-docs/setup/debugging/#authentik-server--worker-python "Direct link to authentik Server & Worker (Python)") --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The majority of the authentik codebase is in Python, running in Gunicorn for the server and Dramatiq for the worker. These instructions show how this code can be debugged/inspected. The local debugging setup requires a setup as described in [Full development environment](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/) Note that authentik uses [debugpy](https://github.com/microsoft/debugpy) , which relies on the "Debug Adapter Protocol" (DAP). These instructions demonstrate debugging using [Visual Studio Code](https://code.visualstudio.com/) , however they should be adaptable to other editors that support DAP. To enable the debugging server, set the environment variable `AUTHENTIK_DEBUGGER` to `true`. This will launch the debugging server (by default on port _9901_). With this setup in place, you can set Breakpoints in VS Code. To connect to the debugging server, run the command \`> Debug: Start Debugging" in VS Code. ![](https://docs.goauthentik.io/assets/images/debug_vscode-4570715bccbe2efc5bbd2f06a495dfaa.png) info Note that due to the Python debugger for VS Code, when a Python file in authentik is saved and the Django process restarts, you must manually reconnect the Debug session. Automatic re-connection is not supported for the Python debugger (see [here](https://github.com/microsoft/vscode-python/issues/19998) and [here](https://github.com/microsoft/vscode-python/issues/1182) ). #### Debug the server or the worker[​](https://docs.goauthentik.io/developer-docs/setup/debugging/#debug-the-server-or-the-worker "Direct link to Debug the server or the worker") Whichever process is first started listens on port `9901`. Additional processes started after that will then try to listen on the same port, which will fail, and will simply not start the debugger in that case. #### Debugging in containers[​](https://docs.goauthentik.io/developer-docs/setup/debugging/#debugging-in-containers "Direct link to Debugging in containers") When debugging an authentik instance running in containers, there are some additional steps that need to be taken in addition to the steps above. A local clone of the authentik repository is required to be able to set breakpoints in the code. The locally checked out repository must be on the same version/commit as the authentik version running in the containers. To checkout version 2024.12.3 for example, you can run `git checkout version/2024.12.3`. The debug port needs to be accessible on the local machine. By default, this is port 9901. Additionally, the container being debugged must be started as `root`, because additional dependencies need to be installed on startup. When running in Docker Compose, a file `docker-compose.override.yml` can be created next to the authentik docker-compose.yml file to expose the port, change the user, and enable debug mode. services: # Replace `server` with `worker` to debug the worker container. server: user: root healthcheck: disable: true environment: AUTHENTIK_DEBUGGER: "true" AUTHENTIK_LOG_LEVEL: "debug" ports: - 9901:9901 After re-creating the containers with `AUTHENTIK_DEBUGGER` set to `true` and the port mapped, the steps are identical to the steps above. If the authentik instance is running on a remote server, the `.vscode/launch.json` file needs to be adjusted to point to the IP of the remote server. Alternatively, it is also possible to forward the debug port via an SSH tunnel, using `-L 9901:127.0.0.1:9901`. authentik Server / Outposts (Golang)[​](https://docs.goauthentik.io/developer-docs/setup/debugging/#authentik-server--outposts-golang "Direct link to authentik Server / Outposts (Golang)") --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Outposts, as well as some auxiliary code of the authentik server, are written in Go. These components can be debugged using standard Golang tooling, such as [Delve](https://github.com/go-delve/delve) . * [authentik Server & Worker (Python)](https://docs.goauthentik.io/developer-docs/setup/debugging/#authentik-server--worker-python) * [authentik Server / Outposts (Golang)](https://docs.goauthentik.io/developer-docs/setup/debugging/#authentik-server--outposts-golang) --- # Style Guide | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/docs/style-guide/#__docusaurus_skipToContent_fallback) On this page This Style Guide provides guidelines to ensure that the authentik documentation is consistent, clear, and easy to follow. It standardizes aspects like phrasing, formatting, tone, and structure across all documentation. We appreciate all contributions to our documentation — whether it's fixing a typo, adding new content, or writing an entirely new topic. To help us review and merge your contributions more efficiently, please follow our [writing documentation](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/) guidelines. If you notice any inconsistencies, feel free to open an [Issue](https://github.com/goauthentik/authentik/issues) or submit a [Pull Request](https://github.com/goauthentik/authentik/pulls) to fix them. * [General Style Guidelines](https://docs.goauthentik.io/developer-docs/docs/style-guide/#general-style-guidelines) * [Terminology](https://docs.goauthentik.io/developer-docs/docs/style-guide/#terminology) * [Writing Style](https://docs.goauthentik.io/developer-docs/docs/style-guide/#writing-style) * [Word Choices](https://docs.goauthentik.io/developer-docs/docs/style-guide/#word-choices) * [Formatting Guidelines](https://docs.goauthentik.io/developer-docs/docs/style-guide/#formatting-guidelines) * [Component-Based Formatting](https://docs.goauthentik.io/developer-docs/docs/style-guide/#component-based-formatting) * [Error Message Formatting and Troubleshooting](https://docs.goauthentik.io/developer-docs/docs/style-guide/#error-message-formatting-and-troubleshooting) * [Accessibility Best Practices](https://docs.goauthentik.io/developer-docs/docs/style-guide/#accessibility-best-practices) * [Inclusive Language](https://docs.goauthentik.io/developer-docs/docs/style-guide/#inclusive-language) * [Images and Media](https://docs.goauthentik.io/developer-docs/docs/style-guide/#images-and-media) * [Document Structure and Metadata](https://docs.goauthentik.io/developer-docs/docs/style-guide/#document-structure-and-metadata) * * * General style guidelines[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#general-style-guidelines "Direct link to General style guidelines") ------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Logical order[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#logical-order "Direct link to Logical order") * Documentation should be structured to follow the natural order of tasks, making it easier for users to follow. Organize sections in a manner that reflects the actual workflow used to complete tasks. * When writing procedural documentation (How Tos) the steps should follow the workflow in the UI, specifying the exact pages to navigate and the precise fields, tabs, etc., to select or complete. Present the UI components in the document in the same order they appear in the UI. ### Headings[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#headings "Direct link to Headings") Use headings (sub-titles) to break up large blocks of text, making it easier for users to navigate the content and find specific sections quickly. ### Look and feel of the docs[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#look-and-feel-of-the-docs "Direct link to Look and feel of the docs") In general, the visual, aesthetics of the technical documentation is intended to be lean and clean. Both the content (shorter sentences, concise instructions, etc) and the layout strive to have a clean, uncluttered look, with restrained use of colors and large callouts or announcements. Relatedly, the colors used for our Info and Warning callouts, light blue and light yellow respectively, are reserved for those purposes only. ### Cross-references[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#cross-references "Direct link to Cross-references") Always include cross-references to related content. If a concept is referenced elsewhere in the documentation, link to the relevant section to provide users with additional context or instructions. ### Relative vs. absolute paths[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#relative-vs-absolute-paths "Direct link to Relative vs. absolute paths") Use relative paths when linking to other documentation files. This will ensure links are automatically updated if file paths change in the future. If you are linking between another authentik resource that is not in the same repository and our regular technical docs, then use an absolute path. ### Markdown file type[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#markdown-file-type "Direct link to Markdown file type") The standard file type for documentation is `.md`. Use `.mdx` only if React components, such as interactive elements, are required. ### OS-agnostic, clarify where needed[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#os-agnostic-clarify-where-needed "Direct link to OS-agnostic, clarify where needed") Try to write procedural (How To) docs generically enough that it does not endorse or force a specific operating system. If it is necessary to specify a specific OS be sure to label it clearly. Consider using tabs (with MDX) to show the different OSes. * * * Terminology[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#terminology "Direct link to Terminology") ---------------------------------------------------------------------------------------------------------------------- ### authentik product name and terms[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#authentik-product-name-and-terms "Direct link to authentik product name and terms") * The product name **authentik** should always be written with a lowercase "a" and a "k" at the end, even if it begins a sentence. * The company name is **Authentik Security, Inc.**, but for non-legal documentation, you may shorten it to **Authentik Security**. * When referring to the authentik Admin interface, capitalize "Admin" like it is in the UI, but do not bold the phrase "Admin interface" unless in a sentence that explicitly says "Click on **Admin interface**". However, if you are referring to a user or role that is an administrator, or has administrative rights, then do not capitalize it and spell out the full word "administrator" or "administrative". ### Industry terms and technology names[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#industry-terms-and-technology-names "Direct link to Industry terms and technology names") * When referring to external tools or industry terms, always use the exact capitalization and naming conventions that the product or company uses. Refer to their website or official documentation for the proper formatting. For example, use "OAuth", "SAML", or "Docker" as per the official conventions. * Avoid abbreviations unless they are well-known and widely recognized (e.g., SSO, MFA, RBAC). * If an acronym is used less frequently, spell out its full meaning when first mentioned on the page, followed by the acronym in parentheses. In some cases the acronym can come first, followed by the full term in parentheses. ### Trademarks and legal terms[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#trademarks-and-legal-terms "Direct link to Trademarks and legal terms") * Respect third-party trademarks. Use the correct symbols (™, ®) where applicable (e.g., "GitHub®", "Okta™") in the _first_ instance of the name. * When mentioning third-party products, follow their branding guidelines (e.g., "GitHub", not "Github"). * Where appropriate, include required legal disclaimers when referencing external services or integrations. * * * Writing style[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#writing-style "Direct link to Writing style") ---------------------------------------------------------------------------------------------------------------------------- ### Tone[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#tone "Direct link to Tone") The tone of the authentik documentation should be friendly but professional. It should be approachable, yet not overly casual. When appropriate, address the reader directly using second-person pronouns (e.g., "Next, you need to configure the login settings"). ### Language[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#language "Direct link to Language") The documentation uses **American English** spelling conventions (e.g., "customize" instead of "customise"). ### Voice[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#voice "Direct link to Voice") Use **active voice** and **present tense** for clear, direct communication. * **DON'T:** "The Applications page will be loaded." * **DO:** "The Applications page displays." ### User-friendly phrasing[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#user-friendly-phrasing "Direct link to User-friendly phrasing") Avoid phrasing that blames the user. Be subjective and polite when providing instructions. * **DON'T:** "Never modify the default file." * **DO:** "We recommend that you do not modify the default file, as doing so may result in unexpected issues." ### Punctuation[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#punctuation "Direct link to Punctuation") For Ken's sake, and many others, try to not use too many commas (avoid commaitis). Use a comma when needed to separate clauses, or for "slowing the pace" or clarity. Please **do** use the [Serial comma](https://en.wikipedia.org/wiki/Serial_comma) (also known as the Oxford comma). In [lists](https://docs.goauthentik.io/developer-docs/docs/style-guide/#lists) , add a period at the end of a bulleted item if it is a complete sentence. Try not to mix incomplete and complete sentences in the same list. ### Capitalization[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#capitalization "Direct link to Capitalization") #### Titles and headers[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#titles-and-headers "Direct link to Titles and headers") Titles and headers (H1, H2, H3, etc.) should follow **sentence case capitalization**, meaning only the first word is capitalized, except for proper nouns or product names. For more information, see [below](https://docs.goauthentik.io/developer-docs/docs/style-guide/#titles-and-headers) . #### Following a colon[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#following-a-colon "Direct link to Following a colon") Whether to capitalize after a colon depends on the context. Typically, we do not capitalize the first word after a colon _unless_ it's a proper noun or if it is the start of a complete sentence. If the colon introduces a list, do not capitalize the first word unless it's a proper noun. In headings and titles, capitalize the first word after the colon. * * * Word choices[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#word-choices "Direct link to Word choices") ------------------------------------------------------------------------------------------------------------------------- ### "May" versus "Might" versus "Can"[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#may-versus-might-versus-can "Direct link to "May" versus "Might" versus "Can"") * Typically, avoid using the word "may" in technical writing, as it implies permission rather than ability to perform an action. Instead, use **"can"** to suggest possibility. * **"Might"** should be used to indicate that something could happen under certain conditions, but use it sparingly. It implies unpredictability, which can be undesirable in software documentation. * **DON'T:** "You may use an Expression policy to enforce MFA adherence." * **DO:** "You can use an Expression policy to enforce MFA adherence." * **DO:** "Values might differ depending on the source of the property mappings." ### "Login", "Log in", and "Log in to"[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#login-log-in-and-log-in-to "Direct link to "Login", "Log in", and "Log in to"") * As a noun or descriptive term, use **login** (e.g., "The login panel"). * As a verb, use **"log in"** (e.g., "This stage prompts the user to log in"). * As a verb followed by the proposition **"to"**, use **"log in to"** (e.g., "Log in to the application"). ### Use "that" as a conjunction[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#use-that-as-a-conjunction "Direct link to Use "that" as a conjunction") It's important to use "that" as a conjunction to introduce a dependent clause, or as a "connection" between a noun and a verb ("The provider that you created in Step 3."). Including "that" as a conjunction helps non-native English speakers more easily parse phrases, and improves output for translation tools. * **DO:** "Ensure that the new user's password is valid." * **DON'T:** "Ensure the new user's password is valid." ### "which" vs "that"[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#which-vs-that "Direct link to "which" vs "that"") The easiest way to remember when to use "which" versus "that" is: * If the second part (clause) of the sentence is required to understand the first part, use "that." If the second clause is only additional info, use "which". For more information, see [this guide](https://www.grammarly.com/blog/which-vs-that/) . ### "since" (time-based) vs "because" (causal)[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#since-time-based-vs-because-causal "Direct link to "since" (time-based) vs "because" (causal)") When writing about a status or anything that is causal ("this happened because of that"), use the word "because". Use the word "since" for time-based topics (this will be rare in technical writing). ### Avoid using "once" (numeric) to mean "after" (time-based).[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#avoid-using-once-numeric-to-mean-after-time-based "Direct link to Avoid using "once" (numeric) to mean "after" (time-based).") When writing out steps in a procedural topic, avoid starting with "Once...". Instead, you can say "After you have created the scope mapping...". * * * Formatting guidelines[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#formatting-guidelines "Direct link to Formatting guidelines") ---------------------------------------------------------------------------------------------------------------------------------------------------- ### Fonts and font styling[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#fonts-and-font-styling "Direct link to Fonts and font styling") * When referring to internal components in authentik, like the policy engine, or blueprints, do not use any special formatting, and do not capitalize. Link to the relevant documentation when possible. * When referring to authentik functionality and features, such as flows, stages, sources, or policies, do not capitalize and do not use bold or italic text. When possible link to the corresponding documentation. * Use **bold** to highlight: * UI elements such as field names, labels, buttons, or options (e.g., **Save** button, **Username** field). * Key actions in instructions (e.g., **Click Next**). * Use _italic_ for: * Emphasis, but sparingly, to avoid overuse. For example, you can use italics for important terms or concepts on first mention in a section. Do not use italics to indicate a variable or placeholder; instead use angle brackets as described under [Variables](https://docs.goauthentik.io/developer-docs/docs/style-guide/#variables) . * Use `code formatting` for: * Commands (e.g., `kubectl get nodes`). * File paths, file names, and directory names (e.g., `/usr/local/bin/`). * Inline code snippets (e.g., `.env`). ### Lists[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#lists "Direct link to Lists") Add a period at the end of a bulleted item if it is a complete sentence. Try not to mix incomplete and complete sentences in the same list. If there is a [colon](https://docs.goauthentik.io/developer-docs/docs/style-guide/#following-a-colon) used in a bulleted list item, follow the capitalization rules. ### Notes and warnings[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#notes-and-warnings "Direct link to Notes and warnings") We use Info, Warning, and Danger boxes, to provide supplemental information. Info boxes can optionally have a title, but do not use a title with Warning or Danger boxes. Use the following syntax for these components: **Info**: ::: info add-title-hereThis is a tip or general note.::: **Warnings**: :::warningThis level is for more serious situations: an action cannot be undone, a process might be canceled, etc.::: **Critical warnings** (for irreversible actions): :::dangerThis level is for extremely serious situations, such as an action permanently removing data.::: ### URLs[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#urls "Direct link to URLs") * When mentioning URLs in text or within procedural instructions, omit code formatting. For instance: "In your browser, go to [https://example.com](https://example.com/) ." * For URLs entered as values or defined in fields, enclose any variables inside angle brackets (`< >`) and use underscores between words. See more about variables below (#variables). ### Variables[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#variables "Direct link to Variables") To clearly indicate terms or values that are placeholders and require user input, enclose any variables inside angle brackets (`< >`) and use underscores between words to clearly indicate that these are placeholders that require user input. Examples: `https://authentik.company/application/o//.well-known/openid-configuration` "Add the configuration setting: ``." ### Titles and headers[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#titles-and-headers-1 "Direct link to Titles and headers") * Titles and headers (H1, H2, H3) should follow **sentence case capitalization**, meaning only the first word is capitalized, except for proper nouns or product names. * **DO:** "Configure the Google Workspace provider" * **DON'T:** "CONFIGURE THE GOOGLE WORKSPACE PROVIDER" * **DON'T:** "Configure The Google Workspace Provider" * Ensure that titles and headers are descriptive and clearly convey the purpose of the section. Avoid vague titles like "Overview." Instead, opt for something more specific, like "About authentik policies." * Use the **imperative verb form** in procedural topics, not gerunds. For example, use "Configure your instance" instead of "Configuring your instance." ### Examples[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#examples "Direct link to Examples") When you want to show an example (say, a code snippet), start on a new line, use bold text for the word "Example", and a colon, like this: **Example**: This expression policy uses an expression based on the user's name: if request.context["pending_user"].username == "marie": return Truereturn False ### Code blocks[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#code-blocks "Direct link to Code blocks") When you want to show sections of code use **Code blocks** to provide syntax highlighting, a copy button, line numbering and line highlighting: ` ` ` yaml showLineNumbers {5} title="/etc/wazuh-indexer/opensearch-security/roles_mapping.yml"all_access:reserved: truehidden: falsebackend_roles: - "wazuh-admin" - "admin"hosts: []users: []and_backend_roles: []description: "Maps admin to all_access"` ` ` Which is rendered as: /etc/wazuh-indexer/opensearch-security/roles\_mapping.yml all_access:reserved: truehidden: falsebackend_roles: - "wazuh-admin" - "admin"hosts: []users: []and_backend_roles: []description: "Maps admin to all_access" * yaml `defines the language used for syntax highlighting. Other languages can be used such as`jsx`,` python`,` bash`, and` text\`. Optional configurations: * `showLineNumbers`: enables line numbering. * `title=" "`: defines the title displayed at the top (e.g., filenames). * `{5}`: highlights specific lines. Ranges and lists are allowed (e.g., `{5, 7, 9-11}`). * `// highlight-next-line`: highlights the next line within a code block. * `// highlight-start` and `// highlight-end`: highlight multiple lines. For more details, see the [Docusaurus code block documentation](https://docusaurus.io/docs/markdown-features/code-blocks) . ### Tables[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#tables "Direct link to Tables") Use tables to compare options, list parameters, or summarize information. Ensure tables are concise and avoid nesting complex content. Only use a table when there are 4 or more items. For only 2 or 3 items, use a bullet list. ### Lists[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#lists-1 "Direct link to Lists") * Use bullet points for unordered lists. * Use numbered lists for sequential steps. * Keep list items parallel in structure. * * * Component-based formatting[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#component-based-formatting "Direct link to Component-based formatting") ------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Tabs for multiple configurations[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#tabs-for-multiple-configurations "Direct link to Tabs for multiple configurations") Use **Tabs** to display different configurations (e.g., setting up authentication with OIDC vs. SAML) to help users navigate between options. Default to the easier or more common option. For example: import TabItem from "@theme/TabItem";import Tabs from "@theme/Tabs"; OIDC configuration details go here. SAML configuration details go here.; * * * Error message formatting and troubleshooting[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#error-message-formatting-and-troubleshooting "Direct link to Error message formatting and troubleshooting") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- When documenting errors, follow this structure: 1. **Error Message**: Display the error in a code block. 2. **Possible Causes**: List common reasons for the error. 3. **Solutions**: Provide step-by-step fixes or a work-around if there is one. **Example**: * **Error message**: Error: Authentication failed. Invalid credentials. * **Possible causes**: * Incorrect username or password. * Account locked due to multiple failed attempts. * **Solutions**: * Verify your credentials. * Reset your password using the **Forgot Password** link. * Contact your administrator if the account is locked. * * * Accessibility best practices[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#accessibility-best-practices "Direct link to Accessibility best practices") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * **Alt text for images**: Describe the purpose of the image, not just its appearance. For example, use "Screenshot of the login form" instead of "Image of a form." * **Heading hierarchy**: Use headings in order (H1 → H2 → H3) to support screen readers. * **Color usage**: Avoid using color as the sole method of conveying information (e.g., "Click the red button"). Instead, use descriptive labels to ensure accessibility. * **Descriptive link text**: Provide descriptive link text. Avoid using generic terms like "Click here". Be specific about where the link will take the user. * **DON'T:** "Click here." * **DO:** "See the [Authentication Settings](https://docs.goauthentik.io/) for more details." * * * Inclusive language[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#inclusive-language "Direct link to Inclusive language") ------------------------------------------------------------------------------------------------------------------------------------------- * Use **gender-neutral pronouns** like "they/them" instead of "he/she" (e.g., "The user should check their settings"). * Avoid **ableist terms** such as "dumb" or "lame"; use "non-functional" or "unavailable" instead. * **Avoid idioms** that may not translate well (e.g., instead of "hit a home run" use "achieve success"). * * * Images and media[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#images-and-media "Direct link to Images and media") ------------------------------------------------------------------------------------------------------------------------------------- * **Screenshots**: * Use screenshots very sparingly, only for very complex UIs. If there are screenshots, update any existing ones if the UI changes. * Crop to focus on relevant elements, use red arrows or circles to call out the important element. * Add descriptive alt text (e.g., "Screenshot of the Provider configuration page"). * **Diagrams**: * Use [Mermaid](https://mermaid.js.org/) for creating diagrams directly in markdown. Mermaid is our preferred tool for documentation diagrams as it allows for version control and easy updates. * For more complex diagrams, you can use tools like [Draw.io](https://draw.io/) . Ensure high contrast and text descriptions. * **authentik icons**: * For authentik icons in integration guides, reference assets from the user's own self-hosted instance to avoid external calls, for example: `https://authentik.company/static/dist/assets/icons/icon.svg` * * * Document structure and metadata[​](https://docs.goauthentik.io/developer-docs/docs/style-guide/#document-structure-and-metadata "Direct link to Document structure and metadata") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * **Front matter**: Include a title and optional summary. You can also add badge metadata in the front matter: ---title: Getting Starteddescription: Install and configure authentik in 5 minutes.authentik_version: "2025.4" # Semantic version when feature was introduced (Optional)authentik_preview: true # For preview features (Optional)authentik_enterprise: true # For enterprise features (Optional)support_level: "authentik" # For integrations: Support level: "authentik" (tested by team) or "community" (community maintained)--- Note: Badges should be defined in the front matter, not in the markdown content. The system will automatically display the appropriate badges based on the front matter metadata. * **Directives**: You can also use directives in your markdown content to add badges inline: * `:ak-version[2025.4]` - Shows when a feature was introduced (requires semantic version) * `:ak-preview` - Indicates preview features * `:ak-enterprise` - Indicates features in our Enterprise offering Example usage in a heading: # New Feature :ak-version[2025.4] :ak-preview Note: When using directives, they should be placed at the end of the heading or paragraph where they apply. * **SEO**: Use keywords in titles and headings to improve searchability. Include relevant terms that users might search for, but avoid keyword stuffing. Focus on natural, descriptive language that accurately represents the content. * [General style guidelines](https://docs.goauthentik.io/developer-docs/docs/style-guide/#general-style-guidelines) * [Logical order](https://docs.goauthentik.io/developer-docs/docs/style-guide/#logical-order) * [Headings](https://docs.goauthentik.io/developer-docs/docs/style-guide/#headings) * [Look and feel of the docs](https://docs.goauthentik.io/developer-docs/docs/style-guide/#look-and-feel-of-the-docs) * [Cross-references](https://docs.goauthentik.io/developer-docs/docs/style-guide/#cross-references) * [Relative vs. absolute paths](https://docs.goauthentik.io/developer-docs/docs/style-guide/#relative-vs-absolute-paths) * [Markdown file type](https://docs.goauthentik.io/developer-docs/docs/style-guide/#markdown-file-type) * [OS-agnostic, clarify where needed](https://docs.goauthentik.io/developer-docs/docs/style-guide/#os-agnostic-clarify-where-needed) * [Terminology](https://docs.goauthentik.io/developer-docs/docs/style-guide/#terminology) * [authentik product name and terms](https://docs.goauthentik.io/developer-docs/docs/style-guide/#authentik-product-name-and-terms) * [Industry terms and technology names](https://docs.goauthentik.io/developer-docs/docs/style-guide/#industry-terms-and-technology-names) * [Trademarks and legal terms](https://docs.goauthentik.io/developer-docs/docs/style-guide/#trademarks-and-legal-terms) * [Writing style](https://docs.goauthentik.io/developer-docs/docs/style-guide/#writing-style) * [Tone](https://docs.goauthentik.io/developer-docs/docs/style-guide/#tone) * [Language](https://docs.goauthentik.io/developer-docs/docs/style-guide/#language) * [Voice](https://docs.goauthentik.io/developer-docs/docs/style-guide/#voice) * [User-friendly phrasing](https://docs.goauthentik.io/developer-docs/docs/style-guide/#user-friendly-phrasing) * [Punctuation](https://docs.goauthentik.io/developer-docs/docs/style-guide/#punctuation) * [Capitalization](https://docs.goauthentik.io/developer-docs/docs/style-guide/#capitalization) * [Word choices](https://docs.goauthentik.io/developer-docs/docs/style-guide/#word-choices) * ["May" versus "Might" versus "Can"](https://docs.goauthentik.io/developer-docs/docs/style-guide/#may-versus-might-versus-can) * ["Login", "Log in", and "Log in to"](https://docs.goauthentik.io/developer-docs/docs/style-guide/#login-log-in-and-log-in-to) * [Use "that" as a conjunction](https://docs.goauthentik.io/developer-docs/docs/style-guide/#use-that-as-a-conjunction) * ["which" vs "that"](https://docs.goauthentik.io/developer-docs/docs/style-guide/#which-vs-that) * ["since" (time-based) vs "because" (causal)](https://docs.goauthentik.io/developer-docs/docs/style-guide/#since-time-based-vs-because-causal) * [Avoid using "once" (numeric) to mean "after" (time-based).](https://docs.goauthentik.io/developer-docs/docs/style-guide/#avoid-using-once-numeric-to-mean-after-time-based) * [Formatting guidelines](https://docs.goauthentik.io/developer-docs/docs/style-guide/#formatting-guidelines) * [Fonts and font styling](https://docs.goauthentik.io/developer-docs/docs/style-guide/#fonts-and-font-styling) * [Lists](https://docs.goauthentik.io/developer-docs/docs/style-guide/#lists) * [Notes and warnings](https://docs.goauthentik.io/developer-docs/docs/style-guide/#notes-and-warnings) * [URLs](https://docs.goauthentik.io/developer-docs/docs/style-guide/#urls) * [Variables](https://docs.goauthentik.io/developer-docs/docs/style-guide/#variables) * [Titles and headers](https://docs.goauthentik.io/developer-docs/docs/style-guide/#titles-and-headers-1) * [Examples](https://docs.goauthentik.io/developer-docs/docs/style-guide/#examples) * [Code blocks](https://docs.goauthentik.io/developer-docs/docs/style-guide/#code-blocks) * [Tables](https://docs.goauthentik.io/developer-docs/docs/style-guide/#tables) * [Lists](https://docs.goauthentik.io/developer-docs/docs/style-guide/#lists-1) * [Component-based formatting](https://docs.goauthentik.io/developer-docs/docs/style-guide/#component-based-formatting) * [Tabs for multiple configurations](https://docs.goauthentik.io/developer-docs/docs/style-guide/#tabs-for-multiple-configurations) * [Error message formatting and troubleshooting](https://docs.goauthentik.io/developer-docs/docs/style-guide/#error-message-formatting-and-troubleshooting) * [Accessibility best practices](https://docs.goauthentik.io/developer-docs/docs/style-guide/#accessibility-best-practices) * [Inclusive language](https://docs.goauthentik.io/developer-docs/docs/style-guide/#inclusive-language) * [Images and media](https://docs.goauthentik.io/developer-docs/docs/style-guide/#images-and-media) * [Document structure and metadata](https://docs.goauthentik.io/developer-docs/docs/style-guide/#document-structure-and-metadata) --- # Manage your Enterprise account | authentik [Skip to main content](https://docs.goauthentik.io/enterprise/manage-enterprise/#__docusaurus_skipToContent_fallback) On this page Organization management[​](https://docs.goauthentik.io/enterprise/manage-enterprise/#organization-management "Direct link to Organization management") ------------------------------------------------------------------------------------------------------------------------------------------------------- Your organization defines the members, their roles, the licenses associated with the organization, and account management for billing, payment methods, and invoice history. ### Create an Organization[​](https://docs.goauthentik.io/enterprise/manage-enterprise/#create-an-organization "Direct link to Create an Organization") 1. To create a new organization, log in to the [Customer Portal](https://customers.goauthentik.io/) . 2. On the **My organizations** page, click **Create an organization**. 3. Specify the organization's name and notification email address, and then click **Create**. Your new organization page displays. info If you need to delete an organization open a ticket in the Support center. ### Add/remove members of an organization[​](https://docs.goauthentik.io/enterprise/manage-enterprise/#addremove-members-of-an-organization "Direct link to Add/remove members of an organization") In the Customer Portal you can remove members and invite new members to the organization. When you invite new members, you can specify the role for the new member. * **Member**: can view licenses, including the license key. * **Owner**: can do everything the Member role can do, plus: add and remove members, order and renew licenses, and edit the organization. 1. To manage membership in an organization, log in to the [Customer Portal](https://customers.goauthentik.io/) . 2. On the **My organizations** page, click the name of the organization you want to edit membership in. Your organization page displays. * To remove a member, scroll down to the **Membership** area and then click **Remove** beside the name of the member. * To invite a new member, scroll down to the **Pending invitations** area, and enter the email address for the person, select the role, and then click **Invite**. A message appears that the invitation has been sent. When the recipient accepts the invitation by clicking a link in the email, they will be added to the organization. License management[​](https://docs.goauthentik.io/enterprise/manage-enterprise/#license-management "Direct link to License management") ---------------------------------------------------------------------------------------------------------------------------------------- Note that a license is associated with a specific Organization in the Customer Portal and a specific authentik instance (with a unique Install ID), and not with individual users. A single license is purchased for a specified number of users. Additional users can be added to a license, or additional licenses purchased for the same instance, if more users need to be added later. ### Buy a license[​](https://docs.goauthentik.io/enterprise/manage-enterprise/#buy-a-license "Direct link to Buy a license") info [Learn more](https://docs.goauthentik.io/enterprise/manage-enterprise/#about-users-and-licenses) about **internal** and **external** users, and how we forecast the number of users. 1. To get a license key, log in to your authentik account with your administrator credentials, and then click **Admin interface** in the upper right. 2. On the **Admin interface**, navigate to **Enterprise → Licenses** in the left menu, and then click **Go to Customer Portal** under the **Get a license** section. Alternatively you can open a new browser window and go directly to the [Customer Portal](https://customers.goauthentik.io/) . 3. Log in to the Customer Portal. In the Customer Portal, if you have not already created an Organization (nor been invited to join one), you are first prompted to create an organization. 4. On the **My organizations** page, click **Create an organization**. 5. Specify the organization's name and notification email address, and then click **Create**. Your new organization page displays. 6. Click **Purchase license**, and then on the **Purchase a license** page, review the pricing plans and (optionally) change the name of the license. The name is simply a nickname, a convenient way to label the license. 7. Click **Continue** to display the checkout page. Select the number of users, provide your payment information, and then click **Subscribe**. When payment verification is complete, you are redirected to the **My organizations** page, where you should see a message saying "Successful purchase. Your license will appear here once we've validated your payment. If it doesn't, please contact us." When ready, the license displays on the organization's page. info If you access the checkout page directly from the Customer Portal, and not through the admin interface, you are prompted to provide the Install ID for your authentik installation. This ID can be found in the Admin interface on the **Licenses** page; click **Install** to view the **Install ID** number. 8. To retrieve your license key, click on **Details** beside the license name and copy the key to your clipboard. 9. Go back to the Admin interface, navigate to **Enterprise > Licenses** page, click on **Install**, paste the key, and then click **Install**. #### License verification[​](https://docs.goauthentik.io/enterprise/manage-enterprise/#license-verification "Direct link to License verification") To verify that the license was successfully installed, confirm that the expriry date on the **Enterprise --> Licenses** page displays a date one year later. ### How to view your license key[​](https://docs.goauthentik.io/enterprise/manage-enterprise/#how-to-view-your-license-key "Direct link to How to view your license key") You can view the list of licenses that are applied to your organization on either the Admin interface, on the **Enterprise > Licenses** page, or in the Customer Portal, under your organization's page. ### Update your license[​](https://docs.goauthentik.io/enterprise/manage-enterprise/#update-your-license "Direct link to Update your license") If you purchase a new license, or receive a new one due to a change in the number of users, you will need to remove the old license and add the new one. To do so open the Admin interface, navigate to **Enterprise > Licenses** page, click on **Install**, paste the new key, and then click **Install**. ### About the license expiry date[​](https://docs.goauthentik.io/enterprise/manage-enterprise/#about-the-license-expiry-date "Direct link to About the license expiry date") The **Enterprise > Licenses** page shows your current licenses' **Cumulative license expiry**. Expiry date calculation works by verifying the individual expiry date for all valid licenses and then picking the lowest expiry date. After the date of the earliest expiring license, all calculations will be updated without that license, by selecting the next earliest date. ### License violation notifications[​](https://docs.goauthentik.io/enterprise/manage-enterprise/#license-violation-notifications "Direct link to License violation notifications") The following events occur when a license expires or the internal/external user count is over the licensed user count for the time period below. * After 2 weeks of the expiry date administrators see a warning banner on the Admin interface * After another 2 weeks, users get a warning banner * After another 2 weeks, the authentik Enterprise instance becomes "read-only" When an authentik instance is in read-only mode, the following actions are still possible: * Users can authenticate and authorize applications * Licenses can be modified * Users can be modified/deletedauthentik: 2024.10.5+ After the violation is corrected (either the user count returns to be within the limits of the license or the license is renewed), authentik will return to the standard read-write mode and the notification will disappear. ### About users and licenses[​](https://docs.goauthentik.io/enterprise/manage-enterprise/#about-users-and-licenses "Direct link to About users and licenses") License usage is calculated based on total user counts that authentik regularly captures. This data is checked against all valid licenses, and the sum total of all users. Internal and external users are counted based on the total number of users of the respective type saved in authentik. info Accounts that are disabled, as well as service accounts, are excluded from the license user count. #### Internal vs external users[​](https://docs.goauthentik.io/enterprise/manage-enterprise/#internal-vs-external-users "Direct link to Internal vs external users") An **internal** user is typically a team member, such as a company employee, who is granted access to the full Enterprise feature set. This includes the ability to view and use the **My Applications** and **User Settings** pages. An **external** user might be an external consultant, a volunteer in a charitable site, or a B2C customer. External users can't access the **My Applications** and **User Settings** pages. Instead, external users are typically authenticated and then redirected to log directly into their [default application](https://docs.goauthentik.io/brands/#external-user-settings) . ### Upgrade the number of users in a license[​](https://docs.goauthentik.io/enterprise/manage-enterprise/#upgrade-the-number-of-users-in-a-license "Direct link to Upgrade the number of users in a license") There are two ways to update the number of users in a license. You can either purchase a new license and enter it in the same authentik instance as the other one, in which case the total number of users in all your licenses is used to calculate the maximum number of users. However, this means that your licensing renewals will not happen at the same date. The second way is to [open a support ticket](https://docs.goauthentik.io/enterprise/entsupport/) with us and we'll upgrade the number of users in your license. You'll be charged the prorated amount for the remaining time until the next license renewal. ### Cancel your subscription[​](https://docs.goauthentik.io/enterprise/manage-enterprise/#cancel-your-subscription "Direct link to Cancel your subscription") To cancel your subscription, access the [billing management interface](https://docs.goauthentik.io/enterprise/manage-enterprise/#manage-billing) , choose the subscription to cancel, and click "Cancel subscription". Once a subscription is canceled, the associated license will still be valid until the end of the billing period, but it will not be automatically renewed. Manage Billing[​](https://docs.goauthentik.io/enterprise/manage-enterprise/#manage-billing "Direct link to Manage Billing") ---------------------------------------------------------------------------------------------------------------------------- Billing is based on each individual organization. 1. To manage your billing, go to the [Customer Portal](https://customers.goauthentik.io/) and navigate to **Organizations > My organizations**. 2. Select the organization for which you want to manage billing. The organization detail page displays. 3. Click **Manage Billing** in the top left of the page. On the billing page you can: * update your account information (address, name, phone number, and tax ID) * add a payment method * view your invoice and payment history * cancel your license subscriptions * [Organization management](https://docs.goauthentik.io/enterprise/manage-enterprise/#organization-management) * [Create an Organization](https://docs.goauthentik.io/enterprise/manage-enterprise/#create-an-organization) * [Add/remove members of an organization](https://docs.goauthentik.io/enterprise/manage-enterprise/#addremove-members-of-an-organization) * [License management](https://docs.goauthentik.io/enterprise/manage-enterprise/#license-management) * [Buy a license](https://docs.goauthentik.io/enterprise/manage-enterprise/#buy-a-license) * [How to view your license key](https://docs.goauthentik.io/enterprise/manage-enterprise/#how-to-view-your-license-key) * [Update your license](https://docs.goauthentik.io/enterprise/manage-enterprise/#update-your-license) * [About the license expiry date](https://docs.goauthentik.io/enterprise/manage-enterprise/#about-the-license-expiry-date) * [License violation notifications](https://docs.goauthentik.io/enterprise/manage-enterprise/#license-violation-notifications) * [About users and licenses](https://docs.goauthentik.io/enterprise/manage-enterprise/#about-users-and-licenses) * [Upgrade the number of users in a license](https://docs.goauthentik.io/enterprise/manage-enterprise/#upgrade-the-number-of-users-in-a-license) * [Cancel your subscription](https://docs.goauthentik.io/enterprise/manage-enterprise/#cancel-your-subscription) * [Manage Billing](https://docs.goauthentik.io/enterprise/manage-enterprise/#manage-billing) --- # Frontend development environment | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/setup/frontend-dev-environment/#__docusaurus_skipToContent_fallback) On this page If you're focusing solely on frontend development, you can create a minimal development environment using Docker and Node.js. This setup allows you to make and preview changes to the frontend in real-time, without needing to interact with the backend. ### Prerequisites[​](https://docs.goauthentik.io/developer-docs/setup/frontend-dev-environment/#prerequisites "Direct link to Prerequisites") * [Node.js](https://nodejs.org/en) (24 or later) * [Docker](https://www.docker.com/) (Latest Community Edition or Docker Desktop) * [Docker Compose](https://docs.docker.com/compose/) (Compose v2) * [Make](https://www.gnu.org/software/make/) (3 or later) info Depending on platform, some native dependencies might be required. On macOS, run `brew install node@24`, and for Docker `brew install --cask docker` ### Instructions[​](https://docs.goauthentik.io/developer-docs/setup/frontend-dev-environment/#instructions "Direct link to Instructions") 1. Clone the Git repo to your development machine and navigate to the authentik directory. git clone https://github.com/goauthentik/authentikcd authentik 2. From the cloned repository, follow the Docker Compose [installation instructions](https://docs.goauthentik.io/install-config/install/docker-compose/) . 3. Create a `.env` file in the root of the repository to configure the Docker Compose environment. AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-serverAUTHENTIK_TAG=gh-nextAUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-nextAUTHENTIK_LOG_LEVEL=debugGIT_BUILD_HASH="dev" 4. Create a Docker Compose override file (`docker-compose.override.yml`) in the same directory as the `docker-compose.yml`. This will override the volume configurations for the local configuration file (`local.env.yml`) and mount the directory for the frontend code (`web`) into the docker containers. By creating this file in the root of the repository, Docker will automatically mount the web files generated by the build process. The `local.env.yml` mount is optional, but allows you to override the default configuration. docker-compose.override.yml services: server: volumes: - ./web:/web - ./local.env.yml:/local.env.yml 5. From the repository root, run the front-end build script. This will install the npm packages needed to run the frontend project and start the project in watch mode. make node-installmake web-watch 6. In a new terminal, navigate to the cloned repository root and start the backend containers with Docker Compose. docker compose up You can now access authentik on [http://localhost:9000](http://localhost:9000/) (or [https://localhost:9443](https://localhost:9443/) ). You might also want to complete the initial setup under `/if/flow/initial-setup/`. * [Prerequisites](https://docs.goauthentik.io/developer-docs/setup/frontend-dev-environment/#prerequisites) * [Instructions](https://docs.goauthentik.io/developer-docs/setup/frontend-dev-environment/#instructions) --- # Writing documentation | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#__docusaurus_skipToContent_fallback) On this page Writing documentation for authentik is a great way for both new and experienced users to improve and contribute to the project. We appreciate contributions to our documentation; everything from fixing a typo to adding additional content to writing a completely new topic. The [technical documentation](https://docs.goauthentik.io/) and our [integration guides](https://integrations.goauthentik.io/) are built, formatted, and tested using `npm`. The commands to build the content locally are defined in the `Makefile` in the root of the repository. Each command is prefixed with `docs-` or `integrations-` and corresponds to an NPM script within the `website` directory. Documentation subdomains[​](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#documentation-subdomains "Direct link to Documentation subdomains") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- authentik documentation is deployed to different subdomains based on the git branch: | Subdomain | Git Branch | Description | | --- | --- | --- | | [main.goauthentik.io](https://main.goauthentik.io/) | `main` | Latest changes and features | | [next.goauthentik.io](https://next.goauthentik.io/) | `next` | Upcoming release content | | [docs.goauthentik.io](https://docs.goauthentik.io/) | Current release | Official stable documentation | | version-YYYY-MM.goauthentik.io | Specific release | Historical version documentation | Guidelines[​](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#guidelines "Direct link to Guidelines") ----------------------------------------------------------------------------------------------------------------------------- Adhering to the following guidelines will help us get your PRs merged much easier and faster, with fewer edits needed. * Ideally, when you are making contributions to the documentation, you should fork and clone our repo, then [build it locally](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#set-up-your-local-build-tools) , so that you can test the docs and run the required linting and spell checkers before pushing your PR. While you can do much of the writing and editing within the GitHub UI, you cannot run the required linters from the GitHub UI. * After submitting a PR, you can view the Netlify Deploy Preview for the PR on GitHub, to check that your content rendered correctly, links work, etc. This is especially useful when using Docusaurus-specific features in your content. * Please refer to our [Style Guide](https://docs.goauthentik.io/developer-docs/docs/style-guide/) for authentik documentation. Here you will learn important guidelines about not capitalizing authentik, how we format our titles and headers, and much more. * Remember to use our templates when possible; they are already set up to follow our style guidelines, they make it a lot easier for you (no blank page frights!), and they keep the documentation structure and headings consistent. * [docs templates](https://docs.goauthentik.io/developer-docs/docs/templates/) * [integration guide template](https://integrations.goauthentik.io/applications#add-a-new-application) tip If you encounter build check fails, or issues you with your local build, you might need to run `make docs-install` in order to get the latest build tools and dependencies; we do occasionally update our build tools. Setting up a docs development environment[​](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#setting-up-a-docs-development-environment "Direct link to Setting up a docs development environment") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Prerequisites[​](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#prerequisites "Direct link to Prerequisites") * [Node.js](https://nodejs.org/en) (24 or later) * [Make](https://www.gnu.org/software/make/) (3 or later) * macOS * Linux * Windows Install the required dependencies on macOS using Homebrew: brew install node@24 [Download NodeJS version 24](https://nodejs.org/en/download/current) for your Linux distribution. We're currently seeking community input on building the docs in Windows. If you have experience with this setup, please consider contributing to this documentation. ### Clone and fork the authentik repository[​](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#clone-and-fork-the-authentik-repository "Direct link to Clone and fork the authentik repository") git clone https://github.com/goauthentik/authentik The documentation, integration guides, API docs, and the code are in the same [GitHub repo](https://github.com/goauthentik/authentik) , so if you have cloned and forked the repo, you already have the docs and integration guides. ### Set up your local build tools[​](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#set-up-your-local-build-tools "Direct link to Set up your local build tools") Run the following command to install or update the build tools for both the technical docs and integration guides. make docs-install Installs or updates the build dependencies such as Docusaurus, Prettier, and ESLint. You should run this command when you are first setting up your writing environment, and also if you encounter build check fails either when you build locally or when you push your PR to the authentik repository. Running this command will grab any new dependencies that we might have added to our build tool package. Writing or modifying technical docs[​](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#writing-or-modifying-technical-docs "Direct link to Writing or modifying technical docs") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- In addition to following the [Style Guide](https://docs.goauthentik.io/developer-docs/docs/style-guide/) please review the following guidelines about our technical documentation ([https://docs.goauthentik.io/docs/](https://docs.goauthentik.io/docs/) ): * For new entries, make sure to add any new pages to the `/docs/sidebar.mjs` file. Otherwise, the new page will not appear in the table of contents to the left. * Always be sure to run the `make docs` command on your local branch _before_ pushing the PR to the authentik repo. This command does important linting, and the build check in our repo will fail if the linting has not been done. In general, check on the health of your build before pushing to the authentik repo, and also check on the build status of your PR after you create it. For our technical documentation ([https://docs.goauthentik.io/docs/](https://docs.goauthentik.io/docs/) ), the following commands are used: ### Build locally[​](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#build-locally "Direct link to Build locally") make docs This command is a combination of `make docs-lint-fix` and `make docs-build`. It is important to run this command before committing changes because linter errors will prevent the build checks from passing. ### Live editing[​](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#live-editing "Direct link to Live editing") make docs-watch Starts a local development server for the documentation site and opens a preview in your browser. This command will automatically rebuild your local documentation site in real time, as you write or make changes to the Markdown files in the `website/docs` directory. Writing or modifying integration guides[​](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#writing-or-modifying-integration-guides "Direct link to Writing or modifying integration guides") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- In addition to following the [Style Guide](https://docs.goauthentik.io/developer-docs/docs/style-guide/) please review the following guidelines about our integration guides ([https://integrations.goauthentik.io/](https://integrations.goauthentik.io/) ). * For new integration documentation, please use the Integrations template in our [Github repo](https://github.com/goauthentik/authentik) at `/website/integrations/template/service.md`. * For placeholder domains, use `authentik.company` and `app-name.company`, where `app-name` is the name of the application that you are writing documentation for. * Make sure to create a directory for your service in a fitting category within [`/website/integrations/`](https://github.com/goauthentik/authentik/tree/main/website/integrations) . Sidebars and categories You no longer need to modify the integrations sidebar file manually. This is now automatically generated from the categories in [`/website/integrations/categories.mjs`](https://github.com/goauthentik/authentik/blob/main/website/integrations/categories.mjs) . When authoring integration guides, the following commands are used: ### Build locally[​](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#build-locally-1 "Direct link to Build locally") make integrations This command is a combination of `make docs-lint-fix` and `make integrations-build`. This command should always be run on your local branch before committing your changes to a pull request to the authentik repo. It is important to run this command before committing changes because linter errors will prevent the build checks from passing. ### Live editing[​](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#live-editing-1 "Direct link to Live editing") make integrations-watch Starts a local development server for the integrations site and opens a preview in your browser. This command will automatically rebuild your local integrations site in real time, as you write or make changes to the Markdown files in the `website/integrations` directory. Page routing and URLs[​](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#page-routing-and-urls "Direct link to Page routing and URLs") -------------------------------------------------------------------------------------------------------------------------------------------------------------- Every documentation page you see on our website starts as a simple Markdown file in our repository. When you create or edit these files, our build system automatically transforms them into web pages with predictable URLs. ### Converting file paths to URLs[​](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#converting-file-paths-to-urls "Direct link to Converting file paths to URLs") Let's take a look at the file path of the [Style Guide page](https://docs.goauthentik.io/developer-docs/docs/style-guide/) : /website/docs/developer-docs/docs/style-guide.mdx Compared to the URL path of this page, there are a few differences: * The `website/docs` prefix is dropped. * File extensions are removed. * A trailing slash is added. This results in the following URL path: https://docs.goauthentik.io/developer-docs/docs/style-guide/ The final published URL is made possible with a combination of [Docusaurus's routing system](https://docusaurus.io/docs/advanced/routing) and [Netlify's redirects](https://docs.netlify.com/routing/redirects/) . ### Sidebar files[​](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#sidebar-files "Direct link to Sidebar files") The sidebar files define the navigation structure of the documentation pages. * **Documentation**: [`website/docs/sidebar.mjs`](https://github.com/goauthentik/authentik/blob/main/website/docs/sidebar.mjs) * **Integrations**: [`website/integrations/sidebar.mjs`](https://github.com/goauthentik/authentik/blob/main/website/integrations/sidebar.mjs) * Automatically generated from the categories in [`/website/integrations/categories.mjs`](https://github.com/goauthentik/authentik/blob/main/website/integrations/categories.mjs) . * **API Reference**: [`website/api/sidebar.mjs`](https://github.com/goauthentik/authentik/blob/main/website/api/sidebar.mjs) * Mostly automatically generated from authentik API schema. ### Redirects[​](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#redirects "Direct link to Redirects") Sometimes we need to move pages or change URLs. Instead of breaking bookmarks and links, we can define a redirect to automatically send readers from old URLs to new ones. All our redirects are defined within three files: * **Documentation**: [`website/docs/static/_redirects`](https://github.com/goauthentik/authentik/blob/main/website/docs/static/_redirects) * **Integrations**: [`website/integrations/static/_redirects`](https://github.com/goauthentik/authentik/blob/main/website/integrations/static/_redirects) * **API Reference**: [`website/api/static/_redirects`](https://github.com/goauthentik/authentik/blob/main/website/api/static/_redirects) A `_redirects` file contains a list of rules that define how to handle requests, each of which has the following format: 1. The source URL path (i.e the old URL to match against). 2. The destination URL path (i.e. the new URL to redirect to). 3. The HTTP status code to use when redirecting, followed by an exclamation mark (`!`). For example, if we moved our applications page: website/docs/static/\_redirects # Source URL Path | Destination URL Path | Status Code/core/applications /add-secure-apps/applications/ 302! Anyone visiting the old URL will automatically land on the new page using a combination of Netlify and Docusaurus. #### Initial page loads (server-side)[​](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#initial-page-loads-server-side "Direct link to Initial page loads (server-side)") When a reader first visits a documentation page or refreshes their browser: 1. Their browser requests the URL from our server (Netlify). 2. Netlify checks if that exact page exists. 3. If not, it checks our `_redirects` file for a matching rule. 4. The server sends back the correct page, or a 404 if no matching rule exists. #### Navigating between pages (client-side)[​](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#navigating-between-pages-client-side "Direct link to Navigating between pages (client-side)") When a reader clicks a link to another documentation page: 1. Docusaurus intercepts the click (no server request needed). 2. The URL in the browser's address bar changes. 3. Docusaurus router fetches the new page content without a full reload. If Docusaurus's router attempts to render a page that does not exist, the `_redirects` file will be used to determine if a redirect rule should be applied, without a server request or a full reload. Whether the reader is viewing a page for the first time or navigating between pages, this arrangement allows us to have a single source of truth for all URLs, ensuring that each page remains consistently accessible across authentik versions and throughout our three Docusaurus deployments (Topics, Integrations, and API). ### Updating a page's URL[​](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#updating-a-pages-url "Direct link to Updating a page's URL") Every URL is a promise When someone bookmarks a page or shares a link, they expect it to keep working. **Before changing any URL, ask yourself:** * [x] Is this move absolutely necessary? * [x] Could better organization be achieved without moving files? * [x] Will this help or confuse readers migrating between authentik versions? Remember, [Cool URIs don't change!](https://www.w3.org/Provider/Style/URI) Moving a documentation page to a new location requires updating a `sidebar.mjs` and `_redirects` file. 1. Take note of the page's current URL path in the browser's address bar. 2. Move the Markdown file to the new location. 3. Add a new redirect rule to the `_redirects` file in the respective [documentation directory](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#redirects) . 4. Update the `sidebar.mjs` file in the respective [documentation directory](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#redirects) . * [Documentation subdomains](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#documentation-subdomains) * [Guidelines](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#guidelines) * [Setting up a docs development environment](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#setting-up-a-docs-development-environment) * [Prerequisites](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#prerequisites) * [Clone and fork the authentik repository](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#clone-and-fork-the-authentik-repository) * [Set up your local build tools](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#set-up-your-local-build-tools) * [Writing or modifying technical docs](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#writing-or-modifying-technical-docs) * [Build locally](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#build-locally) * [Live editing](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#live-editing) * [Writing or modifying integration guides](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#writing-or-modifying-integration-guides) * [Build locally](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#build-locally-1) * [Live editing](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#live-editing-1) * [Page routing and URLs](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#page-routing-and-urls) * [Converting file paths to URLs](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#converting-file-paths-to-urls) * [Sidebar files](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#sidebar-files) * [Redirects](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#redirects) * [Updating a page's URL](https://docs.goauthentik.io/developer-docs/docs/writing-documentation/#updating-a-pages-url) --- # Air-gapped environments | authentik [Skip to main content](https://docs.goauthentik.io/install-config/air-gapped/#__docusaurus_skipToContent_fallback) On this page Outbound connections[​](https://docs.goauthentik.io/install-config/air-gapped/#outbound-connections "Direct link to Outbound connections") ------------------------------------------------------------------------------------------------------------------------------------------- By default, authentik creates outbound connections to the following URLs: * [https://version.goauthentik.io](https://version.goauthentik.io/) : Periodic update check * [https://goauthentik.io](https://goauthentik.io/) : Anonymous analytics on startup * [https://secure.gravatar.com](https://secure.gravatar.com/) : Avatars for users * [https://authentik.error-reporting.a7k.io](https://authentik.error-reporting.a7k.io/) : Error reporting * [https://tile.openstreetmap.org](https://tile.openstreetmap.org/) : Map tiles for event logs Enterprise authentik: 2025.8.0+ Configuration[​](https://docs.goauthentik.io/install-config/air-gapped/#configuration "Direct link to Configuration") ---------------------------------------------------------------------------------------------------------------------- To disable these outbound connections, adjust the following settings: * Docker Compose * Kubernetes Add the following block to your `.env` file: AUTHENTIK_DISABLE_STARTUP_ANALYTICS=trueAUTHENTIK_DISABLE_UPDATE_CHECK=trueAUTHENTIK_ERROR_REPORTING__ENABLED=false Afterwards, run the upgrade commands from the latest release notes. Add the following block to your `values.yml` file: authentik: error_reporting: enabled: false disable_update_check: true disable_startup_analytics: true Afterwards, run the upgrade commands from the latest release notes. Additionally, adjust the following [System settings](https://docs.goauthentik.io/sys-mgmt/settings/) : * **Avatars**: By default this setting connects to [Gravatar](https://secure.gravatar.com/) . To avoid outgoing connections, set this to a combination of other options, such as `initials`. Required resources[​](https://docs.goauthentik.io/install-config/air-gapped/#required-resources "Direct link to Required resources") ------------------------------------------------------------------------------------------------------------------------------------- ### Container images[​](https://docs.goauthentik.io/install-config/air-gapped/#container-images "Direct link to Container images") authentik deployments require access to the following container images. In an air-gapped environment, this can be achieved by mirroring the images to an internal registry, or using other methods appropriate for your environment. #### Main image[​](https://docs.goauthentik.io/install-config/air-gapped/#main-image "Direct link to Main image") * `ghcr.io/goauthentik/server` or `authentik/server` #### Outpost images[​](https://docs.goauthentik.io/install-config/air-gapped/#outpost-images "Direct link to Outpost images") * `ghcr.io/goauthentik/ldap` or `authentik/ldap` * `ghcr.io/goauthentik/proxy` or `authentik/proxy` * `ghcr.io/goauthentik/rac` or `authentik/rac` * `ghcr.io/goauthentik/radius` or `authentik/radius` #### Supporting services[​](https://docs.goauthentik.io/install-config/air-gapped/#supporting-services "Direct link to Supporting services") * PostgreSQL ### Helm repositories[​](https://docs.goauthentik.io/install-config/air-gapped/#helm-repositories "Direct link to Helm repositories") For Helm deployments, ensure access to the following repository. In an air-gapped environment, this can be achieved by mirroring the chart to an internal registry, or using other methods appropriate for your environment. * [https://charts.goauthentik.io](https://charts.goauthentik.io/) Network requirements[​](https://docs.goauthentik.io/install-config/air-gapped/#network-requirements "Direct link to Network requirements") ------------------------------------------------------------------------------------------------------------------------------------------- ### Required ports[​](https://docs.goauthentik.io/install-config/air-gapped/#required-ports "Direct link to Required ports") * **9000/9443**: Default authentik server ports for HTTP/HTTPS access. * **80/443**: For reverse proxy setups (if using a load balancer or ingress controller). * **SMTP ports**: Connectivity to your configured SMTP server (typically 25, 465, or 587). * **S3/object storage**: If configured, connectivity to your S3-compatible storage. ### Outpost-specific ports[​](https://docs.goauthentik.io/install-config/air-gapped/#outpost-specific-ports "Direct link to Outpost-specific ports") Each outpost container, in order to communicate with authentik, requires access to the authentik server via whichever protocol is specified in the URL set in the `AUTHENTIK_HOST` environment variable (preferably HTTPS). The outpost containers also need certain ports exposed: * **LDAP Outpost**: Ports 389/636 (LDAP/LDAPS) exposed to ports 3389/6636 of the container. * **Proxy Outpost**: Ports 9000/9443 (HTTP/HTTPS) exposed to ports 9000/9443 of the container. * **RAC Outpost**: Exposed ports not required. * **RADIUS Outpost**: Port 1812 (RADIUS Authentication) exposed to port 1812/udp of the container. For more detailed information about outpost configuration in air-gapped environments, see the [Outposts documentation](https://docs.goauthentik.io/add-secure-apps/outposts/) . * [Outbound connections](https://docs.goauthentik.io/install-config/air-gapped/#outbound-connections) * [Configuration](https://docs.goauthentik.io/install-config/air-gapped/#configuration) * [Required resources](https://docs.goauthentik.io/install-config/air-gapped/#required-resources) * [Container images](https://docs.goauthentik.io/install-config/air-gapped/#container-images) * [Helm repositories](https://docs.goauthentik.io/install-config/air-gapped/#helm-repositories) * [Network requirements](https://docs.goauthentik.io/install-config/air-gapped/#network-requirements) * [Required ports](https://docs.goauthentik.io/install-config/air-gapped/#required-ports) * [Outpost-specific ports](https://docs.goauthentik.io/install-config/air-gapped/#outpost-specific-ports) --- # Automated install | authentik [Skip to main content](https://docs.goauthentik.io/install-config/automated-install/#__docusaurus_skipToContent_fallback) On this page To install authentik automatically (skipping the Out-of-box experience), you can use the following environment variables on the worker container: ### `AUTHENTIK_BOOTSTRAP_PASSWORD`[​](https://docs.goauthentik.io/install-config/automated-install/#authentik_bootstrap_password "Direct link to authentik_bootstrap_password") Configure the default password for the `akadmin` user. Only read on the first startup. Can be used for any flow executor. ### `AUTHENTIK_BOOTSTRAP_TOKEN`[​](https://docs.goauthentik.io/install-config/automated-install/#authentik_bootstrap_token "Direct link to authentik_bootstrap_token") Create a token for the default `akadmin` user. Only read on the first startup. The string you specify for this variable is the token key you can use to authenticate yourself to the API. ### `AUTHENTIK_BOOTSTRAP_EMAIL`[​](https://docs.goauthentik.io/install-config/automated-install/#authentik_bootstrap_email "Direct link to authentik_bootstrap_email") Set the email address for the default `akadmin` user. Kubernetes[​](https://docs.goauthentik.io/install-config/automated-install/#kubernetes "Direct link to Kubernetes") -------------------------------------------------------------------------------------------------------------------- In the Helm values, set the `akadmin` user password and token: authentik: bootstrap_token: test bootstrap_password: test To store the password and token in a secret, use: global: envFrom: - secretRef: name: _some-secret_ where _some-secret_ contains the environment variables as in the documentation above. * [`AUTHENTIK_BOOTSTRAP_PASSWORD`](https://docs.goauthentik.io/install-config/automated-install/#authentik_bootstrap_password) * [`AUTHENTIK_BOOTSTRAP_TOKEN`](https://docs.goauthentik.io/install-config/automated-install/#authentik_bootstrap_token) * [`AUTHENTIK_BOOTSTRAP_EMAIL`](https://docs.goauthentik.io/install-config/automated-install/#authentik_bootstrap_email) * [Kubernetes](https://docs.goauthentik.io/install-config/automated-install/#kubernetes) --- # Releases | authentik [Skip to main content](https://docs.goauthentik.io/releases/#__docusaurus_skipToContent_fallback) [📄️ 2025.10\ -----------\ \ Highlights](https://docs.goauthentik.io/releases/2025.10/) [📄️ 2025.8\ ----------\ \ Highlights](https://docs.goauthentik.io/releases/2025.8/) [📄️ 2025.6\ ----------\ \ Highlights](https://docs.goauthentik.io/releases/2025.6/) [🗃️ Previous versions\ ---------------------\ \ 45 items](https://docs.goauthentik.io/releases/2025.4/) --- # AWS installation | authentik [Skip to main content](https://docs.goauthentik.io/install-config/install/aws/#__docusaurus_skipToContent_fallback) On this page You can install authentik to run on AWS with a CloudFormation template. ### Prerequisites[​](https://docs.goauthentik.io/install-config/install/aws/#prerequisites "Direct link to Prerequisites") * An AWS account. * An [AWS Certificate Manager](https://aws.amazon.com/certificate-manager/) certificate. Take note of the ARN of the certificate. ### Installation[​](https://docs.goauthentik.io/install-config/install/aws/#installation "Direct link to Installation") Log in to your AWS account and create a CloudFormation stack [with our template](https://console.aws.amazon.com/cloudformation/home#/stacks/create/review?stackName=authentik&templateURL=https://authentik-cloudformation-templates.s3.amazonaws.com/authentik.ecs.latest.yaml) . Under the **Certificate ARN** input, enter the previously created certificate ARN. You can also configure other settings if needed. You can follow the prompts to create the stack. This stack will create the following resources: * AWS SSM secrets for the PostgreSQL user and the authentik secret key * A VPC for all other resources * A RDS PostgreSQL Multi-AZ cluster * An ECS cluster with two tasks: * One for the authentik server * One for the authentik worker * An ALB (Application Load Balancer) pointing to the authentik server ECS task with the configured certificate * An EFS filesystem mounted on both ECS tasks for media file storage The stack will output the endpoint of the ALB that to which you can point your DNS records. ### Further customization[​](https://docs.goauthentik.io/install-config/install/aws/#further-customization "Direct link to Further customization") If you require further customization, we recommend you install authentik via [Docker Compose](https://docs.goauthentik.io/install-config/install/docker-compose/) or [Kubernetes](https://docs.goauthentik.io/install-config/install/kubernetes/) . * [Prerequisites](https://docs.goauthentik.io/install-config/install/aws/#prerequisites) * [Installation](https://docs.goauthentik.io/install-config/install/aws/#installation) * [Further customization](https://docs.goauthentik.io/install-config/install/aws/#further-customization) --- # Reverse-proxy | authentik [Skip to main content](https://docs.goauthentik.io/install-config/reverse-proxy/#__docusaurus_skipToContent_fallback) info Since authentik uses WebSockets to communicate with Outposts, it does not support HTTP/1.0 reverse-proxies. The HTTP/1.0 specification does not officially support WebSockets or protocol upgrades, though some clients may allow it. If you want to access authentik behind a reverse proxy, there are a few headers that must be passed upstream: * `X-Forwarded-Proto`: Tells authentik and Proxy Providers if they are being served over an HTTPS connection. * `X-Forwarded-For`: Without this, authentik will not know the IP addresses of clients. * `Host`: Required for various security checks, WebSocket handshake, and Outpost and Proxy Provider communication. * `Connection: Upgrade` and `Upgrade: WebSocket`: Required to upgrade protocols for requests to the WebSocket endpoints under HTTP/1.1. It is also recommended to use a [modern TLS configuration](https://ssl-config.mozilla.org/) and disable SSL/TLS protocols older than TLS 1.3. If your reverse proxy isn't accessing authentik from a private IP address, [trusted proxy CIDRs configuration](https://docs.goauthentik.io/install-config/configuration/#listen-settings) needs to be set on the authentik server to allow client IP address detection. The following nginx configuration can be used as a starting point for your own configuration. # Upstream where your authentik server is hosted.upstream authentik { server :9443; # Improve performance by keeping some connections alive. keepalive 10;}# Upgrade WebSocket if requested, otherwise use keepalivemap $http_upgrade $connection_upgrade_keepalive { default upgrade; '' '';}server { # HTTP server config listen 80; listen [::]:80; server_name sso.domain.tld; # 301 redirect to HTTPS return 301 https://$host$request_uri;}server { # HTTPS server config listen 443 ssl http2; listen [::]:443 ssl http2; server_name sso.domain.tld; # TLS certificates ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem; add_header Strict-Transport-Security "max-age=63072000" always; # Proxy site # Location can be set to a subpath if desired, see documentation linked below: # https://docs.goauthentik.io/docs/install-config/configuration/#authentik_web__path location / { proxy_pass https://authentik; proxy_http_version 1.1; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade_keepalive; }} --- # Beta and release candidate versions | authentik [Skip to main content](https://docs.goauthentik.io/install-config/beta/#__docusaurus_skipToContent_fallback) On this page You can test upcoming authentik versions before they are released as stable. There are two types of pre-release versions available: * **Release Candidates (RC)**: Near-final versions that are feature-complete and undergoing final testing before a stable release. RCs are more stable than Beta versions and are recommended for testing in staging environments. * **Beta versions**: Early builds that include new, or experimental features and may introduce bugs or breaking changes. It is recommended to upgrade your installation to the latest stable release before switching from stable to an RC or Beta version. warning Downgrading from RC or Beta versions is not supported. It is recommended to take a backup before upgrading, or test these versions on a separate installation. Upgrading from RC or Beta versions to the next stable release generally works, but is not officially supported. Release Candidate (RC) versions[​](https://docs.goauthentik.io/install-config/beta/#release-candidate-rc-versions "Direct link to Release Candidate (RC) versions") -------------------------------------------------------------------------------------------------------------------------------------------------------------------- Release candidates are available for testing before major version releases. To use an RC version, you need to specify the exact RC tag (e.g., `2025.10.0-rc3`). * Docker Compose * Kubernetes Add the following block to your `.env` file, replacing `2025.10.0-rc3` with the desired RC version: AUTHENTIK_TAG=2025.10.0-rc3 Next, pull the image and redeploy: docker compose pulldocker compose up -d Add the following block to your `values.yaml` file, replacing `2025.10.0-rc3` with the desired RC version: image: tag: 2025.10.0-rc3 # pullPolicy: Always to ensure you always get the latest version pullPolicy: Always Next, run the upgrade commands: helm repo updatehelm upgrade authentik authentik/authentik -f values.yaml Beta versions[​](https://docs.goauthentik.io/install-config/beta/#beta-versions "Direct link to Beta versions") ---------------------------------------------------------------------------------------------------------------- Beta versions provide early access to major new features that are still in active development. * Docker Compose * Kubernetes Add the following block to your `.env` file: AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-serverAUTHENTIK_TAG=gh-nextAUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s Next, run the upgrade commands below. Add the following block to your `values.yml` file: authentik: outposts: container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)simage: repository: ghcr.io/goauthentik/dev-server tag: gh-next # pullPolicy: Always to ensure you always get the latest version pullPolicy: Always Next, run the upgrade commands below. * Docker Compose * Kubernetes docker compose pulldocker compose up -d helm repo updatehelm upgrade authentik authentik/authentik -f values.yaml info If you are upgrading from an older Beta release to the most recent Beta release, you might need to run `kubectl rollout restart deployment`, because Helm needs to recreate the pods in order to pick up the new image (the tag doesn't change). Verifying the installation[​](https://docs.goauthentik.io/install-config/beta/#verifying-the-installation "Direct link to Verifying the installation") ------------------------------------------------------------------------------------------------------------------------------------------------------- To verify whether the upgrade was successful, go to your Admin panel and navigate to the Overview dashboard. There, you can check the version number to ensure that you are using the RC or Beta version you intended. * [Release Candidate (RC) versions](https://docs.goauthentik.io/install-config/beta/#release-candidate-rc-versions) * [Beta versions](https://docs.goauthentik.io/install-config/beta/#beta-versions) * [Verifying the installation](https://docs.goauthentik.io/install-config/beta/#verifying-the-installation) --- # High availability | authentik [Skip to main content](https://docs.goauthentik.io/install-config/high-availability/#__docusaurus_skipToContent_fallback) On this page High availability refers to system design that minimizes downtime even in the event of failures or disruptions. authentik supports high availability in several ways: * Multiple instances of the server and worker can be run in parallel, allowing for redundancy. * The authentik database is PostgreSQL, which has extensive support for different [highly available setups](https://www.postgresql.org/docs/current/high-availability.html) . * Both authentik and PostgreSQL support active-passive deployments. Parallel server and worker instances[​](https://docs.goauthentik.io/install-config/high-availability/#parallel-server-and-worker-instances "Direct link to Parallel server and worker instances") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- authentik server and worker instances are stateless. All session state and configuration data is stored in the database. This statelessness makes it easy to horizontally scale authentik deployments by adding more server and worker instances, ensuring resilience and fault tolerance. If a server or worker instance goes offline, another instance can continue to serve traffic. If these instances are distributed among multiple hosts, it can provide even higher levels of resilience and fault tolerance. PostgreSQL high availability[​](https://docs.goauthentik.io/install-config/high-availability/#postgresql-high-availability "Direct link to PostgreSQL high availability") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- PostgreSQL provides high availability through _replication_ and _clustering_. Refer to the [PostgreSQL High Availability, Load Balancing, and Replication documentation](https://www.postgresql.org/docs/current/high-availability.html) for more details. authentik also has built-in support for [PostgreSQL Read Replicas](https://docs.goauthentik.io/install-config/configuration/#read-replicas) and using [PostgreSQL Connection Poolers](https://docs.goauthentik.io/install-config/configuration/#using-a-postgresql-connection-pooler) like PgBouncer or PgPool. Active-passive authentik deployment[​](https://docs.goauthentik.io/install-config/high-availability/#active-passive-authentik-deployment "Direct link to Active-passive authentik deployment") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- In an active-passive deployment, one authentik instance actively serves all requests while the other is on standby, prepared to assume control in the event of a failure. The components of an active-passive authentik deployment include: * **Active Instance**: Handles all user authentication requests, API calls, and background tasks. It is fully operational and serves live traffic. * **Passive Instance**: Runs as a hot/warm standby. Does not handle incoming traffic or processing. Does not actively write to the database. * **Shared Database**: Both instances connect to the same PostgreSQL database which ensures data consistency. Because authentik is stateless, there are no data conflicts. * **Load Balancer**: A load balancer monitors the active instance's health. Upon detecting failure, it promotes the passive instance to active by redirecting all traffic to it. This failover can be triggered automatically or manually, depending on your failover strategy. When the original active authentik instance is restored, it can either remain passive or be promoted back to active (failback). For more information on monitoring the health of an authentik instance, refer to the [Monitoring documentation](https://docs.goauthentik.io/sys-mgmt/ops/monitoring/) . The following diagram shows a typical active-passive configuration: This setup provides several advantages: * **Resilient hosting options**: The ability to host each authentik deployment in separate environments. Different hardware, datacenters, or providers can be utilized for each deployment to increase resiliency and fault tolerance. * **Continuity of service**: During maintenance windows, continuity of service can be assured by switching between active and passive instances. * **Automatic failover**: A load balancer allows for automatic failover based on health monitoring, rather than waiting for administrators to detect an issue and manually failover. * **Possibility of blue-green deployment**: The use of a load balancer also allows for blue-green methodology, assuming that appropriate changes are made to the database. * [Parallel server and worker instances](https://docs.goauthentik.io/install-config/high-availability/#parallel-server-and-worker-instances) * [PostgreSQL high availability](https://docs.goauthentik.io/install-config/high-availability/#postgresql-high-availability) * [Active-passive authentik deployment](https://docs.goauthentik.io/install-config/high-availability/#active-passive-authentik-deployment) --- # Full development environment | authentik [Skip to main content](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#__docusaurus_skipToContent_fallback) On this page Prerequisites[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#prerequisites "Direct link to Prerequisites") -------------------------------------------------------------------------------------------------------------------------------------- Before you begin, ensure you have the following tools installed: * [Python](https://www.python.org/) (3.13 or later) * [uv](https://docs.astral.sh/uv/getting-started/installation/) (Latest stable release) * [Go](https://go.dev/) (1.24 or later) * [Node.js](https://nodejs.org/en) (24 or later) * [PostgreSQL](https://www.postgresql.org/) (16 or later) * [Docker](https://www.docker.com/) (Latest Community Edition or Docker Desktop) * [Docker Compose](https://docs.docker.com/compose/) (Compose v2) * [Make](https://www.gnu.org/software/make/) (3 or later) 1\. Setting Up Required Services[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#1-setting-up-required-services "Direct link to 1. Setting Up Required Services") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- authentik depends on several external services: * [PostgreSQL](https://www.postgresql.org/) for database storage * [Zenko CloudServer (S3)](https://www.zenko.io/cloudserver/) for object storage * [Sentry Spotlight](https://spotlightjs.com/) for error tracking and visualization ### Option A: Using Docker Compose (Recommended)[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#option-a-using-docker-compose-recommended "Direct link to Option A: Using Docker Compose (Recommended)") The easiest way to set up these services is using the provided Docker Compose configuration: docker compose -f scripts/docker-compose.yml up -d ### Option B: Using local installations[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#option-b-using-local-installations "Direct link to Option B: Using local installations") Alternatively, you can install and run these services directly on your system. info If using locally installed databases, ensure the PostgreSQL credentials provided to authentik have `CREATE DATABASE` and `DROP DATABASE` permissions, because authentik creates temporary databases for testing. 2\. Installing Platform-Specific Dependencies[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#2-installing-platform-specific-dependencies "Direct link to 2. Installing Platform-Specific Dependencies") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * macOS * Linux * Windows Install the required native dependencies on macOS using Homebrew: brew install \libxmlsec1 \libpq \pkg-config \uv \postgresql \node@24 \golangci-lint \krb5 For Debian/Ubuntu-based distributions: pip install uvsudo apt-get install -y \libgss-dev \krb5-config \libkrb5-dev \postgresql-server-dev-all \postgresql For other distributions (Red Hat, SUSE, Arch), adjust the package names as needed. Install `golangci-lint` by following the [official installation instructions](https://golangci-lint.run/welcome/install/#other-ci) . We're currently seeking community input on running the full development environment on Windows. If you have experience with this setup, please consider contributing to this documentation. 3\. Set up the backend[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#3-set-up-the-backend "Direct link to 3. Set up the backend") -------------------------------------------------------------------------------------------------------------------------------------------------------------- info All `make` commands must be executed from the root directory of your local authentik Git repository. ### Install dependencies[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#install-dependencies "Direct link to Install dependencies") Install all required JavaScript and Python dependencies and create an isolated Python environment: make install ### Generate development configuration[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#generate-development-configuration "Direct link to Generate development configuration") Create a local configuration file that uses the local databases for development: make gen-dev-config ### Initialize the database[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#initialize-the-database "Direct link to Initialize the database") Run all migrations with the following command: make migrate info If you ever want to start over, use `make dev-reset` which drops and restores the authentik PostgreSQL database to the state after `make migrate`. ### Understanding the architecture[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#understanding-the-architecture "Direct link to Understanding the architecture") authentik is primarily a Django application running under gunicorn, proxied by a Go application that serves static files. Most functions and classes have type hints and docstrings. For better code navigation, we recommend installing a Python Type-checking Extension in your IDE. 4\. Set up the frontend[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#4-set-up-the-frontend "Direct link to 4. Set up the frontend") ----------------------------------------------------------------------------------------------------------------------------------------------------------------- Even if you're not planning to develop the UI, you need to build the frontend as no compiled bundle is included by default. ### Building the UI[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#building-the-ui "Direct link to Building the UI") #### Live development mode[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#live-development-mode "Direct link to Live development mode") For real-time feedback as you make changes: make web-watch Or instead, if you just want to build it once: make web-build 5\. Running authentik[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#5-running-authentik "Direct link to 5. Running authentik") ----------------------------------------------------------------------------------------------------------------------------------------------------------- Now that the backend and frontend have been set up and built, you can start authentik. Start the server: make run-server In a separate process, start the worker: make run-worker info The very first time a worker runs, it might need some time to clear the initial task queue. Adjust [`AUTHENTIK_WORKER__THREADS`](https://docs.goauthentik.io/install-config/configuration/#authentik_worker__threads) as required. Both processes need to run to get a fully functioning authentik development environment. authentik will be accessible at [http://localhost:9000](http://localhost:9000/) . ### Initial setup[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#initial-setup "Direct link to Initial setup") To set a password for the default admin user (**akadmin**): 1. Navigate to [http://localhost:9000/if/flow/initial-setup/](http://localhost:9000/if/flow/initial-setup/) in your browser. 2. Follow the prompts to set up your admin account. ### Hot-reloading[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#hot-reloading "Direct link to Hot-reloading") When `AUTHENTIK_DEBUG` is set to `true` (the default for the development environment), the authentik server automatically reloads whenever changes are made to the code. However, due to instabilities in the reloading process of the worker, that behavior is turned off for the worker. You can enable code reloading in the worker by manually running `uv run ak worker --watch`. End-to-End (E2E) Setup[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#end-to-end-e2e-setup "Direct link to End-to-End (E2E) Setup") --------------------------------------------------------------------------------------------------------------------------------------------------------------- Start the E2E test services with the following command: docker compose -f tests/e2e/docker-compose.yml up -d You can then view the Selenium Chrome browser via [http://localhost:7900/](http://localhost:7900/) using the password: `secret`. Alternatively, you can connect directly via VNC on port `5900` using the password: `secret`. info When using Docker Desktop, host networking needs to be enabled via **Docker Settings** > **Resources** > **Network** > **Enable host networking**. 6\. Contributing code[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#6-contributing-code "Direct link to 6. Contributing code") ----------------------------------------------------------------------------------------------------------------------------------------------------------- ### Before submitting a pull request[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#before-submitting-a-pull-request "Direct link to Before submitting a pull request") Ensure your code meets our quality standards by running: 1. **Code linting**: make lint-fixmake lint 2. **Generate updated API documentation**: make gen 3. **Format frontend code**: make web 4. **Run tests**: make test You can run all these checks at once with: make all ### Submitting your changes[​](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#submitting-your-changes "Direct link to Submitting your changes") After your code passes all checks, submit a pull request on [GitHub](https://github.com/goauthentik/authentik/pulls) . Be sure to: * Provide a clear description of your changes * Reference any related issues * Follow our code style guidelines * Update any related documentation * Include tests for your changes where appropriate Thank you for contributing to authentik! * [Prerequisites](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#prerequisites) * [1\. Setting Up Required Services](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#1-setting-up-required-services) * [Option A: Using Docker Compose (Recommended)](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#option-a-using-docker-compose-recommended) * [Option B: Using local installations](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#option-b-using-local-installations) * [2\. Installing Platform-Specific Dependencies](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#2-installing-platform-specific-dependencies) * [3\. Set up the backend](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#3-set-up-the-backend) * [Install dependencies](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#install-dependencies) * [Generate development configuration](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#generate-development-configuration) * [Initialize the database](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#initialize-the-database) * [Understanding the architecture](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#understanding-the-architecture) * [4\. Set up the frontend](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#4-set-up-the-frontend) * [Building the UI](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#building-the-ui) * [5\. Running authentik](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#5-running-authentik) * [Initial setup](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#initial-setup) * [Hot-reloading](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#hot-reloading) * [End-to-End (E2E) Setup](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#end-to-end-e2e-setup) * [6\. Contributing code](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#6-contributing-code) * [Before submitting a pull request](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#before-submitting-a-pull-request) * [Submitting your changes](https://docs.goauthentik.io/developer-docs/setup/full-dev-environment/#submitting-your-changes) --- # Kubernetes installation | authentik [Skip to main content](https://docs.goauthentik.io/install-config/install/kubernetes/#__docusaurus_skipToContent_fallback) On this page You can install authentik to run on Kubernetes using a Helm Chart. info You can also [view a video walk-through](https://www.youtube.com/watch?v=O1qUbrk4Yc8) of the installation process on Kubernetes (with bonus details about email configuration and other important options). Requirements[​](https://docs.goauthentik.io/install-config/install/kubernetes/#requirements "Direct link to Requirements") --------------------------------------------------------------------------------------------------------------------------- * Kubernetes * Helm Video[​](https://docs.goauthentik.io/install-config/install/kubernetes/#video "Direct link to Video") ------------------------------------------------------------------------------------------------------ Generate Passwords[​](https://docs.goauthentik.io/install-config/install/kubernetes/#generate-passwords "Direct link to Generate Passwords") --------------------------------------------------------------------------------------------------------------------------------------------- Start by generating passwords for the database and cache. You can use either of the following commands: pwgen -s 50 1openssl rand 60 | base64 -w 0 Set Values[​](https://docs.goauthentik.io/install-config/install/kubernetes/#set-values "Direct link to Set Values") --------------------------------------------------------------------------------------------------------------------- Create a `values.yaml` file with a minimum of these settings: authentik: secret_key: "PleaseGenerateASecureKey" # This sends anonymous usage-data, stack traces on errors and # performance data to sentry.io, and is fully opt-in error_reporting: enabled: true postgresql: password: "ThisIsNotASecurePassword"server: ingress: # Specify kubernetes ingress controller class name ingressClassName: nginx | traefik | kong enabled: true hosts: - authentik.domain.tldpostgresql: enabled: true auth: password: "ThisIsNotASecurePassword" See all configurable values on [ArtifactHub](https://artifacthub.io/packages/helm/goauthentik/authentik) . Install authentik Helm Chart[​](https://docs.goauthentik.io/install-config/install/kubernetes/#install-authentik-helm-chart "Direct link to Install authentik Helm Chart") --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Now, execute the following commands to install authentik: helm repo add authentik https://charts.goauthentik.iohelm repo updatehelm upgrade --install authentik authentik/authentik -f values.yaml During the installation process, the database migrations will be applied automatically on startup. Accessing authentik[​](https://docs.goauthentik.io/install-config/install/kubernetes/#accessing-authentik "Direct link to Accessing authentik") ------------------------------------------------------------------------------------------------------------------------------------------------ After the installation is complete, access authentik at `https:///if/flow/initial-setup/`. Here, you can set a password for the default `akadmin` user. info You will get a `Not Found` error if initial setup URL doesn't include the trailing forward slash `/`. Make sure you use the complete url (`http:///if/flow/initial-setup/`) including the trailing forward slash. PostgreSQL production setup[​](https://docs.goauthentik.io/install-config/install/kubernetes/#postgresql-production-setup "Direct link to PostgreSQL production setup") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ We recommend using another installation method for PostgreSQL than the one provided that is only intended for demonstration and testing purposes. We recommend the following operators: * [CloudNativePG](https://github.com/cloudnative-pg/cloudnative-pg) * [Zalando Postgres Operator](https://github.com/zalando/postgres-operator) Email configuration (optional but recommended)[​](https://docs.goauthentik.io/install-config/install/kubernetes/#email-configuration-optional-but-recommended "Direct link to Email configuration (optional but recommended)") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- It is also recommended to configure global email settings. These are used by authentik to notify administrators about alerts, configuration issues and new releases. They can also be used by [Email stages](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/) to send verification/recovery emails. For more information, refer to our [Email configuration](https://docs.goauthentik.io/install-config/email/) documentation. * [Requirements](https://docs.goauthentik.io/install-config/install/kubernetes/#requirements) * [Video](https://docs.goauthentik.io/install-config/install/kubernetes/#video) * [Generate Passwords](https://docs.goauthentik.io/install-config/install/kubernetes/#generate-passwords) * [Set Values](https://docs.goauthentik.io/install-config/install/kubernetes/#set-values) * [Install authentik Helm Chart](https://docs.goauthentik.io/install-config/install/kubernetes/#install-authentik-helm-chart) * [Accessing authentik](https://docs.goauthentik.io/install-config/install/kubernetes/#accessing-authentik) * [PostgreSQL production setup](https://docs.goauthentik.io/install-config/install/kubernetes/#postgresql-production-setup) * [Email configuration (optional but recommended)](https://docs.goauthentik.io/install-config/install/kubernetes/#email-configuration-optional-but-recommended) --- # Email | authentik [Skip to main content](https://docs.goauthentik.io/install-config/email/#__docusaurus_skipToContent_fallback) On this page This page covers both configuring authentik to send emails and testing that email delivery is working. authentik can be configured with global email settings used to notify administrators about alerts, configuration issues, and new releases. They can also be used alongside [notification rules](https://docs.goauthentik.io/sys-mgmt/events/notifications/) to send emails based on any event that occurs within authentik. authentik also provides [Email stages](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/) , which are used to send emails to users for actions such as account recovery and verification. Email stages can be configured to use the global email settings or their own specific email settings. warning Some hosting providers block outgoing SMTP ports, in which case you will need to host an SMTP relay on a different port with a different provider. Global email settings[​](https://docs.goauthentik.io/install-config/email/#global-email-settings "Direct link to Global email settings") ----------------------------------------------------------------------------------------------------------------------------------------- * Docker * Kubernetes To configure global email settings, append the following block to your `.env` file: # SMTP Host Emails are sent toAUTHENTIK_EMAIL__HOST=localhostAUTHENTIK_EMAIL__PORT=25# Optionally authenticate (don't add quotation marks to your password)AUTHENTIK_EMAIL__USERNAME=AUTHENTIK_EMAIL__PASSWORD=# Use StartTLSAUTHENTIK_EMAIL__USE_TLS=false# Use SSLAUTHENTIK_EMAIL__USE_SSL=falseAUTHENTIK_EMAIL__TIMEOUT=10# Email address authentik will send from, should have a correct @domainAUTHENTIK_EMAIL__FROM=authentik@localhost To configure global email settings, append the following block to your `values.yaml` file: # add this block under the `authentik:` block in your values.yaml file# authentik:email: # -- SMTP Server emails are sent from, fully optional host: "" port: 587 # -- SMTP credentials. When left empty, no authentication will be done. username: "" # -- SMTP credentials. When left empty, no authentication will be done. password: "" # -- Enable either use_tls or use_ssl. They can't be enabled at the same time. use_tls: false # -- Enable either use_tls or use_ssl. They can't be enabled at the same time. use_ssl: false # -- Connection timeout in seconds timeout: 30 # -- Email 'from' address can either be in the format "[email protected]" or "authentik <[email protected]>" from: "" Testing email configuration[​](https://docs.goauthentik.io/install-config/email/#testing-email-configuration "Direct link to Testing email configuration") ----------------------------------------------------------------------------------------------------------------------------------------------------------- To test whether the global email settings are configured correctly, you can use the following command on your authentik server: ak test_email To test the email settings of a specific email stage, you can optionally provide the `-S` parameter: ak test_email [-S ] * Docker * Kubernetes To run this command with Docker Compose: docker compose exec worker ak test_email [...] To run this command with Kubernetes: kubectl exec -it deployment/authentik-worker -c worker -- ak test_email [...] Google Workspace SMTP relay configuration[​](https://docs.goauthentik.io/install-config/email/#google-workspace-smtp-relay-configuration "Direct link to Google Workspace SMTP relay configuration") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- To send email through Google SMTP servers, the easiest and most reliable method is often to use [Google's SMTP relay service](https://support.google.com/a/answer/2956491) . Google provides detailed guidance in their documentation: [Send email from a printer, scanner, or app](https://support.google.com/a/answer/176600?hl=en) . First, confirm the outbound IP address that authentik uses to send emails. [Follow Google's documentation](https://support.google.com/a/answer/2956491) to add the IP address or addresses to the **SMTP relay service** options in your workspace's Gmail settings. * Set **Allowed Senders** to `Only addresses in my domains`. * Set **Authentication** to `Only accept mail from the specified IP addresses`. * Do not set **Require SMTP Authentication**. * Select **Require TLS encryption**. * Docker * Kubernetes If you are using Docker Compose, set the following environment variables for authentik: AUTHENTIK_EMAIL__HOST=smtp-relay.gmail.comAUTHENTIK_EMAIL__PORT=587AUTHENTIK_EMAIL__USE_TLS=trueAUTHENTIK_EMAIL__USE_SSL=falseAUTHENTIK_EMAIL__TIMEOUT=30 Redeploy the authentik containers, then use the `ak test_email` command to confirm that email delivery works. If you are using the Kubernetes Helm chart, set the following variables in the `email` section: email: host: "smtp-relay.gmail.com" port: 587 use_tls: true use_ssl: false timeout: 30 Redeploy the authentik containers, then use the `ak test_email` command to confirm that email delivery works. SMTP server with TLS verification[​](https://docs.goauthentik.io/install-config/email/#smtp-server-with-tls-verification "Direct link to SMTP server with TLS verification") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- If you're configuring authentik to send email via an SMTP server with TLS enabled, you must mount the certificate used for authentication in your authentik worker and server containers: * Docker * Kubernetes 1. Add the following configuration to the server and worker containers in your Docker Compose file: volumes: - /path/to/.crt:/etc/ssl/certs/.crt:roenvironment: - SSL_CERT_FILE="/etc/ssl/certs/.crt" 2. Redeploy the containers for the changes to take effect. 1. Create a `ConfigMap` with your certificate by running the following command on the Kubernetes host: kubectl create configmap my-custom-cert --from-file=.crt -n 2. Create a volume by adding the following configuration to your Kubernetes `values.yaml` file: volumes: - name: custom-ca configMap: # or use secret if preferred name: my-custom-cert 3. Add a `volumeMount` and environment variable to your server and worker containers by adding the following configuration to your Kubernetes `values.yaml` file in the appropriate locations: volumeMounts: - name: custom-ca mountPath: /etc/ssl/certs/ca-certificates.crt subPath: ca-certificates.crt readOnly: trueenv: - name: SSL_CERT_FILE value: /etc/ssl/certs/ca-certificates.crt 4. Recreate the pods for the changes to take effect. * [Global email settings](https://docs.goauthentik.io/install-config/email/#global-email-settings) * [Testing email configuration](https://docs.goauthentik.io/install-config/email/#testing-email-configuration) * [Google Workspace SMTP relay configuration](https://docs.goauthentik.io/install-config/email/#google-workspace-smtp-relay-configuration) * [SMTP server with TLS verification](https://docs.goauthentik.io/install-config/email/#smtp-server-with-tls-verification) --- # Docker Compose installation | authentik [Skip to main content](https://docs.goauthentik.io/install-config/install/docker-compose/#__docusaurus_skipToContent_fallback) On this page This installation method is for test setups and small-scale production setups. Requirements[​](https://docs.goauthentik.io/install-config/install/docker-compose/#requirements "Direct link to Requirements") ------------------------------------------------------------------------------------------------------------------------------- * A host with at least 2 CPU cores and 2 GB of RAM * Docker * Docker Compose (Compose v2, see [instructions for upgrade](https://docs.docker.com/compose/migrate/) ) Video[​](https://docs.goauthentik.io/install-config/install/docker-compose/#video "Direct link to Video") ---------------------------------------------------------------------------------------------------------- Preparation[​](https://docs.goauthentik.io/install-config/install/docker-compose/#preparation "Direct link to Preparation") ---------------------------------------------------------------------------------------------------------------------------- To download the latest `docker-compose.yml` open your terminal and navigate to the directory of your choice. Run the following command: * Linux * macOS wget https://docs.goauthentik.io/docker-compose.yml curl -O https://docs.goauthentik.io/docker-compose.yml If this is a fresh authentik installation, you need to generate a password and a secret key. Use a secure password generator of your choice such as pwgen, or you can use `openssl` as below. Run the following commands to generate a password and secret key and write them to your `.env` file: echo "PG_PASS=$(openssl rand -base64 36 | tr -d '\n')" >> .envecho "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env info Because of a PostgreSQL limitation, only passwords up to 99 chars are supported. See: [https://www.postgresql.org/message-id/\[email protected\]](https://www.postgresql.org/message-id/09512C4F-8CB9-4021-B455-EF4C4F0D55A0@amazon.com) To enable error reporting, run the following command: echo "AUTHENTIK_ERROR_REPORTING__ENABLED=true" >> .env Email configuration (optional but recommended)[​](https://docs.goauthentik.io/install-config/install/docker-compose/#email-configuration-optional-but-recommended "Direct link to Email configuration (optional but recommended)") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- It is also recommended to configure global email settings. These are used by authentik to notify administrators about alerts, configuration issues and new releases. They can also be used by [Email stages](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/) to send verification/recovery emails. For more information, refer to our [Email configuration](https://docs.goauthentik.io/install-config/email/) documentation. Startup[​](https://docs.goauthentik.io/install-config/install/docker-compose/#startup "Direct link to Startup") ---------------------------------------------------------------------------------------------------------------- warning All internal operations use UTC. Times displayed in the UI are automatically localized for the user. Do not update or mount `/etc/timezone` or `/etc/localtime` in the authentik containers; it will cause problems with OAuth and SAML authentication, as seen this [GitHub issue](https://github.com/goauthentik/authentik/issues/3005) . Afterward, run these commands to finish: docker compose pulldocker compose up -d The `docker-compose.yml` file statically references the latest version available at the time of downloading the compose file. Each time you upgrade to a newer version of authentik, you download a new `docker-compose.yml` file, which points to the latest available version. For more information, refer to the **Upgrading** section in the [Release Notes](https://docs.goauthentik.io/releases/) . To start the initial setup, navigate to `http://:9000/if/flow/initial-setup/`. info You will get a `Not Found` error if initial setup URL doesn't include the trailing forward slash `/`. Make sure you use the complete url (`http://:9000/if/flow/initial-setup/`) including the trailing forward slash. There you are prompted to set a password for the `akadmin` user (the default user). For an explanation about what each service in the docker compose file does, see [Architecture](https://docs.goauthentik.io/core/architecture/) . Configure custom ports[​](https://docs.goauthentik.io/install-config/install/docker-compose/#configure-custom-ports "Direct link to Configure custom ports") ------------------------------------------------------------------------------------------------------------------------------------------------------------- By default, authentik listens internally on port 9000 for HTTP and 9443 for HTTPS. To use different exposed ports such as 80 and 443, you can set the following variables in `.env`: COMPOSE_PORT_HTTP=80COMPOSE_PORT_HTTPS=443 See [Configuration](https://docs.goauthentik.io/install-config/configuration/) to change the internal ports. Be sure to run `docker compose up -d` to rebuild with the new port numbers. Docker socket[​](https://docs.goauthentik.io/install-config/install/docker-compose/#docker-socket "Direct link to Docker socket") ---------------------------------------------------------------------------------------------------------------------------------- By default, the authentik Docker Compose file mounts the Docker socket to the authentik worker container: - /var/run/docker.sock:/var/run/docker.sock This is used for [automatic deployment and management of authentik Outposts](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/docker/) . Mounting the Docker socket to a container comes with some inherent security risks. To reduce these risks, you can utilize a [Docker Socket Proxy](https://docs.goauthentik.io/add-secure-apps/outposts/integrations/docker/#docker-socket-proxy) as an additional layer of protection. Alternatively, you can remove this mount and instead [manually deploy and manage outposts](https://docs.goauthentik.io/add-secure-apps/outposts/manual-deploy-docker-compose/) . * [Requirements](https://docs.goauthentik.io/install-config/install/docker-compose/#requirements) * [Video](https://docs.goauthentik.io/install-config/install/docker-compose/#video) * [Preparation](https://docs.goauthentik.io/install-config/install/docker-compose/#preparation) * [Email configuration (optional but recommended)](https://docs.goauthentik.io/install-config/install/docker-compose/#email-configuration-optional-but-recommended) * [Startup](https://docs.goauthentik.io/install-config/install/docker-compose/#startup) * [Configure custom ports](https://docs.goauthentik.io/install-config/install/docker-compose/#configure-custom-ports) * [Docker socket](https://docs.goauthentik.io/install-config/install/docker-compose/#docker-socket) --- # Upgrade authentik | authentik [Skip to main content](https://docs.goauthentik.io/install-config/upgrade/#__docusaurus_skipToContent_fallback) On this page Upgrading to the latest version of authentik, whether a new major release or a patch, involves running a few commands to pull down the latest images and then restarting the servers and databases. Important considerations[​](https://docs.goauthentik.io/install-config/upgrade/#important-considerations "Direct link to Important considerations") ---------------------------------------------------------------------------------------------------------------------------------------------------- danger authentik does not support downgrading. Make sure to back up your database in case you need to revert an upgrade. **Preview the release notes**: Be sure to carefully read the [Release Notes](https://docs.goauthentik.io/releases/) for the specific version to which you plan to upgrade. The release might have special requirements or actions or contain breaking changes. **Database backup**: Before upgrading, make a backup of your PostgreSQL database. You can create a backup by dumping your existing database. For detailed instructions, refer to the relevant guide for your deployment method ([Docker Compose](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_docker/) or [Kubernetes](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/) ). **Upgrade sequence**: Upgrades must follow the sequence of major releases; **do not skip** directly from an older major version to the most recent version. Always upgrade to the latest minor version (`.x`) within each `major.minor` version before upgrading to the next major version. For example, if you're currently running `2025.2.1`, upgrade in the following order: 1. Upgrade to the latest `2025.2.x`. 2. Then to the latest `2025.4.x`. 3. Finally to the latest `2025.6.x`. **Outposts**: The version of the authentik server and all authentik outposts must match. Ensure that all [outposts are upgraded](https://docs.goauthentik.io/add-secure-apps/outposts/upgrading/) at the same time as the core authentik instance. Upgrade authentik[​](https://docs.goauthentik.io/install-config/upgrade/#upgrade-authentik "Direct link to Upgrade authentik") ------------------------------------------------------------------------------------------------------------------------------- * Docker Compose * Kubernetes * AWS Cloudformation ECS In your terminal, navigate to your installation directory and follow these steps: #### 1\. Retrieve latest `docker-compose.yml` file[​](https://docs.goauthentik.io/install-config/upgrade/#1-retrieve-latest-docker-composeyml-file "Direct link to 1-retrieve-latest-docker-composeyml-file") Download the `docker-compose.yml` file using either `wget -O docker-compose.yml https://docs.goauthentik.io/docker-compose.yml` or `curl -O https://docs.goauthentik.io/docker-compose.yml` or a similar process. **2\. Run upgrade commands** docker compose pulldocker compose up -d In your terminal, navigate to your installation directory and run the following commands: helm repo updatehelm upgrade --install authentik authentik/authentik -f values.yaml Navigate to your authentik AWS Cloudformation stack. Click on the **Changesets** tab and **Create changeset**. Select **Use existing template** and follow the prompts to upgrade. To upgrade to a specific version, select **Replace existing template** and use the following URL: `https://authentik-cloudformation-templates.s3.amazonaws.com/authentik.ecs.VERSION.yaml` replacing `VERSION` with the version you want to upgrade to. You can use `latest` to upgrade to the latest version. Upgrade any outposts[​](https://docs.goauthentik.io/install-config/upgrade/#upgrade-any-outposts "Direct link to Upgrade any outposts") ---------------------------------------------------------------------------------------------------------------------------------------- Be sure to also [upgrade any outposts](https://docs.goauthentik.io/add-secure-apps/outposts/upgrading/) when you upgrade your authentik instance. Verify your upgrade[​](https://docs.goauthentik.io/install-config/upgrade/#verify-your-upgrade "Direct link to Verify your upgrade") ------------------------------------------------------------------------------------------------------------------------------------- You can view the current version of your authentik instance by logging in to the Admin interface, and then navigating to **Dashboards > Overview**. ![](https://docs.goauthentik.io/assets/images/version1-7c609784e0def9a5808362354e345128.png) Troubleshooting your upgrade[​](https://docs.goauthentik.io/install-config/upgrade/#troubleshooting-your-upgrade "Direct link to Troubleshooting your upgrade") ---------------------------------------------------------------------------------------------------------------------------------------------------------------- If you run the upgrade commands but your version on the Dashboard doesn’t change, follow this steps: 1. Look at the server logs and search for an entry of `migration inconsistency`. 2. If you see this entry, revert to your database backup. 3. Now, upgrade to each subsequent higher version. That is, upgrade in sequence, do not skip directly to the most recent version. * [Important considerations](https://docs.goauthentik.io/install-config/upgrade/#important-considerations) * [Upgrade authentik](https://docs.goauthentik.io/install-config/upgrade/#upgrade-authentik) * [Upgrade any outposts](https://docs.goauthentik.io/install-config/upgrade/#upgrade-any-outposts) * [Verify your upgrade](https://docs.goauthentik.io/install-config/upgrade/#verify-your-upgrade) * [Troubleshooting your upgrade](https://docs.goauthentik.io/install-config/upgrade/#troubleshooting-your-upgrade) --- # Configuration | authentik [Skip to main content](https://docs.goauthentik.io/install-config/configuration/#__docusaurus_skipToContent_fallback) On this page This page details all the authentik configuration options that you can set via environment variables. About authentik configurations[​](https://docs.goauthentik.io/install-config/configuration/#about-authentik-configurations "Direct link to About authentik configurations") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- info The double-underscores are intentional, as all these settings are translated to YAML internally, and a double-underscore indicates the next level (a subsetting). All of these variables can be set to values, but you can also use a URI-like format to load values from other places: * `env://` Loads the value from the environment variable ``. Fallback can be optionally set like `env://?` * `file://` Loads the value from the file ``. Fallback can be optionally set like `file://?` Set your environment variables[​](https://docs.goauthentik.io/install-config/configuration/#set-your-environment-variables "Direct link to Set your environment variables") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * Docker Compose * Kubernetes If you are using Docker Compose, edit your `.env` file to append any keys that you want to add, and then run the following command to apply them: docker compose up -d If you are running in Kubernetes, edit your `values.yaml` file to append any keys that you want to add, and then run the following commands to apply: helm repo updatehelm upgrade --install authentik authentik/authentik -f values.yaml Verify your configuration settings[​](https://docs.goauthentik.io/install-config/configuration/#verify-your-configuration-settings "Direct link to Verify your configuration settings") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- To check if your config has been applied correctly, you can run the following command to output the full config: * Docker Compose * Kubernetes docker compose run --rm worker ak dump_config kubectl exec -it deployment/authentik-worker -c worker -- ak dump_config PostgreSQL Settings[​](https://docs.goauthentik.io/install-config/configuration/#postgresql-settings "Direct link to PostgreSQL Settings") ------------------------------------------------------------------------------------------------------------------------------------------- authentik requires a PostgreSQL database to store its configuration and data. Below are the settings to configure the database connection. ### Connection settings[​](https://docs.goauthentik.io/install-config/configuration/#connection-settings "Direct link to Connection settings") * `AUTHENTIK_POSTGRESQL__HOST`: Hostname or IP address of your PostgreSQL server. * `AUTHENTIK_POSTGRESQL__PORT`: Port on which PostgreSQL is listening. Defaults to the standard PostgreSQL port `5432`. * `AUTHENTIK_POSTGRESQL__USER`: Username that authentik will use to authenticate with PostgreSQL. * `AUTHENTIK_POSTGRESQL__PASSWORD`: Password for PostgreSQL authentication. If not set, it defaults to the value of the `POSTGRES_PASSWORD` environment variable (this fallback is specific to the default Docker Compose setup). * `AUTHENTIK_POSTGRESQL__NAME`: The name of the database for authentik to use. Hot-reloading The `AUTHENTIK_POSTGRESQL__HOST`, `AUTHENTIK_POSTGRESQL__PORT`, `AUTHENTIK_POSTGRESQL__USER`, and `AUTHENTIK_POSTGRESQL__PASSWORD` settings support hot-reloading and can be changed without restarting authentik. However, adding or removing read replicas requires a restart. ### SSL/TLS settings[​](https://docs.goauthentik.io/install-config/configuration/#ssltls-settings "Direct link to SSL/TLS settings") Configure SSL/TLS to secure the connection to your PostgreSQL server. * `AUTHENTIK_POSTGRESQL__SSLMODE`: Controls the SSL verification mode. Defaults to `verify-ca`. * `disable`: No SSL is used. * `allow`: Use SSL if available, but don't perform verification. * `prefer`: Attempt an SSL connection first, fall back to non-SSL if it fails. * `require`: Require an SSL connection, but without certificate verification. * `verify-ca`: Require SSL and verify that the server certificate is signed by a trusted CA. * `verify-full`: Require SSL, verify the CA, and verify that the server hostname matches the certificate. * `AUTHENTIK_POSTGRESQL__SSLROOTCERT`: Path to the CA certificate file for verifying the server's certificate. Required for `verify-ca` and `verify-full` modes. * `AUTHENTIK_POSTGRESQL__SSLCERT`: Path to the client SSL certificate file. Required if the PostgreSQL server is configured for mutual TLS and requires client certificates. * `AUTHENTIK_POSTGRESQL__SSLKEY`: Path to the private key for the client certificate (`SSLCERT`). For more details, see [Django's PostgreSQL documentation](https://docs.djangoproject.com/en/stable/ref/databases/#postgresql-connection-settings) or the [PostgreSQL documentation](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION) . ### Connection management[​](https://docs.goauthentik.io/install-config/configuration/#connection-management "Direct link to Connection management") These settings control connection persistence and behavior, which is particularly important when using a connection pooler like PgBouncer. * `AUTHENTIK_POSTGRESQL__CONN_MAX_AGE`: The maximum age of a database connection in seconds. * `0` (default): Connections are closed after each request. * greater than `0`: Enables persistent connections, with the value defining the maximum lifetime. * `None`: Unlimited persistence. Use with caution, especially with connection poolers. See [Django's documentation on persistent connections](https://docs.djangoproject.com/en/stable/ref/databases/#persistent-connections) for more details. * `AUTHENTIK_POSTGRESQL__CONN_HEALTH_CHECKS`: Enables health checks on persistent connections before reuse. Defaults to `false`. This helps prevent errors from stale connections that may have been terminated by the database or a pooler. See [Django's documentation](https://docs.djangoproject.com/en/stable/ref/settings/#conn-health-checks) for details. * `AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS`: Disables server-side cursors. Defaults to `false`. Server-side cursors can improve performance for large result sets but are incompatible with connection poolers in transaction pooling mode (like PgBouncer). **Set this to `true` if you use a transaction-based pooler or encounter cursor-related errors.** See [Django's documentation](https://docs.djangoproject.com/en/stable/ref/databases/#transaction-pooling-and-server-side-cursors) for more details. ### Advanced Settings[​](https://docs.goauthentik.io/install-config/configuration/#advanced-settings "Direct link to Advanced Settings") * `AUTHENTIK_POSTGRESQL__DEFAULT_SCHEMA` authentik: 2024.12.0+ The name of the database schema for authentik to use. Defaults to `public`. This can only be set before authentik is started for the first time. If you specify a custom schema, it must already exist in the database, and the user that authentik connects with must have permissions to access it. The `search_path` for the database user must also be configured to include this schema. * `AUTHENTIK_POSTGRESQL__CONN_OPTIONS` Arbitrary `libpq` parameter key words for the database connection. A list of parameter key words can be found [in the PostgreSQL documentation](https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS) . * Parameters passed with this setting will override those passed with other settings. * These parameters are not applied to read replicas. * Parameter keywords should be formatted as a base64-encoded JSON dictionary. ### Read Replicas[​](https://docs.goauthentik.io/install-config/configuration/#read-replicas "Direct link to Read Replicas") You can configure additional read replica databases to distribute database load and improve performance. When read replicas are configured, authentik automatically routes query operations between the primary database (for writes) and read replica databases (for queries). By default, the primary database won't be used for queries when read replicas are available. If you want the primary database to also handle queries, add it as a read replica. To configure authentik to use read replicas, add the settings below to your [configuration file](https://docs.goauthentik.io/install-config/configuration/#set-your-environment-variables) . If you have multiple read replicas, add settings for each one by using a unique index starting from `0` (e.g., `0`, `1`, `2`, etc.). The same PostgreSQL settings as described above are used for each read replica. For example, for the first read replica (index `0`): * `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__HOST` * `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__NAME` * `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__USER` * `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PORT` * `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PASSWORD` * `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__SSLMODE` * `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__SSLROOTCERT` * `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__SSLCERT` * `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__SSLKEY` * `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__CONN_MAX_AGE` * `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__CONN_HEALTH_CHECKS` * `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__DISABLE_SERVER_SIDE_CURSORS` * `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__CONN_OPTIONS` Additionally, you can set arbitrary connection parameters on all read replicas with: * `AUTHENTIK_POSTGRESQL__REPLICA_CONN_OPTIONS` Arbitrary `libpq` parameter key words for all read replicas database connections. A list of options can be found [in the PostgreSQL documentation](https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS) . * Parameters passed with this setting will override those passed with other settings. * Parameter key words should be formatted as a base64-encoded JSON dictionary. ### Using a PostgreSQL Connection Pooler[​](https://docs.goauthentik.io/install-config/configuration/#using-a-postgresql-connection-pooler "Direct link to Using a PostgreSQL Connection Pooler") When your PostgreSQL databases are running behind a connection pooler (like PgBouncer or PgPool), you need to adjust several settings to ensure compatibility: * `AUTHENTIK_POSTGRESQL__CONN_MAX_AGE`: A connection pooler running in session pool mode (which is the default for PgBouncer) can be incompatible with unlimited persistent connections (`null` setting). When the connection from the pooler to the database is dropped, the pooler will wait for the client to disconnect before releasing the connection. However, this will _never_ happen as authentik keeps the connection indefinitely. To address this incompatibility, either configure the connection pooler to run in transaction pool mode or set this value lower than any timeout that might cause the connection to be dropped (down to `0` to disable persistent connections). * `AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS`: When using a connection pooler in transaction pool mode (e.g., PgPool, or PgBouncer in transaction or statement pool mode), you must set this option to `true`. This is required because server-side cursors maintain state across multiple queries, which is incompatible with transaction-based pooling where connections may change between queries. ### Deprecated Settings[​](https://docs.goauthentik.io/install-config/configuration/#deprecated-settings "Direct link to Deprecated Settings") * `AUTHENTIK_POSTGRESQL__USE_PGBOUNCER`: Adjusts the database configuration to support connections to a PgBouncer connection pooler. This setting is deprecated and will be removed in a future version. Instead, use the configuration described in the [Using a PostgreSQL Connection Pooler](https://docs.goauthentik.io/install-config/configuration/#using-a-postgresql-connection-pooler) section. * `AUTHENTIK_POSTGRESQL__USE_PGPOOL`: Adjusts the database configuration to support connections to a Pgpool connection pooler. This setting is deprecated and will be removed in a future version. Instead, use the configuration described in the [Using a PostgreSQL Connection Pooler](https://docs.goauthentik.io/install-config/configuration/#using-a-postgresql-connection-pooler) section. Cache Settings[​](https://docs.goauthentik.io/install-config/configuration/#cache-settings "Direct link to Cache Settings") ---------------------------------------------------------------------------------------------------------------------------- * `AUTHENTIK_CACHE__TIMEOUT`: Timeout for cached data until it expires in seconds, defaults to 300 * `AUTHENTIK_CACHE__TIMEOUT_FLOWS`: Timeout for cached flow plans until they expire in seconds, defaults to 300 * `AUTHENTIK_CACHE__TIMEOUT_POLICIES`: Timeout for cached policies until they expire in seconds, defaults to 300 Worker settings[​](https://docs.goauthentik.io/install-config/configuration/#worker-settings "Direct link to Worker settings") ------------------------------------------------------------------------------------------------------------------------------- ##### `AUTHENTIK_WORKER__PROCESSES`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_worker__processes "Direct link to authentik_worker__processes") Configure how many worker processes should be started for Dramatiq to use. In environments where scaling with multiple replicas of the authentik worker is not possible, this number can be increased to handle higher loads. Defaults to 1. In environments where scaling with multiple replicas of the authentik worker is not possible, this number can be increased to handle higher loads. ##### `AUTHENTIK_WORKER__THREADS`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_worker__threads "Direct link to authentik_worker__threads") Configure how many Dramatiq threads are started per worker. In environments where scaling with multiple replicas of the authentik worker is not possible, this number can be increased to handle higher loads. Defaults to 2. A value below 2 threads is not recommended, unless you have multiple worker replicas. ##### `AUTHENTIK_WORKER__CONSUMER_LISTEN_TIMEOUT`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_worker__consumer_listen_timeout "Direct link to authentik_worker__consumer_listen_timeout") Configure how long a worker waits for a PostgreSQL `LISTEN` notification. Defaults to `seconds=30`. ##### `AUTHENTIK_WORKER__TASK_MAX_RETRIES`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_worker__task_max_retries "Direct link to authentik_worker__task_max_retries") Configure how many times a failing task will be retried before abandoning. Defaults to 5. ##### `AUTHENTIK_WORKER__TASK_DEFAULT_TIME_LIMIT`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_worker__task_default_time_limit "Direct link to authentik_worker__task_default_time_limit") Configure the default duration a task can run for before it is aborted. Some tasks will override this setting based on other settings, such as LDAP source synchronization tasks. Defaults to `minutes=10`. ##### `AUTHENTIK_WORKER__TASK_PURGE_INTERVAL`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_worker__task_purge_interval "Direct link to authentik_worker__task_purge_interval") Configure the interval at which old tasks are cleaned up. Defaults to `days=1`. ##### `AUTHENTIK_WORKER__TASK_EXPIRATION`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_worker__task_expiration "Direct link to authentik_worker__task_expiration") Configure how long tasks are kept in the database before they are deleted. Defaults to `days=30`. ##### `AUTHENTIK_WORKER__SCHEDULER_INTERVAL`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_worker__scheduler_interval "Direct link to authentik_worker__scheduler_interval") Configure how often the task scheduler runs. Defaults to `seconds=60`. Listen Settings[​](https://docs.goauthentik.io/install-config/configuration/#listen-settings "Direct link to Listen Settings") ------------------------------------------------------------------------------------------------------------------------------- ##### `AUTHENTIK_LISTEN__HTTP`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_listen__http "Direct link to authentik_listen__http") Listening address:port for HTTP. Applies to the Server, the Worker, and Proxy outposts. Defaults to `0.0.0.0:9000`. ##### `AUTHENTIK_LISTEN__HTTPS`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_listen__https "Direct link to authentik_listen__https") Listening address:port for HTTPS. Applies to the Server and Proxy outposts. Defaults to `0.0.0.0:9443`. ##### `AUTHENTIK_LISTEN__LDAP`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_listen__ldap "Direct link to authentik_listen__ldap") Listening address:port for LDAP. Applies to LDAP outposts. Defaults to `0.0.0.0:3389`. ##### `AUTHENTIK_LISTEN__LDAPS`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_listen__ldaps "Direct link to authentik_listen__ldaps") Listening address:port for LDAPS. Applies to LDAP outposts. Defaults to `0.0.0.0:6636`. ##### `AUTHENTIK_LISTEN__METRICS`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_listen__metrics "Direct link to authentik_listen__metrics") Listening address:port for Prometheus metrics. Applies to all. Defaults to `0.0.0.0:9300`. ##### `AUTHENTIK_LISTEN__DEBUG`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_listen__debug "Direct link to authentik_listen__debug") Listening address:port for Go Debugging metrics. Applies to all, except the worker. Defaults to `0.0.0.0:9900`. ##### `AUTHENTIK_LISTEN__DEBUG_PY`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_listen__debug_py "Direct link to authentik_listen__debug_py") Listening address:port for Python debugging server, see [Debugging](https://docs.goauthentik.io/developer-docs/setup/debugging/) . Applies to the Server and the Worker. Defaults to `0.0.0.0:9901`. ##### `AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_listen__trusted_proxy_cidrs "Direct link to authentik_listen__trusted_proxy_cidrs") List of comma-separated CIDRs that proxy headers should be accepted from. Applies to the Server. Requests directly coming from one an address within a CIDR specified here are able to set proxy headers, such as `X-Forwarded-For`. Requests coming from other addresses will not be able to set these headers. Defaults to `127.0.0.0/8`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `fe80::/10`, `::1/128`. Media Storage Settings[​](https://docs.goauthentik.io/install-config/configuration/#media-storage-settings "Direct link to Media Storage Settings") ---------------------------------------------------------------------------------------------------------------------------------------------------- These settings affect where media files are stored. Those files include applications and sources icons. By default, they are stored on disk in the `/media` directory of the authentik container. S3 storage is also supported. * `AUTHENTIK_STORAGE__MEDIA__BACKEND`: Where to store files. Valid values are `file` and `s3`. For `file` storage, files are stored in a `/media` directory in the container. For `s3`, see below. * `AUTHENTIK_STORAGE__MEDIA__S3__REGION`: S3 region where the bucket has been created. May be omitted depending on which S3 provider you use. No default. * `AUTHENTIK_STORAGE__MEDIA__S3__USE_SSL`: Whether to use HTTPS when talking to the S3 storage providers. Defaults to `true`. * `AUTHENTIK_STORAGE__MEDIA__S3__ENDPOINT`: Endpoint to use to talk to the S3 storage provider. Override the previous region and use\_ssl settings. Must be a valid URL in the form of `https://s3.provider`. No default. * `AUTHENTIK_STORAGE__MEDIA__S3__SESSION_PROFILE`: Profile to use when using AWS SDK authentication. No default. Supports hot-reloading. * `AUTHENTIK_STORAGE__MEDIA__S3__ACCESS_KEY`: Access key to authenticate to S3. May be omitted if using AWS SDK authentication. Supports hot-reloading. * `AUTHENTIK_STORAGE__MEDIA__S3__SECRET_KEY`: Secret key to authenticate to S3. May be omitted if using AWS SDK authentication. Supports hot-reloading. * `AUTHENTIK_STORAGE__MEDIA__S3__SECURITY_TOKEN`: Security token to authenticate to S3. May be omitted. Supports hot-reloading. * `AUTHENTIK_STORAGE__MEDIA__S3__BUCKET_NAME`: Name of the bucket to use to store files. * `AUTHENTIK_STORAGE__MEDIA__S3__CUSTOM_DOMAIN`: Domain to use to create URLs for users. Mainly useful for non-AWS providers. May include a port. Must include the bucket. Example: `s3.company:8080/authentik-media`. * `AUTHENTIK_STORAGE__MEDIA__S3__SECURE_URLS`: Whether URLs created use HTTPS (set to `true` by default) or HTTP. authentik Settings[​](https://docs.goauthentik.io/install-config/configuration/#authentik-settings "Direct link to authentik Settings") ---------------------------------------------------------------------------------------------------------------------------------------- ### `AUTHENTIK_SECRET_KEY`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_secret_key "Direct link to authentik_secret_key") Secret key used for cookie signing. Changing this will invalidate active sessions. caution Prior to 2023.6.0 the secret key was also used for unique user IDs. When running a pre-2023.6.0 version of authentik the key should _not_ be changed after the first install. ### `AUTHENTIK_LOG_LEVEL`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_log_level "Direct link to authentik_log_level") Log level for the server and worker containers. Possible values: `debug`, `info`, `warning`, `error`. Starting with 2021.12.3, you can also set the log level to `trace`. This has no effect on the core authentik server, but shows additional messages for the embedded outpost. danger Setting the log level to `trace` will include sensitive details in logs, so it shouldn't be used in most cases. Logs generated with `trace` should be treated with care as they can give others access to your instance, and can potentially include things like session cookies to authentik **and other pages**. Defaults to `info`. ### `AUTHENTIK_COOKIE_DOMAIN`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_cookie_domain "Direct link to authentik_cookie_domain") Which domain the session cookie should be set to. By default, the cookie is set to the domain authentik is accessed under. ### `AUTHENTIK_EVENTS__CONTEXT_PROCESSORS__GEOIP`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_events__context_processors__geoip "Direct link to authentik_events__context_processors__geoip") Path to the GeoIP City database. Defaults to `/geoip/GeoLite2-City.mmdb`. If the file is not found, authentik will skip GeoIP support. ### `AUTHENTIK_EVENTS__CONTEXT_PROCESSORS__ASN`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_events__context_processors__asn "Direct link to authentik_events__context_processors__asn") Path to the GeoIP ASN database. Defaults to `/geoip/GeoLite2-ASN.mmdb`. If the file is not found, authentik will skip GeoIP support. ### `AUTHENTIK_DISABLE_UPDATE_CHECK`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_disable_update_check "Direct link to authentik_disable_update_check") Disable the inbuilt update-checker. Defaults to `false`. ### `AUTHENTIK_ERROR_REPORTING`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_error_reporting "Direct link to authentik_error_reporting") * `AUTHENTIK_ERROR_REPORTING__ENABLED` Enable error reporting. Defaults to `false`. Error reports are sent to [https://sentry.io](https://sentry.io/) and are used for debugging and general feedback. Anonymous performance data is also sent. * `AUTHENTIK_ERROR_REPORTING__SENTRY_DSN` Sets the DSN for the Sentry API endpoint. When error reporting is enabled, the default Sentry DSN will allow the authentik developers to receive error reports and anonymous performance data, which is used for general feedback about authentik, and in some cases, may be used for debugging purposes. Users can create their own hosted Sentry account (or self-host Sentry) and opt to collect this data themselves. * `AUTHENTIK_ERROR_REPORTING__ENVIRONMENT` The environment tag associated with all data sent to Sentry. Defaults to `customer`. When error reporting has been enabled to aid in debugging issues, this should be set to a unique value, such as an email address. * `AUTHENTIK_ERROR_REPORTING__SEND_PII` Whether or not to send personal data, like usernames. Defaults to `false`. * `AUTHENTIK_ERROR_REPORTING__EXTRA_ARGS` Base64-encoded sentry\_init arguments. See [Sentry's documentation](https://docs.sentry.io/platforms/python/configuration/options/) for available options. ### `AUTHENTIK_EMAIL`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_email "Direct link to authentik_email") * `AUTHENTIK_EMAIL__HOST` Default: `localhost` * `AUTHENTIK_EMAIL__PORT` Default: `25` * `AUTHENTIK_EMAIL__USERNAME` Default: \`\` (Don't add quotation marks) * `AUTHENTIK_EMAIL__PASSWORD` Default: \`\` (Don't add quotation marks) * `AUTHENTIK_EMAIL__USE_TLS` Default: `false` * `AUTHENTIK_EMAIL__USE_SSL` Default: `false` * `AUTHENTIK_EMAIL__TIMEOUT` Default: `10` * `AUTHENTIK_EMAIL__FROM` Default: `authentik@localhost` Email address authentik will send from, should have a correct [**@domain**](https://github.com/domain) To change the sender's display name, use a format like `Name `. ### `AUTHENTIK_OUTPOSTS`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_outposts "Direct link to authentik_outposts") * `AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE` Placeholders: * `%(type)s`: Outpost type; proxy, ldap, etc * `%(version)s`: Current version; 2021.4.1 * `%(build_hash)s`: Build hash if you're running a beta version Placeholder for outpost docker images. Default: `ghcr.io/goauthentik/%(type)s:%(version)s`. * `AUTHENTIK_OUTPOSTS__DISCOVER` Configure the automatic discovery of integrations. Defaults to `true`. By default, the following is discovered: * Kubernetes in-cluster config * Kubeconfig * Existence of a docker socket ### `AUTHENTIK_LDAP__TASK_TIMEOUT_HOURS`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_ldap__task_timeout_hours "Direct link to authentik_ldap__task_timeout_hours") Timeout in hours for LDAP synchronization tasks. Defaults to `2`. ### `AUTHENTIK_LDAP__PAGE_SIZE`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_ldap__page_size "Direct link to authentik_ldap__page_size") Page size for LDAP synchronization. Controls the number of objects created in a single task. Defaults to `50`. ### `AUTHENTIK_LDAP__TLS__CIPHERS`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_ldap__tls__ciphers "Direct link to authentik_ldap__tls__ciphers") Allows configuration of TLS Cliphers for LDAP connections used by LDAP sources. Setting applies to all sources. Defaults to `null`. ### `AUTHENTIK_REPUTATION__EXPIRY`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_reputation__expiry "Direct link to authentik_reputation__expiry") Configure how long reputation scores should be saved for in seconds. Defaults to `86400`. ### `AUTHENTIK_SESSION_STORAGE`authentik: 2024.4.0+[​](https://docs.goauthentik.io/install-config/configuration/#authentik_session_storage "Direct link to authentik_session_storage") Deprecated This setting is removed as of version 2025.4. Sessions are now exclusively stored in the database. See our [2025.4 release notes](https://docs.goauthentik.io/releases/2025.4/#sessions-are-now-stored-in-the-database) for more information. If you are running a version earlier than 2025.4, you can configure if the sessions are stored in the cache or the database. Defaults to `cache`. Allowed values are `cache` and `db`. Note that changing this value will invalidate all previous sessions. ### `AUTHENTIK_SESSIONS__UNAUTHENTICATED_AGE`authentik: 2025.4.0+[​](https://docs.goauthentik.io/install-config/configuration/#authentik_sessions__unauthenticated_age "Direct link to authentik_sessions__unauthenticated_age") Configure how long unauthenticated sessions last for. Does not impact how long authenticated sessions are valid for. See the [user login stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_login/) for session validity. Defaults to `days=1`. ### `AUTHENTIK_WEB__WORKERS`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_web__workers "Direct link to authentik_web__workers") Configure how many gunicorn worker processes should be started (see [https://docs.gunicorn.org/en/stable/design.html](https://docs.gunicorn.org/en/stable/design.html) ). Defaults to 2. A value below 2 workers is not recommended. In environments where scaling with multiple replicas of the authentik server is not possible, this number can be increased to handle higher loads. ### `AUTHENTIK_WEB__THREADS`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_web__threads "Direct link to authentik_web__threads") Configure how many gunicorn threads a worker processes should have (see [https://docs.gunicorn.org/en/stable/design.html](https://docs.gunicorn.org/en/stable/design.html) ). Defaults to 4. ### `AUTHENTIK_WEB__PATH`[​](https://docs.goauthentik.io/install-config/configuration/#authentik_web__path "Direct link to authentik_web__path") info Requires authentik 2024.8 Configure the path under which authentik is serverd. For example to access authentik under `https://my.domain/authentik/`, set this to `/authentik/`. Value _must_ contain both a leading and trailing slash. Defaults to `/`. System settingsauthentik: 2024.2.0+[​](https://docs.goauthentik.io/install-config/configuration/#system-settings "Direct link to system-settings") --------------------------------------------------------------------------------------------------------------------------------------------------- Additional settings are configurable using the Admin interface, under **System** > **Settings** or using the API. Custom python settings[​](https://docs.goauthentik.io/install-config/configuration/#custom-python-settings "Direct link to Custom python settings") ---------------------------------------------------------------------------------------------------------------------------------------------------- To modify additional settings further than the options above allow, you can create a custom Python file and mount it to `/data/user_settings.py`. This file will be loaded on startup by both the server and the worker. All default settings are [here](https://github.com/goauthentik/authentik/blob/main/authentik/root/settings.py) caution Using these custom settings is not supported and can prevent your authentik instance from starting. Use with caution. * [About authentik configurations](https://docs.goauthentik.io/install-config/configuration/#about-authentik-configurations) * [Set your environment variables](https://docs.goauthentik.io/install-config/configuration/#set-your-environment-variables) * [Verify your configuration settings](https://docs.goauthentik.io/install-config/configuration/#verify-your-configuration-settings) * [PostgreSQL Settings](https://docs.goauthentik.io/install-config/configuration/#postgresql-settings) * [Connection settings](https://docs.goauthentik.io/install-config/configuration/#connection-settings) * [SSL/TLS settings](https://docs.goauthentik.io/install-config/configuration/#ssltls-settings) * [Connection management](https://docs.goauthentik.io/install-config/configuration/#connection-management) * [Advanced Settings](https://docs.goauthentik.io/install-config/configuration/#advanced-settings) * [Read Replicas](https://docs.goauthentik.io/install-config/configuration/#read-replicas) * [Using a PostgreSQL Connection Pooler](https://docs.goauthentik.io/install-config/configuration/#using-a-postgresql-connection-pooler) * [Deprecated Settings](https://docs.goauthentik.io/install-config/configuration/#deprecated-settings) * [Cache Settings](https://docs.goauthentik.io/install-config/configuration/#cache-settings) * [Worker settings](https://docs.goauthentik.io/install-config/configuration/#worker-settings) * [Listen Settings](https://docs.goauthentik.io/install-config/configuration/#listen-settings) * [Media Storage Settings](https://docs.goauthentik.io/install-config/configuration/#media-storage-settings) * [authentik Settings](https://docs.goauthentik.io/install-config/configuration/#authentik-settings) * [`AUTHENTIK_SECRET_KEY`](https://docs.goauthentik.io/install-config/configuration/#authentik_secret_key) * [`AUTHENTIK_LOG_LEVEL`](https://docs.goauthentik.io/install-config/configuration/#authentik_log_level) * [`AUTHENTIK_COOKIE_DOMAIN`](https://docs.goauthentik.io/install-config/configuration/#authentik_cookie_domain) * [`AUTHENTIK_EVENTS__CONTEXT_PROCESSORS__GEOIP`](https://docs.goauthentik.io/install-config/configuration/#authentik_events__context_processors__geoip) * [`AUTHENTIK_EVENTS__CONTEXT_PROCESSORS__ASN`](https://docs.goauthentik.io/install-config/configuration/#authentik_events__context_processors__asn) * [`AUTHENTIK_DISABLE_UPDATE_CHECK`](https://docs.goauthentik.io/install-config/configuration/#authentik_disable_update_check) * [`AUTHENTIK_ERROR_REPORTING`](https://docs.goauthentik.io/install-config/configuration/#authentik_error_reporting) * [`AUTHENTIK_EMAIL`](https://docs.goauthentik.io/install-config/configuration/#authentik_email) * [`AUTHENTIK_OUTPOSTS`](https://docs.goauthentik.io/install-config/configuration/#authentik_outposts) * [`AUTHENTIK_LDAP__TASK_TIMEOUT_HOURS`](https://docs.goauthentik.io/install-config/configuration/#authentik_ldap__task_timeout_hours) * [`AUTHENTIK_LDAP__PAGE_SIZE`](https://docs.goauthentik.io/install-config/configuration/#authentik_ldap__page_size) * [`AUTHENTIK_LDAP__TLS__CIPHERS`](https://docs.goauthentik.io/install-config/configuration/#authentik_ldap__tls__ciphers) * [`AUTHENTIK_REPUTATION__EXPIRY`](https://docs.goauthentik.io/install-config/configuration/#authentik_reputation__expiry) * [`AUTHENTIK_SESSION_STORAGE`](https://docs.goauthentik.io/install-config/configuration/#authentik_session_storage) * [`AUTHENTIK_SESSIONS__UNAUTHENTICATED_AGE`](https://docs.goauthentik.io/install-config/configuration/#authentik_sessions__unauthenticated_age) * [`AUTHENTIK_WEB__WORKERS`](https://docs.goauthentik.io/install-config/configuration/#authentik_web__workers) * [`AUTHENTIK_WEB__THREADS`](https://docs.goauthentik.io/install-config/configuration/#authentik_web__threads) * [`AUTHENTIK_WEB__PATH`](https://docs.goauthentik.io/install-config/configuration/#authentik_web__path) * [System settings](https://docs.goauthentik.io/install-config/configuration/#system-settings) * [Custom python settings](https://docs.goauthentik.io/install-config/configuration/#custom-python-settings) --- # Providers | authentik [Skip to main content](https://docs.goauthentik.io/providers/#__docusaurus_skipToContent_fallback) A Provider is an authentication method, a service that is used by authentik to authenticate the user for the associated application. Common Providers are OpenID Connect (OIDC)/OAuth2, LDAP, SAML, a generic proxy provider, and others. Providers are the "other half" of [applications](https://docs.goauthentik.io/add-secure-apps/applications/) . They typically exist in a 1-to-1 relationship; each application needs a provider and every provider can be used with one application. You can create a new provider in the Admin interface, or you can use the [**Create with Provider** option](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#create-an-application-and-provider-pair) to create a new application and its provider at the same time. Applications can use additional providers to augment the functionality of the main provider. For more information, see [Backchannel providers](https://docs.goauthentik.io/add-secure-apps/applications/manage_apps/#backchannel-providers) . When you create certain types of providers, you need to select specific [flows](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/) to apply to users who access authentik via the provider. To learn more, refer to our [default flow documentation](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/default_flows/) . You can also create a SAML provider by uploading an SP metadata XML file that contains the service provider's configuration data. SAML metadata is used to share configuration information between the Identity Provider (IdP) and the Service Provider (SP). An SP metadata XML file typically contains the SP certificate, the entity ID, the Assertion Consumer Service URL (ACS URL), and a log out URL (SingleLogoutService). To learn more about each provider type, refer to the documentation for each provider: [🗃️ Property Mappings\ ---------------------\ \ 1 item](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/) [📄️ Single Logout\ -----------------\ \ Single Logout (SLO) is a security feature that logs users out of all active applications when they log out of authentik. It uses the OAuth2/OpenID Connect front-channel and back-channel logout specifications in combination with SAML's Single Logout specification.](https://docs.goauthentik.io/add-secure-apps/providers/single-logout/) [🗃️ Google Workspace Provider\ -----------------------------\ \ 2 items](https://docs.goauthentik.io/add-secure-apps/providers/gws/) [🗃️ LDAP Provider\ -----------------\ \ 1 item](https://docs.goauthentik.io/add-secure-apps/providers/ldap/) [🗃️ Microsoft Entra ID Provider\ -------------------------------\ \ 2 items](https://docs.goauthentik.io/add-secure-apps/providers/entra/) [🗃️ OAuth2 Provider\ -------------------\ \ 6 items](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/) [🗃️ Proxy Provider\ ------------------\ \ 3 items](https://docs.goauthentik.io/add-secure-apps/providers/proxy/) [🗃️ RAC (Remote Access Control) Provider\ ----------------------------------------\ \ 3 items](https://docs.goauthentik.io/add-secure-apps/providers/rac/) [📄️ RADIUS Provider\ -------------------\ \ You can configure a Radius provider for applications that don't support any other protocols or that require Radius.](https://docs.goauthentik.io/add-secure-apps/providers/radius/) [🗃️ SAML Provider\ -----------------\ \ 2 items](https://docs.goauthentik.io/add-secure-apps/providers/saml/) [📄️ SCIM Provider\ -----------------\ \ SCIM (System for Cross-domain Identity Management) is a set of APIs to provision users and groups. The SCIM provider in authentik supports SCIM 2.0 and can be used to provision and sync users from authentik into other applications.](https://docs.goauthentik.io/add-secure-apps/providers/scim/) [🗃️ SSF Provider\ ----------------\ \ 1 item](https://docs.goauthentik.io/add-secure-apps/providers/ssf/) --- # Security | authentik [Skip to main content](https://docs.goauthentik.io/security/#__docusaurus_skipToContent_fallback) [📄️ Security Policy\ -------------------](https://docs.goauthentik.io/security/policy/) [📄️ Hardening authentik\ -----------------------\ \ While authentik is secure out of the box, you can take steps to further increase the security of an authentik instance. As everyone knows, there is a consequential tradeoff between security and convenience. All of these hardening practices have an impact on the user experience and should only be applied knowing this tradeoff.](https://docs.goauthentik.io/security/security-hardening/) [🗃️ Audits and Certificates\ ---------------------------\ \ 2 items](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/) [🗃️ CVEs\ --------\ \ 4 items](https://docs.goauthentik.io/security/cves/CVE-2025-64708/) --- # 2023-06 Cure53 Code audit | authentik [Skip to main content](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#__docusaurus_skipToContent_fallback) On this page In May/June of 2023, we had a pentest conducted by [Cure53](https://cure53.de/) . The following security updates, 2023.4.2 and 2023.5.3 were released as a response to the found issues. From the [complete report](https://cure53.de/pentest-report_authentik.pdf) , these are the points we're addressing with this update: ### ATH-01-001: Path traversal on blueprints allows arbitrary file-read (Medium)[​](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-001-path-traversal-on-blueprints-allows-arbitrary-file-read-medium "Direct link to ATH-01-001: Path traversal on blueprints allows arbitrary file-read (Medium)") This had accidentally been patched by a previous commit already; and was also only possible for users with superuser permissions. ### ATH-01-003: CSS injection via faulty string replacement in Mermaid (Low)[​](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-003-css-injection-via-faulty-string-replacement-in-mermaid-low "Direct link to ATH-01-003: CSS injection via faulty string replacement in Mermaid (Low)") This is an unrelated issue that was found with a third-party dependency ([Mermaid](https://mermaid.js.org/) ), fixed with [https://github.com/mermaid-js/mermaid/releases/tag/v10.2.2](https://github.com/mermaid-js/mermaid/releases/tag/v10.2.2) Additionally we've also taken steps to further mitigate possible issues that could be caused in this way. ### ATH-01-008: User-passwords disclosed to third-party service (High)[​](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-008-user-passwords-disclosed-to-third-party-service-high "Direct link to ATH-01-008: User-passwords disclosed to third-party service (High)") In certain circumstances, using the Enter key to submit some forms instead of clicking submit would cause the frontend to change the URL instead of calling the API, which could lead to sensitive data being disclosed. ### ATH-01-009: Lack of CSRF protection in impersonate feature (Low)[​](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-009-lack-of-csrf-protection-in-impersonate-feature-low "Direct link to ATH-01-009: Lack of CSRF protection in impersonate feature (Low)") Previous the URL to start an impersonation was a simple GET URL request, which was susceptible to CSRF. This has been changed to an API Post request. ### ATH-01-010: Web authentication bypass via key confusion (High)[​](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-010-web-authentication-bypass-via-key-confusion-high "Direct link to ATH-01-010: Web authentication bypass via key confusion (High)") When using WebAuthn to authenticate, the owner of the WebAuthn device wasn't checked. However to exploit this, an attacker would need to be able to already intercept HTTP traffic and read the data. ### ATH-01-014: Authentication challenges abused by foreign flow (Medium)[​](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-014-authentication-challenges-abused-by-foreign-flow-medium "Direct link to ATH-01-014: Authentication challenges abused by foreign flow (Medium)") Previously it was possible to use an MFA authenticator class that wasn't allowed in a flow, if another flow existed that allowed this class. The patch changes data to be isolated per flow to prevent this issue. ### ATH-01-004: Information disclosure on system endpoint (Info)[​](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-004-information-disclosure-on-system-endpoint-info "Direct link to ATH-01-004: Information disclosure on system endpoint (Info)") The `/api/v3/admin/system/` (only accessible to superusers) endpoint returns a large amount of system info (mostly used for debugging), like the HTTP headers sent to the server. It also included all environment variables set for authentik. The environment variables have been removed. ### ATH-01-005: Timing-unsafe comparison in API authentication (Info)[​](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-005-timing-unsafe-comparison-in-api-authentication-info "Direct link to ATH-01-005: Timing-unsafe comparison in API authentication (Info)") In the API authentication that is used by the embedded outpost (API authentication via Secret key), a timing-unsafe comparison was used. ### ATH-01-012: Unintended diagram created due to unescaped quotes (Info)[​](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-012-unintended-diagram-created-due-to-unescaped-quotes-info "Direct link to ATH-01-012: Unintended diagram created due to unescaped quotes (Info)") Related to ATH-01-003, it was possible to insert unintended diagrams into generated diagrams. Additional info[​](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#additional-info "Direct link to Additional info") ------------------------------------------------------------------------------------------------------------------------------------------- In addition to the points above, several of the findings are classified as intended features (such as the expression policies). However, we have published additional [hardening documentation](https://docs.goauthentik.io/security/security-hardening/) to provide guidance for further measures that can be taken to limit any possible risks associated with these features. ### ATH-01-002: Stored XSS in help text of prompt module (Medium)[​](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-002-stored-xss-in-help-text-of-prompt-module-medium "Direct link to ATH-01-002: Stored XSS in help text of prompt module (Medium)") Prompt help texts can use HTML to add markup, which also includes the option to include JavaScript. This is only possible to configure for superusers. To mitigate the risk of a rogue superuser creating a stage with a malicious script, requests to the `/api/v3/stages/captcha*` and `/api/v3/managed/blueprints*` endpoints can be blocked. With these restrictions in place, Captcha stages can only be edited using Blueprints on the file system. It is also recommended to use the RBAC system to restrict which users can edit these objects. ### ATH-01-006: Arbitrary code execution via expressions (Critical)[​](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-006-arbitrary-code-execution-via-expressions-critical "Direct link to ATH-01-006: Arbitrary code execution via expressions (Critical)") This is the intended function of expression policies/property mappings, which also requires superuser permissions to edit. To mitigate the risk of a rogue superuser creating a malicious expression, requests to the `/api/v3/policies/expression*`, `/api/v3/propertymappings*`, and `/api/v3/managed/blueprints*` endpoints can be blocked. With these restrictions in place, expression can only be edited using Blueprints on the file system. It is also recommended to use the RBAC system to restrict which users can edit these objects. ### ATH-01-007: SSRF via blueprints feature for fetching manifests (Medium)[​](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-007-ssrf-via-blueprints-feature-for-fetching-manifests-medium "Direct link to ATH-01-007: SSRF via blueprints feature for fetching manifests (Medium)") Superusers can fetch blueprints via OCI registries, which could be potentially used for server-side request forgery. To mitigate the risk of a rogue superuser sending malicious requests, requests to the `/api/v3/managed/blueprints*` endpoint can be blocked. With these restrictions in place, blueprints can only be edited using YAML files on the file system. It is also recommended to use the RBAC system to restrict which users can edit these objects. ### ATH-01-013: XSS via CAPTCHA JavaScript URL (Medium)[​](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-013-xss-via-captcha-javascript-url-medium "Direct link to ATH-01-013: XSS via CAPTCHA JavaScript URL (Medium)") Similar to ATH-01-002, any arbitrary JavaScript can be loaded using the Captcha stage. This is also limited to superusers. In order to prevent potential exploitation, it is recommended to limit the setting to allow-listed JavaScript URLs only. ### ATH-01-011: Weak default configs in logout/change password flows (Info)[​](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-011-weak-default-configs-in-logoutchange-password-flows-info "Direct link to ATH-01-011: Weak default configs in logout/change password flows (Info)") The default logout flow does not do any additional validation and logs the user out with a single GET request. The default password-change flow does not verify the users current password, nor does it show the current users info. * [ATH-01-001: Path traversal on blueprints allows arbitrary file-read (Medium)](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-001-path-traversal-on-blueprints-allows-arbitrary-file-read-medium) * [ATH-01-003: CSS injection via faulty string replacement in Mermaid (Low)](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-003-css-injection-via-faulty-string-replacement-in-mermaid-low) * [ATH-01-008: User-passwords disclosed to third-party service (High)](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-008-user-passwords-disclosed-to-third-party-service-high) * [ATH-01-009: Lack of CSRF protection in impersonate feature (Low)](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-009-lack-of-csrf-protection-in-impersonate-feature-low) * [ATH-01-010: Web authentication bypass via key confusion (High)](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-010-web-authentication-bypass-via-key-confusion-high) * [ATH-01-014: Authentication challenges abused by foreign flow (Medium)](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-014-authentication-challenges-abused-by-foreign-flow-medium) * [ATH-01-004: Information disclosure on system endpoint (Info)](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-004-information-disclosure-on-system-endpoint-info) * [ATH-01-005: Timing-unsafe comparison in API authentication (Info)](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-005-timing-unsafe-comparison-in-api-authentication-info) * [ATH-01-012: Unintended diagram created due to unescaped quotes (Info)](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-012-unintended-diagram-created-due-to-unescaped-quotes-info) * [Additional info](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#additional-info) * [ATH-01-002: Stored XSS in help text of prompt module (Medium)](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-002-stored-xss-in-help-text-of-prompt-module-medium) * [ATH-01-006: Arbitrary code execution via expressions (Critical)](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-006-arbitrary-code-execution-via-expressions-critical) * [ATH-01-007: SSRF via blueprints feature for fetching manifests (Medium)](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-007-ssrf-via-blueprints-feature-for-fetching-manifests-medium) * [ATH-01-013: XSS via CAPTCHA JavaScript URL (Medium)](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-013-xss-via-captcha-javascript-url-medium) * [ATH-01-011: Weak default configs in logout/change password flows (Info)](https://docs.goauthentik.io/security/audits-and-certs/2023-06-cure53/#ath-01-011-weak-default-configs-in-logoutchange-password-flows-info) --- # CVE-2022-46145 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2022-46145/#__docusaurus_skipToContent_fallback) On this page _Reported by [@sdimovv](https://github.com/sdimovv) _ Unauthorized user creation and potential account takeover[​](https://docs.goauthentik.io/security/cves/CVE-2022-46145/#unauthorized-user-creation-and-potential-account-takeover "Direct link to Unauthorized user creation and potential account takeover") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Impact[​](https://docs.goauthentik.io/security/cves/CVE-2022-46145/#impact "Direct link to Impact") With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2022-46145/#patches "Direct link to Patches") authentik 2022.11.2 and 2022.10.2 fix this issue, for other versions the workaround can be used. ### Workarounds[​](https://docs.goauthentik.io/security/cves/CVE-2022-46145/#workarounds "Direct link to Workarounds") A policy can be created and bound to the `default-user-settings-flow` flow with the following contents return request.user.is_authenticated * [Unauthorized user creation and potential account takeover](https://docs.goauthentik.io/security/cves/CVE-2022-46145/#unauthorized-user-creation-and-potential-account-takeover) * [Impact](https://docs.goauthentik.io/security/cves/CVE-2022-46145/#impact) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2022-46145/#patches) * [Workarounds](https://docs.goauthentik.io/security/cves/CVE-2022-46145/#workarounds) --- # CVE-2022-23555 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2022-23555/#__docusaurus_skipToContent_fallback) On this page _Reported by [@fuomag9](https://github.com/fuomag9) _ Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow[​](https://docs.goauthentik.io/security/cves/CVE-2022-23555/#token-reuse-in-invitation-urls-leads-to-access-control-bypass-via-the-use-of-a-different-enrollment-flow "Direct link to Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Summary[​](https://docs.goauthentik.io/security/cves/CVE-2022-23555/#summary "Direct link to Summary") Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than in the one provided. ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2022-23555/#patches "Direct link to Patches") authentik 2022.11.4, 2022.10.4 and 2022.12.0 fix this issue, for other versions the workaround can be used. ### Impact[​](https://docs.goauthentik.io/security/cves/CVE-2022-23555/#impact "Direct link to Impact") Only configurations using both invitations and have multiple enrollment flows with invitation stages that grant different permissions are affected. The default configuration is not vulnerable, and neither are configurations with a single enrollment flow. ### Details[​](https://docs.goauthentik.io/security/cves/CVE-2022-23555/#details "Direct link to Details") The vulnerability allows an attacker that knows different invitation flows names (e.g. `enrollment-invitation-test` and `enrollment-invitation-admin`) via either different invite links or via brute forcing to signup via a single invitation url for any valid invite link received (it can even be a url for a third flow as long as it's a valid invite) as the token used in the `Invitations` section of the Admin interface does NOT change when a different `enrollment flow` is selected via the interface and it is NOT bound to the selected flow, so it will be valid for any flow when used. ### Workarounds[​](https://docs.goauthentik.io/security/cves/CVE-2022-23555/#workarounds "Direct link to Workarounds") As a workaround, fixed data can be added to invitations which can be checked in the flow to deny requests. Alternatively, an identifier with high entropy (like a UUID) can be used as flow slug, mitigating the attack vector by exponentially decreasing the possibility of discovering other flows. ### For more information[​](https://docs.goauthentik.io/security/cves/CVE-2022-23555/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#2e5d4b4d5b5c475a576e49414f5b5a464b405a4745004741) * [Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow](https://docs.goauthentik.io/security/cves/CVE-2022-23555/#token-reuse-in-invitation-urls-leads-to-access-control-bypass-via-the-use-of-a-different-enrollment-flow) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2022-23555/#summary) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2022-23555/#patches) * [Impact](https://docs.goauthentik.io/security/cves/CVE-2022-23555/#impact) * [Details](https://docs.goauthentik.io/security/cves/CVE-2022-23555/#details) * [Workarounds](https://docs.goauthentik.io/security/cves/CVE-2022-23555/#workarounds) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2022-23555/#for-more-information) --- # 2024-11 Cobalt pentest | authentik [Skip to main content](https://docs.goauthentik.io/security/audits-and-certs/2024-11-cobalt/#__docusaurus_skipToContent_fallback) On this page We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. In August-September of 2024, we had a pentest conducted by [Cobalt](https://www.cobalt.io/) . This document covers the findings of the audit, how we addressed the noted issues, and the subsequent [re-testing](https://goauthentik.io/resources/fullReport_authentik-cobalt-test-instance-august-2024-pt26135.pdf) by Cobalt to confirm that all issues were resolved. Cobalt described their process for testing: > This pentest was a manual assessment of the security of the application’s functionality, business logic, and vulnerabilities, such as those cataloged in the Open Web Application Security Project OWASP) Top 10. The assessment also included a review of security controls and requirements listed in the OWASP Application Security Verification Standard (ASVS). Summary of findings[​](https://docs.goauthentik.io/security/audits-and-certs/2024-11-cobalt/#summary-of-findings "Direct link to Summary of findings") ------------------------------------------------------------------------------------------------------------------------------------------------------- Overall, we are pleased with the report's findings and grateful for the opportunity to improve in every area we can. > Cobalt reported "The pentesters found that the Authentik Security team implemented robust and up-to-date security practices throughout the application." In total, there were 5 low-level and one info-level vulnerabilities reported. By early November 2024, all 6 vulnerabilities were addressed and released in the [2024.10.4 patch release](https://docs.goauthentik.io/docs/releases/2024.10#fixed-in-2024103) . Responses to specific findings[​](https://docs.goauthentik.io/security/audits-and-certs/2024-11-cobalt/#responses-to-specific-findings "Direct link to Responses to specific findings") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- From the audit, this is the complete list of findings, with information about how we addressed each. ### HTML Injection[​](https://docs.goauthentik.io/security/audits-and-certs/2024-11-cobalt/#html-injection "Direct link to HTML Injection") **Issue**: A vulnerability existed through user-supplied names in our Flow diagrams, where the application did not properly sanitize or escape HTML input when parsing user-entered names. As a result, an attacker could inject arbitrary HTML or JavaScript code into the application, potentially leading to manipulation of the web page or execution of malicious scripts in the context of the user's session. (This action could only be performed by an authenticated admin user, and thus had little practical value as an attack vector.) **Fix**: We added strict [DOMpurify](https://github.com/cure53/DOMPurify) configurations for any user-defined names in our diagrams. For details, refer to [Pull Request #11783](https://github.com/goauthentik/authentik/pull/11783) . ### SVG images for icons possible XSS vulnerability[​](https://docs.goauthentik.io/security/audits-and-certs/2024-11-cobalt/#svg-images-for-icons-possible-xss-vulnerability "Direct link to SVG images for icons possible XSS vulnerability") **Issue**: The pentesters discovered that the application was susceptible to insecure file upload and stored Cross-Site Scripting (XSS) vulnerabilities by uploading crafted SVG files that were used as application icons. (This action could only be performed by an authenticated admin user, and thus had little practical value as an attack vector.) **Fix**: The fix was to add a CSP header to files that are stored in the `/media` directory of the installation. For details, refer to [Pull Request #12092](https://github.com/goauthentik/authentik/pull/12092) . ### Vulnerability through footer links on website[​](https://docs.goauthentik.io/security/audits-and-certs/2024-11-cobalt/#vulnerability-through-footer-links-on-website "Direct link to Vulnerability through footer links on website") **Issue**: It was found that the application was vulnerable to stored XSS through footer links. The footer section of the application accepted and displayed user-provided links without proper sanitization. This could allow an attacker to inject malicious scripts into these links, which would then stored and executed when other users access the footer links, leading to potential script execution in the context of the victim's session. (This action could only be performed by an authenticated admin user, and thus had little practical value as an attack vector.) **Fix**: Again, as with the diagram issue above, we added strict [DOMpurify](https://github.com/cure53/DOMPurify) configurations. For more details, refer to [Pull Request #11773](https://github.com/goauthentik/authentik/pull/11773) . ### Password policy weakness[​](https://docs.goauthentik.io/security/audits-and-certs/2024-11-cobalt/#password-policy-weakness "Direct link to Password policy weakness") **Issue**: It was determined that the password policy in place on the testing environment was weak, allowing users to create passwords that lacked complexity and were easily guessable. This made the application more susceptible to brute-force and dictionary attacks. **Fix**: This was not a vulnerability in authentik, but rather a poor configuration of our provided test environment. Rather than simply improve our test instance’s configuration once, to make this issue easier to avoid for all our users and customers, we added a strong default password policy that applies to all new instances. (As always, admins can still configure their own custom policies.) For more details, refer to [Pull Request #11793](https://github.com/goauthentik/authentik/pull/11793) . ### Lack of a CSP header[​](https://docs.goauthentik.io/security/audits-and-certs/2024-11-cobalt/#lack-of-a-csp-header "Direct link to Lack of a CSP header") The absence of Content Security Policy (CSP) headers means that the application may lack a mechanism to restrict sources of content and scripts, which can potentially expose it to XSS attacks and other forms of content injection. **Fix**: We added CSP headers to control the sources of content and scripts that the application can load for our provided test instance. Again, this is not a direct vulnerability in authentik itself. Given the variety of architectures in which authentik is deployed, adding our own CSP headers would be more likely to break functionality than to provide improved security. ### API endpoints strengthened[​](https://docs.goauthentik.io/security/audits-and-certs/2024-11-cobalt/#api-endpoints-strengthened "Direct link to API endpoints strengthened") **Issue**: Finally, the only informational level finding was the potential for the unauthenticated download of private key and certificate values via a direct URL. (Guessing the URL required the knowledge of the UUID of an object.) We had already fixed this issue in 2024.8.0, but the instance tested against was the immediately preceding version. **Fix**: For more details, refer to [CVE-2024-42490](https://docs.goauthentik.io/docs/security/cves/CVE-2024-42490) . Retest results[​](https://docs.goauthentik.io/security/audits-and-certs/2024-11-cobalt/#retest-results "Direct link to Retest results") ---------------------------------------------------------------------------------------------------------------------------------------- The subsequent retest conducted by Cobalt deemed all issues resolved. See page 17 of the [report](https://goauthentik.io/resources/fullReport_authentik-cobalt-test-instance-august-2024-pt26135.pdf) for the mitigation status ("fixed") for each of the issues discovered in September. We are pleased to share this pentest and the final results of the retest. We encourage an open and ongoing communication with our users and community. For more information abut our security stance, read our [Security Policy](https://docs.goauthentik.io/docs/security/policy) , [Hardening authentik](https://docs.goauthentik.io/docs/security/security-hardening) , and our other [security-related documentation](https://docs.goauthentik.io/docs/security) . If you have any questions or feedback you can reach us on [GitHub](https://github.com/goauthentik/authentik) , [Discord](https://discord.com/channels/809154715984199690/809154716507963434) , or via email to [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#38505d545457785f57594d4c505d564c5153165157) . * [Summary of findings](https://docs.goauthentik.io/security/audits-and-certs/2024-11-cobalt/#summary-of-findings) * [Responses to specific findings](https://docs.goauthentik.io/security/audits-and-certs/2024-11-cobalt/#responses-to-specific-findings) * [HTML Injection](https://docs.goauthentik.io/security/audits-and-certs/2024-11-cobalt/#html-injection) * [SVG images for icons possible XSS vulnerability](https://docs.goauthentik.io/security/audits-and-certs/2024-11-cobalt/#svg-images-for-icons-possible-xss-vulnerability) * [Vulnerability through footer links on website](https://docs.goauthentik.io/security/audits-and-certs/2024-11-cobalt/#vulnerability-through-footer-links-on-website) * [Password policy weakness](https://docs.goauthentik.io/security/audits-and-certs/2024-11-cobalt/#password-policy-weakness) * [Lack of a CSP header](https://docs.goauthentik.io/security/audits-and-certs/2024-11-cobalt/#lack-of-a-csp-header) * [API endpoints strengthened](https://docs.goauthentik.io/security/audits-and-certs/2024-11-cobalt/#api-endpoints-strengthened) * [Retest results](https://docs.goauthentik.io/security/audits-and-certs/2024-11-cobalt/#retest-results) --- # CVE-2023-36456 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2023-36456/#__docusaurus_skipToContent_fallback) On this page _Reported by [@thijsa](https://github.com/thijsa) _ Lack of Proxy IP headers validation[​](https://docs.goauthentik.io/security/cves/CVE-2023-36456/#lack-of-proxy-ip-headers-validation "Direct link to Lack of Proxy IP headers validation") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Summary[​](https://docs.goauthentik.io/security/cves/CVE-2023-36456/#summary "Direct link to Summary") authentik does not verify the source of the X-Forwarded-For and X-Real-IP headers, both in the Python code and the go code. ### Impact[​](https://docs.goauthentik.io/security/cves/CVE-2023-36456/#impact "Direct link to Impact") Only authentik setups that are directly accessible by users without a reverse proxy are susceptible to this. Possible spoofing of IP addresses in logs, downstream applications proxied by (built in) outpost, IP bypassing in custom flows if used. ### Details[​](https://docs.goauthentik.io/security/cves/CVE-2023-36456/#details "Direct link to Details") This poses a possible security risk when you have flows or policies that check the user's IP address, e.g. when you want to ignore the user's 2 factor authentication when the user is connected to the company network. Another security risk is that the IP addresses in the logfiles and user sessions is not reliable anymore, anybody can spoof this address and you cannot verify that the user has logged in from the IP address that is in their account's log. And the third risk is that this header is passed on to the proxied application behind an outpost. The application may do any kind of verification, logging, blocking or rate limiting based on the IP address, and this IP address can be overridden by anybody that want to. * [Lack of Proxy IP headers validation](https://docs.goauthentik.io/security/cves/CVE-2023-36456/#lack-of-proxy-ip-headers-validation) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2023-36456/#summary) * [Impact](https://docs.goauthentik.io/security/cves/CVE-2023-36456/#impact) * [Details](https://docs.goauthentik.io/security/cves/CVE-2023-36456/#details) --- # CVE-2022-46172 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2022-46172/#__docusaurus_skipToContent_fallback) On this page _Reported by [@DreamingRaven](https://github.com/DreamingRaven) _ Existing Authenticated Users can Create Arbitrary Accounts[​](https://docs.goauthentik.io/security/cves/CVE-2022-46172/#existing-authenticated-users-can-create-arbitrary-accounts "Direct link to Existing Authenticated Users can Create Arbitrary Accounts") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Summary[​](https://docs.goauthentik.io/security/cves/CVE-2022-46172/#summary "Direct link to Summary") Any authenticated user can create an arbitrary number of accounts through the default flows. This would circumvent any policy in a situation where it is undesirable for users to create new accounts by themselves. This may also have carry over consequences to other applications being how these new basic accounts would exist throughout the SSO infrastructure. By default the newly created accounts cannot be logged into as no password reset exists by default. However password resets are likely to be enabled by most installations. ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2022-46172/#patches "Direct link to Patches") authentik 2022.11.4, 2022.10.4 and 2022.12.0 fix this issue. ### Impact[​](https://docs.goauthentik.io/security/cves/CVE-2022-46172/#impact "Direct link to Impact") This vulnerability could make it much easier for name and email collisions to occur, making it harder for user to log in. This also makes it more difficult for admins to properly administer users since more and more confusing users will exist. This paired with password reset flows if enabled would mean a circumvention of on-boarding policies. Say for instance a company wanted to invite a limited number of beta testers, those beta testers would be able to create an arbitrary number of accounts themselves. ### Details[​](https://docs.goauthentik.io/security/cves/CVE-2022-46172/#details "Direct link to Details") This vulnerability has already been submitted over email, this security advisory serves as formalization towards broader information dissemination. This vulnerability pertains to the user context used in the default-user-settings-flow. /api/v3/flows/instances/default-user-settings-flow/execute/ ### For more information[​](https://docs.goauthentik.io/security/cves/CVE-2022-46172/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#5526303620273c212c15323a3420213d303b213c3e7b3c3a) * [Existing Authenticated Users can Create Arbitrary Accounts](https://docs.goauthentik.io/security/cves/CVE-2022-46172/#existing-authenticated-users-can-create-arbitrary-accounts) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2022-46172/#summary) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2022-46172/#patches) * [Impact](https://docs.goauthentik.io/security/cves/CVE-2022-46172/#impact) * [Details](https://docs.goauthentik.io/security/cves/CVE-2022-46172/#details) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2022-46172/#for-more-information) --- # Release 2025.6 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2025.6/#__docusaurus_skipToContent_fallback) On this page Highlights[​](https://docs.goauthentik.io/releases/2025.6/#highlights "Direct link to Highlights") --------------------------------------------------------------------------------------------------- * **mTLS Stage**: Enterprise The Mutual TLS stage provides support for mTLS, a standard protocol that uses certificates for mutual authentication between a client and a server. * **Email verification compatibility with link scanners**: We have improved compatibility for environments that have automated scanning software that inadvertently invalidated one-time links sent by authentik. * **LDAP source sync forward deletions**: This option synchronizes the deletion of users and groups from LDAP sources to authentik. Breaking changes[​](https://docs.goauthentik.io/releases/2025.6/#breaking-changes "Direct link to Breaking changes") --------------------------------------------------------------------------------------------------------------------- * **Helm chart dependencies upgrades**: * The PostgreSQL chart has been updated to version 16.7.4. The PostgreSQL image is no longer pinned in authentik's default values and has been upgraded from version 15 to 17. Follow our [PostgreSQL upgrade instructions](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/) to update to the latest PostgreSQL version. * The Redis chart has been updated to version 21.1.6. There are no breaking changes and Redis has been upgraded from version 7 to 8. * **Deprecated and frozen `:latest` container image tag after 2025.2** Using the `:latest` tag with container images is not recommended as it can lead to unintentional updates and potentially broken setups. The tag will not be removed, however it will also not be updated past 2025.2. We strongly recommended the use of a specific version tag for authentik instances' container images, such as `:2025.6`. * **CSS**: We’ve made some improvements to our theming system. If your authentik instance uses custom CSS, you might need to review flow and user interfaces for any visual changes. New features and improvements[​](https://docs.goauthentik.io/releases/2025.6/#new-features-and-improvements "Direct link to New features and improvements") ------------------------------------------------------------------------------------------------------------------------------------------------------------ * **mTLS stage**: Enterprise The Mutual TLS stage enables authentik to use client certificates to enroll and authenticate users. These certificates can be local to the device or available via PIV Smart Cards, Yubikeys, etc. For environments where certificates are already rolled out, this can make authentication a lot more seamless. Refer to our [technical documentation](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/) for more information. * **Email verification compatibility with link scanners**: We have improved compatibility for environments with automated scanning software that inadvertently invalidated one-time links sent by authentik. * **LDAP source sync forward deletions**: With this option enabled, users or groups created in authentik via LDAP sources will also be removed from authentik if they are deleted from the LDAP source. For more information, please refer to our [LDAP source documentation](https://docs.goauthentik.io/users-sources/sources/protocols/ldap/) . * **Provider sync performance**: We have implemented parallel scheduling for outgoing syncs to provide faster synchronization. * **Branding**: Custom branding should now be more consistent on initial load, without flickering. * **Remote Access Control (RAC) improved [documentation](https://docs.goauthentik.io/docs/add-secure-apps/providers/rac/) **: Added content about how to authenticate using a public key and improved the wording and formatting throughout the topic. New integration guides[​](https://docs.goauthentik.io/releases/2025.6/#new-integration-guides "Direct link to New integration guides") --------------------------------------------------------------------------------------------------------------------------------------- An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added to our documentation: * [Atlassian Cloud (Jira, Confluence, etc)](https://integrations.goauthentik.io/services/atlassian/) * [Coder](https://integrations.goauthentik.io/services/coder/) * [FileRise](https://integrations.goauthentik.io/services/filerise/) * [Komodo](https://integrations.goauthentik.io/services/komodo/) * [Pangolin](https://integrations.goauthentik.io/services/pangolin/) * [Push Security](https://integrations.goauthentik.io/services/push-security/) * [Stripe](https://integrations.goauthentik.io/services/stripe/) * [Tailscale](https://integrations.goauthentik.io/services/tailscale/) * [YouTrack](https://integrations.goauthentik.io/services/youtrack/) Upgrading[​](https://docs.goauthentik.io/releases/2025.6/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------ This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](https://docs.goauthentik.io/install-config/upgrade/) . warning When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. ### Docker Compose[​](https://docs.goauthentik.io/releases/2025.6/#docker-compose "Direct link to Docker Compose") To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands: wget -O docker-compose.yml https://goauthentik.io/version/2025.6/docker-compose.ymldocker compose up -d The `-O` flag retains the downloaded file's name, overwriting any existing local file with the same name. ### Kubernetes[​](https://docs.goauthentik.io/releases/2025.6/#kubernetes "Direct link to Kubernetes") Upgrade the Helm Chart to the new version, using the following commands: helm repo updatehelm upgrade authentik authentik/authentik -f values.yaml --version ^2025.6 Minor changes/fixes[​](https://docs.goauthentik.io/releases/2025.6/#minor-changesfixes "Direct link to Minor changes/fixes") ----------------------------------------------------------------------------------------------------------------------------- * brands: fix CSS Migration not updating brands ([#14306](https://github.com/goauthentik/authentik/issues/14306) ) * core: fix session migration when old session can't be loaded ([#14466](https://github.com/goauthentik/authentik/issues/14466) ) * core: fix unable to create group if no enable\_group\_superuser permission is given ([#14510](https://github.com/goauthentik/authentik/issues/14510) ) * core: Migrate permissions before deleting OldAuthenticatedSession ([#14788](https://github.com/goauthentik/authentik/issues/14788) ) * core: Publish web packages. ([#14648](https://github.com/goauthentik/authentik/issues/14648) ) * core: remove `OldAuthenticatedSession` content type ([#14507](https://github.com/goauthentik/authentik/issues/14507) ) * enterprise: fix expired license's users being counted ([#14451](https://github.com/goauthentik/authentik/issues/14451) ) * enterprise/stages: Add MTLS stage ([#14296](https://github.com/goauthentik/authentik/issues/14296) ) * enterprise/stages/mtls: improve certificate validation ([#14582](https://github.com/goauthentik/authentik/issues/14582) ) * enterprise/stages/mtls: update go & web client, fix py client generation ([#14576](https://github.com/goauthentik/authentik/issues/14576) ) * lib/sync: fix static incorrect label of pages ([#14851](https://github.com/goauthentik/authentik/issues/14851) ) * lib/sync/outgoing: reduce number of db queries made ([#14177](https://github.com/goauthentik/authentik/issues/14177) ) * lib/sync/outgoing: sync in parallel ([#14697](https://github.com/goauthentik/authentik/issues/14697) ) * lifecycle: fix ak dump\_config ([#14445](https://github.com/goauthentik/authentik/issues/14445) ) * lifecycle: fix test-all in docker ([#14244](https://github.com/goauthentik/authentik/issues/14244) ) * outposts: fix tmpdir in containers not being set ([#14444](https://github.com/goauthentik/authentik/issues/14444) ) * providers/ldap: retain binder and update users instead of re-creating ([#14735](https://github.com/goauthentik/authentik/issues/14735) ) * providers/proxy: kubernetes outpost: fix reconcile when ingress class name changed ([#14612](https://github.com/goauthentik/authentik/issues/14612) ) * providers/rac: apply ConnectionToken scoped-settings last ([#14838](https://github.com/goauthentik/authentik/issues/14838) ) * rbac: add `name` to Permissions search ([#14269](https://github.com/goauthentik/authentik/issues/14269) ) * rbac: fix RoleObjectPermissionTable not showing `add_user_to_group` ([#14312](https://github.com/goauthentik/authentik/issues/14312) ) * root: backport SFE Build fix ([#14495](https://github.com/goauthentik/authentik/issues/14495) ) * root: do not use /bin/bash directly ([#14698](https://github.com/goauthentik/authentik/issues/14698) ) * root: improve sentry distributed tracing ([#14468](https://github.com/goauthentik/authentik/issues/14468) ) * root: move forked dependencies to goauthentik org ([#14590](https://github.com/goauthentik/authentik/issues/14590) ) * root: pin package version in pyproject for dependabot ([#14469](https://github.com/goauthentik/authentik/issues/14469) ) * root: readme: use right contribution guide link ([#14250](https://github.com/goauthentik/authentik/issues/14250) ) * root: replace raw.githubusercontent.com by checking out repo ([#14567](https://github.com/goauthentik/authentik/issues/14567) ) * root: temporarily deactivate database pool option ([#14443](https://github.com/goauthentik/authentik/issues/14443) ) * sources/kerberos: resolve logger warnings ([#14540](https://github.com/goauthentik/authentik/issues/14540) ) * sources/ldap: add forward deletion option ([#14718](https://github.com/goauthentik/authentik/issues/14718) ) * stages/email: fix email scanner voiding token ([#14325](https://github.com/goauthentik/authentik/issues/14325) ) * tests/e2e: Add E2E tests for Flow SFE ([#14484](https://github.com/goauthentik/authentik/issues/14484) ) * tests/e2e: add test for authentication flow in compatibility mode ([#14392](https://github.com/goauthentik/authentik/issues/14392) ) * tests/e2e: fix flaky SAML Source test ([#14708](https://github.com/goauthentik/authentik/issues/14708) ) * web, website: update browserslist ([#14386](https://github.com/goauthentik/authentik/issues/14386) ) * web: Add specific Storybook dependency. ([#14719](https://github.com/goauthentik/authentik/issues/14719) ) * web: Clean up browser-only module imports that crash WebDriverIO. ([#14330](https://github.com/goauthentik/authentik/issues/14330) ) * web: cleanup/loading attribute always true ([#14288](https://github.com/goauthentik/authentik/issues/14288) ) * web: Controller refinements, error handling ([#14700](https://github.com/goauthentik/authentik/issues/14700) ) * Web: Controllers cleanup ([#14616](https://github.com/goauthentik/authentik/issues/14616) ) * web: fix bug that was causing charts to be too tall ([#14253](https://github.com/goauthentik/authentik/issues/14253) ) * web: fix description for signing responses in SAML provider ([#14573](https://github.com/goauthentik/authentik/issues/14573) ) * web: Fix issue where dual select type is not specific. ([#14783](https://github.com/goauthentik/authentik/issues/14783) ) * web: Fix issue where Storybook cannot resolve styles. ([#14553](https://github.com/goauthentik/authentik/issues/14553) ) * web: Fix missing Enterprise sidebar entries. ([#14615](https://github.com/goauthentik/authentik/issues/14615) ) * web: fix regression in subpath support ([#14646](https://github.com/goauthentik/authentik/issues/14646) ) * web: NPM workspaces ([#14274](https://github.com/goauthentik/authentik/issues/14274) ) * web: Type Tidy ([#14647](https://github.com/goauthentik/authentik/issues/14647) ) * web: Use engine available on Github Actions. ([#14699](https://github.com/goauthentik/authentik/issues/14699) ) * web: Use monorepo package utilities to build packages ([#14159](https://github.com/goauthentik/authentik/issues/14159) ) * web/admin: Dual select state management, custom event dispatching. ([#14490](https://github.com/goauthentik/authentik/issues/14490) ) * web/admin: fix enterprise menu display ([#14447](https://github.com/goauthentik/authentik/issues/14447) ) * web/admin: fix permissions modal button missing for PolicyBindings and FlowStageBindings ([#14619](https://github.com/goauthentik/authentik/issues/14619) ) * web/admin: Fix sidebar toggle synchronization. ([#14487](https://github.com/goauthentik/authentik/issues/14487) ) * web/admin: prevent default logo flashing in admin interface ([#13960](https://github.com/goauthentik/authentik/issues/13960) ) * web/flows: update default flow background ([#14769](https://github.com/goauthentik/authentik/issues/14769) ) * web/flows/sfe: fix global background image not being loaded ([#14442](https://github.com/goauthentik/authentik/issues/14442) ) Fixed in 2025.6.1[​](https://docs.goauthentik.io/releases/2025.6/#fixed-in-202561 "Direct link to Fixed in 2025.6.1") ---------------------------------------------------------------------------------------------------------------------- * providers/proxy: add option to override host header with property mappings (cherry-pick [#14927](https://github.com/goauthentik/authentik/issues/14927) ) ([#14945](https://github.com/goauthentik/authentik/issues/14945) ) * tenants: fix tenant aware celery scheduler (cherry-pick [#14921](https://github.com/goauthentik/authentik/issues/14921) ) * web/user: fix user settings flow not loading (cherry-pick [#14911](https://github.com/goauthentik/authentik/issues/14911) ) ([#14930](https://github.com/goauthentik/authentik/issues/14930) ) Fixed in 2025.6.2[​](https://docs.goauthentik.io/releases/2025.6/#fixed-in-202562 "Direct link to Fixed in 2025.6.2") ---------------------------------------------------------------------------------------------------------------------- * brands: fix custom\_css being escaped (cherry-pick [#14994](https://github.com/goauthentik/authentik/issues/14994) ) ([#14996](https://github.com/goauthentik/authentik/issues/14996) ) * core: bump django from 5.1.10 to 5.1.11 (cherry-pick [#14997](https://github.com/goauthentik/authentik/issues/14997) ) ([#15010](https://github.com/goauthentik/authentik/issues/15010) ) * core: bump django from 5.1.9 to 5.1.10 (cherry-pick [#14951](https://github.com/goauthentik/authentik/issues/14951) ) ([#15008](https://github.com/goauthentik/authentik/issues/15008) ) * internal/outpost: fix incorrect usage of golang SHA API (cherry-pick [#14981](https://github.com/goauthentik/authentik/issues/14981) ) ([#14982](https://github.com/goauthentik/authentik/issues/14982) ) * providers/rac: fixes prompt data not being merged with connection\_settings (cherry-pick [#15037](https://github.com/goauthentik/authentik/issues/15037) ) ([#15038](https://github.com/goauthentik/authentik/issues/15038) ) * stages/email: Only attach logo to email if used (cherry-pick [#14835](https://github.com/goauthentik/authentik/issues/14835) ) ([#14969](https://github.com/goauthentik/authentik/issues/14969) ) * web/elements: fix dual select without sortBy (cherry-pick [#14977](https://github.com/goauthentik/authentik/issues/14977) ) ([#14979](https://github.com/goauthentik/authentik/issues/14979) ) * web/elements: fix typo in localeComparator (cherry-pick [#15054](https://github.com/goauthentik/authentik/issues/15054) ) ([#15055](https://github.com/goauthentik/authentik/issues/15055) ) Fixed in 2025.6.3[​](https://docs.goauthentik.io/releases/2025.6/#fixed-in-202563 "Direct link to Fixed in 2025.6.3") ---------------------------------------------------------------------------------------------------------------------- * ci: fix CodeQL failing on cherry-pick PRs (cherry-pick [#15205](https://github.com/goauthentik/authentik/issues/15205) ) ([#15206](https://github.com/goauthentik/authentik/issues/15206) ) * ci: fix post-release e2e builds failing (cherry-pick [#15082](https://github.com/goauthentik/authentik/issues/15082) ) ([#15092](https://github.com/goauthentik/authentik/issues/15092) ) * core: bump goauthentik/fips-python from 3.13.3-slim-bookworm-fips to 3.13.5-slim-bookworm-fips in 2025.6 ([#15274](https://github.com/goauthentik/authentik/issues/15274) ) * core: bump protobuf from 6.30.2 to v6.31.1 (cherry-pick [#14894](https://github.com/goauthentik/authentik/issues/14894) ) ([#15173](https://github.com/goauthentik/authentik/issues/15173) ) * core: bump requests from 2.32.3 to v2.32.4 (cherry-pick [#15129](https://github.com/goauthentik/authentik/issues/15129) ) ([#15135](https://github.com/goauthentik/authentik/issues/15135) ) * core: bump tornado from 6.4.2 to v6.5.1 (cherry-pick [#15100](https://github.com/goauthentik/authentik/issues/15100) ) ([#15116](https://github.com/goauthentik/authentik/issues/15116) ) * core: bump urllib3 from 2.4.0 to v2.5.0 (cherry-pick [#15131](https://github.com/goauthentik/authentik/issues/15131) ) ([#15174](https://github.com/goauthentik/authentik/issues/15174) ) * security: fix CVE-2025-52553 (cherry-pick [#15289](https://github.com/goauthentik/authentik/issues/15289) ) ([#15290](https://github.com/goauthentik/authentik/issues/15290) ) * sources/ldap: fix sync on empty groups (cherry-pick [#15158](https://github.com/goauthentik/authentik/issues/15158) ) ([#15171](https://github.com/goauthentik/authentik/issues/15171) ) * stages/user\_login: fix session binding logging ([#15175](https://github.com/goauthentik/authentik/issues/15175) ) * web/elements: Add light mode custom css handling (cherry-pick [#14944](https://github.com/goauthentik/authentik/issues/14944) ) ([#15096](https://github.com/goauthentik/authentik/issues/15096) ) * web/elements: typing error when variables are not converted to string (cherry-pick [#15169](https://github.com/goauthentik/authentik/issues/15169) ) ([#15222](https://github.com/goauthentik/authentik/issues/15222) ) * web/user: fix infinite loop when no user settings flow is set (cherry-pick [#15188](https://github.com/goauthentik/authentik/issues/15188) ) ([#15192](https://github.com/goauthentik/authentik/issues/15192) ) Fixed in 2025.6.4[​](https://docs.goauthentik.io/releases/2025.6/#fixed-in-202564 "Direct link to Fixed in 2025.6.4") ---------------------------------------------------------------------------------------------------------------------- * web/elements: fix table search not resetting page when query changes (cherry-pick [#15324](https://github.com/goauthentik/authentik/issues/15324) ) ([#15326](https://github.com/goauthentik/authentik/issues/15326) ) * core: fix missing serializer on AuthenticatedSession (cherry-pick [#15323](https://github.com/goauthentik/authentik/issues/15323) ) ([#15365](https://github.com/goauthentik/authentik/issues/15365) ) * core: fix set\_token\_key permission not declared (cherry-pick [#15384](https://github.com/goauthentik/authentik/issues/15384) ) ([#15391](https://github.com/goauthentik/authentik/issues/15391) ) * providers/proxy: fix ingress-nginx proxy buffer size annotations (cherry-pick [#15506](https://github.com/goauthentik/authentik/issues/15506) ) by ([#15507](https://github.com/goauthentik/authentik/issues/15507) ) * providers/radius: set message authenticator (cherry-pick [#15635](https://github.com/goauthentik/authentik/issues/15635) ) ([#15665](https://github.com/goauthentik/authentik/issues/15665) ) API Changes[​](https://docs.goauthentik.io/releases/2025.6/#api-changes "Direct link to API Changes") ------------------------------------------------------------------------------------------------------ #### What's New[​](https://docs.goauthentik.io/releases/2025.6/#whats-new "Direct link to What's New") * * * ##### `GET` /stages/mtls/[​](https://docs.goauthentik.io/releases/2025.6/#get-stagesmtls "Direct link to get-stagesmtls") ##### `POST` /stages/mtls/[​](https://docs.goauthentik.io/releases/2025.6/#post-stagesmtls "Direct link to post-stagesmtls") ##### `GET` /stages/mtls/{stage\_uuid}/[​](https://docs.goauthentik.io/releases/2025.6/#get-stagesmtlsstage_uuid "Direct link to get-stagesmtlsstage_uuid") ##### `PUT` /stages/mtls/{stage\_uuid}/[​](https://docs.goauthentik.io/releases/2025.6/#put-stagesmtlsstage_uuid "Direct link to put-stagesmtlsstage_uuid") ##### `DELETE` /stages/mtls/{stage\_uuid}/[​](https://docs.goauthentik.io/releases/2025.6/#delete-stagesmtlsstage_uuid "Direct link to delete-stagesmtlsstage_uuid") ##### `PATCH` /stages/mtls/{stage\_uuid}/[​](https://docs.goauthentik.io/releases/2025.6/#patch-stagesmtlsstage_uuid "Direct link to patch-stagesmtlsstage_uuid") ##### `GET` /stages/mtls/{stage\_uuid}/used\_by/[​](https://docs.goauthentik.io/releases/2025.6/#get-stagesmtlsstage_uuidused_by "Direct link to get-stagesmtlsstage_uuidused_by") #### What's Changed[​](https://docs.goauthentik.io/releases/2025.6/#whats-changed "Direct link to What's Changed") * * * ##### `GET` /core/brands/{brand\_uuid}/[​](https://docs.goauthentik.io/releases/2025.6/#get-corebrandsbrand_uuid "Direct link to get-corebrandsbrand_uuid") ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.6/#return-type "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Added property `client_certificates` (array) > Certificates used for client authentication. Items (string): ##### `PUT` /core/brands/{brand\_uuid}/[​](https://docs.goauthentik.io/releases/2025.6/#put-corebrandsbrand_uuid "Direct link to put-corebrandsbrand_uuid") ###### Request:[​](https://docs.goauthentik.io/releases/2025.6/#request "Direct link to Request:") Changed content type : `application/json` * Added property `client_certificates` (array) > Certificates used for client authentication. ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.6/#return-type-1 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Added property `client_certificates` (array) > Certificates used for client authentication. ##### `PATCH` /core/brands/{brand\_uuid}/[​](https://docs.goauthentik.io/releases/2025.6/#patch-corebrandsbrand_uuid "Direct link to patch-corebrandsbrand_uuid") ###### Request:[​](https://docs.goauthentik.io/releases/2025.6/#request-1 "Direct link to Request:") Changed content type : `application/json` * Added property `client_certificates` (array) > Certificates used for client authentication. ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.6/#return-type-2 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Added property `client_certificates` (array) > Certificates used for client authentication. ##### `GET` /policies/event\_matcher/{policy\_uuid}/[​](https://docs.goauthentik.io/releases/2025.6/#get-policiesevent_matcherpolicy_uuid "Direct link to get-policiesevent_matcherpolicy_uuid") ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.6/#return-type-3 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Added enum value: * `authentik.enterprise.stages.mtls` * Changed property `model` (string) > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched. Added enum value: * `authentik_stages_mtls.mutualtlsstage` ##### `PUT` /policies/event\_matcher/{policy\_uuid}/[​](https://docs.goauthentik.io/releases/2025.6/#put-policiesevent_matcherpolicy_uuid "Direct link to put-policiesevent_matcherpolicy_uuid") ###### Request:[​](https://docs.goauthentik.io/releases/2025.6/#request-2 "Direct link to Request:") Changed content type : `application/json` * Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Added enum value: * `authentik.enterprise.stages.mtls` * Changed property `model` (string) > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched. Added enum value: * `authentik_stages_mtls.mutualtlsstage` ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.6/#return-type-4 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Added enum value: * `authentik.enterprise.stages.mtls` * Changed property `model` (string) > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched. Added enum value: * `authentik_stages_mtls.mutualtlsstage` ##### `PATCH` /policies/event\_matcher/{policy\_uuid}/[​](https://docs.goauthentik.io/releases/2025.6/#patch-policiesevent_matcherpolicy_uuid "Direct link to patch-policiesevent_matcherpolicy_uuid") ###### Request:[​](https://docs.goauthentik.io/releases/2025.6/#request-3 "Direct link to Request:") Changed content type : `application/json` * Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Added enum value: * `authentik.enterprise.stages.mtls` * Changed property `model` (string) > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched. Added enum value: * `authentik_stages_mtls.mutualtlsstage` ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.6/#return-type-5 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Added enum value: * `authentik.enterprise.stages.mtls` * Changed property `model` (string) > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched. Added enum value: * `authentik_stages_mtls.mutualtlsstage` ##### `POST` /core/brands/[​](https://docs.goauthentik.io/releases/2025.6/#post-corebrands "Direct link to post-corebrands") ###### Request:[​](https://docs.goauthentik.io/releases/2025.6/#request-4 "Direct link to Request:") Changed content type : `application/json` * Added property `client_certificates` (array) > Certificates used for client authentication. ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.6/#return-type-6 "Direct link to Return Type:") Changed response : **201 Created** * Changed content type : `application/json` * Added property `client_certificates` (array) > Certificates used for client authentication. ##### `GET` /core/brands/[​](https://docs.goauthentik.io/releases/2025.6/#get-corebrands "Direct link to get-corebrands") ###### Parameters:[​](https://docs.goauthentik.io/releases/2025.6/#parameters "Direct link to Parameters:") Added: `client_certificates` in `query` ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.6/#return-type-7 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Changed property `results` (array) Changed items (object): > Brand Serializer * Added property `client_certificates` (array) > Certificates used for client authentication. ##### `POST` /policies/event\_matcher/[​](https://docs.goauthentik.io/releases/2025.6/#post-policiesevent_matcher "Direct link to post-policiesevent_matcher") ###### Request:[​](https://docs.goauthentik.io/releases/2025.6/#request-5 "Direct link to Request:") Changed content type : `application/json` * Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Added enum value: * `authentik.enterprise.stages.mtls` * Changed property `model` (string) > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched. Added enum value: * `authentik_stages_mtls.mutualtlsstage` ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.6/#return-type-8 "Direct link to Return Type:") Changed response : **201 Created** * Changed content type : `application/json` * Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Added enum value: * `authentik.enterprise.stages.mtls` * Changed property `model` (string) > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched. Added enum value: * `authentik_stages_mtls.mutualtlsstage` ##### `GET` /policies/event\_matcher/[​](https://docs.goauthentik.io/releases/2025.6/#get-policiesevent_matcher "Direct link to get-policiesevent_matcher") ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.6/#return-type-9 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Changed property `results` (array) Changed items (object): > Event Matcher Policy Serializer * Changed property `app` (string) > Match events created by selected application. When left empty, all applications are matched. Added enum value: * `authentik.enterprise.stages.mtls` * Changed property `model` (string) > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched. Added enum value: * `authentik_stages_mtls.mutualtlsstage` ##### `POST` /rbac/permissions/assigned\_by\_roles/{uuid}/assign/[​](https://docs.goauthentik.io/releases/2025.6/#post-rbacpermissionsassigned_by_rolesuuidassign "Direct link to post-rbacpermissionsassigned_by_rolesuuidassign") ###### Request:[​](https://docs.goauthentik.io/releases/2025.6/#request-6 "Direct link to Request:") Changed content type : `application/json` * Changed property `model` (string) Added enum value: * `authentik_stages_mtls.mutualtlsstage` ##### `PATCH` /rbac/permissions/assigned\_by\_roles/{uuid}/unassign/[​](https://docs.goauthentik.io/releases/2025.6/#patch-rbacpermissionsassigned_by_rolesuuidunassign "Direct link to patch-rbacpermissionsassigned_by_rolesuuidunassign") ###### Request:[​](https://docs.goauthentik.io/releases/2025.6/#request-7 "Direct link to Request:") Changed content type : `application/json` * Changed property `model` (string) Added enum value: * `authentik_stages_mtls.mutualtlsstage` ##### `POST` /rbac/permissions/assigned\_by\_users/{id}/assign/[​](https://docs.goauthentik.io/releases/2025.6/#post-rbacpermissionsassigned_by_usersidassign "Direct link to post-rbacpermissionsassigned_by_usersidassign") ###### Request:[​](https://docs.goauthentik.io/releases/2025.6/#request-8 "Direct link to Request:") Changed content type : `application/json` * Changed property `model` (string) Added enum value: * `authentik_stages_mtls.mutualtlsstage` ##### `PATCH` /rbac/permissions/assigned\_by\_users/{id}/unassign/[​](https://docs.goauthentik.io/releases/2025.6/#patch-rbacpermissionsassigned_by_usersidunassign "Direct link to patch-rbacpermissionsassigned_by_usersidunassign") ###### Request:[​](https://docs.goauthentik.io/releases/2025.6/#request-9 "Direct link to Request:") Changed content type : `application/json` * Changed property `model` (string) Added enum value: * `authentik_stages_mtls.mutualtlsstage` ##### `GET` /sources/ldap/{slug}/[​](https://docs.goauthentik.io/releases/2025.6/#get-sourcesldapslug "Direct link to get-sourcesldapslug") ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.6/#return-type-10 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Added property `delete_not_found_objects` (boolean) > Delete authentik users and groups which were previously supplied by this source, but are now missing from it. ##### `PUT` /sources/ldap/{slug}/[​](https://docs.goauthentik.io/releases/2025.6/#put-sourcesldapslug "Direct link to put-sourcesldapslug") ###### Request:[​](https://docs.goauthentik.io/releases/2025.6/#request-10 "Direct link to Request:") Changed content type : `application/json` * Added property `delete_not_found_objects` (boolean) > Delete authentik users and groups which were previously supplied by this source, but are now missing from it. ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.6/#return-type-11 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Added property `delete_not_found_objects` (boolean) > Delete authentik users and groups which were previously supplied by this source, but are now missing from it. ##### `PATCH` /sources/ldap/{slug}/[​](https://docs.goauthentik.io/releases/2025.6/#patch-sourcesldapslug "Direct link to patch-sourcesldapslug") ###### Request:[​](https://docs.goauthentik.io/releases/2025.6/#request-11 "Direct link to Request:") Changed content type : `application/json` * Added property `delete_not_found_objects` (boolean) > Delete authentik users and groups which were previously supplied by this source, but are now missing from it. ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.6/#return-type-12 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Added property `delete_not_found_objects` (boolean) > Delete authentik users and groups which were previously supplied by this source, but are now missing from it. ##### `GET` /rbac/permissions/assigned\_by\_roles/[​](https://docs.goauthentik.io/releases/2025.6/#get-rbacpermissionsassigned_by_roles "Direct link to get-rbacpermissionsassigned_by_roles") ###### Parameters:[​](https://docs.goauthentik.io/releases/2025.6/#parameters-1 "Direct link to Parameters:") Changed: `model` in `query` ##### `GET` /rbac/permissions/assigned\_by\_users/[​](https://docs.goauthentik.io/releases/2025.6/#get-rbacpermissionsassigned_by_users "Direct link to get-rbacpermissionsassigned_by_users") ###### Parameters:[​](https://docs.goauthentik.io/releases/2025.6/#parameters-2 "Direct link to Parameters:") Changed: `model` in `query` ##### `POST` /sources/ldap/[​](https://docs.goauthentik.io/releases/2025.6/#post-sourcesldap "Direct link to post-sourcesldap") ###### Request:[​](https://docs.goauthentik.io/releases/2025.6/#request-12 "Direct link to Request:") Changed content type : `application/json` * Added property `delete_not_found_objects` (boolean) > Delete authentik users and groups which were previously supplied by this source, but are now missing from it. ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.6/#return-type-13 "Direct link to Return Type:") Changed response : **201 Created** * Changed content type : `application/json` * Added property `delete_not_found_objects` (boolean) > Delete authentik users and groups which were previously supplied by this source, but are now missing from it. ##### `GET` /sources/ldap/[​](https://docs.goauthentik.io/releases/2025.6/#get-sourcesldap "Direct link to get-sourcesldap") ###### Parameters:[​](https://docs.goauthentik.io/releases/2025.6/#parameters-3 "Direct link to Parameters:") Added: `delete_not_found_objects` in `query` ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.6/#return-type-14 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Changed property `results` (array) Changed items (object): > LDAP Source Serializer * Added property `delete_not_found_objects` (boolean) > Delete authentik users and groups which were previously supplied by this source, but are now missing from it. * [Highlights](https://docs.goauthentik.io/releases/2025.6/#highlights) * [Breaking changes](https://docs.goauthentik.io/releases/2025.6/#breaking-changes) * [New features and improvements](https://docs.goauthentik.io/releases/2025.6/#new-features-and-improvements) * [New integration guides](https://docs.goauthentik.io/releases/2025.6/#new-integration-guides) * [Upgrading](https://docs.goauthentik.io/releases/2025.6/#upgrading) * [Docker Compose](https://docs.goauthentik.io/releases/2025.6/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2025.6/#kubernetes) * [Minor changes/fixes](https://docs.goauthentik.io/releases/2025.6/#minor-changesfixes) * [Fixed in 2025.6.1](https://docs.goauthentik.io/releases/2025.6/#fixed-in-202561) * [Fixed in 2025.6.2](https://docs.goauthentik.io/releases/2025.6/#fixed-in-202562) * [Fixed in 2025.6.3](https://docs.goauthentik.io/releases/2025.6/#fixed-in-202563) * [Fixed in 2025.6.4](https://docs.goauthentik.io/releases/2025.6/#fixed-in-202564) * [API Changes](https://docs.goauthentik.io/releases/2025.6/#api-changes) --- # CVE-2023-26481 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2023-26481/#__docusaurus_skipToContent_fallback) On this page _Reported by [@fuomag9](https://github.com/fuomag9) _ Insufficient user check in FlowTokens by Email stage[​](https://docs.goauthentik.io/security/cves/CVE-2023-26481/#insufficient-user-check-in-flowtokens-by-email-stage "Direct link to Insufficient user check in FlowTokens by Email stage") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Summary[​](https://docs.goauthentik.io/security/cves/CVE-2023-26481/#summary "Direct link to Summary") Due to an insufficient access check, a recovery flow link that is created by an admin (or sent via email by an admin) can be used to set the password for any arbitrary user. ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2023-26481/#patches "Direct link to Patches") authentik 2022.12.3, 2023.1.3, 2023.2.3 fix this issue. ### Impact[​](https://docs.goauthentik.io/security/cves/CVE-2023-26481/#impact "Direct link to Impact") This attack is only possible if a recovery flow exists, which has both an Identification and an Email stage bound to it. If the flow has policies on the identification stage to skip it when the flow is restored (by checking `request.context['is_restored']`), the flow is not affected by this. With this flow in place, an administrator must create a recovery Link or send a recovery URL to the attacker, who can, due to the improper validation of the token create, set the password for any account. ### Workaround[​](https://docs.goauthentik.io/security/cves/CVE-2023-26481/#workaround "Direct link to Workaround") It is recommended to upgrade to the patched version of authentik. Regardless, for custom recovery flows it is recommended to add a policy that checks if the flow is restored, and skips the identification stage. ### For more information[​](https://docs.goauthentik.io/security/cves/CVE-2023-26481/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#780b1d1b0d0a110c01381f17190d0c101d160c1113561117) * [Insufficient user check in FlowTokens by Email stage](https://docs.goauthentik.io/security/cves/CVE-2023-26481/#insufficient-user-check-in-flowtokens-by-email-stage) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2023-26481/#summary) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2023-26481/#patches) * [Impact](https://docs.goauthentik.io/security/cves/CVE-2023-26481/#impact) * [Workaround](https://docs.goauthentik.io/security/cves/CVE-2023-26481/#workaround) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2023-26481/#for-more-information) --- # CVE-2023-39522 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2023-39522/#__docusaurus_skipToContent_fallback) On this page _Reported by [@markrassamni](https://github.com/markrassamni) _ Username enumeration attack[​](https://docs.goauthentik.io/security/cves/CVE-2023-39522/#username-enumeration-attack "Direct link to Username enumeration attack") ------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Summary[​](https://docs.goauthentik.io/security/cves/CVE-2023-39522/#summary "Direct link to Summary") Using a recovery flow with an identification stage an attacker is able to determine if a username exists. ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2023-39522/#patches "Direct link to Patches") authentik 2023.5.6 and 2023.6.2 fix this issue. ### Impact[​](https://docs.goauthentik.io/security/cves/CVE-2023-39522/#impact "Direct link to Impact") Only setups configured with a recovery flow are impacted by this. ### Details[​](https://docs.goauthentik.io/security/cves/CVE-2023-39522/#details "Direct link to Details") An attacker can easily enumerate and check users' existence using the recovery flow, as a clear message is shown when a user doesn't exist. Depending on configuration this can either be done by username, email, or both. ### For more information[​](https://docs.goauthentik.io/security/cves/CVE-2023-39522/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#e497818791968d909da4838b8591908c818a908d8fca8d8b) * [Username enumeration attack](https://docs.goauthentik.io/security/cves/CVE-2023-39522/#username-enumeration-attack) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2023-39522/#summary) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2023-39522/#patches) * [Impact](https://docs.goauthentik.io/security/cves/CVE-2023-39522/#impact) * [Details](https://docs.goauthentik.io/security/cves/CVE-2023-39522/#details) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2023-39522/#for-more-information) --- # CVE-2023-48228 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2023-48228/#__docusaurus_skipToContent_fallback) On this page _Reported by [@Sapd](https://github.com/Sapd) _ OAuth2: Insufficient PKCE check[​](https://docs.goauthentik.io/security/cves/CVE-2023-48228/#oauth2-insufficient-pkce-check "Direct link to OAuth2: Insufficient PKCE check") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ### Summary[​](https://docs.goauthentik.io/security/cves/CVE-2023-48228/#summary "Direct link to Summary") When initializing a OAuth2 flow with a `code_challenge` and `code_method` (thus requesting PKCE), the SSO provider (authentik) **must** check if there is a matching **and** existing `code_verifier` during the token step. authentik checks if the contents of code_verifier is matching \*\*\_ONLY_\*\* when it is provided. When it is left out completely, authentik simply accepts the token request without it; even when the flow was started with a `code_challenge`. ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2023-48228/#patches "Direct link to Patches") authentik 2023.8.5 and 2023.10.4 fix this issue. ### Details[​](https://docs.goauthentik.io/security/cves/CVE-2023-48228/#details "Direct link to Details") The `code_verifier` is only checked when the user provides it. Note that in line 209 there is a check if the code\_parameter is left out. But there is no check if the PKCE parameter simply was omitted WHEN the request was started with a `code_challenge_method`. This oversight likely did not stem from a coding error but from a misinterpretation of the RFC, where the backward compatibility section may be somewhat confusing. [https://datatracker.ietf.org/doc/html/rfc7636#section-4.5](https://datatracker.ietf.org/doc/html/rfc7636#section-4.5) RFC7636 explicitly says in Section 4.5: > The "code\_challenge\_method" is bound to the Authorization Code when the Authorization Code is issued. That is the method that the token endpoint MUST use to verify the "code\_verifier". Section 5, Compatibility > Server implementations of this specification MAY accept OAuth2.0 clients that do not implement this extension. If the "code\_verifier" is not received from the client in the Authorization Request, servers supporting backwards compatibility revert to the OAuth 2.0 \[[RFC6749](https://datatracker.ietf.org/doc/html/rfc6749)\ > \] protocol without this extension. Section 5, Compatibility, allows server implementations of this specification to accept OAuth 2.0 clients that do not implement this extension. However, if a `code_verifier` is not received from the client in the Authorization Request, servers that support backward compatibility should revert to the standard OAuth 2.0 protocol sans this extension (including all steps). It should be noted that this does not mean that the `code_verifier` check can be disregarded at any point if the initial request included `code_challenge` or `code_challenge_method`. Since Authentik supports PKCE, it **MUST** verify the code\_verifier as described in Section 4.5 **AND** fail if it was not provided. Ofc verification can be skipped if the original authorization request did not invoke PKCE (no `code_challenge_method` and no `code_challenge`). Failure to check the `code_verifier` renders the PKCE flow ineffective. This vulnerability particularly endangers public or hybrid clients, as their `code` is deemed non-confidential. While not explicitly stated in the standard, it is generally recommended that OAuth2 flows accepting public clients should enforce PKCE - at least when redirecting to a non HTTPS URL (like http or an app link). ### Impact[​](https://docs.goauthentik.io/security/cves/CVE-2023-48228/#impact "Direct link to Impact") The vulnerability poses a high risk to both public and hybrid clients. When for example a mobile app implements oauth2, a malicious app can simply also register the same in-app-link (e.g. `mycoolapp://oauth2`) for the redirect callback URL, possibly receiving `code` during callback. With PKCE working, a malicious app would still receive a `code` but the `code` would not work without the correct unhashed code-challenge. This is especially problematic, because authentik claims to support PKCE, and a developer can expect that the proper checks are in place. Note that app-links cannot be protected by HTTPS or similar mechanisms. Note also that this vulnerability poses a threat to confidential clients. Many confidential clients act as a proxy for OAuth2 API requests, typically from mobile apps or single-page applications. These proxies relay `code_challenge`, `code_challenge_method` (in auth request, which most libraries force and provide on default settings) and `code_verifier` in the token request unchanged and supplement the CLIENT\_SECRET which only the relay knows. The relay can but does not have to check for an existing `code_verifier` as the standard does not define that PKCE can be ignored on confidential clients during the token request when the client requested PKCE during the authorization request. An attacker could potentially gain full access to the application. If the code grants access to an admin account, the confidentiality, integrity, and availability of that application are compromised. ### For more information[​](https://docs.goauthentik.io/security/cves/CVE-2023-48228/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#dba8beb8aea9b2afa29bbcb4baaeafb3beb5afb2b0f5b2b4) * [OAuth2: Insufficient PKCE check](https://docs.goauthentik.io/security/cves/CVE-2023-48228/#oauth2-insufficient-pkce-check) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2023-48228/#summary) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2023-48228/#patches) * [Details](https://docs.goauthentik.io/security/cves/CVE-2023-48228/#details) * [Impact](https://docs.goauthentik.io/security/cves/CVE-2023-48228/#impact) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2023-48228/#for-more-information) --- # CVE-2025-52553 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2025-52553/#__docusaurus_skipToContent_fallback) On this page _Reported by [SPIEGEL-Verlag](https://gruppe.spiegel.de/) _ Insufficient Session verification for Remote Access Control endpoint access[​](https://docs.goauthentik.io/security/cves/CVE-2025-52553/#insufficient-session-verification-for-remote-access-control-endpoint-access "Direct link to Insufficient Session verification for Remote Access Control endpoint access") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Summary[​](https://docs.goauthentik.io/security/cves/CVE-2025-52553/#summary "Direct link to Summary") After authorizing access to a RAC endpoint, authentik creates a token which is used for a single connection and is sent to the client in the URL. This token is intended to only be valid for the session of the user who authorized the connection, however this check is currently missing. ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2025-52553/#patches "Direct link to Patches") authentik 2025.4.3 and 2025.6.3 fix this issue. ### Impact[​](https://docs.goauthentik.io/security/cves/CVE-2025-52553/#impact "Direct link to Impact") When for example using RAC during a screenshare, a malicious user could access the same session by copying the URL from the shown browser. ### Workarounds[​](https://docs.goauthentik.io/security/cves/CVE-2025-52553/#workarounds "Direct link to Workarounds") As a workaround it is recommended to decrease the duration a token is valid for (in the RAC Provider settings, set **Connection expiry** to `minutes=5` for example). We also recommend enabling the option **Delete authorization on disconnect**. ### For more information[​](https://docs.goauthentik.io/security/cves/CVE-2025-52553/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#e596808690978c919ca5828a8490918d808b918c8ecb8c8a) . * [Insufficient Session verification for Remote Access Control endpoint access](https://docs.goauthentik.io/security/cves/CVE-2025-52553/#insufficient-session-verification-for-remote-access-control-endpoint-access) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2025-52553/#summary) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2025-52553/#patches) * [Impact](https://docs.goauthentik.io/security/cves/CVE-2025-52553/#impact) * [Workarounds](https://docs.goauthentik.io/security/cves/CVE-2025-52553/#workarounds) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2025-52553/#for-more-information) --- # CVE-2025-29928 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2025-29928/#__docusaurus_skipToContent_fallback) On this page Deletion of sessions did not revoke sessions when using database session storage[​](https://docs.goauthentik.io/security/cves/CVE-2025-29928/#deletion-of-sessions-did-not-revoke-sessions-when-using-database-session-storage "Direct link to Deletion of sessions did not revoke sessions when using database session storage") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### ADDENDUM May 30, 2025[​](https://docs.goauthentik.io/security/cves/CVE-2025-29928/#addendum-may-30-2025 "Direct link to ADDENDUM May 30, 2025") As of version 2025.4, the option to store sessions in cache has been removed; sessions are now exclusively stored in the database. See our [2025.4 release notes](https://docs.goauthentik.io/releases/2025.4/#sessions-are-now-stored-in-the-database) for more information. ### Summary[​](https://docs.goauthentik.io/security/cves/CVE-2025-29928/#summary "Direct link to Summary") When authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. This also affects automatic session deletion when a user is set to inactive or a user is deleted. The session backend was configured via the `AUTHENTIK_SESSION_STORAGE` setting, which was removed in version 2025.4. ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2025-29928/#patches "Direct link to Patches") authentik 2025.2.3 and 2024.12.4 fix this issue. ### Workarounds[​](https://docs.goauthentik.io/security/cves/CVE-2025-29928/#workarounds "Direct link to Workarounds") Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate. ### For more information[​](https://docs.goauthentik.io/security/cves/CVE-2025-29928/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#5d2e383e282f3429241d3a323c2829353833293436733432) . * [Deletion of sessions did not revoke sessions when using database session storage](https://docs.goauthentik.io/security/cves/CVE-2025-29928/#deletion-of-sessions-did-not-revoke-sessions-when-using-database-session-storage) * [ADDENDUM May 30, 2025](https://docs.goauthentik.io/security/cves/CVE-2025-29928/#addendum-may-30-2025) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2025-29928/#summary) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2025-29928/#patches) * [Workarounds](https://docs.goauthentik.io/security/cves/CVE-2025-29928/#workarounds) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2025-29928/#for-more-information) --- # Release 0.11 | authentik [Skip to main content](https://docs.goauthentik.io/releases/0.11/#__docusaurus_skipToContent_fallback) On this page This update brings these headline features: * Add Backup and Restore, currently only externally schedulable, documented [here](https://github.com/goauthentik/authentik/blob/version-2022.1/website/docs/maintenance/backups/index.md) * New Admin Dashboard with more metrics and Charts Shows successful and failed logins from the last 24 hours, as well as the most used applications * Add search to all table views * Outpost now supports a Docker Controller, which installs the Outpost on the same host as authentik, updates and manages it * Add Token Identifier Tokens now have an identifier which is used to reference to them, so the Primary key is not shown in URLs * `core/applications/list` API now shows applications the user has access to via policies Upgrading[​](https://docs.goauthentik.io/releases/0.11/#upgrading "Direct link to Upgrading") ---------------------------------------------------------------------------------------------- This upgrade can be done as any other patch upgrade, the only external change is the new docker-compose file, which enabled the Docker Integration for Outposts. To use this feature, please download the latest docker-compose from [here](https://docs.goauthentik.io/docker-compose.yml) . Afterwards, you can simply run `docker-compose up -d` and then the normal upgrade command of `docker-compose run --rm server migrate`. * [Upgrading](https://docs.goauthentik.io/releases/0.11/#upgrading) --- # CVE-2024-21637 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2024-21637/#__docusaurus_skipToContent_fallback) On this page _Reported by [@lauritzh](https://github.com/lauritzh) _ XSS in Authentik via JavaScript-URI as Redirect URI and form\_post Response Mode[​](https://docs.goauthentik.io/security/cves/CVE-2024-21637/#xss-in-authentik-via-javascript-uri-as-redirect-uri-and-form_post-response-mode "Direct link to XSS in Authentik via JavaScript-URI as Redirect URI and form_post Response Mode") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Summary[​](https://docs.goauthentik.io/security/cves/CVE-2024-21637/#summary "Direct link to Summary") Given an OAuth2 provider configured with allowed redirect URIs set to `*` or `.*`, an attacker can send an OAuth Authorization request using `response_mode=form_post` and setting `redirect_uri` to a malicious URI, to capture authentik's session token. ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2024-21637/#patches "Direct link to Patches") authentik 2023.8.6 and 2023.10.6 fix this issue. ### Impact[​](https://docs.goauthentik.io/security/cves/CVE-2024-21637/#impact "Direct link to Impact") The impact depends on the attack scenario. In the following I will describe the two scenario that were identified for Authentik. #### Redirect URI Misconfiguration[​](https://docs.goauthentik.io/security/cves/CVE-2024-21637/#redirect-uri-misconfiguration "Direct link to Redirect URI Misconfiguration") While advising that this may cause security issues, Authentik generally allows wildcards as Redirect URI. Therefore, using a wildcard-only effectively allowing arbitrary URLS is possible misconfiguration that may be present in real-world instances. In such cases, unauthenticated and unprivileged attackers can perform the above described actions. ### User with (only) App Administration Permissions[​](https://docs.goauthentik.io/security/cves/CVE-2024-21637/#user-with-only-app-administration-permissions "Direct link to User with (only) App Administration Permissions") A more likely scenario is an administrative user (e.g. a normal developer) having only permissions to manage applications. This relatively user could use the described attacks to perform a privilege escalation. ### Workaround[​](https://docs.goauthentik.io/security/cves/CVE-2024-21637/#workaround "Direct link to Workaround") It is recommended to upgrade to the patched version of authentik. If not possible, ensure that OAuth2 providers do not use a wildcard (`*` or `.*`) value as allowed redirect URI setting. (This is _not_ exploitable if part of the redirect URI has a wildcard, for example `https://foo-.*\.bar\.com`) ### For more information[​](https://docs.goauthentik.io/security/cves/CVE-2024-21637/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#d9aabcbaacabb0ada099beb6b8acadb1bcb7adb0b2f7b0b6) * [XSS in Authentik via JavaScript-URI as Redirect URI and form\_post Response Mode](https://docs.goauthentik.io/security/cves/CVE-2024-21637/#xss-in-authentik-via-javascript-uri-as-redirect-uri-and-form_post-response-mode) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2024-21637/#summary) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2024-21637/#patches) * [Impact](https://docs.goauthentik.io/security/cves/CVE-2024-21637/#impact) * [User with (only) App Administration Permissions](https://docs.goauthentik.io/security/cves/CVE-2024-21637/#user-with-only-app-administration-permissions) * [Workaround](https://docs.goauthentik.io/security/cves/CVE-2024-21637/#workaround) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2024-21637/#for-more-information) --- # CVE-2024-23647 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2024-23647/#__docusaurus_skipToContent_fallback) On this page _Reported by [@pieterphilippaerts](https://github.com/pieterphilippaerts) _ PKCE downgrade attack in authentik[​](https://docs.goauthentik.io/security/cves/CVE-2024-23647/#pkce-downgrade-attack-in-authentik "Direct link to PKCE downgrade attack in authentik") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Summary[​](https://docs.goauthentik.io/security/cves/CVE-2024-23647/#summary "Direct link to Summary") ------------------------------------------------------------------------------------------------------- PKCE is a very important countermeasure in OAuth2 , both for public and confidential clients. It protects against CSRF attacks and code injection attacks. Because of this bug, an attacker can circumvent the protection PKCE offers. Patches[​](https://docs.goauthentik.io/security/cves/CVE-2024-23647/#patches "Direct link to Patches") ------------------------------------------------------------------------------------------------------- authentik 2023.8.7 and 2023.10.7 fix this issue. Details[​](https://docs.goauthentik.io/security/cves/CVE-2024-23647/#details "Direct link to Details") ------------------------------------------------------------------------------------------------------- There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the `code_challenge` parameter to the authorization request and adds the `code_verifier` parameter to the token request. We recently fixed a downgrade attack (in v2023.8.5 and 2023.10.4) where if the attacker removed the `code_verifier` parameter in the token request, authentik would allow the request to pass, thus circumventing PKCE’s protection. However, in the latest version of the software, another downgrade scenario is still possible: if the attacker removes the \`code\_challenge’ parameter from the authorization request, authentik will also not do the PKCE check. Note that this type of downgrade enables an attacker to perform a code injection attack, even if the OAuth client is using PKCE (which is supposed to protect against code injection attacks). To start the attack, the attacker must initiate the authorization process without that `code_challenge` parameter in the authorization request. But this is easy to do (just use a phishing site or email to trick the user into clicking on a link that the attacker controls – the authorization link without that `code_challenge` parameter). The OAuth BCP ([https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics) ) explicitly mentions this particular attack in section 2.1.1: “Authorization servers MUST mitigate PKCE Downgrade Attacks by ensuring that a token request containing a code\_verifier parameter is accepted only if a code\_challenge parameter was present in the authorization request, see Section 4.8.2 for details.” For more information[​](https://docs.goauthentik.io/security/cves/CVE-2024-23647/#for-more-information "Direct link to For more information") ---------------------------------------------------------------------------------------------------------------------------------------------- If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#bccfd9dfc9ced5c8c5fcdbd3ddc9c8d4d9d2c8d5d792d5d3) * [PKCE downgrade attack in authentik](https://docs.goauthentik.io/security/cves/CVE-2024-23647/#pkce-downgrade-attack-in-authentik) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2024-23647/#summary) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2024-23647/#patches) * [Details](https://docs.goauthentik.io/security/cves/CVE-2024-23647/#details) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2024-23647/#for-more-information) --- # CVE-2025-53942 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2025-53942/#__docusaurus_skipToContent_fallback) On this page _Reported by [@pascalwei](https://github.com/pascalwei) _ Insufficient check for account active status when authenticating with OAuth/SAML Sources[​](https://docs.goauthentik.io/security/cves/CVE-2025-53942/#insufficient-check-for-account-active-status-when-authenticating-with-oauthsaml-sources "Direct link to Insufficient check for account active status when authenticating with OAuth/SAML Sources") --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Summary[​](https://docs.goauthentik.io/security/cves/CVE-2025-53942/#summary "Direct link to Summary") Deactivated users that had either enrolled via OAuth/SAML or had their account connected to an OAuth/SAML account can still partially access authentik even if their account is deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application. ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2025-53942/#patches "Direct link to Patches") authentik 2025.4.4 and 2025.6.4 fix this issue. ### Workarounds[​](https://docs.goauthentik.io/security/cves/CVE-2025-53942/#workarounds "Direct link to Workarounds") Adding an expression policy to the user login stage on the respective authentication flow with the expression of return request.context["pending_user"].is_active This expression will only activate the user login stage when the user is active. ### For more information[​](https://docs.goauthentik.io/security/cves/CVE-2025-53942/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#790a1c1a0c0b100d00391e16180c0d111c170d1012571016) . * [Insufficient check for account active status when authenticating with OAuth/SAML Sources](https://docs.goauthentik.io/security/cves/CVE-2025-53942/#insufficient-check-for-account-active-status-when-authenticating-with-oauthsaml-sources) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2025-53942/#summary) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2025-53942/#patches) * [Workarounds](https://docs.goauthentik.io/security/cves/CVE-2025-53942/#workarounds) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2025-53942/#for-more-information) --- # CVE-2024-42490 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2024-42490/#__docusaurus_skipToContent_fallback) On this page _Reported by [@m2a2](https://github.com/m2a2) _ Insufficient Authorization for several API endpoints[​](https://docs.goauthentik.io/security/cves/CVE-2024-42490/#insufficient-authorization-for-several-api-endpoints "Direct link to Insufficient Authorization for several API endpoints") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Summary[​](https://docs.goauthentik.io/security/cves/CVE-2024-42490/#summary "Direct link to Summary") Several API endpoints can be accessed by users without correct authentication/authorization. The main API endpoints affected by this: * `/api/v3/crypto/certificatekeypairs//view_certificate/` * `/api/v3/crypto/certificatekeypairs//view_private_key/` * `/api/v3/.../used_by/` Note that all of the affected API endpoints require the knowledge of the ID of an object, which especially for certificates is not accessible to an unprivileged user. Additionally the IDs for most objects are UUIDv4, meaning they are not easily guessable/enumerable. ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2024-42490/#patches "Direct link to Patches") authentik 2024.4.4, 2024.6.4 and 2024.8.0 fix this issue. ### Workarounds[​](https://docs.goauthentik.io/security/cves/CVE-2024-42490/#workarounds "Direct link to Workarounds") Access to the API endpoints can be blocked at a Reverse-proxy/Load balancer level to prevent this issue from being exploited. ### For more information[​](https://docs.goauthentik.io/security/cves/CVE-2024-42490/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#1a697f796f68736e635a7d757b6f6e727f746e7371347375) * [Insufficient Authorization for several API endpoints](https://docs.goauthentik.io/security/cves/CVE-2024-42490/#insufficient-authorization-for-several-api-endpoints) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2024-42490/#summary) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2024-42490/#patches) * [Workarounds](https://docs.goauthentik.io/security/cves/CVE-2024-42490/#workarounds) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2024-42490/#for-more-information) --- # CVE-2024-37905 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2024-37905/#__docusaurus_skipToContent_fallback) On this page _Reported by [@m2a2](https://github.com/m2a2) _ Improper Authorization for Token modification[​](https://docs.goauthentik.io/security/cves/CVE-2024-37905/#improper-authorization-for-token-modification "Direct link to Improper Authorization for Token modification") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Summary[​](https://docs.goauthentik.io/security/cves/CVE-2024-37905/#summary "Direct link to Summary") Due to insufficient permission checks it was possible for any authenticated user to elevate their permissions to a superuser by creating an API token and changing the user the token belonged to. ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2024-37905/#patches "Direct link to Patches") authentik 2024.6.0, 2024.4.3 and 2024.2.4 fix this issue, for other versions the workaround can be used. ### Details[​](https://docs.goauthentik.io/security/cves/CVE-2024-37905/#details "Direct link to Details") By setting a token's user ID to the ID of a higher privileged user, the token will inherit the higher privileged access to the API. This can be used to change the password of the affected user or to modify the authentik configuration in a potentially malicious way. ### Workarounds[​](https://docs.goauthentik.io/security/cves/CVE-2024-37905/#workarounds "Direct link to Workarounds") As a workaround it is possible to block any requests to `/api/v3/core/tokens*` at the reverse-proxy/load-balancer level. Doing so prevents this issue from being exploited. ### For more information[​](https://docs.goauthentik.io/security/cves/CVE-2024-37905/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#92e1f7f1e7e0fbe6ebd2f5fdf3e7e6faf7fce6fbf9bcfbfd) * [Improper Authorization for Token modification](https://docs.goauthentik.io/security/cves/CVE-2024-37905/#improper-authorization-for-token-modification) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2024-37905/#summary) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2024-37905/#patches) * [Details](https://docs.goauthentik.io/security/cves/CVE-2024-37905/#details) * [Workarounds](https://docs.goauthentik.io/security/cves/CVE-2024-37905/#workarounds) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2024-37905/#for-more-information) --- # Release 2025.10 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2025.10/#__docusaurus_skipToContent_fallback) On this page Highlights[​](https://docs.goauthentik.io/releases/2025.10/#highlights "Direct link to Highlights") ---------------------------------------------------------------------------------------------------- * **SAML and OAuth2 provider Single Logout support**: This release adds support for back-channel and front-channel SLO for SAML and front-channel for OAuth2/OIDC. * **Removed Redis dependency**: authentik no longer uses Redis at all. * **Telegram source**: Telegram can now be used for social login. * **SCIM provider OAuth support**: Enterprise SCIM providers can use OAuth providers to authenticate to SCIM endpoints. * **RADIUS EAP-TLS Support**: Enterprise The RADIUS provider now supports EAP-TLS, which can be used to authenticate WiFi clients. Breaking changes[​](https://docs.goauthentik.io/releases/2025.10/#breaking-changes "Direct link to Breaking changes") ---------------------------------------------------------------------------------------------------------------------- ### Redis removal[​](https://docs.goauthentik.io/releases/2025.10/#redis-removal "Direct link to Redis removal") In previous versions, authentik used Redis for caching, tasks, the embedded proxy outpost's session store, and WebSocket connections. Since [2025.8](https://docs.goauthentik.io/releases/2025.8/) , tasks were migrated to use Postgres. With this release we've also migrated caching, the embedded outpost, and WebSocket to Postgres, fully removing the need for Redis. As a result of this change, it is expected that authentik will use roughly 50% more database connections to Postgres. Redis-related settings have also been removed and can be deleted from your configuration. If your Postgres instance requires a TLS connection, authentik now requires TLS 1.3 or the Extended Master Secret extension to connect to Postgres. ### Default OAuth scope mappings[​](https://docs.goauthentik.io/releases/2025.10/#default-oauth-scope-mappings "Direct link to Default OAuth scope mappings") In previous releases with the default scope mappings, we set the `email_verified` claim to `true`. As we don't have a single source of whether a users' email is verified or not, and claiming that it is verified could lead to security implications, this claim has been corrected to `false`. Some applications may require this claim to be `true` to successfully authenticate users, in which case you can create a custom `email` scope mapping that returns `email_verified` as `true`. New features and improvements[​](https://docs.goauthentik.io/releases/2025.10/#new-features-and-improvements "Direct link to New features and improvements") ------------------------------------------------------------------------------------------------------------------------------------------------------------- ### SCIM provider OAuth support Enterprise[​](https://docs.goauthentik.io/releases/2025.10/#scim-provider-oauth-support- "Direct link to scim-provider-oauth-support-") SCIM providers can now use OAuth sources to authenticate to SCIM endpoints. This requires support in the remote system for OAuth authentication. Using an OAuth source provides improved security due to not requiring long-lived static tokens. This is supported by applications such as Slack and Salesforce. See [SCIM Provider documentation](https://docs.goauthentik.io/add-secure-apps/providers/scim/#oauth-authentication-for-a-scim-provider--) for more details. ### RADIUS EAP-TLS support Enterprise[​](https://docs.goauthentik.io/releases/2025.10/#radius-eap-tls-support- "Direct link to radius-eap-tls-support-") The RADIUS outpost can now support EAP-TLS which allows for client authentication using certificates with the [Mutual TLS stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/mtls/) . See [RADIUS Provider documentation](https://docs.goauthentik.io/add-secure-apps/providers/radius/) . ### SAML and OAuth2 provider Single Logout support[​](https://docs.goauthentik.io/releases/2025.10/#saml-and-oauth2-provider-single-logout-support "Direct link to SAML and OAuth2 provider Single Logout support") In [2025.8](https://docs.goauthentik.io/releases/2025.8/) we've introduced support for back-channel logout in the OAuth2 Provider. This release adds support for front-channel logout in the OAuth2 Provider and both back- and front-channel logout support in the SAML Provider. See [OAuth2 Provider documentation](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/) and [SAML Provider documentation](https://docs.goauthentik.io/add-secure-apps/providers/saml/) . ### Telegram source[​](https://docs.goauthentik.io/releases/2025.10/#telegram-source "Direct link to Telegram source") Being one of the most upvoted GitHub issues, we've finally done it. Telegram can now be used as a federated identity provider in authentik. This allows users to authenticate with their Telegram credentials. See [Telegram Source documentation](https://docs.goauthentik.io/users-sources/sources/social-logins/telegram/) . ### Refined flow and user library[​](https://docs.goauthentik.io/releases/2025.10/#refined-flow-and-user-library "Direct link to Refined flow and user library") The flow interface now fits better on mobile devices/small viewports and looks sharper on HiDPi devices. There are also improvements for auto-completion during credential input (thanks to [**@cjoshmartin**](https://github.com/cjoshmartin) !). The user library has improved scaling and makes better use of space with a higher density. ### Additional noteworthy improvements[​](https://docs.goauthentik.io/releases/2025.10/#additional-noteworthy-improvements "Direct link to Additional noteworthy improvements") * Credential provider: Alpha releases of desktop integrations are now available for testing; reach out to [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#7e161b1212113e19111f0b0a161b100a1715501711) if you are interested in providing early feedback for any of these: * Windows: a custom credential provider allowing custom authentication flows. * macOS: a Platform SSO integration allowing seamless authentication. * Linux: accessing Linux servers via an authentik identity. * Add `ak_send_email`: Allow for easier sending of emails in expressions; see [ak\_send\_email](https://docs.goauthentik.io/customize/policies/expression/#ak_send_emailaddress-str--liststr-subject-str-body-str--none-stage-emailstage--none-template-str--none-context-dict--none---bool) . * Change recovery token duration: When using `ak create_recovery_key`, the duration is now set in minutes instead of years. * Add OIDC `ui_locales` support: The OAuth2 provider now accepts `ui_locales` to set the locale of authentik. * Add support for separate labels and values in prompt choice inputs, see [Prompt stage documentation](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/prompt/) ; thanks to [**@ErikAhlund**](https://github.com/ErikAhlund) ! New integration guides[​](https://docs.goauthentik.io/releases/2025.10/#new-integration-guides "Direct link to New integration guides") ---------------------------------------------------------------------------------------------------------------------------------------- An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added. * [Cloudflare](https://integrations.goauthentik.io/platforms/cloudflare/) * [Digital Ocean](https://integrations.goauthentik.io/cloud-providers/digitalocean/) * [Entra ID SCIM](https://docs.goauthentik.io/users-sources/sources/social-logins/entra-id/scim/) * [osTicket](https://integrations.goauthentik.io/infrastructure/osticket/) * [Terraform Cloud](https://integrations.goauthentik.io/infrastructure/terraform-cloud/) * [Termix](https://integrations.goauthentik.io/infrastructure/termix/) * [Zendesk](https://integrations.goauthentik.io/infrastructure/zendesk/) * [Zoom](https://integrations.goauthentik.io/chat-communication-collaboration/zoom/) * [Zot](https://integrations.goauthentik.io/infrastructure/zot/) Upgrading[​](https://docs.goauthentik.io/releases/2025.10/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------- Following the upgrade instructions below will remove Redis from your installation. If you use authentik with an externally configured Redis, you can simply remove the Redis configuration from authentik; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](https://docs.goauthentik.io/install-config/upgrade/) . warning When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. ### Docker Compose[​](https://docs.goauthentik.io/releases/2025.10/#docker-compose "Direct link to Docker Compose") To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands: wget -O docker-compose.yml https://goauthentik.io/version/2025.10/docker-compose.ymldocker compose up -d --remove-orphans The `-O` flag retains the downloaded file's name, overwriting any existing local file with the same name. The `--remove-orphans` flag removes the Redis container as its no longer needed. ### Kubernetes[​](https://docs.goauthentik.io/releases/2025.10/#kubernetes "Direct link to Kubernetes") Upgrade the Helm Chart to the new version, using the following commands: helm repo updatehelm upgrade authentik authentik/authentik -f values.yaml --version ^2025.10 If you had persistence for Redis configured, you can delete the PVC and PV after the upgrade. Minor changes/fixes[​](https://docs.goauthentik.io/releases/2025.10/#minor-changesfixes "Direct link to Minor changes/fixes") ------------------------------------------------------------------------------------------------------------------------------ * \*: add ruff BLE rules ([#16943](https://github.com/goauthentik/authentik/issues/16943) ) * \*: Fix dead doc link ([#16288](https://github.com/goauthentik/authentik/issues/16288) ) * \*: remove Redis leftovers ([#17146](https://github.com/goauthentik/authentik/issues/17146) ) * \*/bindings: order by pk ([#17027](https://github.com/goauthentik/authentik/issues/17027) ) * api: Clean schema up more ([#17055](https://github.com/goauthentik/authentik/issues/17055) ) * api: Fix locale propagation from ?locale parameter in frontend ([#16857](https://github.com/goauthentik/authentik/issues/16857) ) * api: optimise schemas' common query parameters ([#16884](https://github.com/goauthentik/authentik/issues/16884) ) * blueprints: ensure tasks retry on database errors ([#17333](https://github.com/goauthentik/authentik/issues/17333) ) * blueprints: exclude exporting UserConsent ([#16640](https://github.com/goauthentik/authentik/issues/16640) ) * blueprints: fix email address verified by default ([#16206](https://github.com/goauthentik/authentik/issues/16206) ) * blueprints: fix typo in sources-google-ldap-mappings ([#16955](https://github.com/goauthentik/authentik/issues/16955) ) * blueprints: regenerate schema ([#17365](https://github.com/goauthentik/authentik/issues/17365) ) * brands: revert sort matched brand by match length (revert [#15413](https://github.com/goauthentik/authentik/issues/15413) ) ([#16233](https://github.com/goauthentik/authentik/issues/16233) ) * cmd/server/healthcheck: info log success instead of debug ([#17093](https://github.com/goauthentik/authentik/issues/17093) ) * core, events: reduce memory usage when batch deleting objects ([#12436](https://github.com/goauthentik/authentik/issues/12436) ) * core: Add ak\_send\_email function in expression context ([#16941](https://github.com/goauthentik/authentik/issues/16941) ) * core: Add email template selector ([#16170](https://github.com/goauthentik/authentik/issues/16170) ) * core: add index on Group.is\_superuser ([#17011](https://github.com/goauthentik/authentik/issues/17011) ) * core: Add input validation for service account creation ([#16964](https://github.com/goauthentik/authentik/issues/16964) ) * core: add QL for groups ([#17527](https://github.com/goauthentik/authentik/issues/17527) ) * core: Block usage of Django's createsuperuser ([#16215](https://github.com/goauthentik/authentik/issues/16215) ) * core: fix absolute and relative path file uploads ([#17269](https://github.com/goauthentik/authentik/issues/17269) ) * core: fix application and source's fa:// icon ([#17416](https://github.com/goauthentik/authentik/issues/17416) ) * core: fix client-side only validation allowing admin to set blank user password ([#16467](https://github.com/goauthentik/authentik/issues/16467) ) * core: fix description on remove\_user\_from\_group ([#16694](https://github.com/goauthentik/authentik/issues/16694) ) * core: Fix middleware race condition induced crash ([#16705](https://github.com/goauthentik/authentik/issues/16705) ) * core: Fix typo ([#16560](https://github.com/goauthentik/authentik/issues/16560) ) * core: Include region comments in VSCode Minimap. ([#16667](https://github.com/goauthentik/authentik/issues/16667) ) * core: Mark impersonation reason field as required in UI and fix status codes ([#16065](https://github.com/goauthentik/authentik/issues/16065) ) * core: Normalize NPM script arguments. ([#16725](https://github.com/goauthentik/authentik/issues/16725) ) * core: update\_attributes: only update the model if attributes changed ([#16322](https://github.com/goauthentik/authentik/issues/16322) ) * core: use email backend for test\_email management command ([#16311](https://github.com/goauthentik/authentik/issues/16311) ) * core/api: Better naming for partial user/group serializer, optimise bindings ([#17022](https://github.com/goauthentik/authentik/issues/17022) ) * enterprise/providers/gws+entra: fix group integrity error during discovery ([#17355](https://github.com/goauthentik/authentik/issues/17355) ) * enterprise/providers/gws+entra: fix integrity error during discovery ([#17341](https://github.com/goauthentik/authentik/issues/17341) ) * enterprise/providers/radius: add EAP-TLS support ([#15702](https://github.com/goauthentik/authentik/issues/15702) ) * enterprise/providers/scim: Add SCIM OAuth support ([#16903](https://github.com/goauthentik/authentik/issues/16903) ) * enterprise/stages/mtls: Improve Email address extraction ([#17068](https://github.com/goauthentik/authentik/issues/17068) ) * events: remove deprecated models ([#15823](https://github.com/goauthentik/authentik/issues/15823) ) * flows: redirect to next when accessing an unapplicable authentication flow while already authenticated ([#17243](https://github.com/goauthentik/authentik/issues/17243) ) * flows: SessionEndStage: only show page if user is still authenticated ([#17003](https://github.com/goauthentik/authentik/issues/17003) ) * lib: import ExceptionDictTransformer from structlog.tracebacks ([#17526](https://github.com/goauthentik/authentik/issues/17526) ) * lib: match exception\_to\_dict locals behaviour ([#17006](https://github.com/goauthentik/authentik/issues/17006) ) * lib: small type hinting improvements ([#17528](https://github.com/goauthentik/authentik/issues/17528) ) * lib/config: fix listen settings ([#17005](https://github.com/goauthentik/authentik/issues/17005) ) * lib/logging: only show locals when in debug mode ([#16772](https://github.com/goauthentik/authentik/issues/16772) ) * lib/sync: fix missing f for string ([#16423](https://github.com/goauthentik/authentik/issues/16423) ) * lib/sync: revert breaking type change ([#17553](https://github.com/goauthentik/authentik/issues/17553) ) * lib/sync/outgoing: fix single object sync timeout ([#16447](https://github.com/goauthentik/authentik/issues/16447) ) * lib/sync/outgoing: revert reduce number of db queries made (revert [#14177](https://github.com/goauthentik/authentik/issues/14177) ) ([#17306](https://github.com/goauthentik/authentik/issues/17306) ) * lifecycle: fix permission error when running worker as root ([#16735](https://github.com/goauthentik/authentik/issues/16735) ) * lifecycle: fix PROMETHEUS\_MULTIPROC\_DIR missing suffix ([#16401](https://github.com/goauthentik/authentik/issues/16401) ) * lifecycle: set PROMETHEUS\_MULTIPROC\_DIR as early as possible ([#16298](https://github.com/goauthentik/authentik/issues/16298) ) * outpost: proxyv2: Use Postgres for the Embedded Outpost ([#16628](https://github.com/goauthentik/authentik/issues/16628) ) * outpost/proxyv2: postgresstore: credential refresh ([#17414](https://github.com/goauthentik/authentik/issues/17414) ) * outpost/proxyv2: postgresstore: db/pool/misc cleanup and enhancement ([#17511](https://github.com/goauthentik/authentik/issues/17511) ) * outposts: allow ingress path type configuration ([#16339](https://github.com/goauthentik/authentik/issues/16339) ) * outposts: fix flow executor when using subpath ([#16947](https://github.com/goauthentik/authentik/issues/16947) ) * outposts: fix service connection update task arguments ([#16312](https://github.com/goauthentik/authentik/issues/16312) ) * outposts/ldap: add pwdChangeTime attribute ([#17010](https://github.com/goauthentik/authentik/issues/17010) ) * packages/django-channels-postgres: compression and connection pool ([#17303](https://github.com/goauthentik/authentik/issues/17303) ) * packages/django-channels-postgres: init ([#17247](https://github.com/goauthentik/authentik/issues/17247) ) * packages/django-channels-postgres/layer: fix connection deadlock ([#17270](https://github.com/goauthentik/authentik/issues/17270) ) * packages/django-dramatiq-postgres: broker: fix new messages not being picked up when too many messages are waiting ([#17106](https://github.com/goauthentik/authentik/issues/17106) )version-2025.8) ([#17108](https://github.com/goauthentik/authentik/issues/17108) ) * packages/django-dramatiq-postgres: broker: fix task expiration ([#17178](https://github.com/goauthentik/authentik/issues/17178) ) * packages/django-dramatiq-postgres: broker: fix various timing issues ([#16340](https://github.com/goauthentik/authentik/issues/16340) ) * packages/django-dramatiq-postgres: broker: task retrieval fixes and improvements ([#17335](https://github.com/goauthentik/authentik/issues/17335) ) * packages/django-dramatiq-postgres: fix error when updating task with no changes ([#16728](https://github.com/goauthentik/authentik/issues/16728) ) * packages/django-dramatiq-postgres: middleware: fix listening on hosts where ipv6 is not supported ([#16308](https://github.com/goauthentik/authentik/issues/16308) ) * packages/django-dramatiq-postgres: typing ([#16978](https://github.com/goauthentik/authentik/issues/16978) ) * packages/django-postgres-cache: Initial implementation of postgres cache ([#16653](https://github.com/goauthentik/authentik/issues/16653) ) * policies: remove object pk from authentik\_policies\_execution\_time to reduce cardinality ([#16500](https://github.com/goauthentik/authentik/issues/16500) ) * policies/password: Fix amount\_uppercase in password policy check ([#16197](https://github.com/goauthentik/authentik/issues/16197) ) * policies/reputation: update reputation in a single query ([#17529](https://github.com/goauthentik/authentik/issues/17529) ) * providers/ldap: add include\_children parameter to cached search mode ([#16918](https://github.com/goauthentik/authentik/issues/16918) ) * providers/oauth2: add missing exp claim for logout token ([#16593](https://github.com/goauthentik/authentik/issues/16593) ) * providers/oauth2: add ui\_locales support for OIDC ([#17140](https://github.com/goauthentik/authentik/issues/17140) ) * providers/oauth2: allow setting logout method always ([#17470](https://github.com/goauthentik/authentik/issues/17470) ) * providers/oauth2: avoid deadlock during session migration ([#16361](https://github.com/goauthentik/authentik/issues/16361) ) * providers/oauth2: fix authentication error with identical app passwords ([#17100](https://github.com/goauthentik/authentik/issues/17100) ) * providers/oauth2: fix logout token missing sid, fix wrong sub mode used ([#16295](https://github.com/goauthentik/authentik/issues/16295) ) * providers/oauth2: include scope in JWT ([#16454](https://github.com/goauthentik/authentik/issues/16454) ) * providers/oauth2: only issue new refresh token if old one is about to expire ([#16905](https://github.com/goauthentik/authentik/issues/16905) ) * providers/proxy: fix missing postgres import ([#17582](https://github.com/goauthentik/authentik/issues/17582) ) * providers/rac: bump guacd to 1.6 ([#17392](https://github.com/goauthentik/authentik/issues/17392) ) * providers/rac: fix `AuthenticatedSession` migration ([#16400](https://github.com/goauthentik/authentik/issues/16400) ) * providers/rac: remove autobahn import ([#17224](https://github.com/goauthentik/authentik/issues/17224) ) * providers/saml: add frontchannel idp slo, backchannel post idp slo ([#15863](https://github.com/goauthentik/authentik/issues/15863) ) * providers/saml: fix timezone naive warning ([#17382](https://github.com/goauthentik/authentik/issues/17382) ) * providers/scim: add salesforce support ([#16976](https://github.com/goauthentik/authentik/issues/16976) ) * providers/scim: fix string formatting for SCIM user filter ([#16465](https://github.com/goauthentik/authentik/issues/16465) ) * providers/scim: improve error message when object fails to sync ([#16625](https://github.com/goauthentik/authentik/issues/16625) ) * rbac: assign `InitialPermission`s in a middleware ([#16138](https://github.com/goauthentik/authentik/issues/16138) ) * rbac: fix role search fields ([#17305](https://github.com/goauthentik/authentik/issues/17305) ) * rbac: fix typo ([#16476](https://github.com/goauthentik/authentik/issues/16476) ) * rbac: optimize rbac assigned by users query ([#17015](https://github.com/goauthentik/authentik/issues/17015) ) * readme: Remove Docker pulls badge ([#16707](https://github.com/goauthentik/authentik/issues/16707) ) * recovery: Default to 60 minutes ([#16005](https://github.com/goauthentik/authentik/issues/16005) ) * router: fix missing response headers on compressed 404 for static files ([#16216](https://github.com/goauthentik/authentik/issues/16216) ) * sources: add Telegram source ([#15749](https://github.com/goauthentik/authentik/issues/15749) ) * sources/ldap: fix malformed filter error with special characters in group DN ([#16243](https://github.com/goauthentik/authentik/issues/16243) ) * sources/oauth: add support for login support if source was started within a flow executor ([#16982](https://github.com/goauthentik/authentik/issues/16982) ) * sources/oauth: configurable PKCE mode ([#17487](https://github.com/goauthentik/authentik/issues/17487) ) * sources/oauth/entra\_id: do not assume group\_id comes from entra ([#16456](https://github.com/goauthentik/authentik/issues/16456) ) * sources/saml: add default error messages to exceptions ([#15562](https://github.com/goauthentik/authentik/issues/15562) ) * sources/saml: add location selection for Signature node ([#15626](https://github.com/goauthentik/authentik/issues/15626) ) * stages: update friendly\_name model from null to blank ([#16672](https://github.com/goauthentik/authentik/issues/16672) ) * stages/authenticator\_duo: Add test to fix codecov error ([#16257](https://github.com/goauthentik/authentik/issues/16257) ) * stages/authenticator\_duo: return generic error message ([#16194](https://github.com/goauthentik/authentik/issues/16194) ) * stages/email\_authenticator: Fix email mfa loop ([#16579](https://github.com/goauthentik/authentik/issues/16579) ) * stages/identification: fix mismatched error messages ([#17090](https://github.com/goauthentik/authentik/issues/17090) ) * stages/prompt: add ability to set separate labels and values for choices ([#16693](https://github.com/goauthentik/authentik/issues/16693) ) * stages/user\_login: add user to query ([#17171](https://github.com/goauthentik/authentik/issues/17171) ) * stages/user\_write: fix attribute path replacement ([#17507](https://github.com/goauthentik/authentik/issues/17507) ) * tasks: add preprocess, running and postprocess statuses ([#17297](https://github.com/goauthentik/authentik/issues/17297) ) * tasks: add rel\_obj to system task exception event ([#16270](https://github.com/goauthentik/authentik/issues/16270) ) * tasks: add sentry dramatiq integration ([#16167](https://github.com/goauthentik/authentik/issues/16167) ) * tasks: add task status summary ([#17302](https://github.com/goauthentik/authentik/issues/17302) ) * tasks: fix errors found in tests ([#17062](https://github.com/goauthentik/authentik/issues/17062) ) * tasks: fix logger name ([#17009](https://github.com/goauthentik/authentik/issues/17009) ) * tasks: fix status and healthcheck breaking with connection issues ([#16504](https://github.com/goauthentik/authentik/issues/16504) ) * tasks: only set tenant on task creation ([#17358](https://github.com/goauthentik/authentik/issues/17358) ) * tasks: reduce default number of retries and max backoff ([#17107](https://github.com/goauthentik/authentik/issues/17107) ) * tasks: set uid early ([#17356](https://github.com/goauthentik/authentik/issues/17356) ) * tasks: show number of retries and planned execution time ([#17295](https://github.com/goauthentik/authentik/issues/17295) ) * tasks: store messages in separate table ([#17359](https://github.com/goauthentik/authentik/issues/17359) ) * tasks/middlewares/messages: make sure exceptions are always logged ([#17237](https://github.com/goauthentik/authentik/issues/17237) ) * tasks/schedules: fix api search fields ([#16405](https://github.com/goauthentik/authentik/issues/16405) ) * tasks/schedules: upsert instead of update\_or\_create ([#17534](https://github.com/goauthentik/authentik/issues/17534) ) * tests/e2e: fix ldap tests following [#17010](https://github.com/goauthentik/authentik/issues/17010) ([#17021](https://github.com/goauthentik/authentik/issues/17021) ) * tests/e2e: less hardcoded names ([#17047](https://github.com/goauthentik/authentik/issues/17047) ) * tests/e2e: switch chrome for chromium ([#17407](https://github.com/goauthentik/authentik/issues/17407) ) * web: Add disabled radio styles. ([#17026](https://github.com/goauthentik/authentik/issues/17026) ) * web: Additional text field properties, ARIA fixes ([#17115](https://github.com/goauthentik/authentik/issues/17115) ) * web: ak-status-label: add neutral status ([#16064](https://github.com/goauthentik/authentik/issues/16064) ) * web: Apply consistent background color when input is disabled or readonly. ([#17105](https://github.com/goauthentik/authentik/issues/17105) ) * web: Automatic reload during server start up. ([#16030](https://github.com/goauthentik/authentik/issues/16030) ) * web: Clean up render interfaces. ([#16031](https://github.com/goauthentik/authentik/issues/16031) ) * web: Do not mark Attributes as a mandatory field ([#16004](https://github.com/goauthentik/authentik/issues/16004) ) * web: Docker versioning compatibility ([#16139](https://github.com/goauthentik/authentik/issues/16139) ) * web: fix "Explore integrations" link in Quick actions ([#16274](https://github.com/goauthentik/authentik/issues/16274) ) * web: Fix ak-flow-card footer alignment. ([#16236](https://github.com/goauthentik/authentik/issues/16236) ) * web: Fix avatar image load flash. ([#17220](https://github.com/goauthentik/authentik/issues/17220) ) * web: Fix behavior for modals configured with closeAfterSuccessfulSubmit ([#17277](https://github.com/goauthentik/authentik/issues/17277) ) * web: Fix card alignment, slotting, labeling ([#17307](https://github.com/goauthentik/authentik/issues/17307) ) * web: Fix default RADIUS EAP-TLS cert without license. ([#17152](https://github.com/goauthentik/authentik/issues/17152) ) * web: Fix docs links, a11y input descriptors ([#16671](https://github.com/goauthentik/authentik/issues/16671) ) * web: Fix flow autofocus element targeting. ([#17255](https://github.com/goauthentik/authentik/issues/17255) ) * web: Fix flow view title setter. ([#17245](https://github.com/goauthentik/authentik/issues/17245) ) * web: Fix hidden textarea `required` attribute. ([#16168](https://github.com/goauthentik/authentik/issues/16168) ) * web: Fix issue where clicking a list item scrolls container. ([#16174](https://github.com/goauthentik/authentik/issues/16174) ) * web: Fix issue where form group uses unknown slot. ([#16276](https://github.com/goauthentik/authentik/issues/16276) ) * web: Fix layout class for 'row' in LibraryPage ([#16752](https://github.com/goauthentik/authentik/issues/16752) ) * web: Fix low DPI on QR Codes. ([#17251](https://github.com/goauthentik/authentik/issues/17251) ) * web: Fix native icon colors when using dark theme. ([#17118](https://github.com/goauthentik/authentik/issues/17118) ) * web: Fix nested table column span behavior. ([#17177](https://github.com/goauthentik/authentik/issues/17177) ) * web: Fix numeric values in search select inputs, search input fixes ([#16928](https://github.com/goauthentik/authentik/issues/16928) ) * web: Fix Recent Events toolbar height. ([#17172](https://github.com/goauthentik/authentik/issues/17172) ) * web: Fix reported error precedence ([#16231](https://github.com/goauthentik/authentik/issues/16231) ) * web: Fix skip-to-content element target, order. ([#17030](https://github.com/goauthentik/authentik/issues/17030) ) * web: Fix tab theme consistency, table overflow. ([#17222](https://github.com/goauthentik/authentik/issues/17222) ) * web: Fix table child alignment ([#17114](https://github.com/goauthentik/authentik/issues/17114) ) * web: Fix table column updates, template parsing ([#17254](https://github.com/goauthentik/authentik/issues/17254) ) * web: Fixed null lastUsed and autofocus on TOTP login field ([#16739](https://github.com/goauthentik/authentik/issues/16739) ) * web: Flow fixes -- Captchas, form states, compatibility mode. ([#17226](https://github.com/goauthentik/authentik/issues/17226) ) * web: Flush logs on SIGINT. ([#16723](https://github.com/goauthentik/authentik/issues/16723) ) * web: Ignore spellchecking of Playwright output. ([#16862](https://github.com/goauthentik/authentik/issues/16862) ) * web: Improvements to ReCaptcha resizing ([#16171](https://github.com/goauthentik/authentik/issues/16171) ) * web: Minimal mobile flow ([#17280](https://github.com/goauthentik/authentik/issues/17280) ) * web: Minimal mobile flow, revisions ([#17310](https://github.com/goauthentik/authentik/issues/17310) ) * web: Remove brand column. ([#17173](https://github.com/goauthentik/authentik/issues/17173) ) * web: Remove CSS constructor polyfill. ([#16920](https://github.com/goauthentik/authentik/issues/16920) ) * web: Remove deprecated `node:path` polyfill. ([#16702](https://github.com/goauthentik/authentik/issues/16702) ) * web: Replace Github Slugger package with change-case. ([#16921](https://github.com/goauthentik/authentik/issues/16921) ) * web: Report unregistered elements. ([#17025](https://github.com/goauthentik/authentik/issues/17025) ) * web: Responsive toolbar flow ([#17278](https://github.com/goauthentik/authentik/issues/17278) ) * web: revert bump the swc group across 1 directory with 11 updates ([#17113](https://github.com/goauthentik/authentik/issues/17113) ) * web: revise ak-page-navbar to use standard event handlers ([#16898](https://github.com/goauthentik/authentik/issues/16898) ) * web: saml provider view: fix state refresh issues ([#14474](https://github.com/goauthentik/authentik/issues/14474) ) * web: Table refresh timestamp. ([#17145](https://github.com/goauthentik/authentik/issues/17145) ) * web: Use curated dictionary for e2e fixtures. ([#16750](https://github.com/goauthentik/authentik/issues/16750) ) * web: Use embedded layout. ([#16481](https://github.com/goauthentik/authentik/issues/16481) ) * web: Use Pino console logger, reduce live reload noise. ([#16703](https://github.com/goauthentik/authentik/issues/16703) ) * web: User library UI fixes ([#17376](https://github.com/goauthentik/authentik/issues/17376) ) * web: Username truncation, field alignment. ([#16283](https://github.com/goauthentik/authentik/issues/16283) ) * web/a11y: Accessible scrollbars. ([#17253](https://github.com/goauthentik/authentik/issues/17253) ) * web/a11y: Admin overview regions. ([#17170](https://github.com/goauthentik/authentik/issues/17170) ) * web/a11y: Associating labels with inputs ([#16119](https://github.com/goauthentik/authentik/issues/16119) ) * web/a11y: Brand form ([#16011](https://github.com/goauthentik/authentik/issues/16011) ) * web/a11y: Codemirror ([#16010](https://github.com/goauthentik/authentik/issues/16010) ) * web/a11y: File Inputs ([#16038](https://github.com/goauthentik/authentik/issues/16038) ) * web/a11y: Fix "skip to content" target. ([#17510](https://github.com/goauthentik/authentik/issues/17510) ) * web/a11y: Fix dark theme color contrast ([#17144](https://github.com/goauthentik/authentik/issues/17144) ) * web/a11y: Fix missing screen reader class on fieldset legends. ([#17298](https://github.com/goauthentik/authentik/issues/17298) ) * web/a11y: Flow inspector. ([#17271](https://github.com/goauthentik/authentik/issues/17271) ) * web/a11y: Flow Search ([#15876](https://github.com/goauthentik/authentik/issues/15876) ) * web/a11y: Flow Stages ([#17273](https://github.com/goauthentik/authentik/issues/17273) ) * web/a11y: Notifications drawer ([#17031](https://github.com/goauthentik/authentik/issues/17031) ) * web/a11y: QL Search Input ([#16198](https://github.com/goauthentik/authentik/issues/16198) ) * web/a11y: Status label ([#17148](https://github.com/goauthentik/authentik/issues/17148) ) * web/a11y: Table header -- Fix pagination jitter, prepare alignment ([#17116](https://github.com/goauthentik/authentik/issues/17116) ) * web/a11y: Table header -- Search input ([#17117](https://github.com/goauthentik/authentik/issues/17117) ) * web/a11y: Tables -- labels, input handlers, selection and expanded state ([#16207](https://github.com/goauthentik/authentik/issues/16207) ) * web/a11y: Text Input ([#16041](https://github.com/goauthentik/authentik/issues/16041) ) * web/a11y: Tree view ([#17147](https://github.com/goauthentik/authentik/issues/17147) ) * web/a11y: User library ([#17311](https://github.com/goauthentik/authentik/issues/17311) ) * web/a11y: User settings flow. ([#17219](https://github.com/goauthentik/authentik/issues/17219) ) * web/admin: Add link to the docs in the import flow dialog ([#17436](https://github.com/goauthentik/authentik/issues/17436) ) * web/admin: allow blank value for User path template in User Write Stage ([#16347](https://github.com/goauthentik/authentik/issues/16347) ) * web/admin: Fix disappearing "Create" button in service account modal ([#16963](https://github.com/goauthentik/authentik/issues/16963) ) * web/admin: fix federation sources automatically selected ([#17069](https://github.com/goauthentik/authentik/issues/17069) ) * web/admin: fix incorrect placeholder for scim provider ([#17308](https://github.com/goauthentik/authentik/issues/17308) ) * web/admin: fix settings saving ([#16184](https://github.com/goauthentik/authentik/issues/16184) ) * web/admin: providers/rac: improve host field hint ([#16443](https://github.com/goauthentik/authentik/issues/16443) ) * web/admin: remove maxlength on user display name ([#17412](https://github.com/goauthentik/authentik/issues/17412) ) * web/admin: rework task status summary ([#17337](https://github.com/goauthentik/authentik/issues/17337) ) * web/e2e: Playwright end-to-end test runner ([#16014](https://github.com/goauthentik/authentik/issues/16014) ) * web/e2e: User creation ([#17149](https://github.com/goauthentik/authentik/issues/17149) ) * web/flow: small layout fixes ([#17551](https://github.com/goauthentik/authentik/issues/17551) ) * web/flows: fix card alignment ([#17332](https://github.com/goauthentik/authentik/issues/17332) ) * web/flows: only disable login button when interactive captcha is configured and not loaded ([#16586](https://github.com/goauthentik/authentik/issues/16586) ) * web/flows: update default flow background ([#17315](https://github.com/goauthentik/authentik/issues/17315) ) * web/maintenance: typo in icon class ([#16371](https://github.com/goauthentik/authentik/issues/16371) ) Fixed in 2025.10.1[​](https://docs.goauthentik.io/releases/2025.10/#fixed-in-2025101 "Direct link to Fixed in 2025.10.1") -------------------------------------------------------------------------------------------------------------------------- * internal: fix Go deprecation for +build (cherry-pick [#17806](https://github.com/goauthentik/authentik/issues/17806) to version-2025.10) ([#17824](https://github.com/goauthentik/authentik/issues/17824) ) * internal: full openssl path (cherry-pick [#17856](https://github.com/goauthentik/authentik/issues/17856) to version-2025.10) ([#17860](https://github.com/goauthentik/authentik/issues/17860) ) * internal/web/proxy: fix return status code during startup (cherry-pick [#17827](https://github.com/goauthentik/authentik/issues/17827) to version-2025.10) ([#17832](https://github.com/goauthentik/authentik/issues/17832) ) * outpost: revert breaking signals change (cherry-pick [#17847](https://github.com/goauthentik/authentik/issues/17847) to version-2025.10) ([#17848](https://github.com/goauthentik/authentik/issues/17848) ) * outposts: update permissions more eagerly (cherry-pick [#17783](https://github.com/goauthentik/authentik/issues/17783) to version-2025.10) ([#17841](https://github.com/goauthentik/authentik/issues/17841) ) * packages/django-postgres-cache: use upsert instead of select/update in a transaction (cherry-pick [#17760](https://github.com/goauthentik/authentik/issues/17760) to version-2025.10) ([#17767](https://github.com/goauthentik/authentik/issues/17767) ) * providers/oauth2: fix kid always required for federation (cherry-pick [#17914](https://github.com/goauthentik/authentik/issues/17914) to version-2025.10) ([#17917](https://github.com/goauthentik/authentik/issues/17917) ) * providers/oauth2: move encryption key field (cherry-pick [#17722](https://github.com/goauthentik/authentik/issues/17722) to version-2025.10) ([#17729](https://github.com/goauthentik/authentik/issues/17729) ) * providers/proxy: fix missing JWT/claims header (cherry-pick [#17759](https://github.com/goauthentik/authentik/issues/17759) to version-2025.10) ([#17764](https://github.com/goauthentik/authentik/issues/17764) ) * providers/radius: fix inverted message authenticator validation (cherry-pick [#17855](https://github.com/goauthentik/authentik/issues/17855) to version-2025.10) ([#17888](https://github.com/goauthentik/authentik/issues/17888) ) * providers/radius: fix panic when no cert is configured (cherry-pick [#17762](https://github.com/goauthentik/authentik/issues/17762) to version-2025.10) ([#17766](https://github.com/goauthentik/authentik/issues/17766) ) * providers/radius: revert fix inverted message authenticator validation ([#17855](https://github.com/goauthentik/authentik/issues/17855) ) (cherry-pick [#17915](https://github.com/goauthentik/authentik/issues/17915) to version-2025.10) ([#17916](https://github.com/goauthentik/authentik/issues/17916) ) * root: Add Dockerfile label org.opencontainers.image.source (cherry-pick [#17756](https://github.com/goauthentik/authentik/issues/17756) to version-2025.10) ([#17757](https://github.com/goauthentik/authentik/issues/17757) ) * root: use hashes for dockerfile FROM (cherry-pick [#17795](https://github.com/goauthentik/authentik/issues/17795) to version-2025.10) ([#17798](https://github.com/goauthentik/authentik/issues/17798) ) * sources/oauth: Make PKCE verifier 128 characters (cherry-pick [#17763](https://github.com/goauthentik/authentik/issues/17763) to version-2025.10) ([#17765](https://github.com/goauthentik/authentik/issues/17765) ) * tasks: delay startup signals (cherry-pick [#17769](https://github.com/goauthentik/authentik/issues/17769) to version-2025.10) ([#17775](https://github.com/goauthentik/authentik/issues/17775) ) * tasks: sanitize log attributes (cherry-pick [#17833](https://github.com/goauthentik/authentik/issues/17833) to version-2025.10) ([#17842](https://github.com/goauthentik/authentik/issues/17842) ) * web: Consistent Tab Panel URL Parameters (cherry-pick [#17804](https://github.com/goauthentik/authentik/issues/17804) to version-2025.10) ([#17859](https://github.com/goauthentik/authentik/issues/17859) ) * web/a11y: User library -- fix issues surrounding element focus, ARIA labeling. (cherry-pick [#17522](https://github.com/goauthentik/authentik/issues/17522) to version-2025.10) ([#17828](https://github.com/goauthentik/authentik/issues/17828) ) * web/admin: fix SCIM provider form (cherry-pick [#17831](https://github.com/goauthentik/authentik/issues/17831) to version-2025.10) ([#17834](https://github.com/goauthentik/authentik/issues/17834) ) Fixed in 2025.10.2[​](https://docs.goauthentik.io/releases/2025.10/#fixed-in-2025102 "Direct link to Fixed in 2025.10.2") -------------------------------------------------------------------------------------------------------------------------- * brands: add more matching tests (cherry-pick [#16185](https://github.com/goauthentik/authentik/issues/16185) to version-2025.10) ([#17924](https://github.com/goauthentik/authentik/issues/17924) ) * brands: sort matched brand by match length (cherry-pick [#17920](https://github.com/goauthentik/authentik/issues/17920) to version-2025.10) ([#17935](https://github.com/goauthentik/authentik/issues/17935) ) * cmd/server/healthcheck: remove worker HTTP healthcheck (cherry-pick [#18090](https://github.com/goauthentik/authentik/issues/18090) to version-2025.10) ([#18091](https://github.com/goauthentik/authentik/issues/18091) ) * core: bump django from 5.2.7 to 5.2.8 (cherry-pick [#17967](https://github.com/goauthentik/authentik/issues/17967) to version-2025.10) ([#18003](https://github.com/goauthentik/authentik/issues/18003) ) * core: improve app launch URL formatting (cherry-pick [#18076](https://github.com/goauthentik/authentik/issues/18076) to version-2025.10) ([#18087](https://github.com/goauthentik/authentik/issues/18087) ) * events: fix timezone not set for log events (cherry-pick [#18067](https://github.com/goauthentik/authentik/issues/18067) to version-2025.10) ([#18071](https://github.com/goauthentik/authentik/issues/18071) ) * internal: Automated internal backport: 1487-invitation-expiry.sec.patch to authentik-2025.10 ([#18258](https://github.com/goauthentik/authentik/issues/18258) ) * internal: Automated internal backport: 1498-oauth2-cc-user-active.sec.patch to authentik-2025.10 ([#18259](https://github.com/goauthentik/authentik/issues/18259) ) * internal: Automated internal backport: 5000-sidebar.sec.patch to authentik-2025.10 ([#18260](https://github.com/goauthentik/authentik/issues/18260) ) * packages/django-channels-postgres/layer: fix query when subscribed to multiple channels (cherry-pick [#18152](https://github.com/goauthentik/authentik/issues/18152) to version-2025.10) ([#18153](https://github.com/goauthentik/authentik/issues/18153) ) * packages/django-dramatiq-postgres: broker: ensure locking happens with the same connection (cherry-pick [#18095](https://github.com/goauthentik/authentik/issues/18095) to version-2025.10) ([#18119](https://github.com/goauthentik/authentik/issues/18119) ) * providers/scim: allow custom schema data (cherry-pick [#18073](https://github.com/goauthentik/authentik/issues/18073) to version-2025.10) ([#18075](https://github.com/goauthentik/authentik/issues/18075) ) * stages/prompt: fix choices with labels causing error on submit (cherry-pick [#18183](https://github.com/goauthentik/authentik/issues/18183) to version-2025.10) ([#18236](https://github.com/goauthentik/authentik/issues/18236) ) * tasks/schedules: fix rel obj not being associated or updated (cherry-pick [#17934](https://github.com/goauthentik/authentik/issues/17934) to version-2025.10) ([#17936](https://github.com/goauthentik/authentik/issues/17936) ) * web: Disable library `` on Firefox. (cherry-pick [#18103](https://github.com/goauthentik/authentik/issues/18103) to version-2025.10) ([#18135](https://github.com/goauthentik/authentik/issues/18135) ) * web: Fix RAC modal visibility. (cherry-pick [#17941](https://github.com/goauthentik/authentik/issues/17941) to version-2025.10) ([#18097](https://github.com/goauthentik/authentik/issues/18097) ) * web: Fix tab activation, blank provider URLs (cherry-pick [#18031](https://github.com/goauthentik/authentik/issues/18031) to version-2025.10) ([#18101](https://github.com/goauthentik/authentik/issues/18101) ) * web/admin: link to user on invitation list page (cherry-pick [#18132](https://github.com/goauthentik/authentik/issues/18132) to version-2025.10) ([#18134](https://github.com/goauthentik/authentik/issues/18134) ) * web/flows: improvements for hCaptcha (cherry-pick [#16882](https://github.com/goauthentik/authentik/issues/16882) to version-2025.10) ([#18128](https://github.com/goauthentik/authentik/issues/18128) ) * web/sfe: downgrade bootstrap that was accidentally upgraded (cherry-pick [#18157](https://github.com/goauthentik/authentik/issues/18157) to version-2025.10) ([#18171](https://github.com/goauthentik/authentik/issues/18171) ) Fixed in 2025.10.3[​](https://docs.goauthentik.io/releases/2025.10/#fixed-in-2025103 "Direct link to Fixed in 2025.10.3") -------------------------------------------------------------------------------------------------------------------------- * core: list applications fix (cherry-pick [#18798](https://github.com/goauthentik/authentik/issues/18798) to version-2025.10) ([#18827](https://github.com/goauthentik/authentik/issues/18827) ) * core: optimize list applications (cherry-pick [#18330](https://github.com/goauthentik/authentik/issues/18330) to version-2025.10) ([#18791](https://github.com/goauthentik/authentik/issues/18791) ) * enterprise/stages/mtls: fix traefik certificate parsing (cherry-pick [#18607](https://github.com/goauthentik/authentik/issues/18607) to version-2025.10) ([#18645](https://github.com/goauthentik/authentik/issues/18645) ) * flows: refresh unauthenticated tabs (cherry-pick [#18621](https://github.com/goauthentik/authentik/issues/18621) to version-2025.10) ([#18633](https://github.com/goauthentik/authentik/issues/18633) ) * lib/sync/outgoing: check if there is a provider before creating tasks (cherry-pick [#18394](https://github.com/goauthentik/authentik/issues/18394) to version-2025.10) ([#18397](https://github.com/goauthentik/authentik/issues/18397) ) * outpost/proxyv2: more tests, fix pg password with spaces, and existing session on restart (cherry-pick [#18211](https://github.com/goauthentik/authentik/issues/18211) to version-2025.10) ([#18742](https://github.com/goauthentik/authentik/issues/18742) ) * outposts: set container healthcheck inline (cherry-pick [#18298](https://github.com/goauthentik/authentik/issues/18298) to version-2025.10) ([#18370](https://github.com/goauthentik/authentik/issues/18370) ) * packages/django-channels-postgres: fix notify size check (cherry-pick [#18347](https://github.com/goauthentik/authentik/issues/18347) to version-2025.10) ([#18409](https://github.com/goauthentik/authentik/issues/18409) ) * packages/django-dramatiq-postgres: broker: close django connections on consumer close (cherry-pick [#18833](https://github.com/goauthentik/authentik/issues/18833) to version-2025.10) ([#18835](https://github.com/goauthentik/authentik/issues/18835) ) * providers/scim: compare users/groups before sending update request (cherry-pick [#18456](https://github.com/goauthentik/authentik/issues/18456) to version-2025.10) ([#18465](https://github.com/goauthentik/authentik/issues/18465) ) * root: fix missing authentik\_device cookie causing error (cherry-pick [#18642](https://github.com/goauthentik/authentik/issues/18642) to version-2025.10) ([#18644](https://github.com/goauthentik/authentik/issues/18644) ) * root: skip current tab when refreshing others (cherry-pick [#18674](https://github.com/goauthentik/authentik/issues/18674) to version-2025.10) ([#18675](https://github.com/goauthentik/authentik/issues/18675) ) * sources/ldap: make server info optional (cherry-pick [#18648](https://github.com/goauthentik/authentik/issues/18648) to version-2025.10) ([#18654](https://github.com/goauthentik/authentik/issues/18654) ) * stages/prompt: set allow\_blank for \_read\_only fields (cherry-pick [#18297](https://github.com/goauthentik/authentik/issues/18297) to version-2025.10) ([#18406](https://github.com/goauthentik/authentik/issues/18406) ) * web: Fix row expansion on modal trigger buttons. (cherry-pick [#18412](https://github.com/goauthentik/authentik/issues/18412) to version-2025.10) ([#18647](https://github.com/goauthentik/authentik/issues/18647) ) * web: Fix stale table rows (cherry-pick [#17940](https://github.com/goauthentik/authentik/issues/17940) to version-2025.10) ([#18373](https://github.com/goauthentik/authentik/issues/18373) ) * web: Fix stale table rows (cherry-pick [#17940](https://github.com/goauthentik/authentik/issues/17940) to version-2025.10) ([#18408](https://github.com/goauthentik/authentik/issues/18408) ) * web: Hide device picker when challenges are not present. (cherry-pick [#18611](https://github.com/goauthentik/authentik/issues/18611) to version-2025.10) ([#18681](https://github.com/goauthentik/authentik/issues/18681) ) * web: Improved table selection behavior (cherry-pick [#18622](https://github.com/goauthentik/authentik/issues/18622) to version-2025.10) ([#18685](https://github.com/goauthentik/authentik/issues/18685) ) * web: revert Fix stale table rows (cherry-pick [#17940](https://github.com/goauthentik/authentik/issues/17940) to version-2025.10) ([#18407](https://github.com/goauthentik/authentik/issues/18407) ) * web/admin: add entitlement search (cherry-pick [#18291](https://github.com/goauthentik/authentik/issues/18291) to version-2025.10) ([#18390](https://github.com/goauthentik/authentik/issues/18390) ) * web/admin: fix brands default switch label (cherry-pick [#18518](https://github.com/goauthentik/authentik/issues/18518) to version-2025.10) ([#18522](https://github.com/goauthentik/authentik/issues/18522) ) * web/admin: fix event volume chart not updating with query (cherry-pick [#18649](https://github.com/goauthentik/authentik/issues/18649) to version-2025.10) ([#18653](https://github.com/goauthentik/authentik/issues/18653) ) * web/admin: fix wording in password stage (cherry-pick [#18393](https://github.com/goauthentik/authentik/issues/18393) to version-2025.10) ([#18395](https://github.com/goauthentik/authentik/issues/18395) ) * web/admin: fixes capitalization in application wizard title (cherry-pick [#17959](https://github.com/goauthentik/authentik/issues/17959) to version-2025.10) ([#17962](https://github.com/goauthentik/authentik/issues/17962) ) API Changes[​](https://docs.goauthentik.io/releases/2025.10/#api-changes "Direct link to API Changes") ------------------------------------------------------------------------------------------------------- #### What's Changed[​](https://docs.goauthentik.io/releases/2025.10/#whats-changed "Direct link to What's Changed") * * * ##### `GET` /providers/google\_workspace/{id}/[​](https://docs.goauthentik.io/releases/2025.10/#get-providersgoogle_workspaceid "Direct link to get-providersgoogle_workspaceid") ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.10/#return-type "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ##### `PUT` /providers/google\_workspace/{id}/[​](https://docs.goauthentik.io/releases/2025.10/#put-providersgoogle_workspaceid "Direct link to put-providersgoogle_workspaceid") ###### Request:[​](https://docs.goauthentik.io/releases/2025.10/#request "Direct link to Request:") Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.10/#return-type-1 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ##### `PATCH` /providers/google\_workspace/{id}/[​](https://docs.goauthentik.io/releases/2025.10/#patch-providersgoogle_workspaceid "Direct link to patch-providersgoogle_workspaceid") ###### Request:[​](https://docs.goauthentik.io/releases/2025.10/#request-1 "Direct link to Request:") Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.10/#return-type-2 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ##### `GET` /providers/microsoft\_entra/{id}/[​](https://docs.goauthentik.io/releases/2025.10/#get-providersmicrosoft_entraid "Direct link to get-providersmicrosoft_entraid") ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.10/#return-type-3 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ##### `PUT` /providers/microsoft\_entra/{id}/[​](https://docs.goauthentik.io/releases/2025.10/#put-providersmicrosoft_entraid "Direct link to put-providersmicrosoft_entraid") ###### Request:[​](https://docs.goauthentik.io/releases/2025.10/#request-2 "Direct link to Request:") Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.10/#return-type-4 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ##### `PATCH` /providers/microsoft\_entra/{id}/[​](https://docs.goauthentik.io/releases/2025.10/#patch-providersmicrosoft_entraid "Direct link to patch-providersmicrosoft_entraid") ###### Request:[​](https://docs.goauthentik.io/releases/2025.10/#request-3 "Direct link to Request:") Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.10/#return-type-5 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ##### `GET` /providers/scim/{id}/[​](https://docs.goauthentik.io/releases/2025.10/#get-providersscimid "Direct link to get-providersscimid") ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.10/#return-type-6 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ##### `PUT` /providers/scim/{id}/[​](https://docs.goauthentik.io/releases/2025.10/#put-providersscimid "Direct link to put-providersscimid") ###### Request:[​](https://docs.goauthentik.io/releases/2025.10/#request-4 "Direct link to Request:") Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.10/#return-type-7 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ##### `PATCH` /providers/scim/{id}/[​](https://docs.goauthentik.io/releases/2025.10/#patch-providersscimid "Direct link to patch-providersscimid") ###### Request:[​](https://docs.goauthentik.io/releases/2025.10/#request-5 "Direct link to Request:") Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.10/#return-type-8 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ##### `POST` /providers/google\_workspace/[​](https://docs.goauthentik.io/releases/2025.10/#post-providersgoogle_workspace "Direct link to post-providersgoogle_workspace") ###### Request:[​](https://docs.goauthentik.io/releases/2025.10/#request-6 "Direct link to Request:") Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.10/#return-type-9 "Direct link to Return Type:") Changed response : **201 Created** * Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ##### `GET` /providers/google\_workspace/[​](https://docs.goauthentik.io/releases/2025.10/#get-providersgoogle_workspace "Direct link to get-providersgoogle_workspace") ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.10/#return-type-10 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Changed property `results` (array) Changed items (object): > GoogleWorkspaceProvider Serializer * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ##### `POST` /providers/microsoft\_entra/[​](https://docs.goauthentik.io/releases/2025.10/#post-providersmicrosoft_entra "Direct link to post-providersmicrosoft_entra") ###### Request:[​](https://docs.goauthentik.io/releases/2025.10/#request-7 "Direct link to Request:") Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.10/#return-type-11 "Direct link to Return Type:") Changed response : **201 Created** * Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ##### `GET` /providers/microsoft\_entra/[​](https://docs.goauthentik.io/releases/2025.10/#get-providersmicrosoft_entra "Direct link to get-providersmicrosoft_entra") ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.10/#return-type-12 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Changed property `results` (array) Changed items (object): > MicrosoftEntraProvider Serializer * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ##### `POST` /providers/scim/[​](https://docs.goauthentik.io/releases/2025.10/#post-providersscim "Direct link to post-providersscim") ###### Request:[​](https://docs.goauthentik.io/releases/2025.10/#request-8 "Direct link to Request:") Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.10/#return-type-13 "Direct link to Return Type:") Changed response : **201 Created** * Changed content type : `application/json` * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ##### `GET` /providers/scim/[​](https://docs.goauthentik.io/releases/2025.10/#get-providersscim "Direct link to get-providersscim") ###### Return Type:[​](https://docs.goauthentik.io/releases/2025.10/#return-type-14 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Changed property `results` (array) Changed items (object): > SCIMProvider Serializer * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page ##### `PUT` /core/transactional/applications/[​](https://docs.goauthentik.io/releases/2025.10/#put-coretransactionalapplications "Direct link to put-coretransactionalapplications") ###### Request:[​](https://docs.goauthentik.io/releases/2025.10/#request-9 "Direct link to Request:") Changed content type : `application/json` * Changed property `provider` (object) Updated `authentik_providers_microsoft_entra.microsoftentraprovider` provider\_model: * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page Updated `authentik_providers_google_workspace.googleworkspaceprovider` provider\_model: * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page Updated `authentik_providers_scim.scimprovider` provider\_model: * Added property `sync_page_size` (integer) > Controls the number of objects synced in a single task * Added property `sync_page_timeout` (string) > Timeout for synchronization of a single page * [Highlights](https://docs.goauthentik.io/releases/2025.10/#highlights) * [Breaking changes](https://docs.goauthentik.io/releases/2025.10/#breaking-changes) * [Redis removal](https://docs.goauthentik.io/releases/2025.10/#redis-removal) * [Default OAuth scope mappings](https://docs.goauthentik.io/releases/2025.10/#default-oauth-scope-mappings) * [New features and improvements](https://docs.goauthentik.io/releases/2025.10/#new-features-and-improvements) * [SCIM provider OAuth support](https://docs.goauthentik.io/releases/2025.10/#scim-provider-oauth-support-) * [RADIUS EAP-TLS support](https://docs.goauthentik.io/releases/2025.10/#radius-eap-tls-support-) * [SAML and OAuth2 provider Single Logout support](https://docs.goauthentik.io/releases/2025.10/#saml-and-oauth2-provider-single-logout-support) * [Telegram source](https://docs.goauthentik.io/releases/2025.10/#telegram-source) * [Refined flow and user library](https://docs.goauthentik.io/releases/2025.10/#refined-flow-and-user-library) * [Additional noteworthy improvements](https://docs.goauthentik.io/releases/2025.10/#additional-noteworthy-improvements) * [New integration guides](https://docs.goauthentik.io/releases/2025.10/#new-integration-guides) * [Upgrading](https://docs.goauthentik.io/releases/2025.10/#upgrading) * [Docker Compose](https://docs.goauthentik.io/releases/2025.10/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2025.10/#kubernetes) * [Minor changes/fixes](https://docs.goauthentik.io/releases/2025.10/#minor-changesfixes) * [Fixed in 2025.10.1](https://docs.goauthentik.io/releases/2025.10/#fixed-in-2025101) * [Fixed in 2025.10.2](https://docs.goauthentik.io/releases/2025.10/#fixed-in-2025102) * [Fixed in 2025.10.3](https://docs.goauthentik.io/releases/2025.10/#fixed-in-2025103) * [API Changes](https://docs.goauthentik.io/releases/2025.10/#api-changes) --- # CVE-2024-47070 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2024-47070/#__docusaurus_skipToContent_fallback) On this page _Reported by [@efpi-bot](https://github.com/efpi-bot) from [LogicalTrust](https://logicaltrust.net/en/) _ Password authentication bypass via X-Forwarded-For HTTP header[​](https://docs.goauthentik.io/security/cves/CVE-2024-47070/#password-authentication-bypass-via-x-forwarded-for-http-header "Direct link to Password authentication bypass via X-Forwarded-For HTTP header") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Summary[​](https://docs.goauthentik.io/security/cves/CVE-2024-47070/#summary "Direct link to Summary") The vulnerability allows bypassing policies by adding X-Forwarded-For header with unparsable IP address, e.g. "a". This results in a possibility to authenticate/authorize to any account with known login or email address. Since the default authentication flow uses a policy to enable the password stage only when there is no password stage selected on the Identification stage, this vulnerability can be used to skip this policy and continue without the password stage. ### Am I affected[​](https://docs.goauthentik.io/security/cves/CVE-2024-47070/#am-i-affected "Direct link to Am I affected") This can be exploited for the following configurations: * An attacker can access authentik without a reverse proxy (and `AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS` is not configured properly) * The reverse proxy configuration does not correctly overwrite X-Forwarded-For * Policies (User and group bindings do _not_ apply) are bound to authentication/authorization flows ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2024-47070/#patches "Direct link to Patches") authentik 2024.6.5 and 2024.8.3 fix this issue. ### Workarounds[​](https://docs.goauthentik.io/security/cves/CVE-2024-47070/#workarounds "Direct link to Workarounds") Ensure the X-Forwarded-For header is always set by the reverse proxy, and is always set to a correct IP. In addition you can manually change the _Failure result_ option on policy bindings to _Pass_, which will prevent any stages from being skipped if a malicious request is received. ### For more information[​](https://docs.goauthentik.io/security/cves/CVE-2024-47070/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#0c7f696f797e6578754c6b636d7978646962786567226563) * [Password authentication bypass via X-Forwarded-For HTTP header](https://docs.goauthentik.io/security/cves/CVE-2024-47070/#password-authentication-bypass-via-x-forwarded-for-http-header) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2024-47070/#summary) * [Am I affected](https://docs.goauthentik.io/security/cves/CVE-2024-47070/#am-i-affected) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2024-47070/#patches) * [Workarounds](https://docs.goauthentik.io/security/cves/CVE-2024-47070/#workarounds) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2024-47070/#for-more-information) --- # CVE-2024-38371 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2024-38371/#__docusaurus_skipToContent_fallback) On this page _Reported by Stefan Zwanenburg_ Insufficient access control for OAuth2 Device Code flow[​](https://docs.goauthentik.io/security/cves/CVE-2024-38371/#insufficient-access-control-for-oauth2-device-code-flow "Direct link to Insufficient access control for OAuth2 Device Code flow") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Impact[​](https://docs.goauthentik.io/security/cves/CVE-2024-38371/#impact "Direct link to Impact") Due to a bug, access restrictions assigned to an application were not checked when using the OAuth2 Device code flow. This could potentially allow users without the correct authorization to get OAuth tokens for an application, and access the application. ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2024-38371/#patches "Direct link to Patches") authentik 2024.6.0, 2024.4.3 and 2024.2.4 fix this issue, for other versions the workaround can be used. ### Workarounds[​](https://docs.goauthentik.io/security/cves/CVE-2024-38371/#workarounds "Direct link to Workarounds") As authentik flows are still used as part of the OAuth2 Device code flow, it is possible to add access control to the configured flows. ### For more information[​](https://docs.goauthentik.io/security/cves/CVE-2024-38371/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#a7d4c2c4d2d5ced3dee7c0c8c6d2d3cfc2c9d3cecc89cec8) * [Insufficient access control for OAuth2 Device Code flow](https://docs.goauthentik.io/security/cves/CVE-2024-38371/#insufficient-access-control-for-oauth2-device-code-flow) * [Impact](https://docs.goauthentik.io/security/cves/CVE-2024-38371/#impact) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2024-38371/#patches) * [Workarounds](https://docs.goauthentik.io/security/cves/CVE-2024-38371/#workarounds) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2024-38371/#for-more-information) --- # CVE-2025-64708 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2025-64708/#__docusaurus_skipToContent_fallback) On this page _Reported by [@melizeche](https://github.com/melizeche) _ Invitation expiry is delayed by at least 5 minutes[​](https://docs.goauthentik.io/security/cves/CVE-2025-64708/#invitation-expiry-is-delayed-by-at-least-5-minutes "Direct link to Invitation expiry is delayed by at least 5 minutes") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Summary[​](https://docs.goauthentik.io/security/cves/CVE-2025-64708/#summary "Direct link to Summary") In previous authentik versions, invitations were considered valid regardless if they are expired or not, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is scheduled to run every 5 minutes. However, with a large amount of tasks in the backlog, this might take longer. ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2025-64708/#patches "Direct link to Patches") authentik 2025.8.5 and 2025.10.2 fix this issue; for other versions the workaround below can be used. ### Workarounds[​](https://docs.goauthentik.io/security/cves/CVE-2025-64708/#workarounds "Direct link to Workarounds") You can create a policy that explicitly checks whether the invitation is still valid, and then bind it to the invitation stage on your invitation flow, and deny access if the invitation is not valid. return not context['flow_plan'].context['invitation'].is_expired ### For more information[​](https://docs.goauthentik.io/security/cves/CVE-2025-64708/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#1467717761667d606d54737b7561607c717a607d7f3a7d7b) . * [Invitation expiry is delayed by at least 5 minutes](https://docs.goauthentik.io/security/cves/CVE-2025-64708/#invitation-expiry-is-delayed-by-at-least-5-minutes) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2025-64708/#summary) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2025-64708/#patches) * [Workarounds](https://docs.goauthentik.io/security/cves/CVE-2025-64708/#workarounds) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2025-64708/#for-more-information) --- # CVE-2025-64521 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2025-64521/#__docusaurus_skipToContent_fallback) On this page Deactivated service account can authenticate to OAuth[​](https://docs.goauthentik.io/security/cves/CVE-2025-64521/#deactivated-service-account-can-authenticate-to-oauth "Direct link to Deactivated service account can authenticate to OAuth") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Summary[​](https://docs.goauthentik.io/security/cves/CVE-2025-64521/#summary "Direct link to Summary") When authenticating with `client_id` and `client_secret` to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied and federation with other providers still take assigned policies correctly into account. ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2025-64521/#patches "Direct link to Patches") authentik 2025.8.5 and 2025.10.2 fix this issue, for other versions the workaround below can be used. ### Workarounds[​](https://docs.goauthentik.io/security/cves/CVE-2025-64521/#workarounds "Direct link to Workarounds") You can add a policy to your application that explicitly checks if the service account is still valid, and deny access if not. return request.user.is_active ### For more information[​](https://docs.goauthentik.io/security/cves/CVE-2025-64521/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#cebdabadbbbca7bab78ea9a1afbbbaa6aba0baa7a5e0a7a1) . * [Deactivated service account can authenticate to OAuth](https://docs.goauthentik.io/security/cves/CVE-2025-64521/#deactivated-service-account-can-authenticate-to-oauth) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2025-64521/#summary) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2025-64521/#patches) * [Workarounds](https://docs.goauthentik.io/security/cves/CVE-2025-64521/#workarounds) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2025-64521/#for-more-information) --- # GHSA-rjvp-29xq-f62w | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/GHSA-rjvp-29xq-f62w/#__docusaurus_skipToContent_fallback) On this page _Reported by [@devSparkle](https://github.com/devSparkle) _ Potential Installation takeover when default admin user is deleted[​](https://docs.goauthentik.io/security/cves/GHSA-rjvp-29xq-f62w/#potential-installation-takeover-when-default-admin-user-is-deleted "Direct link to Potential Installation takeover when default admin user is deleted") --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Summary[​](https://docs.goauthentik.io/security/cves/GHSA-rjvp-29xq-f62w/#summary "Direct link to Summary") In the affected versions, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication. ### Patches[​](https://docs.goauthentik.io/security/cves/GHSA-rjvp-29xq-f62w/#patches "Direct link to Patches") authentik 2023.8.4 and 2023.10.2 fix this issue, for other versions the workaround can be used. ### Impact[​](https://docs.goauthentik.io/security/cves/GHSA-rjvp-29xq-f62w/#impact "Direct link to Impact") authentik uses a blueprint to create the default admin user, which can also optionally set the default admin users' password from an environment variable. When the user is deleted, the `initial-setup` flow used to configure authentik after the first installation becomes available again. ### Workarounds[​](https://docs.goauthentik.io/security/cves/GHSA-rjvp-29xq-f62w/#workarounds "Direct link to Workarounds") Ensure the default admin user (Username `akadmin`) exists and has a password set. It is recommended to use a very strong password for this user, and store it in a secure location like a password manager. It is also possible to deactivate the user to prevent any logins as akadmin. ### For more information[​](https://docs.goauthentik.io/security/cves/GHSA-rjvp-29xq-f62w/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#51223432242338252811363e30242539343f25383a7f383e) * [Potential Installation takeover when default admin user is deleted](https://docs.goauthentik.io/security/cves/GHSA-rjvp-29xq-f62w/#potential-installation-takeover-when-default-admin-user-is-deleted) * [Summary](https://docs.goauthentik.io/security/cves/GHSA-rjvp-29xq-f62w/#summary) * [Patches](https://docs.goauthentik.io/security/cves/GHSA-rjvp-29xq-f62w/#patches) * [Impact](https://docs.goauthentik.io/security/cves/GHSA-rjvp-29xq-f62w/#impact) * [Workarounds](https://docs.goauthentik.io/security/cves/GHSA-rjvp-29xq-f62w/#workarounds) * [For more information](https://docs.goauthentik.io/security/cves/GHSA-rjvp-29xq-f62w/#for-more-information) --- # Release 0.12 | authentik [Skip to main content](https://docs.goauthentik.io/releases/0.12/#__docusaurus_skipToContent_fallback) On this page This update brings these headline features: * Rewrite Outpost state Logic, which now supports multiple concurrent Outpost instances. * Add Kubernetes Integration for Outposts, which deploys and maintains Outposts with High Availability in a Kubernetes Cluster * Add System Task Overview to see all background tasks, their status, the log output, and retry them * Alerts now disappear automatically * Audit Logs are now searchable * Users can now create their own Tokens to access the API * docker-compose deployment now uses traefik 2.3 Fixes: * Fix high CPU Usage of the proxy when Websocket connections fail Upgrading[​](https://docs.goauthentik.io/releases/0.12/#upgrading "Direct link to Upgrading") ---------------------------------------------------------------------------------------------- ### docker-compose[​](https://docs.goauthentik.io/releases/0.12/#docker-compose "Direct link to docker-compose") Docker-compose users should download the latest docker-compose file from [here](https://docs.goauthentik.io/docker-compose.yml) . This includes the new traefik 2.3. Afterwards, you can simply run `docker-compose up -d` and then the normal upgrade command of `docker-compose run --rm server migrate`. ### Kubernetes[​](https://docs.goauthentik.io/releases/0.12/#kubernetes "Direct link to Kubernetes") For Kubernetes users, there are some changes to the helm values. The values change from config: # Optionally specify fixed secret_key, otherwise generated automatically # secret_key: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o # Enable error reporting error_reporting: enabled: false environment: customer send_pii: false # Log level used by web and worker # Can be either debug, info, warning, error log_level: warning to config: # Optionally specify fixed secret_key, otherwise generated automatically # secretKey: _k*@6h2u2@q-dku57hhgzb7tnx*ba9wodcb^s9g0j59@=y(@_o # Enable error reporting errorReporting: enabled: false environment: customer sendPii: false # Log level used by web and worker # Can be either debug, info, warning, error logLevel: warning in order to be consistent with the rest of the settings. There is also a new setting called `kubernetesIntegration`, which controls the Kubernetes integration for authentik. When enabled (the default), a Service Account is created, which allows authentik to deploy and update Outposts. * [Upgrading](https://docs.goauthentik.io/releases/0.12/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/0.12/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/0.12/#kubernetes) --- # Release 0.13 (passbook -> authentik) | authentik [Skip to main content](https://docs.goauthentik.io/releases/0.13/#__docusaurus_skipToContent_fallback) On this page After a long back and forth, we've finally switched to a more permanent name. Whilst the upgrade is pretty much seamless, there are some things you have to change before upgrading. * New name ([#361](https://github.com/goauthentik/authentik/pull/361) ) * The web interface is now a semi-SPA Experience. This means that most operations are done through Asynchronous requests In this initial release, this brings features such as a refresh button, a generally better User experience due to shorter loading times and fewer visual context changes. * The web interface now has a darkmode, which is enabled automatically based on your Operating system darkmode. * Application Icons can now be uploaded directly to authentik, rather than just being loaded from a URL Smaller changes[​](https://docs.goauthentik.io/releases/0.13/#smaller-changes "Direct link to Smaller changes") ---------------------------------------------------------------------------------------------------------------- * Add better support for Docker Service Connections with Certificates * Fix application API not returning the same format as other APIs Upgrading[​](https://docs.goauthentik.io/releases/0.13/#upgrading "Direct link to Upgrading") ---------------------------------------------------------------------------------------------- ### docker-compose[​](https://docs.goauthentik.io/releases/0.13/#docker-compose "Direct link to docker-compose") Docker-compose users should download the latest docker-compose file from [here](https://goauthentik.io/version/0.13/docker-compose.yml) . caution If you decided to rename the folder you're running the docker-compose file from, be aware that this will also change the name, that docker-compose will give the database volume. To mitigate this, either * Keep the original directory name * Move the directory and set `COMPOSE_PROJECT_NAME` to the name of the old directory (see [here](https://docs.docker.com/compose/reference/envvars/#compose_project_name) ) * Create a backup, rename the directory and restore from backup. The only manual change you have to do is replace the `PASSBOOK_` prefix in your `.env` file, so `PASSBOOK_SECRET_KEY` gets changed to `AUTHENTIK_SECRET_KEY`. Additionally, the database name and username have to be changed, so add this block to your `.env` file: PG_USER=passbookPG_DB=passbook Afterwards, you can simply run `docker-compose up -d` and then the normal upgrade command of `docker-compose run --rm server migrate`. ### Kubernetes[​](https://docs.goauthentik.io/releases/0.13/#kubernetes "Direct link to Kubernetes") The helm repository changes from passbook to authentik. To update your repository, execute these commands: helm repo remove passbookhelm repo add authentik https://docker.beryju.org/chartrepo/authentik info If you've set any custom image names in your values file, make sure to change them to authentik before upgrading. Additionally, you need to change the database name that authentik uses, as the database name doesn't change. Add this snippet to your `values.yaml` file: postgresql: postgresqlDatabase: passbook Afterwards you can upgrade as usual from the new repository: helm upgrade authentik authentik/authentik --devel -f values.yaml Post-upgrade notes[​](https://docs.goauthentik.io/releases/0.13/#post-upgrade-notes "Direct link to Post-upgrade notes") ------------------------------------------------------------------------------------------------------------------------- * Some default values change, for example the SAML Provider's default issuer. This only makes a difference for newly created providers. * Expression Policies variables change Anything prefixed with `pb_` changes to `ak_`, this change is done **automatically** * [Smaller changes](https://docs.goauthentik.io/releases/0.13/#smaller-changes) * [Upgrading](https://docs.goauthentik.io/releases/0.13/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/0.13/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/0.13/#kubernetes) * [Post-upgrade notes](https://docs.goauthentik.io/releases/0.13/#post-upgrade-notes) --- # Release 0.14 | authentik [Skip to main content](https://docs.goauthentik.io/releases/0.14/#__docusaurus_skipToContent_fallback) On this page Headline features[​](https://docs.goauthentik.io/releases/0.14/#headline-features "Direct link to Headline features") ---------------------------------------------------------------------------------------------------------------------- * Flows are now graphically shown as diagrams, to visualise which stages and policies are bound. This diagram makes it significantly easier to understand how a flow works, as well as helping you design a flow that does exactly what you need. * Events now have a more general purpose, rather than just logging audit actions. The following new events are now logged: * Policy Execution (Has to be enabled on a per-policy basis) * Policy Exceptions * Property Mapping Exceptions * Configuration Errors (currently these events are created by incorrectly configured providers, but will be used further in the future.) * Update availability * The OAuth2 Provider has been updated to closer match the OpenID Connect Specifications Response type no longer has to be configured manually. The issuer field can be configured now (the default behaviour is the same as pre-0.14) Authorization Codes are now generated as a JWT Token, which is not specified as spec, but seems to be a quasi-standard. * SAML Providers can now be created from SAML Metadata * The authentik proxy is now using the currently latest version of oauth2\_proxy (6.1.1) * The license has been changed to GNU/GPL 3.0 Fixes[​](https://docs.goauthentik.io/releases/0.14/#fixes "Direct link to Fixes") ---------------------------------------------------------------------------------- * admin: fix policy test button in dark theme * core: fix anonymous user being included in User API * core: fix token update/delete not working * core: fix User's token creation not working * core: make application's provider not required * core: show multi-select notice for SelectMultiple Widgets * outposts: allow blank kubeconfig * outposts: validate kubeconfig before saving * proxy: update to latest stable oauth2\_proxy version * root: update license * web: fix sidebar being overlaid over modal backdrop * web: fix table styling on mobile * web: use displyname in sidebar for user Upgrading[​](https://docs.goauthentik.io/releases/0.14/#upgrading "Direct link to Upgrading") ---------------------------------------------------------------------------------------------- This release does not introduce any new requirements. ### docker-compose[​](https://docs.goauthentik.io/releases/0.14/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 0.14 from  [here](https://goauthentik.io/version/0.14/docker-compose.yml) . Afterwards, simply run `docker-compose up -d` and then the standard upgrade command of `docker-compose run --rm server migrate`. ### Kubernetes[​](https://docs.goauthentik.io/releases/0.14/#kubernetes "Direct link to Kubernetes") Run `helm repo update` and then upgrade your release with `helm upgrade authentik authentik/authentik --devel -f values.yaml`. * [Headline features](https://docs.goauthentik.io/releases/0.14/#headline-features) * [Fixes](https://docs.goauthentik.io/releases/0.14/#fixes) * [Upgrading](https://docs.goauthentik.io/releases/0.14/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/0.14/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/0.14/#kubernetes) --- # Release 0.10 | authentik [Skip to main content](https://docs.goauthentik.io/releases/0.10/#__docusaurus_skipToContent_fallback) On this page This update brings a lot of big features, such as: * New OAuth2/OpenID Provider This new provider merges both OAuth2 and OpenID. It is based on the codebase of the old provider, which has been simplified and cleaned from the ground up. Support for Property Mappings has also been added. Because of this change, OpenID and OAuth2 Providers will have to be re-created. * Proxy Provider Due to this new OAuth2 Provider, the Application Gateway Provider, now simply called "Proxy Provider" has been revamped as well. The new authentik Proxy integrates more tightly with authentik via the new Outposts system. The new proxy also supports multiple applications per proxy instance, can configure TLS based on authentik Keypairs, and more. See [Proxy](https://docs.goauthentik.io/add-secure-apps/providers/proxy/) * Outpost System This is a new Object type, currently used only by the Proxy Provider. It manages the creation and permissions of service accounts, which are used by the outposts to communicate with authentik. See [Outposts](https://docs.goauthentik.io/add-secure-apps/outposts/) * Flow Import/Export Flows can now be imported and exported. This feature can be used as a backup system, or to share complex flows with other people. Example flows have also been added to the documentation to help you get going with authentik. Under the hood[​](https://docs.goauthentik.io/releases/0.10/#under-the-hood "Direct link to Under the hood") ------------------------------------------------------------------------------------------------------------- * authentik now runs on Django 3.1 and Channels with complete ASGI enabled * uwsgi has been replaced with Gunicorn and uvicorn * Elastic APM has been replaced with Sentry Performance metrics * Flow title is now configurable separately from the name * All logging output is now json Upgrading[​](https://docs.goauthentik.io/releases/0.10/#upgrading "Direct link to Upgrading") ---------------------------------------------------------------------------------------------- ### docker-compose[​](https://docs.goauthentik.io/releases/0.10/#docker-compose "Direct link to docker-compose") The docker-compose file has been updated, please download the latest from `https://docs.goauthentik.io/docker-compose.yml`. By default, the new compose file uses a fixed version to prevent unintended updates. Before updating the file, stop all containers. Then download the file, pull the new containers and start the database. docker-compose downdocker-compose pulldocker-compose up --no-startdocker-compose start redis postgrseqldocker-compose run --rm server migratedocker-compose up -d ### Helm[​](https://docs.goauthentik.io/releases/0.10/#helm "Direct link to Helm") A few options have changed: * `error_reporting` was changed from a simple boolean to a dictionary: error_reporting: enabled: false environment: customer send_pii: false * The `apm` and `monitoring` blocks have been removed. * `serverReplicas` and `workerReplicas` have been added ### Upgrading[​](https://docs.goauthentik.io/releases/0.10/#upgrading-1 "Direct link to Upgrading") This upgrade only applies if you are upgrading from a running 0.9 instance. authentik detects this on startup, and automatically executes this upgrade. Because this upgrade brings the new OAuth2 Provider, the old providers will be lost in the process. Make sure to take note of the providers you want to bring over. Another side-effect of this upgrade is the change of OAuth2 URLs, see [here](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/) . * [Under the hood](https://docs.goauthentik.io/releases/0.10/#under-the-hood) * [Upgrading](https://docs.goauthentik.io/releases/0.10/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/0.10/#docker-compose) * [Helm](https://docs.goauthentik.io/releases/0.10/#helm) * [Upgrading](https://docs.goauthentik.io/releases/0.10/#upgrading-1) --- # Release 0.9 | authentik [Skip to main content](https://docs.goauthentik.io/releases/0.9/#__docusaurus_skipToContent_fallback) Due to some database changes that had to be rather sooner than later, there is no possibility to directly upgrade. You must extract the data before hand and import it again. It is recommended to spin up a second instance of authentik to do this. To export data from your old instance, run this command: * docker-compose docker-compose exec server ./manage.py dumpdata -o /tmp/authentik_dump.json authentik_core.User authentik_core.Group authentik_crypto.CertificateKeyPair authentik_audit.Event otp_totp.totpdevice otp_static.staticdevice otp_static.statictokendocker cp authentik_server_1:/tmp/authentik_dump.json authentik_dump.json * kubernetes kubectl exec -it authentik-web-... -- ./manage.py dumpdata -o /tmp/authentik_dump.json authentik_core.User authentik_core.Group authentik_crypto.CertificateKeyPair authentik_audit.Event otp_totp.totpdevice otp_static.staticdevice otp_static.statictokenkubectl cp authentik-web-...:/tmp/authentik_dump.json authentik_dump.json After that, create a new authentik instance in a different namespace (kubernetes) or in a different folder (docker-compose). Once this instance is running, you can use the following commands to restore the data. On docker-compose, you still have to run the `migrate` command, to create all database structures. * docker-compose docker cp authentik_dump.json new_authentik_server_1:/tmp/authentik_dump.jsondocker-compose exec server ./manage.py loaddata /tmp/authentik_dump.json * kubernetes kubectl cp authentik_dump.json authentik-web-...:/tmp/authentik_dump.jsonkubectl exec -it authentik-web-... -- ./manage.py loaddata /tmp/authentik_dump.json Now, you should be able to login to the new authentik instance, and migrate the rest of the data over. --- # CVE-2024-52287 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2024-52287/#__docusaurus_skipToContent_fallback) On this page _Reported by [@matt1097](https://github.com/matt1097) _ Insufficient validation of OAuth scopes for client\_credentials and device\_code grants[​](https://docs.goauthentik.io/security/cves/CVE-2024-52287/#insufficient-validation-of-oauth-scopes-for-client_credentials-and-device_code-grants "Direct link to Insufficient validation of OAuth scopes for client_credentials and device_code grants") --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Summary[​](https://docs.goauthentik.io/security/cves/CVE-2024-52287/#summary "Direct link to Summary") When using the `client_credentials` or `device_code` OAuth grants, it was possible for an attacker to get a token from authentik with scopes that haven't been configured in authentik. ### Details[​](https://docs.goauthentik.io/security/cves/CVE-2024-52287/#details "Direct link to Details") With the `device_code` grant, it was possible to have a user authorize a set of permitted scopes, and then acquire a token with a different set of scopes, including scopes not configured. This token could potentially be used to send requests to another system which trusts tokens signed by authentik and execute malicious actions on behalf of the user. With the `client_credentials` grant, because there is no user authorization process, authentik would not validate the scopes requested for the token, allowing tokens to be issued with scopes not configured in authentik. These could similarly be used to execute malicious actions in other systems. There is no workaround for this issue; however this issue could only be exploited if an attacker possesses a valid set of OAuth2 `client_id` and `client_secret` credentials, and has the knowledge of another system that trusts tokens issued by authentik and what scopes it checks for. ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2024-52287/#patches "Direct link to Patches") authentik 2024.8.5 and 2024.10.3 fix this issue. ### For more information[​](https://docs.goauthentik.io/security/cves/CVE-2024-52287/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#61120402141308151821060e00141509040f15080a4f080e) * [Insufficient validation of OAuth scopes for client\_credentials and device\_code grants](https://docs.goauthentik.io/security/cves/CVE-2024-52287/#insufficient-validation-of-oauth-scopes-for-client_credentials-and-device_code-grants) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2024-52287/#summary) * [Details](https://docs.goauthentik.io/security/cves/CVE-2024-52287/#details) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2024-52287/#patches) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2024-52287/#for-more-information) --- # CVE-2024-52289 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2024-52289/#__docusaurus_skipToContent_fallback) On this page _Reported by [@PontusHanssen](https://github.com/PontusHanssen) _ Insecure default configuration for OAuth2 Redirect URIs[​](https://docs.goauthentik.io/security/cves/CVE-2024-52289/#insecure-default-configuration-for-oauth2-redirect-uris "Direct link to Insecure default configuration for OAuth2 Redirect URIs") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Summary[​](https://docs.goauthentik.io/security/cves/CVE-2024-52289/#summary "Direct link to Summary") Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison. When no Redirect URIs are configured in a provider, authentik will automatically use the first `redirect_uri` value received as an allowed redirect URI, without escaping characters that have a special meaning in RegEx. Similarly, the documentation did not take this into consideration either. Given a provider with the Redirect URIs set to `https://foo.example.com`, an attacker can register a domain `fooaexample.com`, and it will correctly pass validation. ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2024-52289/#patches "Direct link to Patches") authentik 2024.8.5 and 2024.10.3 fix this issue. The patched versions remedy this issue by changing the format that the Redirect URIs are saved in, allowing for the explicit configuration if the URL should be checked strictly or as a RegEx. This means that these patches include a backwards-incompatible database change and API change. Manual action _is required_ if any provider is intended to use RegEx for Redirect URIs because the migration will set the comparison type to strict for every Redirect URI. ### Workarounds[​](https://docs.goauthentik.io/security/cves/CVE-2024-52289/#workarounds "Direct link to Workarounds") When configuring OAuth2 providers, make sure to escape any wildcard characters that are not intended to function as a wildcard, for example replace `.` with `\.`. ### For more information[​](https://docs.goauthentik.io/security/cves/CVE-2024-52289/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#8af9efe9fff8e3fef3caede5ebfffee2efe4fee3e1a4e3e5) * [Insecure default configuration for OAuth2 Redirect URIs](https://docs.goauthentik.io/security/cves/CVE-2024-52289/#insecure-default-configuration-for-oauth2-redirect-uris) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2024-52289/#summary) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2024-52289/#patches) * [Workarounds](https://docs.goauthentik.io/security/cves/CVE-2024-52289/#workarounds) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2024-52289/#for-more-information) --- # CVE-2024-47077 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2024-47077/#__docusaurus_skipToContent_fallback) On this page _Reported by [@quentinmit](https://github.com/quentinmit) _ Insufficient cross-provider token validation during introspection[​](https://docs.goauthentik.io/security/cves/CVE-2024-47077/#insufficient-cross-provider-token-validation-during-introspection "Direct link to Insufficient cross-provider token validation during introspection") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Summary[​](https://docs.goauthentik.io/security/cves/CVE-2024-47077/#summary "Direct link to Summary") Access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued for one application and use it to access another application that they aren't allowed to access. ### Details[​](https://docs.goauthentik.io/security/cves/CVE-2024-47077/#details "Direct link to Details") The proxy provider uses `/application/o/introspect/` to validate bearer tokens provided in the `Authorization` header: The implementation of this endpoint separately validates the `client_id` and `client_secret` (which are that of the proxy provider) and the `token` without validating that they correspond to the same provider. ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2024-47077/#patches "Direct link to Patches") authentik 2024.6.5 and 2024.8.3 fix this issue. ### For more information[​](https://docs.goauthentik.io/security/cves/CVE-2024-47077/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#6211070117100b161b22050d0317160a070c160b094c0b0d) * [Insufficient cross-provider token validation during introspection](https://docs.goauthentik.io/security/cves/CVE-2024-47077/#insufficient-cross-provider-token-validation-during-introspection) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2024-47077/#summary) * [Details](https://docs.goauthentik.io/security/cves/CVE-2024-47077/#details) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2024-47077/#patches) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2024-47077/#for-more-information) --- # CVE-2024-52307 | authentik [Skip to main content](https://docs.goauthentik.io/security/cves/CVE-2024-52307/#__docusaurus_skipToContent_fallback) On this page _Reported by [@mgerstner](https://github.com/mgerstner) _ Timing attack due to a lack of constant time comparison for metrics view[​](https://docs.goauthentik.io/security/cves/CVE-2024-52307/#timing-attack-due-to-a-lack-of-constant-time-comparison-for-metrics-view "Direct link to Timing attack due to a lack of constant time comparison for metrics view") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Summary[​](https://docs.goauthentik.io/security/cves/CVE-2024-52307/#summary "Direct link to Summary") Due to the usage of a non-constant time comparison for the `/-/metrics/` endpoint it was possible to brute-force the `SECRET_KEY`, which is used to authenticate the endpoint. The `/-/metrics/` endpoint returns Prometheus metrics and is not intended to be accessed directly, as the Go proxy running in the authentik server container fetches data from this endpoint and serves it on a separate port (9300 by default), which can be scraped by Prometheus without being exposed publicly. ### Patches[​](https://docs.goauthentik.io/security/cves/CVE-2024-52307/#patches "Direct link to Patches") authentik 2024.8.5 and 2024.10.3 fix this issue, for other versions the workaround below can be used. ### Impact[​](https://docs.goauthentik.io/security/cves/CVE-2024-52307/#impact "Direct link to Impact") With enough attempts the `SECRET_KEY` of the authentik installation can be brute-forced, which can be used to sign new or modify existing cookies. ### Workarounds[​](https://docs.goauthentik.io/security/cves/CVE-2024-52307/#workarounds "Direct link to Workarounds") Since the `/-/metrics/` endpoint is not intended to be accessed publicly, requests to the endpoint can be blocked by the reverse proxy/load balancer used in conjunction with authentik. For example for nginx: location /-/metrics/ { deny all; return 404;} ### For more information[​](https://docs.goauthentik.io/security/cves/CVE-2024-52307/#for-more-information "Direct link to For more information") If you have any questions or comments about this advisory: * Email us at [\[email protected\]](https://docs.goauthentik.io/cdn-cgi/l/email-protection#2d5e484e585f4459546d4a424c5859454843594446034442) . * [Timing attack due to a lack of constant time comparison for metrics view](https://docs.goauthentik.io/security/cves/CVE-2024-52307/#timing-attack-due-to-a-lack-of-constant-time-comparison-for-metrics-view) * [Summary](https://docs.goauthentik.io/security/cves/CVE-2024-52307/#summary) * [Patches](https://docs.goauthentik.io/security/cves/CVE-2024-52307/#patches) * [Impact](https://docs.goauthentik.io/security/cves/CVE-2024-52307/#impact) * [Workarounds](https://docs.goauthentik.io/security/cves/CVE-2024-52307/#workarounds) * [For more information](https://docs.goauthentik.io/security/cves/CVE-2024-52307/#for-more-information) --- # Release 2021.3 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2021.3/#__docusaurus_skipToContent_fallback) On this page Headline Changes[​](https://docs.goauthentik.io/releases/2021.3/#headline-changes "Direct link to Headline Changes") --------------------------------------------------------------------------------------------------------------------- * WebAuthn support This release introduces support for [WebAuthn](https://webauthn.io/) , an open standard for the use of hardware authentication keys like YubiKeys on the web. You can configure a WebAuthn device using the "WebAuthn Authenticator Setup Stage" stage. Afterwards, it can be used as an n-th factor, just like TOTP authenticators. * Simplify role-based access Instead of having to create a Group Membership policy for every group you want to use, you can now select a Group and even a User directly in a binding. When a group is selected, the binding behaves the same as if a Group Membership policy exists. When a user is selected, the binding checks the user of the request, and denies the request when the user doesn't match. Group Membership policies are automatically migrated to use this simplified access. * Invisible reCAPTCHA The checkbox-based reCAPTCHA has been replaced with [reCAPTCHA v2 Invisible](https://developers.google.com/recaptcha/docs/invisible) . This is a breaking change, as a set of reCAPTCHA keys are only valid for a single type. For this, go to [https://www.google.com/recaptcha/admin](https://www.google.com/recaptcha/admin) and create a new set of keys with the "reCAPTCHA v2" type and "Invisible reCAPTCHA badge" mode. * Migration of Flow Executor to SPA/API The flow executor has been migrated to a full SPA/API architecture. This was required for WebAuthn, but also allows for greater customizability. It also allows other services to use the flow executor via an API, which will be used by the outpost further down the road. * Deny stage A new stage which simply denies access. This can be used to conditionally deny access to users during a flow. Authorization flows for example required an authenticated user, but there was no previous way to block access for un-authenticated users. If you conditionally include this stage in a flow, make sure to disable "Evaluate on plan", as that will always include the stage in the flow, regardless of the inputs. Fixed in 2021.3.2[​](https://docs.goauthentik.io/releases/2021.3/#fixed-in-202132 "Direct link to Fixed in 2021.3.2") ---------------------------------------------------------------------------------------------------------------------- * sources/ldap: fix sync for Users without pwdLastSet * web: fix date display issue * web: fix submit in Modal reloading page in firefox Fixed in 2021.3.3[​](https://docs.goauthentik.io/releases/2021.3/#fixed-in-202133 "Direct link to Fixed in 2021.3.3") ---------------------------------------------------------------------------------------------------------------------- * providers/oauth2: allow protected\_resource\_view when method is OPTIONS * stages/authenticator\_static: fix error when disable static tokens * stages/authenticator\_webauthn: add missing migration * web: fix Colours for user settings in dark mode * web: fix Flow executor not showing spinner when redirecting * web: fix Source icons not being displayed on firefox * web: fix styling for static token list Fixed in 2021.3.4[​](https://docs.goauthentik.io/releases/2021.3/#fixed-in-202134 "Direct link to Fixed in 2021.3.4") ---------------------------------------------------------------------------------------------------------------------- * admin: include git build hash in gh-\* tags and show build hash in admin overview * events: don't fail on boot when geoip can't be opened * helm: add initial geoip * outposts: improve logs for outpost connection * policies: fix error when clearing policy cache when no policies are cached * root: add comment for error reporting to compose * root: add geoip config to docker-compose * sources/oauth: fix error on user enrollment when no enrollment flow is defined * web: add close button to messages * web: backport fix: add missing background filter * web: fix outpost health display * web: fix path for fallback flow view * web: fix system task index * web: improve compatibility with password managers * web: improve layout of expanded event info * web: improve styling for application list * web: prevent duplicate messages * web: show related edit button for bound stages and policies * web: use chunking for vendor and api * web: use loadingState for autosubmitStage * web: use sections in sidebar, adjust colouring Upgrading[​](https://docs.goauthentik.io/releases/2021.3/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------ This release does not introduce any new requirements. ### docker-compose[​](https://docs.goauthentik.io/releases/2021.3/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 2021.3 from [here](https://goauthentik.io/version/2021.3/docker-compose.yml) . Afterwards, simply run `docker-compose up -d` and then the standard upgrade command of `docker-compose run --rm server migrate`. ### Kubernetes[​](https://docs.goauthentik.io/releases/2021.3/#kubernetes "Direct link to Kubernetes") Run `helm repo update` and then upgrade your release with `helm upgrade authentik authentik/authentik --devel -f values.yaml`. * [Headline Changes](https://docs.goauthentik.io/releases/2021.3/#headline-changes) * [Fixed in 2021.3.2](https://docs.goauthentik.io/releases/2021.3/#fixed-in-202132) * [Fixed in 2021.3.3](https://docs.goauthentik.io/releases/2021.3/#fixed-in-202133) * [Fixed in 2021.3.4](https://docs.goauthentik.io/releases/2021.3/#fixed-in-202134) * [Upgrading](https://docs.goauthentik.io/releases/2021.3/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/2021.3/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2021.3/#kubernetes) --- # Release 2021.2 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2021.2/#__docusaurus_skipToContent_fallback) On this page Headline Changes[​](https://docs.goauthentik.io/releases/2021.2/#headline-changes "Direct link to Headline Changes") --------------------------------------------------------------------------------------------------------------------- * Managed objects Objects like property mappings can now be marked as managed, which means that they will be created, updated and deleted by authentik. Currently, this is used to update default property mappings, and mark tokens and users generated by outposts. * Improved support for different LDAP Servers The LDAP source has improved support for non-Active Directory LDAP setups. This includes the following changes: * Switch to sync membership from groups to users rather than user to group * Fix users, which were removed from a group in LDAP not being removed from said group * Add support for LDAP servers which have core fields declared as lists * Add property-mappings for groups, to map attributes like `name` or `is_superuser` * Add test view to debug property-mappings. Fixes[​](https://docs.goauthentik.io/releases/2021.2/#fixes "Direct link to Fixes") ------------------------------------------------------------------------------------ * admin: add test view for property mappings * core: Fix application cache not being cleared correctly (and not being ignored for searches) * events: add send\_once flag to send webhooks only once * events: allow searching by event id * events: don't log successful system tasks * events: improve information sent in notification emails * providers/oauth2: pass application to configuration error event * providers/saml: fix imported provider not saving properties correctly * root: use filtering\_bound\_logger for speed improvements * stages/consent: fix wrong widget for expire * web: migrate Provider List to SPA Fixed in 2021.2.1-rc2[​](https://docs.goauthentik.io/releases/2021.2/#fixed-in-202121-rc2 "Direct link to Fixed in 2021.2.1-rc2") ---------------------------------------------------------------------------------------------------------------------------------- * admin: add Certificate-Keypair generation * admin: fix property-mapping views redirecting to invalid URL * admin: improve layout for policy testing * admin: remove old provider list view * outpost: cap reconnect backoff at 60 seconds, reset backoff on successful connection * policies: add debug flag to PolicyRequest to prevent alerts from testing policies * providers/saml: force-set friendly\_name to empty string for managed mappings * root: add dedicated live and readiness healthcheck views * web: fix link to provider list on overview page * web: fix outpost item in sidebar being active on service connection views Fixed in 2021.2.1-stable[​](https://docs.goauthentik.io/releases/2021.2/#fixed-in-202121-stable "Direct link to Fixed in 2021.2.1-stable") ------------------------------------------------------------------------------------------------------------------------------------------- * admin: fix link in source list * web: rebuild Outposts list in SPA * outposts: Fix reconnect not working reliably * providers/oauth2: add authorized scopes to AUTHORIZE\_APPLICATION event * providers/oauth2: add unofficial groups attribute to default profile claim * web: fix sidebar being active when stage prompts is selected Fixed in 2021.2.2-stable[​](https://docs.goauthentik.io/releases/2021.2/#fixed-in-202122-stable "Direct link to Fixed in 2021.2.2-stable") ------------------------------------------------------------------------------------------------------------------------------------------- * crypto: move certificate and key data to separate api calls to create events * events: rename context.token to context.secret * events: rename token\_view to secret\_view * lib: fix stacktrace for general expressions * outposts: fix ProxyProvider update not triggering outpost update * policies: skip cache on debug request * providers/proxy: fix certificates without key being selectable * root: log runtime in milliseconds * sources/\*: switch API to use slug in URL * sources/ldap: add API for sync status * sources/oauth: add callback URL to api * web: fix ModalButton working in global scope, causing issues on 2nd use Fixed in 2021.2.3-stable[​](https://docs.goauthentik.io/releases/2021.2/#fixed-in-202123-stable "Direct link to Fixed in 2021.2.3-stable") ------------------------------------------------------------------------------------------------------------------------------------------- * core: fix tokens using wrong lookup * web: fix missing source create button Fixed in 2021.2.4-stable[​](https://docs.goauthentik.io/releases/2021.2/#fixed-in-202124-stable "Direct link to Fixed in 2021.2.4-stable") ------------------------------------------------------------------------------------------------------------------------------------------- * admin: fix missing success\_urls causing errors on create/update forms * core: fix typo in user settings causing sources to not show Fixed in 2021.2.5-stable[​](https://docs.goauthentik.io/releases/2021.2/#fixed-in-202125-stable "Direct link to Fixed in 2021.2.5-stable") ------------------------------------------------------------------------------------------------------------------------------------------- * admin: fix policy list not having a refresh button * events: pass Event's user to Notification policy engine when present * helm: add initial wait for healthcheck * outpost: improve logging output, ensure fields match api server * root: fix request\_id not being logged for actual asgi requests * sources/oauth: fix buttons not being ak-root-link * web: fix library not being full height, again * web: fix outpost edit/delete buttons * web: fix SiteShell breaking links when handlers are updated twice Fixed in 2021.2.6-stable[​](https://docs.goauthentik.io/releases/2021.2/#fixed-in-202126-stable "Direct link to Fixed in 2021.2.6-stable") ------------------------------------------------------------------------------------------------------------------------------------------- * admin: fix missing success\_url for Cache clean views * events: fix error when event can't be loaded in rule task * flows: handle error when app cannot be found during flow import * policies: sort groups in GroupMembershipPolicy policy and binding * providers/oauth2: fix error when no login event could be found * sources/ldap: fix API error when source has not synced yet * sources/ldap: fix password setter on users which are not LDAP * web: add sentry CaptureConsole * web: fix colourstyles not being included in common\_styles Upgrading[​](https://docs.goauthentik.io/releases/2021.2/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------ This release does not introduce any new requirements. Due to the switch to managed objects, some default property mappings are changing. This affects only the SAML Provider. The change affects the "SAML Name" property, which has been changed from an oid to a Schema URI to aid readability. The integrations affected are: * [Ansible Tower/AWX](https://integrations.goauthentik.io/services/awx-tower/) * [GitLab](https://integrations.goauthentik.io/services/gitlab/) * [NextCloud](https://integrations.goauthentik.io/services/nextcloud/) * [Rancher](https://integrations.goauthentik.io/services/rancher/) * [Sentry](https://integrations.goauthentik.io/services/sentry/) ### docker-compose[​](https://docs.goauthentik.io/releases/2021.2/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 2021.2 from [here](https://goauthentik.io/version/2021.2/docker-compose.yml) . Afterwards, simply run `docker-compose up -d` and then the standard upgrade command of `docker-compose run --rm server migrate`. ### Kubernetes[​](https://docs.goauthentik.io/releases/2021.2/#kubernetes "Direct link to Kubernetes") Run `helm repo update` and then upgrade your release with `helm upgrade authentik authentik/authentik --devel -f values.yaml`. * [Headline Changes](https://docs.goauthentik.io/releases/2021.2/#headline-changes) * [Fixes](https://docs.goauthentik.io/releases/2021.2/#fixes) * [Fixed in 2021.2.1-rc2](https://docs.goauthentik.io/releases/2021.2/#fixed-in-202121-rc2) * [Fixed in 2021.2.1-stable](https://docs.goauthentik.io/releases/2021.2/#fixed-in-202121-stable) * [Fixed in 2021.2.2-stable](https://docs.goauthentik.io/releases/2021.2/#fixed-in-202122-stable) * [Fixed in 2021.2.3-stable](https://docs.goauthentik.io/releases/2021.2/#fixed-in-202123-stable) * [Fixed in 2021.2.4-stable](https://docs.goauthentik.io/releases/2021.2/#fixed-in-202124-stable) * [Fixed in 2021.2.5-stable](https://docs.goauthentik.io/releases/2021.2/#fixed-in-202125-stable) * [Fixed in 2021.2.6-stable](https://docs.goauthentik.io/releases/2021.2/#fixed-in-202126-stable) * [Upgrading](https://docs.goauthentik.io/releases/2021.2/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/2021.2/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2021.2/#kubernetes) --- # Release 2021.1 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2021.1/#__docusaurus_skipToContent_fallback) On this page Headline Changes[​](https://docs.goauthentik.io/releases/2021.1/#headline-changes "Direct link to Headline Changes") --------------------------------------------------------------------------------------------------------------------- * New versioning schema (year.month.release) * Add global email settings In previous versions, you had to configure email connection details per [Email Stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/) . Now, you can (and should) configure global settings. This is documented under the [Docker Compose](https://docs.goauthentik.io/install-config/install/docker-compose/) and [Kubernetes](https://docs.goauthentik.io/install-config/install/kubernetes/) sections. * New notification system More info can be found under [Notifications](https://docs.goauthentik.io/sys-mgmt/events/notifications/) and [Transports](https://docs.goauthentik.io/sys-mgmt/events/transports/) . During the update, some default rules will be created. These rules notify you about policy exceptions, configuration errors and updates. These notifications will be sent using a default transport, which uses the global email transport. Fixes[​](https://docs.goauthentik.io/releases/2021.1/#fixes "Direct link to Fixes") ------------------------------------------------------------------------------------ * events: create event when system task fails * helm: fix old reference to static secret\_key * helm: fix s3 secret key and email password not being base64 encoded * policies: fix logic error for sync mode * stages/email: fix email task not falling back to use\_global\_settings ### Fixed in 2021.1.2[​](https://docs.goauthentik.io/releases/2021.1/#fixed-in-202112 "Direct link to Fixed in 2021.1.2") * sources/\*: Add source to flow context, so source is logged during login * outposts: Fix outpost not correctly updating on outpost modification * outposts: Improve drift detection on kubernetes * providers/saml: Fix metadata not being signed when signature is enabled * policies: Improve error handling, ensure original stacktrace is preserved ### Fixed in 2021.1.3[​](https://docs.goauthentik.io/releases/2021.1/#fixed-in-202113 "Direct link to Fixed in 2021.1.3") * admin: handle FlowNonApplicableException during flow plan * flows: fix FlowNonApplicableException not being Sentry Ignored * lifecycle: fix typo causing single process in docker-compose ### Fixed in 2021.1.4[​](https://docs.goauthentik.io/releases/2021.1/#fixed-in-202114 "Direct link to Fixed in 2021.1.4") * admin: fix providers not showing SAML Import on empty state * core: only cache Applications API when no filtering is done * events: fix email template for notifications * lib: fix ak\_is\_group\_member checking wrong groups * providers/saml: add support for WindowsDomainQualifiedName, add docs for NameID * providers/saml: import SAML Provider with all autogenerated mappings * providers/saml: make NameID configurable using a Property Mapping * providers/saml: update default OIDs for default property mappings * web: fix site-shell being cut off when not full height Upgrading[​](https://docs.goauthentik.io/releases/2021.1/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------ This release does not introduce any new requirements. ### Docker Compose[​](https://docs.goauthentik.io/releases/2021.1/#docker-compose "Direct link to Docker Compose") Download the docker-compose file for 2021.1 from [here](https://goauthentik.io/version/2021.1/docker-compose.yml) . Afterwards, simply run `docker-compose up -d` and then the standard upgrade command of `docker-compose run --rm server migrate`. ### Kubernetes[​](https://docs.goauthentik.io/releases/2021.1/#kubernetes "Direct link to Kubernetes") Run `helm repo update` and then upgrade your release with `helm upgrade authentik authentik/authentik --devel -f values.yaml`. * [Headline Changes](https://docs.goauthentik.io/releases/2021.1/#headline-changes) * [Fixes](https://docs.goauthentik.io/releases/2021.1/#fixes) * [Fixed in 2021.1.2](https://docs.goauthentik.io/releases/2021.1/#fixed-in-202112) * [Fixed in 2021.1.3](https://docs.goauthentik.io/releases/2021.1/#fixed-in-202113) * [Fixed in 2021.1.4](https://docs.goauthentik.io/releases/2021.1/#fixed-in-202114) * [Upgrading](https://docs.goauthentik.io/releases/2021.1/#upgrading) * [Docker Compose](https://docs.goauthentik.io/releases/2021.1/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2021.1/#kubernetes) --- # Release 2021.7 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2021.7/#__docusaurus_skipToContent_fallback) On this page Headline Changes[​](https://docs.goauthentik.io/releases/2021.7/#headline-changes "Direct link to Headline Changes") --------------------------------------------------------------------------------------------------------------------- * SSL Support for LDAP Providers You can now configure certificates for your LDAP Providers, meaning that all communication will be done encrypted. Currently, only SSL on port 636 is supported, not StartTLS. * Add bundled docs You can now browse the authentik docs for your version by browsing to `/help`. This means you don't have to rely on an internet connection to check the docs, and you also have the correct docs for your currently running version. Minor changes[​](https://docs.goauthentik.io/releases/2021.7/#minor-changes "Direct link to Minor changes") ------------------------------------------------------------------------------------------------------------ * api: Tunnel Sentry requests through authentik to prevent them being blocked by ad-blockers * core: fix error when setting icon/background to url longer than 100 chars * events: fix error when slack notification request failed without a response * flows: allow variable substitution in flow titles * outposts/ldap: Fix LDAP outpost missing a `member` field on groups with all member DNs * outposts/ldap: Fix LDAP outpost not parsing arrays from user and group attributes correctly * providers/oauth2: allow blank redirect\_uris to allow any redirect\_uri * providers/saml: fix parsing of POST bindings * root: add PROXY protocol support for http, https, ldap and ldaps servers * root: Allow configuration of Redis port * root: set samesite to None for SAML POST flows * root: subclass SessionMiddleware to set Secure and SameSite flag depending on context * web: fix error when showing error message of request Fixed in 2021.7.1-rc2[​](https://docs.goauthentik.io/releases/2021.7/#fixed-in-202171-rc2 "Direct link to Fixed in 2021.7.1-rc2") ---------------------------------------------------------------------------------------------------------------------------------- * core: add email filter for user * core: add group filter by member username and pk * core: broaden error catching for propertymappings * lib: fix outpost fake-ip not working, add tests * outpost: fix 100% CPU Usage when not connected to websocket * outposts: ensure outpost SAs always have permissions to fake IP * outposts: fix git hash not being set in outposts * outposts: save certificate fingerprint and check before re-fetching to cleanup logs * outposts/ldap: add tracing for LDAP bind and search * outposts/ldap: improve parsing of LDAP filters * outposts/ldap: optimise backend Search API requests * outposts/proxy: add X-Auth-Groups header to pass groups * providers/oauth2: handler PropertyMapping exceptions and create event * providers/saml: improve error handling for property mappings * sources/ldap: improve error handling for property mappings * web: fix icon flashing in header, fix notification header icon in dark mode * web: separate websocket connection from messages * web/admin: fix missing dark theme for notifications * web/admin: fix negative count for policies when more cached than total policies * web/admin: improve UI for notification toggle * website/docs: clear up outpost uuids * website/docs: remove duplicate proxy docs Fixed in 2021.7.1[​](https://docs.goauthentik.io/releases/2021.7/#fixed-in-202171 "Direct link to Fixed in 2021.7.1") ---------------------------------------------------------------------------------------------------------------------- * core: add tests for flow\_manager * core: fix CheckApplication's for\_user flag not being checked correctly * core: fix pagination not working correctly with applications API * providers/oauth2: fix blank redirect\_uri not working with TokenView * root: add code of conduct and PR template * root: add contributing file * tenants: make event retention configurable on tenant level * tenants: set tenant uuid in sentry * web/admin: add notice for event\_retention * web/admin: add status card for https and timedrift * web/admin: default to authentication flow for LDAP provider * web/admin: fix ApplicationView's CheckAccess not sending UserID correctly * website/docs: add go requirement * website/docs: update terminology for dark mode Fixed in 2021.7.2[​](https://docs.goauthentik.io/releases/2021.7/#fixed-in-202172 "Direct link to Fixed in 2021.7.2") ---------------------------------------------------------------------------------------------------------------------- * ci: fix sentry sourcemap path * e2e: fix broken selenium by locking images * events: ensure fallback result is set for on\_failure * events: remove default result for MonitoredTasks, only save when result was set * flows: don't check redirect URL when set from flow plan (set from authentik or policy) * flows: fix unhandled error in stage execution not being logged as SYSTEM\_EXCEPTION event * outpost: bump timer for periodic config reloads * outposts: catch invalid ServiceConnection error in outpost controller * providers/oauth2: fix error when requesting jwks keys with no rs256 aet * providers/proxy: fix hosts for ingress not being compared correctly * providers/saml: fix Error when getting metadata for invalid ID * providers/saml: fix metadata being inaccessible without authentication * sources/ldap: improve ms-ad password complexity checking * sources/plex: add background task to monitor validity of plex token * stages/email: fix error when re-requesting email after token has expired * stages/invitation: delete invite only after full enrollment flow is completed * web/admin: add re-authenticate button for plex * web/admin: add UI to copy invitation link * web/admin: fix empty column when no invitation expiry was set * web/admin: fix LDAP Provider bind flow list being empty * web/admin: fully remove response cloning due to errors Fixed in 2021.7.3[​](https://docs.goauthentik.io/releases/2021.7/#fixed-in-202173 "Direct link to Fixed in 2021.7.3") ---------------------------------------------------------------------------------------------------------------------- * core: fix users not being able to update their profile * lifecycle: decrease default worker count on compose * providers/saml: fix error when WantAssertionsSigned is missing * providers/saml: fix error when PropertyMapping return value isn't string * web/admin: fix user's email field being required * web/admin: fix source form's userMatchingMode being swapped Upgrading[​](https://docs.goauthentik.io/releases/2021.7/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------ This release does not introduce any new requirements. ### docker-compose[​](https://docs.goauthentik.io/releases/2021.7/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 2021.7 from [here](https://goauthentik.io/version/2021.7/docker-compose.yml) . Afterwards, simply run `docker-compose up -d`. ### Kubernetes[​](https://docs.goauthentik.io/releases/2021.7/#kubernetes "Direct link to Kubernetes") Upgrade to the latest chart version to get the new images. * [Headline Changes](https://docs.goauthentik.io/releases/2021.7/#headline-changes) * [Minor changes](https://docs.goauthentik.io/releases/2021.7/#minor-changes) * [Fixed in 2021.7.1-rc2](https://docs.goauthentik.io/releases/2021.7/#fixed-in-202171-rc2) * [Fixed in 2021.7.1](https://docs.goauthentik.io/releases/2021.7/#fixed-in-202171) * [Fixed in 2021.7.2](https://docs.goauthentik.io/releases/2021.7/#fixed-in-202172) * [Fixed in 2021.7.3](https://docs.goauthentik.io/releases/2021.7/#fixed-in-202173) * [Upgrading](https://docs.goauthentik.io/releases/2021.7/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/2021.7/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2021.7/#kubernetes) --- # Release 2021.10 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2021.10/#__docusaurus_skipToContent_fallback) On this page Headline Changes[​](https://docs.goauthentik.io/releases/2021.10/#headline-changes "Direct link to Headline Changes") ---------------------------------------------------------------------------------------------------------------------- * Flow Inspector To better understand how a flow works, and why things might not be working as intended, you can now launch Flows with an inspector enabled. This is simply triggered by adding a `?inspector` to the URL. Currently, only superuser have the permission to access the Inspector. The inspector shows the current stage, previous stages, next planned stages, and the current flow context. * SMS Authenticator You can now use SMS-based TOTP authenticators. This new Stage supports both Twilio, and a generic API endpoint, if using another provider. This stage does not have to be used for authentication, it can simply be used during enrollment to verify your users phone numbers. * Sign in with Apple It is now possible to add an Apple OAuth Source, to allow your users to authenticate with their Apple ID. A huge shoutout to all the people that contributed, helped test and also translated authentik. This is the first release that has as full French translation! Minor changes[​](https://docs.goauthentik.io/releases/2021.10/#minor-changes "Direct link to Minor changes") ------------------------------------------------------------------------------------------------------------- * \*: Squash Migrations ([#1593](https://github.com/goauthentik/authentik/issues/1593) ) * admin: clear update notification when notification's version matches current version * cmd: prevent outposts from panicking when failing to get their config * core: add default for user's settings attribute * core: add settings serializer to user/me and update\_self endpoints, saved in a key in attributes * core: improve detection for s3 settings to trigger backup * core: include group uuids in self serializer * core: make user's name field fully optional * flows: inspector ([#1469](https://github.com/goauthentik/authentik/issues/1469) ) * internal: add internal healthchecking to prevent websocket errors * internal/proxyv2: improve error handling when configuring app * lifecycle: bump celery healthcheck to 5s timeout * lifecycle: only lock database when system migrations need to be applied, and during django migrations, and don't double unlock * lifecycle: only set prometheus\_multiproc\_dir in ak wrapper to prevent full disk on worker * managed: don't run managed reconciler in foreground on startup * outpost/proxy: fix missing negation for internal host ssl verification * outposts: add additional error checking for docker controller * outposts: Adding more flexibility to outposts in Kubernetes. ([#1617](https://github.com/goauthentik/authentik/issues/1617) ) * outposts: allow disabling of docker controller port mapping * outposts: check ports of deployment in kubernetes outpost controller * outposts: don't always build permissions on outpost.user access, only in signals and tasks * outposts: fallback to known-good outpost image if configured image cannot be pulled * outposts: fix error when comparing ports in docker controller when port mapping is disabled * outposts: handle k8s 422 response code by recreating objects * outposts: rename docker\_image\_base to container\_image\_base, since its not docker specific * outposts/ldap: Support hard coded `uidNumber` and `gidNumber`. ([#1582](https://github.com/goauthentik/authentik/issues/1582) ) * outposts/proxy: add new headers with unified naming * outposts/proxy: fix duplicate protocol in domain auth mode * outposts/proxy: show full error message when user is authenticated * policies: add additional filters to create flow charts on frontend * policies/password: add extra sub\_text field in tests * providers/ldap: use RDN when using posixGroup's memberUid attribute ([#1514](https://github.com/goauthentik/authentik/issues/1514) ) * providers/proxy: always check ingress secret in kubernetes controller * providers/proxy: update ingress controller to work with k8s 1.22 * recovery: handle error when user doesn't exist * root: add docker-native healthcheck for web and celery * root: add translation for backend strings * root: coverage with toml support * root: fix error with sentry proxy * root: migrate docker images to netlify proxy ([#1603](https://github.com/goauthentik/authentik/issues/1603) ) * root: remove redundant internal network from compose * root: remove structlog.processors.format\_exc\_info for new structlog version * root: Use fully qualified names for docker bases base images. ([#1490](https://github.com/goauthentik/authentik/issues/1490) ) * sources/ldap: add support for Active Directory `userAccountControl` attribute * sources/ldap: don't sync ldap source when no property mappings are set * sources/ldap: fix logic error in Active Directory account disabled status * sources/oauth: add Sign in with Apple ([#1635](https://github.com/goauthentik/authentik/issues/1635) ) * stages/authenticator\_sms: add generic provider ([#1595](https://github.com/goauthentik/authentik/issues/1595) ) * stages/authenticator\_sms: Add SMS Authenticator Stage ([#1577](https://github.com/goauthentik/authentik/issues/1577) ) * stages/authenticator\_validate: create a default authenticator validate stage with sensible defaults * stages/email: add activate\_user\_on\_success flag, add for all example flows * stages/prompt: add sub\_text field to add HTML below prompt fields * stages/prompt: fix sub\_text not allowing blank * stages/prompt: fix wrong field type of field\_key * stages/user\_login: add check for user.is\_active and tests * stages/user\_write: allow recursive writing to user.attributes * web: add locale detection * web: ensure fallback locale is loaded * web: fix rendering of token copy button in dark mode * web: fix strings not being translated at all when matching browser locale not found * web: make table pagination size user-configurable * web: new default flow background * web: Translate /web/src/locales/en.po in fr\_FR ([#1506](https://github.com/goauthentik/authentik/issues/1506) ) * web/admin: add fallback font for doughnut charts * web/admin: default to warning state for backup task * web/admin: don't require username nor name for activate/deactivate toggles * web/admin: fix description for flow import * web/admin: fix LDAP Source form not exposing syncParentGroup * web/admin: fix search group label * web/admin: fix SMS Authenticator stage not loading state correctly * web/admin: improve visibility of oauth rsa key * web/admin: only show outpost deployment info when not embedded * web/admin: truncate prompt label when too long * web/elements: fix initialLoad not being done when viewportCheck was disabled * web/elements: fix model form always loading when viewport check is disabled * web/elements: use dedicated button for search clear instead of webkit exclusive one * web/flows: adjust message for email stage * web/user: don't show managed tokens in user interface * web/user: initial optimisation for smaller screens * web/user: load interface settings from user settings Fixed in 2021.10.1-rc2[​](https://docs.goauthentik.io/releases/2021.10/#fixed-in-2021101-rc2 "Direct link to Fixed in 2021.10.1-rc2") -------------------------------------------------------------------------------------------------------------------------------------- * core: add user flag to prevent users from changing their usernames * core: log user for http requests * flows: clear cache when deleting bindings * outpost/ldap: fix logging for mismatched provider * root: add cookie domain setting * sources/oauth: add choices to oauth provider\_type * web: disable Sentry.showReportDialog * web/flows: showing of authentik logo in flow executor * web/flows: fix authenticator device selection not updating * web/flows: show cancel link when choosing authenticator challenge Fixed in 2021.10.1-rc3[​](https://docs.goauthentik.io/releases/2021.10/#fixed-in-2021101-rc3 "Direct link to Fixed in 2021.10.1-rc3") -------------------------------------------------------------------------------------------------------------------------------------- * api: fix error when connection to websocket via secret\_key * core: add toggle to completely disable backup mechanism * core: add USER\_ATTRIBUTE\_CHANGE\_EMAIL * events: fix error when notification transport doesn't exist anymore * outposts: fix docker controller not using object\_naming\_template * providers/oauth2: fallback to uid if UPN was selected but isn't available * providers/oauth2: fix events being created from /application/o/authorize/ * sources/ldap: prevent key `users` from being set as this is an M2M relation * sources/ldap: skip values which are of type bytes Fixed in 2021.10.1[​](https://docs.goauthentik.io/releases/2021.10/#fixed-in-2021101 "Direct link to Fixed in 2021.10.1") -------------------------------------------------------------------------------------------------------------------------- * core: add API for all user-source connections * core: add API to list all authenticator devices * core: add created field to source connection * flows: optimise stage user\_settings API * outposts: separate websocket re-connection logic to decrease requests on reconnect * root: pin node images to v16 * root: update golang ldap server package * web/user: fix wrong device being selected in user's mfa update form * web/user: rework MFA Device UI to support multiple devices * web/user: update form to update mfa devices Fixed in 2021.10.2[​](https://docs.goauthentik.io/releases/2021.10/#fixed-in-2021102 "Direct link to Fixed in 2021.10.2") -------------------------------------------------------------------------------------------------------------------------- * api: replace django sentry proxy with go proxy to prevent login issues * providers/proxy: allow configuring of additional scope mappings for proxy * providers/saml: fix error on missing AssertionConsumerServiceURL, fall back to default ACS * root: fix Detection of S3 settings for backups * root: fix postgres install on bullseye * root: update base images for outposts * root: update to buster * stages/identification: add show\_source\_labels option, to show labels for sources * stages/invitation: don't throw 404 error in stage * stages/invitation: remove invitation from plan context after deletion * stages/prompt: fix type in Prompt not having enum set * web/flows: fix invalid validation for static tokens * web/flows: fix sub\_text not rendering for static fields * web/user: fix configureUrl not being passed to `` Fixed in 2021.10.3[​](https://docs.goauthentik.io/releases/2021.10/#fixed-in-2021103 "Direct link to Fixed in 2021.10.3") -------------------------------------------------------------------------------------------------------------------------- * admin: improve check to remove version notifications * cmd/server: improve cleanup on shutdown * core: add command to output full config * core: fix auth\_method for tokens * core: include parent group name * core: make group membership lookup respect parent groups (upwards) * events: ignore creation/deletion of AuthenticatedSession objects * internal: start embedded outpost directly after backend is healthy instead of waiting * lifecycle: revert to non-h11 worker * outpost/ldap: don't cleanup user info as it is overwritten on bind * providers/\*: include list of outposts * providers/ldap: add/squash migrations * providers/ldap: memory Query ([#1681](https://github.com/goauthentik/authentik/issues/1681) ) * recovery: add create\_admin\_group management command * root: fix defaults for EMAIL\_USE\_TLS * root: improve compose detection, add anonymous stats * root: keep last 30 backups * sources/ldap: remove deprecated default * sources/oauth: set prompt=none for Discord provider * sources/plex: allow users to connect their plex account without login flow * sources/plex: use exception\_to\_string in tasks * stages/authenticator\_\*: add default name for authenticators * stages/identification: only allow limited challenges for login sources * stages/identification: use random sleep * stages/prompt: add text\_read\_only field * stages/prompt: default prompts to the current value of the context * stages/prompt: only set placeholder when in context * stages/prompt: set field placeholder based on plan context * stages/prompt: use initial instead of default * web: fix linting errors by adding a wrapper for next param * web/admin: only show flows with an invitation stage configured instead of all enrollment flows * web/admin: show warning on invitation list when no stage exists or is bound * web/admin: show warning on provider when not used with outpost * web/flows: fix authenticator\_validate not allowing alphanumeric codes due to empty pattern * web/flows: improve display of static tokens * web/user: fix ak-user-settings-password getting wrong configureUrl * web/user: fix device type for static tokens * web/user: fix empty page when no sources to connect exist * web/user: fix redirect after starting configuration flow from user interface Fixed in 2021.10.4[​](https://docs.goauthentik.io/releases/2021.10/#fixed-in-2021104 "Direct link to Fixed in 2021.10.4") -------------------------------------------------------------------------------------------------------------------------- * core: force lowercase emails for gravatar usage * outposts: fix MFA Challenges not working with outpost * outposts/ldap: fix logic error in cached ldap searcher * outposts/proxy: fix static files not being served in proxy mode * providers/proxy: return list of configured scope names so outpost requests custom scopes * root: use python slim-bullseye as base * sources/ldap: fix user/group sync overwriting attributes instead of merging them * sources/ldap: set connect/receive timeout (default to 15s) * stages/\*: disable trim\_whitespace on important fields * stages/authenticator\_duo: fix devices created with name * stages/authenticator\_validate: enable all device classes by default * web: write interfaces to different folders and remove custom chunk names * web/admin: fix display issues with flow execute buttons * web/admin: show warnings above tab bar * web/admin: use more natural default ordering for objects Upgrading[​](https://docs.goauthentik.io/releases/2021.10/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------- This release does not introduce any new requirements. ### docker-compose[​](https://docs.goauthentik.io/releases/2021.10/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 2021.10 from [here](https://goauthentik.io/version/2021.10/docker-compose.yml) . Afterwards, simply run `docker-compose up -d`. ### Kubernetes[​](https://docs.goauthentik.io/releases/2021.10/#kubernetes "Direct link to Kubernetes") Update your values to use the new images: image: repository: ghcr.io/goauthentik/server tag: 2021.10.1 * [Headline Changes](https://docs.goauthentik.io/releases/2021.10/#headline-changes) * [Minor changes](https://docs.goauthentik.io/releases/2021.10/#minor-changes) * [Fixed in 2021.10.1-rc2](https://docs.goauthentik.io/releases/2021.10/#fixed-in-2021101-rc2) * [Fixed in 2021.10.1-rc3](https://docs.goauthentik.io/releases/2021.10/#fixed-in-2021101-rc3) * [Fixed in 2021.10.1](https://docs.goauthentik.io/releases/2021.10/#fixed-in-2021101) * [Fixed in 2021.10.2](https://docs.goauthentik.io/releases/2021.10/#fixed-in-2021102) * [Fixed in 2021.10.3](https://docs.goauthentik.io/releases/2021.10/#fixed-in-2021103) * [Fixed in 2021.10.4](https://docs.goauthentik.io/releases/2021.10/#fixed-in-2021104) * [Upgrading](https://docs.goauthentik.io/releases/2021.10/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/2021.10/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2021.10/#kubernetes) --- # Release 2021.5 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2021.5/#__docusaurus_skipToContent_fallback) On this page Headline Changes[​](https://docs.goauthentik.io/releases/2021.5/#headline-changes "Direct link to Headline Changes") --------------------------------------------------------------------------------------------------------------------- * LDAP Provider info This feature is still in technical preview, so please report any Bugs you run into on [GitHub](https://github.com/goauthentik/authentik/issues) You can now configure an LDAP Provider for applications that don't support any newer protocols or require LDAP. All users and groups in authentik's database are searchable. Currently, there is a limited support for filters (you can only search for objectClass), but this will be expanded in further releases. Binding against the LDAP Server uses a flow in the background. This allows you to use the same policies and flows as you do for web-based logins. The only limitation is that currently only identification and password stages are supported, due to how LDAP works. * Compatibility with forwardAuth/auth\_request The authentik proxy is now compatible with forwardAuth (traefik) / auth\_request (nginx). All that is required is the latest version of the outpost, and the correct config from [here](https://docs.goauthentik.io/add-secure-apps/providers/proxy/forward_auth/) . * Docker images for ARM Docker images are now built for amd64 and arm64. * Reduced setup complexity The authentik server now requires less containers. The static container (as well as the traefik when using docker-compose) are no longer required. As the first stage of a migration to Golang instead of Python, authentik now runs behind an in-container reverse proxy, which hosts the static files. * New Plex authentication source The plex source (previously a provider for the OAuth Source) has been rewritten to a dedicated Source. You can now limit access to authentik based on which servers a Plex user is member of. * Configurable source behaviour You can now configure how a source behaves after the user has authenticated themselves to the source. Previously, authentik always checked the unique identifier from the source, enrolled the user when the identifier didn't exist and authenticated the user otherwise. Now you can configure how the matching should be done: * Identifier: Keeps the old behaviour, can lead to duplicate user accounts * Email (link): If a user with the same Email address exists, they are linked. Can have security implications when a source doesn't validate email addresses. * Email (deny): Deny the flow if the Email address is already used. * Username (link): If a user with the same username address exists, they are linked. Can have security implications when a username is used with another source. * Username (deny): Deny the flow if the username address is already used. Minor changes[​](https://docs.goauthentik.io/releases/2021.5/#minor-changes "Direct link to Minor changes") ------------------------------------------------------------------------------------------------------------ * Improved compatibility of the flow interface with password managers. * Improved compatibility when using SAML Sources with a redirect binding. * Improved configurability of outpost docker image name for managed Outposts. * Add customization of access code validity for OAuth2 Providers. * Add ability to configure no login fields on identification stage to only allow logins with Sources. * Add single-use flag for invitations to delete token after use. * Fix sidebar not collapsible on mobile. Fixed in 2021.5.2[​](https://docs.goauthentik.io/releases/2021.5/#fixed-in-202152 "Direct link to Fixed in 2021.5.2") ---------------------------------------------------------------------------------------------------------------------- * core: fix application's slug field not being set to unique * flows: fix error when using cancel flow * lib: Fix config loading of secrets from files ([#887](https://github.com/goauthentik/authentik/issues/887) ) * lib: fix parsing of remote IP header when behind multiple reverse proxies * lifecycle: check if group of docker socket exists * lifecycle: fix error when worker is not running as root * outposts: fix error when controller loads from cache but cache has expired * outposts: fix missing default for OutpostState.for\_channel * outposts: fix reload notification not working due to wrong ID being cached * outposts/ldap: fix AUTHENTIK\_INSECURE not being respected for API client during bind * outposts/proxy: fix error redeeming code when using non-standard ports * outposts/proxy: fix insecure TLS Skip * providers/ldap: use username instead of name for user dn ([#883](https://github.com/goauthentik/authentik/issues/883) ) * providers/proxy: connect ingress to https instead of http * root: only load debug secret key when debug is enabled * web: fix chunks overwriting each other * web/admin: add notice for LDAP Provider's group selection * web/admin: fix PropertyMappings not loading correctly * website/docs: add example ldapsearch command Fixed in 2021.5.3[​](https://docs.goauthentik.io/releases/2021.5/#fixed-in-202153 "Direct link to Fixed in 2021.5.3") ---------------------------------------------------------------------------------------------------------------------- * outposts: fix update signal not being sent to correct instances * providers/oauth2: fix double login required when prompt=login * providers/proxy: fix redirect\_uris not always being set on save * sources/plex: force setting of plex token * web: fix t.reset is not a function * web: remove nginx config, add caching headers to static files * web/admin: fix flow form not loading data Fixed in 2021.5.4[​](https://docs.goauthentik.io/releases/2021.5/#fixed-in-202154 "Direct link to Fixed in 2021.5.4") ---------------------------------------------------------------------------------------------------------------------- * providers/oauth2: add missing kid header to JWT Tokens * stages/authenticator\_\*: fix Permission Error when disabling Authenticator as non-superuser * web: fix missing flow and policy cache clearing UI * web: set x-forwarded-proto based on upstream TLS Status Upgrading[​](https://docs.goauthentik.io/releases/2021.5/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------ This release does not introduce any new requirements. ### docker-compose[​](https://docs.goauthentik.io/releases/2021.5/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 2021.5 from [here](https://goauthentik.io/version/2021.5/docker-compose.yml) . Afterwards, simply run `docker-compose up -d`. warning The public port of the compose stack has been changed from 443 to 9000 and 9443 to prevent port contention. ### Kubernetes[​](https://docs.goauthentik.io/releases/2021.5/#kubernetes "Direct link to Kubernetes") The helm chart has been rewritten by [@dirtycajunrice](https://github.com/dirtycajunrice) and now lives on `https://charts.goauthentik.io`. Please upgrade to the new chart using values from [ArtifactHub](https://artifacthub.io/packages/helm/goauthentik/authentik) . The old repository will still exist for backwards-compatibility. * [Headline Changes](https://docs.goauthentik.io/releases/2021.5/#headline-changes) * [Minor changes](https://docs.goauthentik.io/releases/2021.5/#minor-changes) * [Fixed in 2021.5.2](https://docs.goauthentik.io/releases/2021.5/#fixed-in-202152) * [Fixed in 2021.5.3](https://docs.goauthentik.io/releases/2021.5/#fixed-in-202153) * [Fixed in 2021.5.4](https://docs.goauthentik.io/releases/2021.5/#fixed-in-202154) * [Upgrading](https://docs.goauthentik.io/releases/2021.5/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/2021.5/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2021.5/#kubernetes) --- # Release 2021.4 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2021.4/#__docusaurus_skipToContent_fallback) On this page Headline Changes[​](https://docs.goauthentik.io/releases/2021.4/#headline-changes "Direct link to Headline Changes") --------------------------------------------------------------------------------------------------------------------- * Configurable Policy engine mode In the past, all objects, which could have policies attached to them, required _all_ policies to pass to consider an action successful. You can now configure if _all_ policies need to pass, or if _any_ policy needs to pass. This can now be configured for the following objects: * Applications (access restrictions) * Sources * Flows * Flow-stage bindings For backwards compatibility, this is set to _all_, but new objects will default to _any_. * Expiring Events Previously, events would stay in the database forever, and had to eventually be cleaned up manually. This version add expiry to events with a default timeout of 1 Year. This also applies to existing events, and their expiry will be set during the migration. * New UI While the UI mostly looks the same, under the hood a lot has changed. The Web UI is now a Single-page application based on rollup and lit-html. This has several consequences and new features, for example: * You can now see a user's OAuth Access/Refresh tokens and the consents they've given * You can now see a per-object changelog based on the model\_create/update/delete events being created. * A new API Browser is available under `https://authentink.company/api/v2beta/` * Several new charts, new pages and quality-of-life improvements * Credentials of objects are no longer shown while editing them * Deprecated Group membership has been removed. Minor changes[​](https://docs.goauthentik.io/releases/2021.4/#minor-changes "Direct link to Minor changes") ------------------------------------------------------------------------------------------------------------ * You can now specify the amount of processes started in docker-compose using the `WORKERS` environment variable. Fixed in 2021.4.2[​](https://docs.goauthentik.io/releases/2021.4/#fixed-in-202142 "Direct link to Fixed in 2021.4.2") ---------------------------------------------------------------------------------------------------------------------- * core: fix propertymapping API returning invalid value for components ([#746](https://github.com/goauthentik/authentik/issues/746) ) * core: improve messaging when creating a recovery link for a user when no recovery flow exists * flows: annotate flows executor 404 error * flows: include configure\_flow in stages API * helm: make storage class, size and mode configurable * helm: turn off monitoring by default ([#741](https://github.com/goauthentik/authentik/issues/741) ) * outposts: fix errors when creating multiple outposts * root: add restart: unless-stopped to compose * root: base Websocket message storage on Base not fallback * root: fix healthcheck part in docker-compose * root: fix setting of EMAIL\_USE\_TLS and EMAIL\_USE\_SSL * sources/ldap: improve error handling during sync * sources/oauth: fix error when creating an oauth source which has fixed URLs * sources/oauth: fix resolution of sources' provider type * web: fix background-color on router outlet on light mode * web/admin: fix error when user doesn't have permissions to read source * web/admin: fix errors in user profile when non-superuser Fixed in 2021.4.3[​](https://docs.goauthentik.io/releases/2021.4/#fixed-in-202143 "Direct link to Fixed in 2021.4.3") ---------------------------------------------------------------------------------------------------------------------- * \*: add model\_name to TypeCreate API to distinguish between models sharing a component * api: fix CSRF error when using POST/PATCH/PUT in API Browser * api: make 401 messages clearer * api: mount outposts under outposts/instances to match flows * core: add parameter to output property mapping test result formatted * core: add superuser\_full\_list to applications list, shows all applications when superuser * core: fix Tokens being created with incorrect intent by default * outposts: don't run outpost\_controller when no service connection is set * providers/oauth2: Set CORS Headers for token endpoint, check Origin header against redirect URLs * root: auto-migrate on startup, lock database using pg\_advisory\_lock * sources/oauth: add login with plex support * sources/oauth: fix redirect loop for source with non-configurable URLs * sources/oauth: save null instead of empty string for sources without configurable URLs * web/admin: add ability to add users to a group whilst creating a group * web/admin: fix default for codemirror * web/admin: fix group member table order * web/admin: fix non-matching provider type being selected when creating an OAuth Source * web/admin: fix provider type resetting when changing provider type * web/admin: fix undefined being shown when viewing application * web/admin: improve default selection for property-mappings Fixed in 2021.4.4[​](https://docs.goauthentik.io/releases/2021.4/#fixed-in-202144 "Direct link to Fixed in 2021.4.4") ---------------------------------------------------------------------------------------------------------------------- * \*: make tasks run every 60 minutes not :00 every hour * outposts: check for X-Forwarded-Host to switch context * outposts: improve update performance * outposts: move local connection check to task, run every 60 minutes * providers/oauth2: add proper support for non-http schemes as redirect URIs * providers/oauth2: fix TokenView not having CORS headers set even with proper Origin * sources/oauth: fix error whilst fetching user profile when source uses fixed URLs * sources/oauth: handle error in AzureAD when ID Can't be extracted * stages/user\_login: add default backend * web: fix title not being loaded from config * web: only report http errors for 500 and above * web: send response info when response is thrown * web/admin: add description for fields in proxy provider form * web/admin: adjust phrasing of cards on overview page * web/admin: fix display for user supseruser status * web/admin: fix error when me() returns 403 * web/admin: fix error when updating identification stage * web/admin: fix invalid group member count * web/admin: fix link to providers on overview page * web/admin: fix mismatched required tags * web/admin: improve phrasing for Policy bindings * web/admin: only allow policies to be bound to sources as users/groups cannot be checked * web/admin: only pre-select items when creating a new object * web/flows: fix Sentry not being loaded correctly Fixed in 2021.4.5[​](https://docs.goauthentik.io/releases/2021.4/#fixed-in-202145 "Direct link to Fixed in 2021.4.5") ---------------------------------------------------------------------------------------------------------------------- * core: fix text on error pages being hard to read * outposts: only kill docker container if its running * root: add middleware to properly report websocket connection to sentry * root: don't use .error of structlog to not send to sentry * stages/email: catch ValueError when global email settings are invalid * stages/invitation: accept token from prompt\_data * stages/invitation: fix token not being loaded correctly from query string * web: fix text-colour for form help text * web: ignore network errors for sentry * web/admin: don't show docker certs as required * web/flows: fix redirect loop when sentry is enabled on flow views * web/flows: include ShadyDOM, always enable ShadyDOM for flow interface, improve compatibility with password * web/flows/identification: fix phrasing account recovery Upgrading[​](https://docs.goauthentik.io/releases/2021.4/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------ This release does not introduce any new requirements. ### docker-compose[​](https://docs.goauthentik.io/releases/2021.4/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 2021.4 from [here](https://goauthentik.io/version/2021.4/docker-compose.yml) . Afterwards, simply run `docker-compose up -d`. ### Kubernetes[​](https://docs.goauthentik.io/releases/2021.4/#kubernetes "Direct link to Kubernetes") Run `helm repo update` and then upgrade your release with `helm upgrade authentik authentik/authentik -f values.yaml`. * [Headline Changes](https://docs.goauthentik.io/releases/2021.4/#headline-changes) * [Minor changes](https://docs.goauthentik.io/releases/2021.4/#minor-changes) * [Fixed in 2021.4.2](https://docs.goauthentik.io/releases/2021.4/#fixed-in-202142) * [Fixed in 2021.4.3](https://docs.goauthentik.io/releases/2021.4/#fixed-in-202143) * [Fixed in 2021.4.4](https://docs.goauthentik.io/releases/2021.4/#fixed-in-202144) * [Fixed in 2021.4.5](https://docs.goauthentik.io/releases/2021.4/#fixed-in-202145) * [Upgrading](https://docs.goauthentik.io/releases/2021.4/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/2021.4/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2021.4/#kubernetes) --- # Release 2021.6 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2021.6/#__docusaurus_skipToContent_fallback) On this page Headline Changes[​](https://docs.goauthentik.io/releases/2021.6/#headline-changes "Direct link to Headline Changes") --------------------------------------------------------------------------------------------------------------------- * Duo two-factor support You can now add the new `authenticator_duo` stage to configure Duo authenticators. Duo has also been added as device class to the `authenticator_validation` stage. Currently, only Duo push notifications are supported. Because no additional input is required, Duo also works with the LDAP Outpost. * Multi-tenancy This version adds soft multi-tenancy. This means you can configure different branding settings and different default flows per domain. This also changes how a default flow is determined. Previously, for defaults flow, authentik would pick the first flow that * matches the required designation * comes first sorted by slug * is allowed by policies Now, authentik first checks if the current tenant has a default flow configured for the selected designation. If not, it behaves the same as before, meaning that if you want to select a default flow based on policy, you can just leave the tenant default empty. * Domain-level authorization with proxy providers Instead of simply being able to toggle between forward auth and proxy mode, you can now enable forward auth for an entire domain. This has the downside that you can't do per-application authorization, but also simplifies configuration as you don't have to create each application in authentik. * API Schema now uses OpenAPI v3 The API endpoints are mostly the same, however all the clients are now built from an OpenAPI v3 schema. You can retrieve the schema from `authentik.company.tld/api/v2beta/schema/` * On Kubernetes installs without a /media PVC, you can now set URLs instead of uploading files. * Expanded prometheus metrics for PolicyEngine and FlowPlanner Minor changes[​](https://docs.goauthentik.io/releases/2021.6/#minor-changes "Direct link to Minor changes") ------------------------------------------------------------------------------------------------------------ * You can now specify which sources should be shown on an Identification stage. * Add UI for the reputation of IPs and usernames for reputation policies. * Fix proxy outpost not being able to redeem tokens when using with an un-trusted SSL Certificate * Add UI to check access of any application for any user Fixed in 2021.6.1-rc5[​](https://docs.goauthentik.io/releases/2021.6/#fixed-in-202161-rc5 "Direct link to Fixed in 2021.6.1-rc5") ---------------------------------------------------------------------------------------------------------------------------------- * flows: fix configuration URL being set when no flow is configure * stages/authenticator\_totp: set TOTP issuer based on slug'd tenant title * stages/authenticator\_webauthn: use tenant title as RP\_NAME * stages/identification: add UPN * stages/password: add constants for password backends * web: fix flow download link Fixed in 2021.6.1-rc6[​](https://docs.goauthentik.io/releases/2021.6/#fixed-in-202161-rc6 "Direct link to Fixed in 2021.6.1-rc6") ---------------------------------------------------------------------------------------------------------------------------------- * ci: build and push stable tag when rc not in release name * core: delete real session when AuthenticatedSession is deleted * core: fix impersonation not working with inactive users * core: fix upload api not checking clear properly * core: revert check\_access API to get to prevent CSRF errors * events: add tenant to event * events: catch unhandled exceptions from request as event, add button to open github issue * flows: fix error clearing flow background when no files have been uploaded * outpost: fix syntax error when creating an outpost with connection * outposts: fix integrity error with tokens * outposts/ldap: improve responses for unsuccessful binds * policies/reputation: fix race condition in tests * provider/proxy: mark forward\_auth flag as deprecated * providers/saml: improve error handling for signature errors * root: fix build\_hash being set incorrectly for tagged versions * sources/saml: check sessions before deleting user * stages/authenticator\_duo: don't create default duo stage * stages/authenticator\_validate: add tests for authenticator validation * stages/identification: fix challenges not being annotated correctly and API client not loading data correctly * web: add capabilities to sentry event * web: migrate banner to sidebar * web/admin: fix user enable/disable modal not matching other modals * web/admin: select service connection by default when only one exists * web/flows: fix expiry not shown on consent stage when loading * web/flows: fix IdentificationStage's label not matching fields * web/flows: improve display of allowed fields for identification stage * website/docs: add docs for outpost configuration Fixed in 2021.6.1[​](https://docs.goauthentik.io/releases/2021.6/#fixed-in-202161 "Direct link to Fixed in 2021.6.1") ---------------------------------------------------------------------------------------------------------------------- * core: fix error getting stages when enrollment flow isn't set * core: fix error when creating AuthenticatedSession without key * flows: fix error when stage has incorrect type * providers/saml: add support for NameID type unspecified * providers/saml: fix error when getting transient user identifier * providers/saml: fix NameIDPolicy not being parsed correctly * recovery: fix error when creating multiple keys for the same user * stages/authenticator\_duo: fix error when enrolling an existing user * stages/authenticator\_duo: make Duo-admin viewset writeable * website/docs: remove migrate command Fixed in 2021.6.2[​](https://docs.goauthentik.io/releases/2021.6/#fixed-in-202162 "Direct link to Fixed in 2021.6.2") ---------------------------------------------------------------------------------------------------------------------- * core: add support for custom urls for avatars * core: deepmerge user.group\_attributes, use group\_attributes for user settings * core: fix PropertyMapping's globals not matching Expression policy * core: remove default flow background from default css, set static in base\_full and dynamically in if/flow * crypto: catch error when loading private key * flows: make flow plan cache timeout configurable * outposts: fix port and inner\_port being mixed on docker controller * outposts/proxy: fix additionalHeaders not being set properly * policies: don't use policy cache when checking application access * policies: make policy result cache timeout configurable * root: allow loading local /static files without debug flag * root: make general cache timeouts configurable * root: remove old traefik labels * root: save temporary database dump in /tmp * root: set outposts.docker\_image\_base to gh-master for tests * stages/authenticator\_validate: fix error when using not\_configured\_action=configure * tenants: fix tenant not being queried correctly when using accessing over a child domain * web/admin: fix tenant's default flag not being saved * web/admin: handle elements in slot=form not being forms * web/admin: sort inputs on authenticator validation stage form Fixed in 2021.6.3[​](https://docs.goauthentik.io/releases/2021.6/#fixed-in-202163 "Direct link to Fixed in 2021.6.3") ---------------------------------------------------------------------------------------------------------------------- * api: use partition instead of split for token * core: fix flow background not correctly loading on initial draw * events: add ability to create events via API * events: ignore notification non-existent in transport * events: only create SYSTEM\_EXCEPTION event when error would've been sent to sentry * expressions: fix regex\_match result being inverted * flows: add FlowStageBinding to flow plan instead of just stage * flows: add invalid\_response\_action to configure how the FlowExecutor should handle invalid responses * flows: handle possible errors with FlowPlans received from cache * outposts: check docker container ports match * outposts/ldap: fixed IsActive and IsSuperuser returning swapped incorrect values ([#1078](https://github.com/goauthentik/authentik/issues/1078) ) * providers/oauth2: fix exp of JWT when not using seconds * sources/ldap: improve error handling when checking for password complexity on non-ad setups * stages/authenticator\_duo: fix component not being set in API * stages/prompt: ensure hidden and static fields keep the value they had set * stages/user\_write: add flag to create new users as inactive * tenants: include all default flows in current\_tenant * web/admin: fix deletion of authenticator not reloading the state correctly * web/admin: fix only recovery flows being selectable for unenrollment flow in tenant form * web/admin: fix text color on pf-c-card Fixed in 2021.6.4[​](https://docs.goauthentik.io/releases/2021.6/#fixed-in-202164 "Direct link to Fixed in 2021.6.4") ---------------------------------------------------------------------------------------------------------------------- * core: only show `Reset password` link when recovery flow is configured * crypto: show both sha1 and sha256 fingerprints * flows: handle old cached flow plans better * g: fix static and media caching not working properly * outposts: fix container not being started after creation * outposts: fix docker controller not checking env correctly * outposts: fix docker controller not checking ports correctly * outposts: fix empty message when docker outpost controller has changed nothing * outposts: fix permissions not being set correctly upon outpost creation * outposts/ldap: add support for boolean fields in ldap * outposts/proxy: always redirect to session-end interface on sign\_out * providers/oauth2: add revoked field, create suspicious event when previous token is used * providers/oauth2: deepmerge claims * providers/oauth2: fix CORS headers not being set for unsuccessful requests * providers/oauth2: use self.expires for exp field instead of calculating it again * sources/oauth: create configuration error event when profile can't be parsed as json * stages/user\_write: add wrapper for post to user\_write * web/admin: fix ModelForm not re-loading after being reset * web/admin: show oauth2 token revoked status Upgrading[​](https://docs.goauthentik.io/releases/2021.6/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------ This release does not introduce any new requirements. ### docker-compose[​](https://docs.goauthentik.io/releases/2021.6/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 2021.6 from [here](https://goauthentik.io/version/2021.6/docker-compose.yml) . Afterwards, simply run `docker-compose up -d`. ### Kubernetes[​](https://docs.goauthentik.io/releases/2021.6/#kubernetes "Direct link to Kubernetes") Upgrade to the latest chart version to get the new images. * [Headline Changes](https://docs.goauthentik.io/releases/2021.6/#headline-changes) * [Minor changes](https://docs.goauthentik.io/releases/2021.6/#minor-changes) * [Fixed in 2021.6.1-rc5](https://docs.goauthentik.io/releases/2021.6/#fixed-in-202161-rc5) * [Fixed in 2021.6.1-rc6](https://docs.goauthentik.io/releases/2021.6/#fixed-in-202161-rc6) * [Fixed in 2021.6.1](https://docs.goauthentik.io/releases/2021.6/#fixed-in-202161) * [Fixed in 2021.6.2](https://docs.goauthentik.io/releases/2021.6/#fixed-in-202162) * [Fixed in 2021.6.3](https://docs.goauthentik.io/releases/2021.6/#fixed-in-202163) * [Fixed in 2021.6.4](https://docs.goauthentik.io/releases/2021.6/#fixed-in-202164) * [Upgrading](https://docs.goauthentik.io/releases/2021.6/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/2021.6/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2021.6/#kubernetes) --- # Release 2021.12 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2021.12/#__docusaurus_skipToContent_fallback) On this page Headline changes[​](https://docs.goauthentik.io/releases/2021.12/#headline-changes "Direct link to Headline changes") ---------------------------------------------------------------------------------------------------------------------- This release does not have any headline features, and mostly fixes bugs. Breaking changes[​](https://docs.goauthentik.io/releases/2021.12/#breaking-changes "Direct link to Breaking changes") ---------------------------------------------------------------------------------------------------------------------- * stages/prompt: Before 2021.12, any policy was required to pass for the result to be considered valid. This has been changed, and now all policies are required to be valid. Minor changes[​](https://docs.goauthentik.io/releases/2021.12/#minor-changes "Direct link to Minor changes") ------------------------------------------------------------------------------------------------------------- * core: make defaults for \_change\_email and \_change\_username configurable * core: remove dump\_config, handle directly in config loader without booting django, don't check database * events: add gdpr\_compliance option * internal: fix integrated docs not working * internal: use runserver when debug for code reload * lib: add cli option for lib.config * lib: add improved log to sentry events being sent * lib: fix custom URL schemes being overwritten * lib: load json strings in config env variables * lib: log error for file:// in config * lifecycle: allow custom worker count in k8s * lifecycle: improve backup restore by dropping database before * lifecycle: improve redis connection debug py printing full URL * outpost: configure error reporting based off of main instance config * outposts: don't panic when listening for metrics fails * outposts: reload on signal USR1, fix display of reload offset * outposts/ldap: copy boundUsers map when running refresh instead of using blank map * outposts/ldap: fix panic when attempting to update without locked users mutex * outposts/proxy: continue compiling additional regexes even when one fails * outposts/proxy: show better error when hostname isn't configured * outposts/proxy: use disableIndex for static files * policies/expression: fix ak\_user\_has\_authenticator evaluation when not specifying optional device\_type ([#1849](https://github.com/goauthentik/authentik/issues/1849) ) * providers/saml: fix SessionNotOnOrAfter not being included * root: add lifespan shim to prevent errors * root: fix settings for managed not loaded * root: make sentry sample rate configurable * stages/authenticator\_validate: catch error when attempting to configure user without flow * stages/email: fix missing component in response when retrying email send * stages/email: minify email css template * stages/email: prevent error with duplicate token * web: improve dark theme for vertical tabs * web: only show applications with http link * web/admin: allow flow edit on flow view page * web/admin: fix actions column on ip reputation page * web/admin: fix Forms with file uploads not handling errors correctly * web/admin: make object view pages more consistent * web/admin: make user clickable for bound policies list * web/admin: redesign provider pages to provide more info * web/admin: show changelog on user info page * web/admin: unify rendering and sorting of user lists * web/elements: add new API to store attributes in URL, use for table and tabs * web/elements: allow app.model names for ak-object-changelog * web/elements: allow multiple tabs with different state * web/flows: fix spinner during webauthn not centred * web/flows: update default background * web/user: fix filtering for applications based on launchURL * web/user: fix height issues on user interface Fixed in 2021.12.1-rc2[​](https://docs.goauthentik.io/releases/2021.12/#fixed-in-2021121-rc2 "Direct link to Fixed in 2021.12.1-rc2") -------------------------------------------------------------------------------------------------------------------------------------- * \*: don't use go embed to make using custom files easier * crypto: add certificate discovery to automatically import certificates from lets encrypt * crypto: fix default API not having an ordering * outposts: always trigger outpost reconcile on startup * outposts/ldap: Rework/improve LDAP search logic. ([#1687](https://github.com/goauthentik/authentik/issues/1687) ) * outposts/proxy: make logging fields more consistent * outposts/proxy: re-add rs256 support * providers/proxy: fix defaults for traefik integration * providers/proxy: use wildcard for traefik headers copy * providers/saml: fix error when using post bindings and user freshly logged in * providers/saml: fix IndexError in signature check * sources/ldap: add optional tls verification certificate * sources/ldap: allow multiple server URIs for loadbalancing and failover * sources/ldap: don't cache LDAP Connection, use random server * sources/ldap: handle typeerror during creation of objects when using wrong keyword params * sources/plex: fix plex token being included in event log * stages/prompt: fix error when both default and required are set * web/admin: add spinner to table refresh button to show progress * web/admin: don't show disabled http basic as red * web/admin: fix wrong description for reputation policy * web/flows: fix linting errors * web/flows: Revise duo authenticator login prompt text ([#1872](https://github.com/goauthentik/authentik/issues/1872) ) Fixed in 2021.12.1-rc3[​](https://docs.goauthentik.io/releases/2021.12/#fixed-in-2021121-rc3 "Direct link to Fixed in 2021.12.1-rc3") -------------------------------------------------------------------------------------------------------------------------------------- * core: add FlowToken which saves the pickled flow plan, replace standard token in email stage to allow finishing flows in different sessions * core: fix missing permission check for group creating when creating service account * outposts/ldap: Fix search case sensitivity. ([#1897](https://github.com/goauthentik/authentik/issues/1897) ) * policies/expression: add ak\_call\_policy * providers/saml: add ?force\_binding to limit bindings for metadata endpoint * root: add request\_id to celery tasks, prefixed with "task-" * sources/\*: Allow creation of source connections via API * stages/prompt: use policyenginemode all * tests/e2e: add post binding test * web: fix duplicate classes, make generic icon clickable * web: fix text colour for bad request on light mode * web/admin: show outpost warning on application page too * web/elements: close dropdown when refresh event is dispatched * web/user: allow custom font-awesome icons for applications Fixed in 2021.12.1-rc4[​](https://docs.goauthentik.io/releases/2021.12/#fixed-in-2021121-rc4 "Direct link to Fixed in 2021.12.1-rc4") -------------------------------------------------------------------------------------------------------------------------------------- * core: fix error when using invalid key-values in attributes query * flows: fix error in inspector view * flows: fix error when trying to print FlowToken objects * lib: correctly report "faked" IPs to sentry * outposts: add additional checks for websocket connection * outposts: cleanup logs for failed binds * outposts: don't try to create docker client for embedded outpost * outposts: fix docker controller not stopping containers * outposts: fix unlabeled transaction * outposts: handle RuntimeError during websocket connect * outposts: rewrite re-connect logic without recws * outposts: set display name for outpost service account * outposts/ldap: fix searches with mixed casing * outposts/proxy: use filesystem storage for non-embedded outposts * policies: don't always clear application cache on post\_save * stagse/authenticator\_webauthn: remove pydantic import * web: fix borders of sidebars in dark mode Fixed in 2021.12.1-rc5[​](https://docs.goauthentik.io/releases/2021.12/#fixed-in-2021121-rc5 "Direct link to Fixed in 2021.12.1-rc5") -------------------------------------------------------------------------------------------------------------------------------------- * crypto: add additional validation before importing a certificate * events: add flow\_execution event type * events: fix schema for top\_per\_user * flows: fix wrong exception being caught in flow inspector * outposts: reset backoff after successful connect * outposts/proxy: fix securecookie: the value is too long again, since it can happen even with filesystem storage * providers/oauth2: add additional logging to show with token path is taken * providers/oauth2: use generate\_key instead of uuid4 * sources/ldap: fix incorrect task names being referenced, use source native slug * sources/oauth: add initial okta type * sources/oauth: allow oauth types to override their login button challenge * sources/oauth: implement apple native sign-in using the apple JS SDK * sources/oauth: strip parts of custom apple client\_id * stages/authenticator\_webauthn: make user\_verification configurable * stages/identification: fix miscalculated sleep * stages/invitation: use GroupMemberSerializer serializer to prevent all of the user's groups and their users from being returned * web: add link to open API Browser for API Drawer * web/admin: add dashboard with user creation/login statistics * web/admin: fix invalid display for LDAP Source sync status * web/admin: fix rendering for applications on view page * web/admin: fix rendering of applications with custom icon * web/admin: improve wording for froward\_auth, don't show setup when using proxy mode * web/admin: show warning when deleting currently logged in user * web/admin: update overview page * web/flows: fix error when attempting to enroll new webauthn device Fixed in 2021.12.1[​](https://docs.goauthentik.io/releases/2021.12/#fixed-in-2021121 "Direct link to Fixed in 2021.12.1") -------------------------------------------------------------------------------------------------------------------------- * core: fix error when attempting to provider from cached application * events: improve app lookup for event creation * internal: cleanup duplicate and redundant code, properly set sentry SDK scope settings * lifecycle: add -Ofair to celery * web/admin: add sidebar to applications * web/admin: fix notification unread colours not matching on user and admin interface * web/admin: fix stage related flows not being shown in a list * web/elements: add Markdown component to improve rendering * web/elements: add support for sidebar on table page * web/elements: close notification drawer when clearing all notifications Fixed in 2021.12.2[​](https://docs.goauthentik.io/releases/2021.12/#fixed-in-2021122 "Direct link to Fixed in 2021.12.2") -------------------------------------------------------------------------------------------------------------------------- * core: don't rotate non-api tokens * crypto: fix private keys not being imported correctly * outposts: release binary outposts ([#1954](https://github.com/goauthentik/authentik/issues/1954) ) * outposts/proxy: match skipPathRegex against full URL on domain auth * policies/password: add minimum digits * providers/oauth2: don't rely on expiry task for access codes and refresh tokens * sources/oauth: allow writing to user in SourceConnection * web: ignore instantSearchSDKJSBridgeClearHighlight error on edge on iOS * web/admin: fix background colour for application sidebar * web/elements: fix border between search buttons Fixed in 2021.12.3[​](https://docs.goauthentik.io/releases/2021.12/#fixed-in-2021123 "Direct link to Fixed in 2021.12.3") -------------------------------------------------------------------------------------------------------------------------- * \*: revert to using GHCR directly * core: fix error when getting launch URL for application with non-existent Provider * internal: fix sentry sample rate not applying to proxy * internal: rework global logging settings, embedded outpost no longer overwrites core * outpost: re-run globalSetup when updating config, allowing for live log level changes * outposts: handle/ignore http Abort handler * outposts/ldap: fix log formatter and level not being set correctly * outposts/proxy: add initial redirect-loop prevention * outposts/proxy: fix allowlist for forward\_auth and traefik * outposts/proxy: fix ping URI not being routed * outposts/proxy: fix session not expiring correctly due to miscalculation * root: allow trace log level to work for core/embedded * root: don't set secure cross opener policy * root: drop redis cache sentry errors * root: fix inconsistent URL quoting of redis URLs * web/admin: add outpost type to list * web/admin: auto set the embedded outpost's authentik\_host on first view * web/admin: don't auto-select certificate for LDAP source verification * web/admin: fix border for outpost health status Fixed in 2021.12.4[​](https://docs.goauthentik.io/releases/2021.12/#fixed-in-2021124 "Direct link to Fixed in 2021.12.4") -------------------------------------------------------------------------------------------------------------------------- * crypto: improve handling for non-rsa private keys * events: create test notification with event with data * internal: add custom proxy certificates support to embedded outpost * policies: fix application cache not being cleared correctly * providers/oauth2: remove jwt\_alg field and set algorithm based on selected keypair, select HS256 when no keypair is selected * stages/authenticator\_validate: add passwordless login * stages/authenticator\_validate: fix prompt not triggering when using in non-authentication context * stages/authenticator\_validate: refuse passwordless flow if flow is not for authentication * tenants: add web certificate field, make authentik's core certificate configurable based on keypair * web/admin: fix explore integration not opening in new tab * web/elements: fix link from notification drawer not working in user interface * web/user: fix user details not rendering when loading to a different user settings tab and then switching Fixed in 2021.12.5[​](https://docs.goauthentik.io/releases/2021.12/#fixed-in-2021125 "Direct link to Fixed in 2021.12.5") -------------------------------------------------------------------------------------------------------------------------- * \*: use py3.10 syntax for unions, remove old Type\[\] import when possible * core: add API endpoint to directly set user's password * core: add error handling in source flow manager when flow isn't applicable * core: fix UserSelfSerializer's save() overwriting other user attributes * core: prevent LDAP password being set for internal hash upgrades * crypto: return private key's type (required for some oauth2 providers) * flows: add test helpers to simplify and improve checking of stages, remove force\_str * flows: don't create EventAction.FLOW\_EXECUTION * flows: update default flow titles * flows: use WithUserInfoChallenge for AccessDeniedChallenge * lib: strip values for timedelta from string * outposts: add remote docker integration via SSH * outposts: fix outpost's sentry not sending release * outposts: include outposts build hash in state * outposts/proxy: add support for multiple states, when multiple requests are redirect at once * outposts/proxy: fix error checking for type assertion * policies/reputation: rework reputation to use a single entry, include geo\_ip data * sources/oauth: add additional scopes field to get additional data from provider * sources/oauth: fix github provider not including correct base scopes * stages/identification: add field for passwordless flow * tenants: forbid creation of multiple default tenants * web: add tr to locale * web: remove page header colour, match user navbar to admin sidebar * web/admin: add Admin in titlebar for admin interface * web/admin: fix alignment in outpost list when expanding rows * web/admin: fix display when groups/users don't fit on a single row * web/admin: include key type in list * web/admin: mark additional scopes as non-required * web/admin: show flow title in list * web/elements: fix alignment of chipgroup on modal add * web/elements: fix spacing between chips in chip-group * web/elements: re-enable codemirror line numbers (fixed on firefox) * web/flows: add workaround for autofocus not working in password stage * web/flows: fix duplicate loading spinners when using webauthn * web/flows: fix helper form not being removed from identification stage (improve password manager compatibility) * web/flows: include user in access denied stage * web/flows: only add helper username input if using native shadow dom to prevent browser confusion * web/user: add language selection * web/user: rework user source connection UI Upgrading[​](https://docs.goauthentik.io/releases/2021.12/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------- This release does not introduce any new requirements. ### docker-compose[​](https://docs.goauthentik.io/releases/2021.12/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 2021.12 from [here](https://goauthentik.io/version/2021.12/docker-compose.yml) . Afterwards, simply run `docker-compose up -d`. ### Kubernetes[​](https://docs.goauthentik.io/releases/2021.12/#kubernetes "Direct link to Kubernetes") Update your values to use the new images: image: repository: ghcr.io/goauthentik/server tag: 2021.12.1 * [Headline changes](https://docs.goauthentik.io/releases/2021.12/#headline-changes) * [Breaking changes](https://docs.goauthentik.io/releases/2021.12/#breaking-changes) * [Minor changes](https://docs.goauthentik.io/releases/2021.12/#minor-changes) * [Fixed in 2021.12.1-rc2](https://docs.goauthentik.io/releases/2021.12/#fixed-in-2021121-rc2) * [Fixed in 2021.12.1-rc3](https://docs.goauthentik.io/releases/2021.12/#fixed-in-2021121-rc3) * [Fixed in 2021.12.1-rc4](https://docs.goauthentik.io/releases/2021.12/#fixed-in-2021121-rc4) * [Fixed in 2021.12.1-rc5](https://docs.goauthentik.io/releases/2021.12/#fixed-in-2021121-rc5) * [Fixed in 2021.12.1](https://docs.goauthentik.io/releases/2021.12/#fixed-in-2021121) * [Fixed in 2021.12.2](https://docs.goauthentik.io/releases/2021.12/#fixed-in-2021122) * [Fixed in 2021.12.3](https://docs.goauthentik.io/releases/2021.12/#fixed-in-2021123) * [Fixed in 2021.12.4](https://docs.goauthentik.io/releases/2021.12/#fixed-in-2021124) * [Fixed in 2021.12.5](https://docs.goauthentik.io/releases/2021.12/#fixed-in-2021125) * [Upgrading](https://docs.goauthentik.io/releases/2021.12/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/2021.12/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2021.12/#kubernetes) --- # Release 2021.8 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2021.8/#__docusaurus_skipToContent_fallback) On this page Headline Changes[​](https://docs.goauthentik.io/releases/2021.8/#headline-changes "Direct link to Headline Changes") --------------------------------------------------------------------------------------------------------------------- * Embedded Outpost To simplify the setup, an embedded outpost has been added. This outpost runs as part of the main authentik server, and requires no additional setup. You can simply assign providers to the embedded outpost, and either use the integrations to configure reverse proxies, or point your traffic to the main authentik server. Traffic is routed based on host-header, meaning every host that has been configured as a provider and is assigned to the embedded proxy will be sent to the outpost, and every sub-path under `/outpost.goauthentik.io` is sent to the outpost too. The rest is sent to authentik itself. * App passwords You can now create Tokens with the intent `app_password`, and use them when authenticating with a flow. This requires the `User database + app passwords` backend in your password stage (this is done automatically on upgrade). You will also see in the logs which backend was used as the `auth_method` and `auth_method_args` arguments on the Event. Minor changes[​](https://docs.goauthentik.io/releases/2021.8/#minor-changes "Direct link to Minor changes") ------------------------------------------------------------------------------------------------------------ * admin: add API to show embedded outpost status, add notice when its not configured properly * api: ensure all resources can be filtered * api: make all PropertyMappings filterable by multiple managed attributes * core: add API to directly send recovery link to user * core: add UserSelfSerializer and separate method for users to update themselves with limited fields * core: allow changing of groups a user is in from user api * flows: fix unhandled error in stage execution not being logged as SYSTEM\_EXCEPTION event * lifecycle: decrease default worker count on compose * outpost/ldap: Performance improvements, support for (member=) lookup * providers/proxy: don't create ingress when no hosts are defined * sources/plex: add API to get user connections * web: add API Drawer * web/admin: add UI to copy invitation link * web/admin: allow modification of users groups from user view * web/admin: re-name service connection to integration Fixed in 2021.8.1-rc2[​](https://docs.goauthentik.io/releases/2021.8/#fixed-in-202181-rc2 "Direct link to Fixed in 2021.8.1-rc2") ---------------------------------------------------------------------------------------------------------------------------------- * ci: add pipeline to build and push js api package * ci: upgrade web api client when schema changes * core: add new token intent and auth backend ([#1284](https://github.com/goauthentik/authentik/issues/1284) ) * core: add token tests for invalid intent and token auth * core: fix token intent not defaulting correctly * core: handle error when ?for\_user is not numerical * lib: move id and key generators to lib ([#1286](https://github.com/goauthentik/authentik/issues/1286) ) * lifecycle: rename to ak * outpost: handle non-existent permission * outpost: add recursion limit for docker controller * outpost: add repair\_permissions command * root: add alias for akflow files * root: add ASGI Error handler * root: add License to NPM package * root: fix error\_handler for websocket * root: fix mis-matched postgres version for CI * root: remove remainders from gen * root: remove usage of make-gen * root: test schema auto-update * root: update schema * stages/password: auto-enable app password backend * stages/user\_write: fix wrong fallback authentication backend * web: add custom readme to api client * web: add ESM to generated Client * web: build. api in different folder * web: improve api client versioning * web: Merge pull request [#1258](https://github.com/goauthentik/authentik/issues/1258) from goauthentik/publish-api-to-npm * web: migrate to [**@goauthentik/api**](https://github.com/goauthentik/api) * web: Update Web API Client version ([#1283](https://github.com/goauthentik/authentik/issues/1283) ) * web/admin: allow users to create app password tokens * web/admin: display token's intents * web/admin: fix missing app passwords backend * web/admin: improve delete modal for stage bindings and policy bindings * web/admin: select all password stage backends by default * website: add docs for making schema changes * website: make default login-2fa flow ignore 2fa with app passwords * website/docs: add docs for `auth_method` and `auth_method_args` fields Fixed in 2021.8.1[​](https://docs.goauthentik.io/releases/2021.8/#fixed-in-202181 "Direct link to Fixed in 2021.8.1") ---------------------------------------------------------------------------------------------------------------------- * \*: cleanup api schema warnings * core: fix error for asgi error handler with websockets * core: fix error when user updates themselves * core: fix user object for token not be set-able * root: Fix table of contents for CONTRIBUTING.md ([#1302](https://github.com/goauthentik/authentik/issues/1302) ) * root: Require PG\_PASS to be set ([#1303](https://github.com/goauthentik/authentik/issues/1303) ) * web/admin: allow admins to create tokens Fixed in 2021.8.2[​](https://docs.goauthentik.io/releases/2021.8/#fixed-in-202182 "Direct link to Fixed in 2021.8.2") ---------------------------------------------------------------------------------------------------------------------- * root: fix login loop created by old settings stored in cache Fixed in 2021.8.3[​](https://docs.goauthentik.io/releases/2021.8/#fixed-in-202183 "Direct link to Fixed in 2021.8.3") ---------------------------------------------------------------------------------------------------------------------- * outpost: fix FlowExecutor not sending password for identification stage * outpost: fix generated traefik labels containing invalid hosts * outpost: make docker network configurable when using docker integration * web/flow: fix redirects to application being sent multiple times, causing issues with OAuth providers * web/flow: fix rendering of checkboxes in prompt stages Fixed in 2021.8.4[​](https://docs.goauthentik.io/releases/2021.8/#fixed-in-202184 "Direct link to Fixed in 2021.8.4") ---------------------------------------------------------------------------------------------------------------------- * api: add /api/v3 path * api: add basic rate limiting for sentry proxy endpoint * core: fix user\_obj being empty on token API * events: improve logging for task exceptions * outpost/embedded: only send requests for non-akprox paths when we're doing proxy mode * outpost/ldap: delay user information removal upon closing of connection * policies/password: fix PasswordStage not being usable with prompt stages * providers/proxy: fix traefik middleware being generated with wrong ports for embedded outposts * providers/proxy: improve error handling for non-tls ingresses * stages/authenticator\_validate: show single button for multiple webauthn authenticators * stages/invitation: fix invitation not inheriting ExpiringModel * web/admin: fallback for invitation list on first load * web/admin: fix flow executor not opening in new tab * web/admin: fix list of webauthn devices not updating after rename * web/flows: fix FlowExecutor not updating when challenge changes from outside Fixed in 2021.8.5[​](https://docs.goauthentik.io/releases/2021.8/#fixed-in-202185 "Direct link to Fixed in 2021.8.5") ---------------------------------------------------------------------------------------------------------------------- * api: add additional filters for ldap and proxy providers * api: cache schema, fix server urls * core: minor query optimization * events: add mark\_all\_seen * events: remove authentik\_events gauge * internal: disable directory listing on static files * internal: fix font loading errors on safari * internal: fix web requests not having a logger set * outpost: fix spans being sent without parent context * outposts: add expected outpost replica count to metrics * outposts/ldap: improve logging of client IPs * policies/password: fix symbols not being checked correctly * root: fix is\_secure with safari on debug environments * root: include authentik version in backup naming * stages/identification: fix empty user\_fields query returning first user * web/admin: fix user selection in token form * web/admin: show applications instead of providers in outpost form * web/flows: fix display error when using IdentificationStage without input fields Upgrading[​](https://docs.goauthentik.io/releases/2021.8/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------ This release does not introduce any new requirements. ### docker-compose[​](https://docs.goauthentik.io/releases/2021.8/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 2021.8 from [here](https://goauthentik.io/version/2021.8/docker-compose.yml) . Afterwards, simply run `docker-compose up -d`. ### Kubernetes[​](https://docs.goauthentik.io/releases/2021.8/#kubernetes "Direct link to Kubernetes") Update your values to use the new images: image: repository: ghcr.io/goauthentik/server tag: 2021.8.5 * [Headline Changes](https://docs.goauthentik.io/releases/2021.8/#headline-changes) * [Minor changes](https://docs.goauthentik.io/releases/2021.8/#minor-changes) * [Fixed in 2021.8.1-rc2](https://docs.goauthentik.io/releases/2021.8/#fixed-in-202181-rc2) * [Fixed in 2021.8.1](https://docs.goauthentik.io/releases/2021.8/#fixed-in-202181) * [Fixed in 2021.8.2](https://docs.goauthentik.io/releases/2021.8/#fixed-in-202182) * [Fixed in 2021.8.3](https://docs.goauthentik.io/releases/2021.8/#fixed-in-202183) * [Fixed in 2021.8.4](https://docs.goauthentik.io/releases/2021.8/#fixed-in-202184) * [Fixed in 2021.8.5](https://docs.goauthentik.io/releases/2021.8/#fixed-in-202185) * [Upgrading](https://docs.goauthentik.io/releases/2021.8/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/2021.8/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2021.8/#kubernetes) --- # Release 2022.1 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2022.1/#__docusaurus_skipToContent_fallback) On this page Breaking changes[​](https://docs.goauthentik.io/releases/2022.1/#breaking-changes "Direct link to Breaking changes") --------------------------------------------------------------------------------------------------------------------- This release mostly removes legacy fields and features that have been deprecated for several releases. * LDAP Outposts: This release removes the `accountStatus` and `superuser` fields. Use the direct replacements `goauthentik.io/ldap/active` and `goauthentik.io/ldap/superuser`. * Proxy Outposts: This release consolidates headers sent by authentik to have a common prefix. The following headers have been removed: * X-Auth-Username, use `X-authentik-username` * X-Auth-Groups, use `X-authentik-groups` * X-Forwarded-Email, use `X-authentik-email` * X-Forwarded-Preferred-Username, use `X-authentik-username` * X-Forwarded-User, use `X-authentik-uid` The proxy now also sets the host header based on what is configured as upstream in the proxy provider. The original Host is forwarded as `X-Forwarded-Host`. Additionally, the header requirements for nginx have changed. Either a `X-Original-URL` or `X-Original-URI` header are now required. See the [_Proxy provider_](https://docs.goauthentik.io/add-secure-apps/providers/proxy/forward_auth/) documentation for updated snippets. * API: The deprecated /api/v2beta/ Endpoint is removed. Use `/api/v3/`. * Backup: The integrated backup has been deprecated for the following reasons: * Difficulty with restores not working properly * Inflexible configuration (fixed retention, limited to once a day, only S3 supported) * Most users will already have an existing backup infrastructure Minor changes/fixes[​](https://docs.goauthentik.io/releases/2022.1/#minor-changesfixes "Direct link to Minor changes/fixes") ----------------------------------------------------------------------------------------------------------------------------- * core: dont return 404 when trying to view key of expired token * crypto: fully parse certificate on validation in serializer to prevent invalid certificates from being saved * flows: handle error if flow title contains invalid format string * internal: route traffic to proxy providers based on cookie domain when multiple domain-level providers exist * internal: use math.MaxInt for compatibility * lifecycle: add early check for missing/invalid secret key * outposts/proxyv2: allow access to /outpost.goauthentik.io urls in forward auth mode to make routing in nginx/traefik easier * outposts/proxyv2: fix before-redirect url not being saved in proxy mode * outposts/proxyv2: fix JWKS url pointing to localhost on embedded outpost * providers/oauth2: change default redirect uri behaviour; set first used url when blank and use star for wildcard * root: allow customisation of ports in compose without override * root: decrease to 10 backup history * root: fix backups running every minute instead of once * stages/authenticator\_webauthn: make more WebAuthn options configurable * web: add polyfill for Intl.ListFormat * web: directly read csrf token before injecting into request * web: fix double plural in label * web/admin: also set embedded outpost host when it doesn't include scheme * web/admin: fix missing configure flow setting on webuahtn setup stage form * web/flows: remove node directly instead of using removeChild() Fixed in 2022.1.2[​](https://docs.goauthentik.io/releases/2022.1/#fixed-in-202212 "Direct link to Fixed in 2022.1.2") ---------------------------------------------------------------------------------------------------------------------- * internal/proxyv2: only allow access to /outpost.goauthentik.io in nginx mode when forward url could be extracted * lib: disable backup by default, add note to configuration * lifecycle: replace lowercase, deprecated prometheus\_multiproc\_dir * outposts: allow custom label for docker containers * policies/hibp: ensure password is encodable * providers/proxy: add PathPrefix to auto-traefik labels * root: upgrade python dependencies Fixed in 2022.1.3[​](https://docs.goauthentik.io/releases/2022.1/#fixed-in-202213 "Direct link to Fixed in 2022.1.3") ---------------------------------------------------------------------------------------------------------------------- * internal: add support for X-Original-URL * internal: add optional debug server listening on 9900 * internal: don't override server header * internal: start adding tests to outpost * lifecycle: make secret\_key warning more prominent * lifecycle: wait for db in worker * outposts/ldap: Fix more case sensitivity issues. ([#2144](https://github.com/goauthentik/authentik/issues/2144) ) * outposts/proxy: add more test cases for domain-level auth * outposts/proxy: fix potential empty redirect, add tests * outposts/proxy: trace full headers to debug * providers/proxy: fix traefik label * root: add max-requests for gunicorn and max tasks for celery * root: fix redis passwords not being encoded correctly * web/admin: fix links which look like labels * web/admin: fix SMS Stage form not working Fixed in 2022.1.4[​](https://docs.goauthentik.io/releases/2022.1/#fixed-in-202214 "Direct link to Fixed in 2022.1.4") ---------------------------------------------------------------------------------------------------------------------- * core: fix view\_token permission not being assigned on token creation for non-admin user * lifecycle: remove gunicorn reload option * lifecycle: send analytics in gunicorn config to decrease outgoing requests when workers get restarted * providers/proxy: add support for X-Original-URI in nginx, better handle missing headers and report errors to authentik * providers/proxy: don't include hostname and scheme in redirect when we only got a path and not a full URL * providers/proxy: fix routing for external\_host when using forward\_auth\_domain * providers/proxy: set traefik labels using object\_naming\_template instead of UUID * sources/ldap: add list\_flatten function to property mappings, enable on managed LDAP mappings * web: add es locale * web: add pl locale * web/admin: only check first half of locale when detecting * web/flows: fix width on flow container * web/user: include locale code in locale selection Fixed in 2022.1.5[​](https://docs.goauthentik.io/releases/2022.1/#fixed-in-202215 "Direct link to Fixed in 2022.1.5") ---------------------------------------------------------------------------------------------------------------------- * build(deps): bump uvicorn from 0.17.1 to 0.17.3 ([#2229](https://github.com/goauthentik/authentik/issues/2229) ) * core: allow formatting strings to be used for applications' launch URLs * internal: don't attempt to lookup SNI Certificate if no SNI is sent * internal: fix CSRF error caused by Host header * internal: improve error handling for internal reverse proxy * internal: remove uvicorn server header * internal: trace headers and url for backend requests * outposts: fix channel not always having a logger attribute * outposts: fix compare\_ports to support both service and container ports * outposts: fix service reconciler re-creating services * outposts: remove node\_port on V1ServicePort checks to prevent service creation loops * providers/proxy: fix Host/:Authority not being modified * providers/proxy: fix nil error in claims * providers/proxy: improve error handling for invalid backend\_override * sources/ldap: log entire exception * sources/saml: fix incorrect ProtocolBinding being sent * sources/saml: fix server error * stages/authenticator\_validate: handle non-existent device\_challenges * web/admin: fix mismatched icons in overview and lists Upgrading[​](https://docs.goauthentik.io/releases/2022.1/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------ This release does not introduce any new requirements. ### docker-compose[​](https://docs.goauthentik.io/releases/2022.1/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 2022.1 from [here](https://goauthentik.io/version/2022.1/docker-compose.yml) . Afterwards, simply run `docker-compose up -d`. ### Kubernetes[​](https://docs.goauthentik.io/releases/2022.1/#kubernetes "Direct link to Kubernetes") Update your values to use the new images: image: repository: ghcr.io/goauthentik/server tag: 2022.1.1 * [Breaking changes](https://docs.goauthentik.io/releases/2022.1/#breaking-changes) * [Minor changes/fixes](https://docs.goauthentik.io/releases/2022.1/#minor-changesfixes) * [Fixed in 2022.1.2](https://docs.goauthentik.io/releases/2022.1/#fixed-in-202212) * [Fixed in 2022.1.3](https://docs.goauthentik.io/releases/2022.1/#fixed-in-202213) * [Fixed in 2022.1.4](https://docs.goauthentik.io/releases/2022.1/#fixed-in-202214) * [Fixed in 2022.1.5](https://docs.goauthentik.io/releases/2022.1/#fixed-in-202215) * [Upgrading](https://docs.goauthentik.io/releases/2022.1/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/2022.1/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2022.1/#kubernetes) --- # Release 2022.4 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2022.4/#__docusaurus_skipToContent_fallback) On this page Breaking changes[​](https://docs.goauthentik.io/releases/2022.4/#breaking-changes "Direct link to Breaking changes") --------------------------------------------------------------------------------------------------------------------- * Removal of HTTP Basic authentication for API requests For legacy reasons, authentik used to support HTTP-Basic authenticated requests, using the token as a password. This has been removed. * Removal of deprecated context in Expression policies used in prompt stages Before this version, you could use both `context['*field_name*']` and `context['prompt_data']['*field_name*']`. The former one has been removed as it could overwrite other data in the context if the field name is the same as another context value. * Added name field for invitations Invitations now require a name, used to better identify their purpose. New features[​](https://docs.goauthentik.io/releases/2022.4/#new-features "Direct link to New features") --------------------------------------------------------------------------------------------------------- * Application Grouping Applications can now be grouped together to better organise connected applications in the user dashboard. * JWT authentication for `client_credentials` grants Providers can now be configured to accept JWTs signed by configured certificates, which makes it a lot easier to services access to authentik, when an existing machine/service identity is provided (for example, this can be used to let Kubernetes Pods authenticate themselves to authentik via their service account) Minor changes/fixes[​](https://docs.goauthentik.io/releases/2022.4/#minor-changesfixes "Direct link to Minor changes/fixes") ----------------------------------------------------------------------------------------------------------------------------- * core: add method to set key of token * core: add num\_pk to group for applications that need a numerical group id * internal: disable HTML encoding in go-generated log messages * lifecycle: fix password and hostname in redis URI not properly quoted * outposts: check if docker ports should be mapped before comparing ports * policies: add policy log messages to test endpoints * providers/oauth2: map internal groups to GitHub teams in GHE OAuth emulation ([#2497](https://github.com/goauthentik/authentik/issues/2497) ) * providers/oauth2: pass scope and other parameters to access policy request context * stages/email: allow overriding of destination email in plan context * stages/invitation: add invitation name * stages/prompt: filter rest\_framework.fields.empty when field is not required * stages/prompt: fix non-required fields not allowing blank values * stages/prompt: set field default based on placeholder * tenants: add tenant-level attributes, applied to users based on request * web: live-convert to slug in fields where only slugs are allowed * web: migrate dropdowns to wizards ([#2633](https://github.com/goauthentik/authentik/issues/2633) ) * web/admin: allow editing of invitations * web/admin: fix missing protocols on generated nginx config * web/admin: trigger update when provider wizard finishes * web/user: add column layouts Upgrading[​](https://docs.goauthentik.io/releases/2022.4/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------ This release does not introduce any new requirements. ### docker-compose[​](https://docs.goauthentik.io/releases/2022.4/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 2022.4 from [here](https://goauthentik.io/version/2022.4/docker-compose.yml) . Afterwards, simply run `docker-compose up -d`. ### Kubernetes[​](https://docs.goauthentik.io/releases/2022.4/#kubernetes "Direct link to Kubernetes") Update your values to use the new images: image: repository: ghcr.io/goauthentik/server tag: 2022.4.1 * [Breaking changes](https://docs.goauthentik.io/releases/2022.4/#breaking-changes) * [New features](https://docs.goauthentik.io/releases/2022.4/#new-features) * [Minor changes/fixes](https://docs.goauthentik.io/releases/2022.4/#minor-changesfixes) * [Upgrading](https://docs.goauthentik.io/releases/2022.4/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/2022.4/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2022.4/#kubernetes) --- # Release 2022.6 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2022.6/#__docusaurus_skipToContent_fallback) On this page New features[​](https://docs.goauthentik.io/releases/2022.6/#new-features "Direct link to New features") --------------------------------------------------------------------------------------------------------- * Added OIDC well-known and JWKS URL in OAuth Source These fields can be used to automatically configure OAuth Sources based on the [OpenID Connect Discovery Spec](https://openid.net/specs/openid-connect-discovery-1_0.html) . Additionally, you can manually define a JWKS URL or raw JWKS data, and this can be used for Machine-to-machine authentication for OAuth2 Providers. * Notifications are no longer created by default Instead of creating a Notification with each transport, there is now a new Transport mode called "Local", which locally creates the Notifications. This also adds the ability to customize the notification using a mapping. * MFA Validation threshold has been migrated to signed cookies Last MFA validation is now saved in a signed cookie, which changes the behavior so that only the current browser is affected by MFA validation, and an attacker cannot exploit the fact that a user has recently authenticated with MFA. * Verification-only SMS Devices SMS authenticator stages can now be configured to hash the phone number. This is useful if you want to require your users to configure and confirm their phone numbers, without saving them in a readable-format. * The LDAP outpost would incorrectly return `groupOfUniqueNames` as a group class when the members where returned in a manner like `groupOfNames` requires. `groupOfNames` has been added as an objectClass for LDAP Groups, and `groupOfUniqueNames` will be removed in the next version. * Preview support for forward auth when using Envoy Minor changes/fixes[​](https://docs.goauthentik.io/releases/2022.6/#minor-changesfixes "Direct link to Minor changes/fixes") ----------------------------------------------------------------------------------------------------------------------------- * api: migrate to openapi generator v6 ([#2968](https://github.com/goauthentik/authentik/issues/2968) ) * api: update API browser to match admin UI and auto-switch theme * core: improve loading speed of flow background * ensure all viewsets have filter and search and add tests ([#2946](https://github.com/goauthentik/authentik/issues/2946) ) * flows: fix re-imports of entries with identical PK re-creating objects * lifecycle: cleanup prometheus metrics, remove PII ([#2972](https://github.com/goauthentik/authentik/issues/2972) ) * policies: fix incorrect bound\_to count * providers/oauth2: add configuration error event when wrong redirect uri is used in token request * providers/oauth2: handle attribute errors when validation JWK contains private key * providers/oauth2: only set expiry on user when it was freshly created * providers/oauth2: regex-escape URLs when set to blank * root: Add docker-compose postgresql and redis healthchecks ([#2958](https://github.com/goauthentik/authentik/issues/2958) ) * root: disable session\_save\_every\_request as it causes race conditions * web/elements: fix top-right dialog close button not resetting form * web/elements: fix used\_by refreshing for all elements when using DeleteBulkForm * web/user: fix static prompt fields being rendered with label * web/user: improve ux for restarting user settings flow Fixed in 2022.6.2[​](https://docs.goauthentik.io/releases/2022.6/#fixed-in-202262 "Direct link to Fixed in 2022.6.2") ---------------------------------------------------------------------------------------------------------------------- * \*: make user logging more consistent * core: add additional filters to source viewset * core: add setting to open application launch URL in a new browser tab ([#3037](https://github.com/goauthentik/authentik/issues/3037) ) * core: add slug to built-in source * events: fix error when attempting to create event with GeoIP City in context * providers/ldap: fix existing binder not being carried forward correctly * providers/oauth2: add JWKS URL to OAuth2ProviderSetupURLs * providers/proxy: use same redirect-save code for all modes * sources/oauth: fix twitter client missing basic auth * stages/authenticator\_validate: fix error in passwordless webauthn * web/elements: add error handler when table fails to fetch objects Fixed in 2022.6.3[​](https://docs.goauthentik.io/releases/2022.6/#fixed-in-202263 "Direct link to Fixed in 2022.6.3") ---------------------------------------------------------------------------------------------------------------------- * core: fix migrations when creating bootstrap token * internal: dont sample gunicorn proxied requests * internal: fix routing to embedded outpost * internal: skip tracing for go healthcheck and metrics endpoints * lifecycle: run bootstrap tasks inline when using automated install * policies: consolidate log user and application * providers/oauth2: add test to ensure capitalised redirect\_uri isn't changed * providers/oauth2: dont lowercase URL for token requests ([#3114](https://github.com/goauthentik/authentik/issues/3114) ) * providers/oauth2: if a redirect\_uri cannot be parsed as regex, compare strict ([#3070](https://github.com/goauthentik/authentik/issues/3070) ) * providers/proxy: only send misconfiguration event once * root: ignore healthcheck routes in sentry tracing * stages/authenticator\_validate: add webauthn tests ([#3069](https://github.com/goauthentik/authentik/issues/3069) ) * web/admin: lint bound group under policies * web/admin: remove invalid requirement for usernames * web/elements: add spinner when loading dynamic routes * web/flows: add divider to identification stage for security key * web/flows: fix error when webauthn operations failed and user retries * web/flows: remove autofocus from password field of identifications stage Upgrading[​](https://docs.goauthentik.io/releases/2022.6/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------ This release does not introduce any new requirements. ### docker-compose[​](https://docs.goauthentik.io/releases/2022.6/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 2022.6 from [here](https://goauthentik.io/version/2022.6/docker-compose.yml) . Afterwards, simply run `docker-compose up -d`. ### Kubernetes[​](https://docs.goauthentik.io/releases/2022.6/#kubernetes "Direct link to Kubernetes") Update your values to use the new images: image: repository: ghcr.io/goauthentik/server tag: 2022.6.1 * [New features](https://docs.goauthentik.io/releases/2022.6/#new-features) * [Minor changes/fixes](https://docs.goauthentik.io/releases/2022.6/#minor-changesfixes) * [Fixed in 2022.6.2](https://docs.goauthentik.io/releases/2022.6/#fixed-in-202262) * [Fixed in 2022.6.3](https://docs.goauthentik.io/releases/2022.6/#fixed-in-202263) * [Upgrading](https://docs.goauthentik.io/releases/2022.6/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/2022.6/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2022.6/#kubernetes) --- # Release 2022.2 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2022.2/#__docusaurus_skipToContent_fallback) On this page Breaking changes[​](https://docs.goauthentik.io/releases/2022.2/#breaking-changes "Direct link to Breaking changes") --------------------------------------------------------------------------------------------------------------------- ### Removal of integrated backup[​](https://docs.goauthentik.io/releases/2022.2/#removal-of-integrated-backup "Direct link to Removal of integrated backup") The integrated backup functionality has been removed due to the following reasons: * It caused a lot of issues during restore, with things breaking and difficult to restore backups * Limited compatibility (only supported local and S3 backups) * Most environments already have a solution for backups, so we feel that investing more time into making this feature better should be spent on more important things. If you don't already have a standard backup solution for other applications, you can consider these replacements: * [https://github.com/kartoza/docker-pg-backup](https://github.com/kartoza/docker-pg-backup) for docker-compose and * [https://devtron.ai/blog/creating-a-kubernetes-cron-job-to-backup-postgres-db/](https://devtron.ai/blog/creating-a-kubernetes-cron-job-to-backup-postgres-db/) or [https://cwienczek.com/2020/06/simple-backup-of-postgres-database-in-kubernetes/](https://cwienczek.com/2020/06/simple-backup-of-postgres-database-in-kubernetes/) for Kubernetes ### Changed URLs for forward auth[​](https://docs.goauthentik.io/releases/2022.2/#changed-urls-for-forward-auth "Direct link to Changed URLs for forward auth") `akprox` in URLs has been changed to `outpost.goauthentik.io`. All the documentation now reflects this, and outpost integrations will migrate this automatically for you. New features[​](https://docs.goauthentik.io/releases/2022.2/#new-features "Direct link to New features") --------------------------------------------------------------------------------------------------------- ### Authenticator enrollment picker[​](https://docs.goauthentik.io/releases/2022.2/#authenticator-enrollment-picker "Direct link to Authenticator enrollment picker") In an authenticator validation stage you can now configure multiple configuration stages, which will be present to the user to choose which device they want to enroll. Minor changes/fixes[​](https://docs.goauthentik.io/releases/2022.2/#minor-changesfixes "Direct link to Minor changes/fixes") ----------------------------------------------------------------------------------------------------------------------------- * \*: add placeholder custom.css to easily allow user customisation * \*: rename akprox to outpost.goauthentik.io ([#2266](https://github.com/goauthentik/authentik/issues/2266) ) * internal: don't attempt to lookup SNI Certificate if no SNI is sent * internal: improve error handling for internal reverse proxy * internal: increase logging for no hostname found * internal: remove uvicorn server header * outposts: ensure keypair is set for SSH connections * outposts: fix channel not always having a logger attribute * outposts: fix compare\_ports to support both service and container ports * outposts: fix service reconciler re-creating services * outposts: make local discovery configurable * outposts: remove node\_port on V1ServicePort checks to prevent service creation loops * outposts/proxy: correctly check host in forward domain redirect * outposts/proxy: correctly handle ?rd= param * providers/oauth2: add support for explicit response\_mode * providers/oauth2: fix redirect\_uri being lowercased on successful validation * providers/proxy: enable TLS in ingress via traefik annotation * providers/proxy: improve error handling for invalid backend\_override * providers/proxy: remove leading slash to allow subdirectories in proxy * sources/ldap: log entire exception * sources/ldap: use merger that only appends unique items to list * sources/saml: fix incorrect ProtocolBinding being sent * stages/authenticator\_validate: add ability to select multiple configuration stages which the user can choose * stages/authenticator\_validate: fix handling when single configuration stage is selected * stages/authenticator\_validate: handle non-existent device\_challenges * Translate /web/src/locales/en.po in de ([#2291](https://github.com/goauthentik/authentik/issues/2291) ) * Translate /web/src/locales/en.po in pl ([#2274](https://github.com/goauthentik/authentik/issues/2274) ) * Translate /web/src/locales/en.po in zh\_TW ([#2263](https://github.com/goauthentik/authentik/issues/2263) ) * Translate /web/src/locales/en.po in zh-Hans ([#2262](https://github.com/goauthentik/authentik/issues/2262) ) * Translate /web/src/locales/en.po in zh-Hant ([#2261](https://github.com/goauthentik/authentik/issues/2261) ) * web/admin: fix invalid URLs in example proxy config * web/admin: fix mismatched icons in overview and lists Upgrading[​](https://docs.goauthentik.io/releases/2022.2/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------ This release does not introduce any new requirements. ### docker-compose[​](https://docs.goauthentik.io/releases/2022.2/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 2022.2 from [here](https://goauthentik.io/version/2022.2/docker-compose.yml) . Afterwards, simply run `docker-compose up -d`. The previous backup directory will persist, and can still be used with other tools. ### Kubernetes[​](https://docs.goauthentik.io/releases/2022.2/#kubernetes "Direct link to Kubernetes") Update your values to use the new images: image: repository: ghcr.io/goauthentik/server tag: 2022.2.1 Backup-related settings can be removed but will not cause any errors either. * [Breaking changes](https://docs.goauthentik.io/releases/2022.2/#breaking-changes) * [Removal of integrated backup](https://docs.goauthentik.io/releases/2022.2/#removal-of-integrated-backup) * [Changed URLs for forward auth](https://docs.goauthentik.io/releases/2022.2/#changed-urls-for-forward-auth) * [New features](https://docs.goauthentik.io/releases/2022.2/#new-features) * [Authenticator enrollment picker](https://docs.goauthentik.io/releases/2022.2/#authenticator-enrollment-picker) * [Minor changes/fixes](https://docs.goauthentik.io/releases/2022.2/#minor-changesfixes) * [Upgrading](https://docs.goauthentik.io/releases/2022.2/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/2022.2/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2022.2/#kubernetes) --- # Release 2021.9 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2021.9/#__docusaurus_skipToContent_fallback) On this page Headline Changes[​](https://docs.goauthentik.io/releases/2021.9/#headline-changes "Direct link to Headline Changes") --------------------------------------------------------------------------------------------------------------------- * Split user interface This release splits the administration interface from the end-user interface. This makes things clearer for end-users, as all their options are laid out more clearly. Additionally, the new end-user interface will be more customisable than the admin interface, allowing Administrators to configure what their users can see. The admin interface remains the same, and familiar buttons will redirect you between interfaces. * New proxy The proxy outpost has been rewritten from scratch. This replaces the old proxy, which was based on oauth2\_proxy. The new proxy allows us a much greater degree of flexibility, is much lighter and reports errors better. When using a managed outpost, authentik will automatically upgrade to the new proxy outpost. The embedded outpost also uses the new proxy. authentik also now deploys ServiceMonitor CRDs in your Kubernetes cluster (when possibly), to record the metrics of the outposts. If you're using a manually deployed outpost, keep in mind that the ports change to 9000 and 9443 instead of 4180 and 4443 * New metrics This version introduces new and simplified Prometheus metrics. There is a new common monitoring port across the server and all outposts, 9300. This port requires no authentication, making it easier to configure. For the core application, this endpoint contains metrics for both authentik and the inbuilt outpost. Minor changes[​](https://docs.goauthentik.io/releases/2021.9/#minor-changes "Direct link to Minor changes") ------------------------------------------------------------------------------------------------------------ * \*: use common user agent for all outgoing requests * admin: migrate to new update check, add option to disable update check * api: add additional filters for ldap and proxy providers * core: optimise groups api by removing member superuser status * core: remove ?v from static files * events: add mark\_all\_seen * events: allow setting a mapping for webhook transport to customise request payloads * internal: fix font loading errors on safari * lifecycle: fix worker startup error when docker socket's group is not called docker * outpost: fix spans being sent without parent context * outpost: update global outpost config on refresh * outposts: add expected outpost replica count to metrics * outposts/controllers: re-create service when mismatched ports to prevent errors * outposts/controllers/kubernetes: don't create service monitor for embedded outpost * outposts/ldap: improve logging of client IPs * policies/password: fix symbols not being checked correctly * root: include authentik version in backup naming * root: show location header in logs when redirecting * sources/oauth: prevent potentially confidential data from being logged * stages/authenticator\_duo: add API to "import" devices from duo * stages/identification: fix empty user\_fields query returning first user * tenants: optimise db queries in middleware * web: allow duplicate messages * web: ignore network error * web/admin: fix notification clear all not triggering render * web/admin: fix user selection in token form * web/admin: increase default expiry for refresh tokens * web/admin: show applications instead of providers in outpost form * web/flows: fix display error when using IdentificationStage without input fields Fixed in 2021.9.1-rc2[​](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202191-rc2 "Direct link to Fixed in 2021.9.1-rc2") ---------------------------------------------------------------------------------------------------------------------------------- * core: fix token expiry for service accounts being only 30 minutes * outposts: add consistent name and type to metrics * outposts/proxy: remove deprecated rs256 * policies: improve error handling when using bindings without policy * providers/saml: improved error handling * stages/email: don't crash when testing stage does not exist * web: update background image Fixed in 2021.9.1-rc3[​](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202191-rc3 "Direct link to Fixed in 2021.9.1-rc3") ---------------------------------------------------------------------------------------------------------------------------------- * core: allow admins to create tokens with all parameters, re-add user to token form * core: fix tokens not being viewable but superusers * root: log failed celery tasks to event log * sources/ldap: bump timeout, run each sync component in its own task * sources/ldap: improve messages of sync tasks in UI * sources/ldap: prevent error when retrying old system task with no arguments * web: fix datetime-local fields throwing errors on firefox * web: fix text colour in delete form in dark mode * web: improve display of action buttons with non-primary classes * web/admin: fix error in firefox when creating token * web/admin: fix ldap sync status for new API * web/admin: fix settings link on user avatar * web/admin: trigger refresh after syncing ldap * web/user: add auto-focus search for applications * web/user: add missing stop impersonation button * web/user: fix edit button for applications * web/user: fix final redirect after stage setup * web/user: optimise load, fix unread status for notifications Fixed in 2021.9.1[​](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202191 "Direct link to Fixed in 2021.9.1") ---------------------------------------------------------------------------------------------------------------------- * api: disable include\_format\_suffixes * core: fix token identifier not being slugified when created with user-controller input * outposts: don't map port 9300 on docker, only expose port * outposts: don't restart container when health checks are starting * outposts/ldap: allow custom attributes to shadow built-in attributes * policies/expression: add ak\_user\_has\_authenticator * root: use tagged go client version * stages/email: don't throw 404 when token can't be found * stages/email: slugify token identifier * stages/email: use different query arguments for email and invitation tokens * web: fix notification badge not refreshing after clearing notifications Fixed in 2021.9.2[​](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202192 "Direct link to Fixed in 2021.9.2") ---------------------------------------------------------------------------------------------------------------------- * api: add logging to sentry proxy * internal: add asset paths for user interface * web: fix import order of polyfills causing shadydom to not work on firefox and safari * web/user: enable sentry Fixed in 2021.9.3[​](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202193 "Direct link to Fixed in 2021.9.3") ---------------------------------------------------------------------------------------------------------------------- * core: fix api return code for user self-update * events: add additional validation for event transport * outposts: ensure service is always re-created with mismatching ports * outposts: fix outposts not correctly updating central state * outposts: make AUTHENTIK\_HOST\_BROWSER configurable from central config * outposts/proxy: ensure cookies only last as long as tokens * outposts/proxy: Fix failing traefik healthcheck ([#1470](https://github.com/goauthentik/authentik/issues/1470) ) * outposts/proxyv2: fix routing not working correctly for domain auth * providers/proxy: add token\_validity field for outpost configuration * web/admin: add notice for recovery * web/admin: fix NotificationWebhookMapping not loading correctly * web/admin: fix Transport Form not loading mode correctly on edit * web/admin: handle error correctly when creating user recovery link * web/elements: fix token copy error in safari * web/elements: improve error handling on forms * web/user: fix brand not being shown in safari * web/user: search apps when user typed before apps have loaded * website/docs: fix typos and grammar ([#1459](https://github.com/goauthentik/authentik/issues/1459) ) Fixed in 2021.9.4[​](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202194 "Direct link to Fixed in 2021.9.4") ---------------------------------------------------------------------------------------------------------------------- * outposts: allow disabling of docker controller port mapping * outposts/proxy: fix duplicate protocol in domain auth mode * root: Use fully qualified names for docker bases base images. ([#1490](https://github.com/goauthentik/authentik/issues/1490) ) * sources/ldap: add support for Active Directory `userAccountControl` attribute * sources/ldap: don't sync ldap source when no property mappings are set * web/admin: don't require username nor name for activate/deactivate toggles * web/admin: fix LDAP Source form not exposing syncParentGroup * web/elements: fix initialLoad not being done when viewportCheck was disabled * web/elements: use dedicated button for search clear instead of webkit exclusive one Fixed in 2021.9.5[​](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202195 "Direct link to Fixed in 2021.9.5") ---------------------------------------------------------------------------------------------------------------------- * events: add missing migration * lifecycle: switch to h11 uvicorn worker for now * outpost/proxy: fix missing negation for internal host ssl verification * outposts: check ports of deployment in kubernetes outpost controller * outposts: don't always build permissions on outpost.user access, only in signals and tasks * outposts: fix circular import in kubernetes controller * outposts/proxy: add new headers with unified naming * outposts/proxy: show full error message when user is authenticated * providers/ldap: use RDN when using posixGroup's memberUid attribute ([#1514](https://github.com/goauthentik/authentik/issues/1514) ) * providers/proxy: always check ingress secret in kubernetes controller * sources/ldap: fix logic error in Active Directory account disabled status * stages/email: add activate\_user\_on\_success flag, add for all example flows * stages/user\_login: add check for user.is\_active and tests * tests/integration: fix tests failing due to incorrect comparison * web/admin: fix search group label Fixed in 2021.9.6[​](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202196 "Direct link to Fixed in 2021.9.6") ---------------------------------------------------------------------------------------------------------------------- * admin: clear update notification when notification's version matches current version * api: ensure viewsets have default ordering * core: include group uuids in self serializer * core: make user's name field fully options * core: only return group names for user\_self * internal: add internal healthchecking to prevent websocket errors * outposts: fix error when comparing ports in docker controller when port mapping is disabled * root: add docker-native healthcheck for web and celery * root: remove redundant internal network from compose * web: add locale detection * web: fix rendering of token copy button in dark mode * web: fix strings not being translated at all when matching browser locale not found * web/admin: only show outpost deployment info when not embedded * web/elements: fix model form always loading when viewport check is disabled * web/flows: adjust message for email stage * web/user: don't show managed tokens in user interface Fixed in 2021.9.7[​](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202197 "Direct link to Fixed in 2021.9.7") ---------------------------------------------------------------------------------------------------------------------- * root: fix syntax error in dockerfile healthcheck * web/admin: fix description for flow import Fixed in 2021.9.8[​](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202198 "Direct link to Fixed in 2021.9.8") ---------------------------------------------------------------------------------------------------------------------- * web: fix interface crashing in non-blink browsers Upgrading[​](https://docs.goauthentik.io/releases/2021.9/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------ This release does not introduce any new requirements. ### docker-compose[​](https://docs.goauthentik.io/releases/2021.9/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 2021.9 from [here](https://goauthentik.io/version/2021.9/docker-compose.yml) . Afterwards, simply run `docker-compose up -d`. ### Kubernetes[​](https://docs.goauthentik.io/releases/2021.9/#kubernetes "Direct link to Kubernetes") Update your values to use the new images: image: repository: ghcr.io/goauthentik/server tag: 2021.9.1 * [Headline Changes](https://docs.goauthentik.io/releases/2021.9/#headline-changes) * [Minor changes](https://docs.goauthentik.io/releases/2021.9/#minor-changes) * [Fixed in 2021.9.1-rc2](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202191-rc2) * [Fixed in 2021.9.1-rc3](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202191-rc3) * [Fixed in 2021.9.1](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202191) * [Fixed in 2021.9.2](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202192) * [Fixed in 2021.9.3](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202193) * [Fixed in 2021.9.4](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202194) * [Fixed in 2021.9.5](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202195) * [Fixed in 2021.9.6](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202196) * [Fixed in 2021.9.7](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202197) * [Fixed in 2021.9.8](https://docs.goauthentik.io/releases/2021.9/#fixed-in-202198) * [Upgrading](https://docs.goauthentik.io/releases/2021.9/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/2021.9/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2021.9/#kubernetes) --- # Release 2022.3 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2022.3/#__docusaurus_skipToContent_fallback) On this page New features[​](https://docs.goauthentik.io/releases/2022.3/#new-features "Direct link to New features") --------------------------------------------------------------------------------------------------------- ### Customizable user settings[​](https://docs.goauthentik.io/releases/2022.3/#customizable-user-settings "Direct link to Customizable user settings") User settings are now configured using flows and stages, allowing administrators to configure fields, add additional fields and run custom validation for user settings. ### `client_credentials` support[​](https://docs.goauthentik.io/releases/2022.3/#client_credentials-support "Direct link to client_credentials-support") authentik now supports the OAuth `client_credentials` grant for machine-to-machine authentication. See [OAuth2 Provider](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/) Deprecations[​](https://docs.goauthentik.io/releases/2022.3/#deprecations "Direct link to Deprecations") --------------------------------------------------------------------------------------------------------- ### `:stable` tag[​](https://docs.goauthentik.io/releases/2022.3/#stable-tag "Direct link to stable-tag") To simplify the release process we don't publish explicitly tagged release-candidate versions anymore. With this change, the :latest tag will continue to point at the latest tagged release. Minor changes/fixes[​](https://docs.goauthentik.io/releases/2022.3/#minor-changesfixes "Direct link to Minor changes/fixes") ----------------------------------------------------------------------------------------------------------------------------- * core: add initial app launch url ([#2367](https://github.com/goauthentik/authentik/issues/2367) ) * core: customisable user settings ([#2397](https://github.com/goauthentik/authentik/issues/2397) ) * core/api: allow filtering users by uid, add uid to search * internal/ldap: fix panic when parsing lists with mixed types * lib: fix default geoip path * providers/oauth2: fix invalid launch URL being generated * providers/oauth2: initial client\_credentials grant support ([#2437](https://github.com/goauthentik/authentik/issues/2437) ) * providers/proxy: always set rd param in addition to session to prevent wrong url in session * web: cleanup default footer links * web: prioritise ?locale parameter over saved locale * web/admin: improve user and group management by showing related objects * web/admin: use searchable select field for users and groups in policy binding form * web/flows: fix rendering of help text on prompt stages Fixed in 2022.3.2[​](https://docs.goauthentik.io/releases/2022.3/#fixed-in-202232 "Direct link to Fixed in 2022.3.2") ---------------------------------------------------------------------------------------------------------------------- * core: replace uid with uuid search * flows: revert default flow user change * lib: lower default sample rate * sources/ldap: fix parent\_group not being applied * stages/authenticator\_validate: fix passwordless flows not working * web/elements: fix error with blank SearchSelect elements in forms * web/elements: fix search select background in dark mode * web/elements: fix search-select hover background * web/user: filter applications by launch URL lto show empty state * web/user: fix duplicate help text in prompts Fixed in 2022.3.3[​](https://docs.goauthentik.io/releases/2022.3/#fixed-in-202233 "Direct link to Fixed in 2022.3.3") ---------------------------------------------------------------------------------------------------------------------- * core: fix provider launch URL being prioritised over manually configured launch URL * crypto: open files in read-only mode for importing ([#2536](https://github.com/goauthentik/authentik/issues/2536) ) * outposts/ldap: prevent operations error from nil dereference ([#2447](https://github.com/goauthentik/authentik/issues/2447) ) * outposts/proxy: use Prefix in ingress for k8s * web: fix style for selected item in select in dark mode * web/admin: default to not include current session in flow play, add option to start with current session * web/admin: fix user defaulting to 0 when not set in PolicyBindingForm * web/elements: make SearchSelect optionally blankable Upgrading[​](https://docs.goauthentik.io/releases/2022.3/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------ This release does not introduce any new requirements. ### docker-compose[​](https://docs.goauthentik.io/releases/2022.3/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 2022.3 from [here](https://goauthentik.io/version/2022.3/docker-compose.yml) . Afterwards, simply run `docker-compose up -d`. ### Kubernetes[​](https://docs.goauthentik.io/releases/2022.3/#kubernetes "Direct link to Kubernetes") Update your values to use the new images: image: repository: ghcr.io/goauthentik/server tag: 2022.3.1 * [New features](https://docs.goauthentik.io/releases/2022.3/#new-features) * [Customizable user settings](https://docs.goauthentik.io/releases/2022.3/#customizable-user-settings) * [`client_credentials` support](https://docs.goauthentik.io/releases/2022.3/#client_credentials-support) * [Deprecations](https://docs.goauthentik.io/releases/2022.3/#deprecations) * [`:stable` tag](https://docs.goauthentik.io/releases/2022.3/#stable-tag) * [Minor changes/fixes](https://docs.goauthentik.io/releases/2022.3/#minor-changesfixes) * [Fixed in 2022.3.2](https://docs.goauthentik.io/releases/2022.3/#fixed-in-202232) * [Fixed in 2022.3.3](https://docs.goauthentik.io/releases/2022.3/#fixed-in-202233) * [Upgrading](https://docs.goauthentik.io/releases/2022.3/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/2022.3/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2022.3/#kubernetes) --- # Release 2022.9 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2022.9/#__docusaurus_skipToContent_fallback) On this page Breaking changes[​](https://docs.goauthentik.io/releases/2022.9/#breaking-changes "Direct link to Breaking changes") --------------------------------------------------------------------------------------------------------------------- * `WORKERS` environment variable has been renamed to match other config options, see [Configuration](https://docs.goauthentik.io/install-config/configuration/#authentik_web__workers) New features[​](https://docs.goauthentik.io/releases/2022.9/#new-features "Direct link to New features") --------------------------------------------------------------------------------------------------------- * UI for Duo device Import Instead of manually having to call an API endpoint, there's now a UI for importing Duo devices. * Duo Admin API integration When using a Duo MFA, Duo Access or Duo Beyond plan, authentik can now automatically import devices from Duo into authentik. More info [here](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_duo/) . API Changes[​](https://docs.goauthentik.io/releases/2022.9/#api-changes "Direct link to API Changes") ------------------------------------------------------------------------------------------------------ #### What's New[​](https://docs.goauthentik.io/releases/2022.9/#whats-new "Direct link to What's New") * * * ##### `POST` /stages/authenticator/duo/{stage\_uuid}/import\_device\_manual/[​](https://docs.goauthentik.io/releases/2022.9/#post-stagesauthenticatorduostage_uuidimport_device_manual "Direct link to post-stagesauthenticatorduostage_uuidimport_device_manual") ##### `POST` /stages/authenticator/duo/{stage\_uuid}/import\_devices\_automatic/[​](https://docs.goauthentik.io/releases/2022.9/#post-stagesauthenticatorduostage_uuidimport_devices_automatic "Direct link to post-stagesauthenticatorduostage_uuidimport_devices_automatic") #### What's Deleted[​](https://docs.goauthentik.io/releases/2022.9/#whats-deleted "Direct link to What's Deleted") * * * ##### `POST` /stages/authenticator/duo/{stage\_uuid}/import\_devices/[​](https://docs.goauthentik.io/releases/2022.9/#post-stagesauthenticatorduostage_uuidimport_devices "Direct link to post-stagesauthenticatorduostage_uuidimport_devices") #### What's Changed[​](https://docs.goauthentik.io/releases/2022.9/#whats-changed "Direct link to What's Changed") * * * ##### `GET` /stages/authenticator/duo/{stage\_uuid}/[​](https://docs.goauthentik.io/releases/2022.9/#get-stagesauthenticatorduostage_uuid "Direct link to get-stagesauthenticatorduostage_uuid") ###### Return Type:[​](https://docs.goauthentik.io/releases/2022.9/#return-type "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Added property `admin_integration_key` (string) ##### `PUT` /stages/authenticator/duo/{stage\_uuid}/[​](https://docs.goauthentik.io/releases/2022.9/#put-stagesauthenticatorduostage_uuid "Direct link to put-stagesauthenticatorduostage_uuid") ###### Request:[​](https://docs.goauthentik.io/releases/2022.9/#request "Direct link to Request:") Changed content type : `application/json` * Added property `admin_integration_key` (string) * Added property `admin_secret_key` (string) ###### Return Type:[​](https://docs.goauthentik.io/releases/2022.9/#return-type-1 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Added property `admin_integration_key` (string) ##### `PATCH` /stages/authenticator/duo/{stage\_uuid}/[​](https://docs.goauthentik.io/releases/2022.9/#patch-stagesauthenticatorduostage_uuid "Direct link to patch-stagesauthenticatorduostage_uuid") ###### Request:[​](https://docs.goauthentik.io/releases/2022.9/#request-1 "Direct link to Request:") Changed content type : `application/json` * Added property `admin_integration_key` (string) * Added property `admin_secret_key` (string) ###### Return Type:[​](https://docs.goauthentik.io/releases/2022.9/#return-type-2 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Added property `admin_integration_key` (string) ##### `GET` /flows/executor/{flow\_slug}/[​](https://docs.goauthentik.io/releases/2022.9/#get-flowsexecutorflow_slug "Direct link to get-flowsexecutorflow_slug") ###### Return Type:[​](https://docs.goauthentik.io/releases/2022.9/#return-type-3 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` Added 'xak-flow-error' component: * Property `type` (string) Enum values: * `native` * `shell` * `redirect` * Property `flow_info` (object) > Contextual flow information for a challenge * Property `title` (string) * Property `background` (string) * Property `cancel_url` (string) * Property `layout` (string) Enum values: * `stacked` * `content_left` * `content_right` * `sidebar_left` * `sidebar_right` * Property `component` (string) * Property `response_errors` (object) * Property `pending_user` (string) * Property `pending_user_avatar` (string) * Property `request_id` (string) * Property `error` (string) * Property `traceback` (string) ##### `POST` /flows/executor/{flow\_slug}/[​](https://docs.goauthentik.io/releases/2022.9/#post-flowsexecutorflow_slug "Direct link to post-flowsexecutorflow_slug") ###### Return Type:[​](https://docs.goauthentik.io/releases/2022.9/#return-type-4 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` Added 'xak-flow-error' component: * Property `type` (string) Enum values: * `native` * `shell` * `redirect` * Property `flow_info` (object) > Contextual flow information for a challenge * Property `title` (string) * Property `background` (string) * Property `cancel_url` (string) * Property `layout` (string) Enum values: * `stacked` * `content_left` * `content_right` * `sidebar_left` * `sidebar_right` * Property `component` (string) * Property `response_errors` (object) * Property `pending_user` (string) * Property `pending_user_avatar` (string) * Property `request_id` (string) * Property `error` (string) * Property `traceback` (string) ##### `POST` /stages/authenticator/duo/[​](https://docs.goauthentik.io/releases/2022.9/#post-stagesauthenticatorduo "Direct link to post-stagesauthenticatorduo") ###### Request:[​](https://docs.goauthentik.io/releases/2022.9/#request-2 "Direct link to Request:") Changed content type : `application/json` * Added property `admin_integration_key` (string) * Added property `admin_secret_key` (string) ###### Return Type:[​](https://docs.goauthentik.io/releases/2022.9/#return-type-5 "Direct link to Return Type:") Changed response : **201 Created** * Changed content type : `application/json` * Added property `admin_integration_key` (string) ##### `GET` /stages/authenticator/duo/[​](https://docs.goauthentik.io/releases/2022.9/#get-stagesauthenticatorduo "Direct link to get-stagesauthenticatorduo") ###### Return Type:[​](https://docs.goauthentik.io/releases/2022.9/#return-type-6 "Direct link to Return Type:") Changed response : **200 OK** * Changed content type : `application/json` * Changed property `results` (array) Changed items (object): > AuthenticatorDuoStage Serializer * Added property `admin_integration_key` (string) Minor changes/fixes[​](https://docs.goauthentik.io/releases/2022.9/#minor-changesfixes "Direct link to Minor changes/fixes") ----------------------------------------------------------------------------------------------------------------------------- * \*: cleanup stray print calls * \*: remove remaining default creation code in squashed migrations * blueprint: fix EntryInvalidError not being handled in tasks * blueprints: add meta model to apply blueprint within blueprint for dependencies ([#3486](https://github.com/goauthentik/authentik/issues/3486) ) * blueprints: don't export events by default and exclude anonymous user * blueprints: OCI registry support ([#3500](https://github.com/goauthentik/authentik/issues/3500) ) * blueprints: use correct log level when re-logging import validation logs * core: fix custom favicon not being set correctly on load * core: improve error template ([#3521](https://github.com/goauthentik/authentik/issues/3521) ) * crypto: add command to import certificates * events: fix MonitoredTasks' save\_on\_success not behaving as expected * events: reset task info when not saving on success * events: save event to test notification transport * flows: fix incorrect diagram for policies bound to flows * flows: migrate FlowExecutor error handler to native challenge instead of shell * internal: fix outposts not logging flow execution errors correctly * internal: optimise outpost's flow executor to use less requests * internal: use config system for workers/threads, document the settings ([#3626](https://github.com/goauthentik/authentik/issues/3626) ) * outposts: fix oauth state when using signature routing ([#3616](https://github.com/goauthentik/authentik/issues/3616) ) * outposts/proxy: fix redirect path when external host is a subdirectory ([#3628](https://github.com/goauthentik/authentik/issues/3628) ) * providers/oauth2: add x5c ([#3556](https://github.com/goauthentik/authentik/issues/3556) ) * providers/proxy: fix routing based on signature in traefik and caddy * root: make redis persistent in docker-compose * root: reuse custom log helper from config and cleanup duplicate functions * root: shorten outpost docker healthcheck intervals * sources/ldap: start\_tls before binding but without reading server info * sources/oauth: use GitHub's dedicated email API when no public email address is configured * sources/oauth: use UPN for username with azure AD source * stages/authenticator\_duo: fix 404 when current user does not have permissions to view stage * stages/authenticator\_duo: improved import ([#3601](https://github.com/goauthentik/authentik/issues/3601) ) * stages/consent: default to expiring consent instead of always\_require * tenants: handle all errors in default\_locale * web: fix checkbox styling on applications form * web: fix scrolling in modals in low-height views ([#3596](https://github.com/goauthentik/authentik/issues/3596) ) * web: use mermaidjs ([#3623](https://github.com/goauthentik/authentik/issues/3623) ) * web/admin: enable blueprint instances by default * web/flows: fix ak-locale prompt being rendered without name attribute * web/flows: update flow background * web/user: justify content on user settings page on desktop Upgrading[​](https://docs.goauthentik.io/releases/2022.9/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------ This release does not introduce any new requirements. ### docker-compose[​](https://docs.goauthentik.io/releases/2022.9/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 2022.9 from [here](https://goauthentik.io/version/2022.9/docker-compose.yml) . Afterwards, simply run `docker-compose up -d`. ### Kubernetes[​](https://docs.goauthentik.io/releases/2022.9/#kubernetes "Direct link to Kubernetes") Update your values to use the new images: image: repository: ghcr.io/goauthentik/server tag: 2022.9.1 * [Breaking changes](https://docs.goauthentik.io/releases/2022.9/#breaking-changes) * [New features](https://docs.goauthentik.io/releases/2022.9/#new-features) * [API Changes](https://docs.goauthentik.io/releases/2022.9/#api-changes) * [Minor changes/fixes](https://docs.goauthentik.io/releases/2022.9/#minor-changesfixes) * [Upgrading](https://docs.goauthentik.io/releases/2022.9/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/2022.9/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2022.9/#kubernetes) --- # Release 2022.7 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2022.7/#__docusaurus_skipToContent_fallback) On this page Breaking changes[​](https://docs.goauthentik.io/releases/2022.7/#breaking-changes "Direct link to Breaking changes") --------------------------------------------------------------------------------------------------------------------- * Removal of verification certificates for Machine-to-Machine authentication in OAuth 2 Provider Instead, create an OAuth Source with the certificate configured as JWKS Data, and enable the source in the provider. * Maximum Limit of group recursion In earlier versions, cyclic group relations can lead to a deadlock when one of groups in the relationship are bound to an application/flow/etc. This is now limited to 20 levels of recursion. * Change in context behaviour for policies executed within flows In previous versions, the policy context would be set to a reference to the currently active flow plan context. This makes it so any changes to `context` wre directly reflected in the flow context. The context has been changed to only include the values, and as such updates like this won't be reflected in the flow. Instead, `context['flow_plan']` is now set, which contains a full reference to the flow Plan, allowing for more customisability than previously. Context changes can be mad by modifying `context['flow_plan'].context`. New features[​](https://docs.goauthentik.io/releases/2022.7/#new-features "Direct link to New features") --------------------------------------------------------------------------------------------------------- * User paths To better organize users, they can now be assigned a path. This allows for organization of users based on sources they enrolled with/got imported from, organizational structure or any other structure. Sources now have a path template to specify which path users created by it should be assigned. Additionally, you can set the path in the user\_write stage in any flow, and it can be dynamically overwritten within a flow's context. * API Authentication using JWT OAuth Refresh tokens that have been issued with the scope `goauthentik.io/api` can now be used to authenticate to the API on behalf of the user the token belongs to. * Version-family tagged Container images Instead of having to choose between using the `:latest` tag and explicit versions like `:2022.7.1`, there are now also version-family tags (:2022.7). This allows for sticking with a single version but still getting bugfix updates. * OAuth2 Provider default Scopes Starting with authentik 2022.7, when an OAuth client doesn't specify any scopes, authentik will treat the request as if all the configured scopes of that provider had been requested. Normal consent is still required depending on the configured flow. No special scopes will be added, as those can't be selected in the configuration. Minor changes/fixes[​](https://docs.goauthentik.io/releases/2022.7/#minor-changesfixes "Direct link to Minor changes/fixes") ----------------------------------------------------------------------------------------------------------------------------- * \*: define prometheus metrics in apps to prevent re-import * api: add basic jwt auth support with required scope ([#2624](https://github.com/goauthentik/authentik/issues/2624) ) * ci: add version family ([#3059](https://github.com/goauthentik/authentik/issues/3059) ) * core: add limit of 20 to group recursion * core: create FlowToken instead of regular token for generated recovery links ([#3193](https://github.com/goauthentik/authentik/issues/3193) ) * core: mark session as modified instead of saving it directly to bump expiry * core: re-create anonymous user when repairing permissions * core: user paths ([#3085](https://github.com/goauthentik/authentik/issues/3085) ) * flows: add shortcut to redirect current flow ([#3192](https://github.com/goauthentik/authentik/issues/3192) ) * flows: denied action ([#3194](https://github.com/goauthentik/authentik/issues/3194) ) * flows: show messages from ak\_message when flow is denied * internal: failback with self-signed cert if cert for tenant fails to load * internal: fix nil pointer reference * internal: skip tracing for go healthcheck and metrics endpoints * lifecycle: fix confusing success messages in startup healthiness check * lifecycle: run bootstrap tasks inline when using automated install * lifecycle: Update postgres healthcheck for compose with user information ([#3143](https://github.com/goauthentik/authentik/issues/3143) ) * policies: consolidate log user and application * providers/oauth2: dont lowercase URL for token requests ([#3114](https://github.com/goauthentik/authentik/issues/3114) ) * providers/oauth2: ensure refresh tokens are URL safe * providers/oauth2: fix OAuth form\_post response mode for code response\_type * providers/oauth2: if a redirect\_uri cannot be parsed as regex, compare strict ([#3070](https://github.com/goauthentik/authentik/issues/3070) ) * providers/oauth2: if no scopes are sent in authorize request, select all configured scopes * providers/oauth2: remove deprecated verification\_keys ([#3071](https://github.com/goauthentik/authentik/issues/3071) ) * providers/oauth2: token revoke ([#3077](https://github.com/goauthentik/authentik/issues/3077) ) * providers/proxy: only send misconfiguration event once * root: ignore healthcheck routes in sentry tracing * sources/ldap: add configuration for LDAP Source ciphers * web: fix redirect when accessing authentik URLs authenticated * web: improve detection for locales * web/admin: default to users path in sidebar link * web/admin: link bound group under policies * web/admin: only pre-select oauth2 provider key if creating a new instance * web/admin: remove invalid requirement for usernames * web/elements: add spinner when loading dynamic routes * web/elements: auto-switch themes for codemirror * web/flows: add divider to identification stage for security key * web/flows: fix error when webauthn operations failed and user retries * web/flows: remove autofocus from password field of identifications stage * web/flows: statically import webauthn-related stages for safari issues Fixed in 2022.7.2[​](https://docs.goauthentik.io/releases/2022.7/#fixed-in-202272 "Direct link to Fixed in 2022.7.2") ---------------------------------------------------------------------------------------------------------------------- * flows: fix OOB flow incorrectly setting pending user * stages/prompt: add basic file field ([#3156](https://github.com/goauthentik/authentik/issues/3156) ) * tenants: add default\_locale read only field, pre-hydrate in flows and read in autodetect as first choice Fixed in 2022.7.3[​](https://docs.goauthentik.io/releases/2022.7/#fixed-in-202273 "Direct link to Fixed in 2022.7.3") ---------------------------------------------------------------------------------------------------------------------- * core: delete expired models when filtering instead of excluding them * providers/oauth2: correctly log authenticated user for OAuth views using protected\_resource\_view * sources/oauth: use oidc preferred\_username if set, otherwise nickname * stages/consent: fix permissions for consent API (allow owner to delete) * stages/prompt: force required to false when using readonlyfield * stages/prompt: try to base64 decode file, fallback to keeping value as-is * web/elements: improve contrast for codemirror backgrounds Upgrading[​](https://docs.goauthentik.io/releases/2022.7/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------ This release does not introduce any new requirements. ### docker-compose[​](https://docs.goauthentik.io/releases/2022.7/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 2022.7 from [here](https://goauthentik.io/version/2022.7/docker-compose.yml) . Afterwards, simply run `docker-compose up -d`. ### Kubernetes[​](https://docs.goauthentik.io/releases/2022.7/#kubernetes "Direct link to Kubernetes") Update your values to use the new images: image: repository: ghcr.io/goauthentik/server tag: 2022.7.1 * [Breaking changes](https://docs.goauthentik.io/releases/2022.7/#breaking-changes) * [New features](https://docs.goauthentik.io/releases/2022.7/#new-features) * [Minor changes/fixes](https://docs.goauthentik.io/releases/2022.7/#minor-changesfixes) * [Fixed in 2022.7.2](https://docs.goauthentik.io/releases/2022.7/#fixed-in-202272) * [Fixed in 2022.7.3](https://docs.goauthentik.io/releases/2022.7/#fixed-in-202273) * [Upgrading](https://docs.goauthentik.io/releases/2022.7/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/2022.7/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2022.7/#kubernetes) --- # Release 2022.8 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2022.8/#__docusaurus_skipToContent_fallback) On this page Breaking changes[​](https://docs.goauthentik.io/releases/2022.8/#breaking-changes "Direct link to Breaking changes") --------------------------------------------------------------------------------------------------------------------- * Prompt fields with file type are now a full Base64 Data-URI Previously the data was parsed into a string when possible, and when decoding failed, the raw base64 would be saved. Now, the entire URI is parsed, validated and kept in one piece, to make it possible to validate/save the MIME type. New features[​](https://docs.goauthentik.io/releases/2022.8/#new-features "Direct link to New features") --------------------------------------------------------------------------------------------------------- * Blueprints Blueprints allow for the configuration, automation and templating of authentik objects and configurations. They can be used to bootstrap new instances, configure them automatically without external tools, and to template configurations for sharing. See more [here](https://docs.goauthentik.io/customize/blueprints/) . For installations upgrading to 2022.8, if a single flow exists, then the default blueprints will not be activated, to not overwrite user modifications. * Simplified forward auth In previous releases, to use forward auth, the reverse proxy would have to be configured to both send auth requests to the outpost, but also allow access to URLs starting with `/outpost.goauthentik.io`. The second part is now no longer required, with the exception of nginx. Existing setups should continue to function as previously. * Support for Caddy forward auth Based on the traefik support, there is now dedicated support for Caddy with configuration examples, see [here](https://docs.goauthentik.io/add-secure-apps/providers/proxy/forward_auth/) . Minor changes/fixes[​](https://docs.goauthentik.io/releases/2022.8/#minor-changesfixes "Direct link to Minor changes/fixes") ----------------------------------------------------------------------------------------------------------------------------- * \*: improve error handling for startup tasks * core: add API Endpoint to get all MFA devices, add web ui to delete MFA devices of any user * core: add attributes. avatar method to allow custom uploaded avatars * core: pre-hydrate config into templates to directly load correct assets * flows: migrate flows to be yaml ([#3335](https://github.com/goauthentik/authentik/issues/3335) ) * internal: centralise config for listeners to use same config system everywhere ([#3367](https://github.com/goauthentik/authentik/issues/3367) ) * internal: fix outposts not reacting to signals while starting * internal: fix race conditions when accessing settings before bootstrap * internal: walk config in go, check, parse and load from scheme like in python * lifecycle: optimise container lifecycle and process signals ([#3332](https://github.com/goauthentik/authentik/issues/3332) ) * providers/oauth2: don't separate scopes by comma-space in created events * providers/oauth2: fix scopes without descriptions not being saved in consent * providers/proxy: add caddy endpoint ([#3330](https://github.com/goauthentik/authentik/issues/3330) ) * providers/proxy: add is\_superuser to ak\_proxy object, only show full error when superuser * providers/proxy: no exposed urls ([#3151](https://github.com/goauthentik/authentik/issues/3151) ) * root: fix dockerfile for blueprints * sources/oauth: correctly concatenate URLs to allow custom parameters to be passed to authorization server * sources/oauth: only send header authentication for OIDC source * sources/oauth: use mailcow full\_name as username for mailcow source ([#3299](https://github.com/goauthentik/authentik/issues/3299) ) * stages/\*: use stage-bound logger when possible * stages/authenticator\_validate: improve error handling for duo * stages/authenticator\_duo: fix imported Duo Device not having a name * stages/authenticator\_sms: use twilio SDK, improve docs * stages/authenticator\_totp: remove single device per user limit * stages/consent: fix error when requests with identical empty permissions * stages/consent: fix for post requests ([#3339](https://github.com/goauthentik/authentik/issues/3339) ) * stages/prompt: fix tests for file field Fixed in 2022.8.2[​](https://docs.goauthentik.io/releases/2022.8/#fixed-in-202282 "Direct link to Fixed in 2022.8.2") ---------------------------------------------------------------------------------------------------------------------- * blueprints: add generic export next to flow exporter ([#3439](https://github.com/goauthentik/authentik/issues/3439) ) * blueprints: allow for adding remote blueprints ([#3435](https://github.com/goauthentik/authentik/issues/3435) ) * blueprints: fix exporter not ignoring non-SerializerModel objects * blueprints: fix issue in prod setups with encoding dataclasses via json * blueprints: remove \_state from exporter blueprints * core: fix pre-hydrated config not being escaped properly * events: correctly handle lists for cleaning/sanitization * internal: fix routing for requests with querystring signature to embedded outpost * lifecycle: add worker-status command to debug worker cpu usage issues * providers/oauth2: fix oauth2 requests being logged as unauthenticated * sources/oauth: fix missing doseq param for updating URL query string * web/elements: fix automatic slug not working on newly opened forms * web/flows: simplify consent's permission handling Upgrading[​](https://docs.goauthentik.io/releases/2022.8/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------ This release does not introduce any new requirements. ### docker-compose[​](https://docs.goauthentik.io/releases/2022.8/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 2022.8 from [here](https://goauthentik.io/version/2022.8/docker-compose.yml) . Afterwards, simply run `docker-compose up -d`. ### Kubernetes[​](https://docs.goauthentik.io/releases/2022.8/#kubernetes "Direct link to Kubernetes") Update your values to use the new images: image: repository: ghcr.io/goauthentik/server tag: 2022.8.1 * [Breaking changes](https://docs.goauthentik.io/releases/2022.8/#breaking-changes) * [New features](https://docs.goauthentik.io/releases/2022.8/#new-features) * [Minor changes/fixes](https://docs.goauthentik.io/releases/2022.8/#minor-changesfixes) * [Fixed in 2022.8.2](https://docs.goauthentik.io/releases/2022.8/#fixed-in-202282) * [Upgrading](https://docs.goauthentik.io/releases/2022.8/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/2022.8/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2022.8/#kubernetes) --- # Release 2022.5 | authentik [Skip to main content](https://docs.goauthentik.io/releases/2022.5/#__docusaurus_skipToContent_fallback) On this page Breaking changes[​](https://docs.goauthentik.io/releases/2022.5/#breaking-changes "Direct link to Breaking changes") --------------------------------------------------------------------------------------------------------------------- * Twitter Source has been migrated to OAuth2 This requires some reconfiguration on both Twitter's and authentik's side. Check out the new Twitter integration docs [here](https://docs.goauthentik.io/users-sources/sources/social-logins/twitter/) . * OAuth Provider: Redirect URIs are now checked using regular expressions Allowed Redirect URIs now accepts regular expressions to check redirect URIs to support wildcards. In most cases this will not change anything, however casing is also important now. Meaning if your redirect URI is "[https://Foo.bar](https://foo.bar/) " and allowed is "[https://foo.bar](https://foo.bar/) ", authorization will not be allowed. Additionally, the special handling when _Redirect URIs/Origins_ is set to `*` has been removed. To get the same behaviour, set _Redirect URIs/Origins_ to `.+`. New features[​](https://docs.goauthentik.io/releases/2022.5/#new-features "Direct link to New features") --------------------------------------------------------------------------------------------------------- * LDAP Outpost cached binding Instead of always executing the configured flow when a new Bind request is received, the provider can now be configured to cache the session from the initial flow execution, and directly validate credentials in the outpost. This drastically improves the bind performance. See [LDAP provider](https://docs.goauthentik.io/add-secure-apps/providers/ldap/#cached-bind) * OAuth2: Add support for `form_post` response mode * Don't prompt users for MFA when they've authenticated themselves within a time period You can now configure any [Authenticator Validation Stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_validate/) stage to not ask for MFA validation if the user has previously authenticated themselves with an MFA device (of any of the selected classes) in the `Last validation threshold`. * Optimise bundling of web assets Previous versions had the entire frontend bundled in a single file (per interface). This has been revamped to produce smaller bundle sizes for each interface to improve the loading times. Additionally, only the locales configured will be loaded on start, instead of all locales. Certain parts of the application are purposefully still contained in the initial bundle, especially for commonly used pages and default routes. Minor changes/fixes[​](https://docs.goauthentik.io/releases/2022.5/#minor-changesfixes "Direct link to Minor changes/fixes") ----------------------------------------------------------------------------------------------------------------------------- * \*: decrease frequency of background tasks, smear tasks based on name and fqdn * api: fix OwnerFilter filtering out objects for superusers * core: add custom shell command which imports all models and creates events for model events * core: add flag to globally disable impersonation * events: fix created events only being logged as debug level * flows: handle flow title formatting error better, add user to flow title context * internal: add signal handler for SIGTERM * outposts/ldap: cached bind ([#2824](https://github.com/goauthentik/authentik/issues/2824) ) * policies: fix current user not being set in server-side policy deny * providers/oauth2: add support for form\_post response mode ([#2818](https://github.com/goauthentik/authentik/issues/2818) ) * providers/oauth2: allow regex matches for allowed redirect\_uri * providers/oauth2: don't create events before client\_id can be verified to prevent spam * providers/saml: make SAML metadata generation consistent * root: export poetry deps to requirements.txt so we don't need poetry … ([#2823](https://github.com/goauthentik/authentik/issues/2823) ) * root: handle JSON error in metrics * root: set SESSION\_SAVE\_EVERY\_REQUEST to enable sliding sessions * sources/oauth: Fix wording for OAuth source names ([#2732](https://github.com/goauthentik/authentik/issues/2732) ) * stages/authenticator\_validate: remember ([#2828](https://github.com/goauthentik/authentik/issues/2828) ) * stages/identification: redirect with QS to keep next parameters ([#2909](https://github.com/goauthentik/authentik/issues/2909) ) * stages/user\_delete: fix delete stage failing when pending user is not explicitly set * web: fix dateTimeLocal() dropping local timezone * web: lazy load parts of interfaces ([#2864](https://github.com/goauthentik/authentik/issues/2864) ) * web/user: add missing checkbox element in user settings ([#2762](https://github.com/goauthentik/authentik/issues/2762) ) Fixed in 2022.5.2[​](https://docs.goauthentik.io/releases/2022.5/#fixed-in-202252 "Direct link to Fixed in 2022.5.2") ---------------------------------------------------------------------------------------------------------------------- * internal: fix nil pointer dereference in ldap outpost * internal: revert cookie path on proxy causing redirect loops * outposts: allow externally managed SSH Config for outposts ([#2917](https://github.com/goauthentik/authentik/issues/2917) ) * outposts: ensure the user and token are created on initial outpost save * root: fix missing curl in dockerfile * web/admin: improve error handling in TokenCopyButton * web/admin: make external host clickable * web/user: fix use sub-pages not redirecting back to the subpage Fixed in 2022.5.3[​](https://docs.goauthentik.io/releases/2022.5/#fixed-in-202253 "Direct link to Fixed in 2022.5.3") ---------------------------------------------------------------------------------------------------------------------- * api: migrate to openapi generator v6 ([#2968](https://github.com/goauthentik/authentik/issues/2968) ) * api: update API browser to match admin UI and auto-switch theme * core: fix username validator not allowing changes that can be done via flows * crypto: set SAN in default generated Certificate to semi-random domain * ensure all viewsets have filter and search and add tests ([#2946](https://github.com/goauthentik/authentik/issues/2946) ) * events: fix transport not allowing blank values * flows: fix re-imports of entries with identical PK re-creating objects ([#2941](https://github.com/goauthentik/authentik/issues/2941) ) * providers/oauth2: handle attribute errors when validation JWK contains private key * providers/oauth2: improve error handling for invalid regular expressions * providers/oauth2: only set expiry on user when it was freshly created * providers/oauth2: regex-escape URLs when set to blank * providers/oauth2: set related\_name for many-to-many connections so used by detects the connection * providers/saml: handle parse error * root: Add docker-compose postgresql and redis healthchecks ([#2958](https://github.com/goauthentik/authentik/issues/2958) ) * stages/user\_write: fix typo in request context variable * web: decrease elements that refresh on global refresh signal * web/admin: add note that regex is used for redirect URIs * web/admin: add set password button to user view page * web/admin: fix broken flow execute link ([#2940](https://github.com/goauthentik/authentik/issues/2940) ) * web/admin: fix display of LDAP bind mode * web/admin: fix flow diagram not updating on flow changes * web/admin: fix phrasing on LDAP provider form for bind mode * web/admin: refactor table refresh to preserve selected/expanded elements correctly * web/elements: fix missing click handler on wizard close button * web/elements: fix used\_by refreshing for all elements when using DeleteBulkForm * website/docs: Fix misconfiguration causing POST requests behind Nginx to timeout ([#2967](https://github.com/goauthentik/authentik/issues/2967) ) Upgrading[​](https://docs.goauthentik.io/releases/2022.5/#upgrading "Direct link to Upgrading") ------------------------------------------------------------------------------------------------ This release does not introduce any new requirements. ### docker-compose[​](https://docs.goauthentik.io/releases/2022.5/#docker-compose "Direct link to docker-compose") Download the docker-compose file for 2022.5 from [here](https://goauthentik.io/version/2022.5/docker-compose.yml) . Afterwards, simply run `docker-compose up -d`. ### Kubernetes[​](https://docs.goauthentik.io/releases/2022.5/#kubernetes "Direct link to Kubernetes") Update your values to use the new images: image: repository: ghcr.io/goauthentik/server tag: 2022.5.1 * [Breaking changes](https://docs.goauthentik.io/releases/2022.5/#breaking-changes) * [New features](https://docs.goauthentik.io/releases/2022.5/#new-features) * [Minor changes/fixes](https://docs.goauthentik.io/releases/2022.5/#minor-changesfixes) * [Fixed in 2022.5.2](https://docs.goauthentik.io/releases/2022.5/#fixed-in-202252) * [Fixed in 2022.5.3](https://docs.goauthentik.io/releases/2022.5/#fixed-in-202253) * [Upgrading](https://docs.goauthentik.io/releases/2022.5/#upgrading) * [docker-compose](https://docs.goauthentik.io/releases/2022.5/#docker-compose) * [Kubernetes](https://docs.goauthentik.io/releases/2022.5/#kubernetes) --- # Terminology | authentik [Skip to main content](https://docs.goauthentik.io/terminology/#__docusaurus_skipToContent_fallback) On this page ### Application[​](https://docs.goauthentik.io/terminology/#application "Direct link to Application") An application links together Policies with a Provider, allowing you to control access. It also holds Information like UI Name, Icon and more. See [Applications](https://docs.goauthentik.io/add-secure-apps/applications/) . ### Source[​](https://docs.goauthentik.io/terminology/#source "Direct link to Source") Sources are locations from which users can be added to authentik. For example, an LDAP Connection to import Users from Active Directory, or an OAuth2 Connection to allow Social Logins. See [Sources](https://docs.goauthentik.io/users-sources/sources/) . ### Provider[​](https://docs.goauthentik.io/terminology/#provider "Direct link to Provider") A Provider is a way for other applications to authenticate against authentik. Common Providers are OpenID Connect (OIDC) and SAML. See [Providers](https://docs.goauthentik.io/providers/) . ### Policy[​](https://docs.goauthentik.io/terminology/#policy "Direct link to Policy") At a base level a policy is a yes/no gate. It will either evaluate to True or False depending on the Policy type and settings. For example, a GeoIP Policy evaluates to True if the user's IP is geolocated in the specified country or False if not. This can be used to conditionally apply Stages, grant/deny access to various objects, and for other custom logic. See [Policies](https://docs.goauthentik.io/customize/policies/) . ### Flows & Stages[​](https://docs.goauthentik.io/terminology/#flows--stages "Direct link to Flows & Stages") Flows are an ordered sequence of stages. These flows can be used to define how a user authenticates, enrolls, etc. A stage represents a single verification or logic step. They are used to authenticate users, enroll users, and more. These stages can optionally be applied to a flow via policies. #### Dynamic in-memory stage[​](https://docs.goauthentik.io/terminology/#dynamic-in-memory-stage "Direct link to Dynamic in-memory stage") Certain use cases within authentik add steps that are run as part of a flow. These steps are a special type of stage called the "Dynamic in-memory" stage, as they are added to flows dynamically when required, only exist in memory, and are thus not configurable by administrators. See [Flows](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/) . ### Property Mappings[​](https://docs.goauthentik.io/terminology/#property-mappings "Direct link to Property Mappings") Property Mappings allow you to make information available for external applications, and to modify how information from sources are stored in authentik. For example, if you want to log in to AWS with authentik, you'd use property mappings to set the user's roles in AWS based on their group memberships in authentik. See [Provider Property Mappings](https://docs.goauthentik.io/add-secure-apps/providers/property-mappings/) and [Source Property Mappings](https://docs.goauthentik.io/users-sources/sources/property-mappings/) . ### Outpost[​](https://docs.goauthentik.io/terminology/#outpost "Direct link to Outpost") An outpost is a separate component of authentik, which can be deployed anywhere, regardless of the authentik deployment. The outpost offers services that aren't implemented directly into the authentik core, e.g. Reverse Proxying. See [Outposts](https://docs.goauthentik.io/add-secure-apps/outposts/) . * [Application](https://docs.goauthentik.io/terminology/#application) * [Source](https://docs.goauthentik.io/terminology/#source) * [Provider](https://docs.goauthentik.io/terminology/#provider) * [Policy](https://docs.goauthentik.io/terminology/#policy) * [Flows & Stages](https://docs.goauthentik.io/terminology/#flows--stages) * [Property Mappings](https://docs.goauthentik.io/terminology/#property-mappings) * [Outpost](https://docs.goauthentik.io/terminology/#outpost) --- # Upgrading PostgreSQL on Kubernetes | authentik [Skip to main content](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#__docusaurus_skipToContent_fallback) On this page This guide walks you through upgrading PostgreSQL in your authentik Kubernetes deployment. The process requires a brief downtime period while the database is migrated. info For this guide, we assume the PostgreSQL pod is named `authentik-postgresql-0`, which is the default name in the authentik Helm chart. Prerequisites[​](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#prerequisites "Direct link to Prerequisites") ---------------------------------------------------------------------------------------------------------------------------------------- * `kubectl` access with permissions to `scale` deployments and `exec` into pods * Your existing `values.yaml` file used for authentik deployment * Basic understanding of Kubernetes and Helm commands Overview of workflow[​](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#overview-of-workflow "Direct link to Overview of workflow") ------------------------------------------------------------------------------------------------------------------------------------------------------------- The basic steps to upgrades PostgreSQL on Kubernetes are: 1. Stop authentik services 2. Back up the database 3. Prepare the data directory 4. Upgrade PostgreSQL 5. Restore database content 6. Restart authentik services Stop authentik services[​](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#stop-authentik-services "Direct link to Stop authentik services") ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- Begin by scaling down authentik services to prevent database access during the migration: kubectl scale deploy --replicas 0 authentik-serverkubectl scale deploy --replicas 0 authentik-worker Back up the database[​](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#back-up-the-database "Direct link to Back up the database") ------------------------------------------------------------------------------------------------------------------------------------------------------------- Connect to your PostgreSQL pod: kubectl exec -it authentik-postgresql-0 -- bash After you are connected, execute these commands to create a database backup: # Navigate to the PostgreSQL data directorycd /bitnami/postgresql/# Set the PostgreSQL password from environment variableexport PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE)# Create a full database dumppg_dump -U $POSTGRES_USER $POSTGRES_DATABASE > /bitnami/postgresql/dump.sql tip Consider copying the dump file to a safe location outside the pod: # From a separate terminalkubectl cp authentik-postgresql-0:/bitnami/postgresql/dump.sql ./authentik-db-backup.sql This ensures you have a backup even if something goes wrong with the pod or storage. Prepare the data directory[​](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#prepare-the-data-directory "Direct link to Prepare the data directory") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- While still connected to the PostgreSQL pod, prepare the data directory for the upgrade: # Ensure you're in the PostgreSQL data directorycd /bitnami/postgresql/# Verify the SQL dump exists and has contentls -lh dump.sql# Preserve the existing data by renaming the directorymv data data-old caution Do not delete the old data directory immediately. Keeping it as `data-old` allows for recovery if the upgrade encounters issues. Upgrade PostgreSQL[​](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#upgrade-postgresql "Direct link to Upgrade PostgreSQL") ------------------------------------------------------------------------------------------------------------------------------------------------------- Now update your `values.yaml` to specify the new PostgreSQL version: postgresql: image: tag: Apply these changes using Helm to deploy the updated configuration. This will restart the PostgreSQL pod with the new image. When the pod starts, PostgreSQL will initialize a new, empty data directory since the previous directory was renamed. Restore database content[​](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#restore-database-content "Direct link to Restore database content") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Connect to the PostgreSQL pod again: kubectl exec -it authentik-postgresql-0 -- bash Restore your database from the backup: # Navigate to the PostgreSQL directorycd /bitnami/postgresql/# Verify your dump file is still therels -lh dump.sql# Set the PostgreSQL passwordexport PGPASSWORD=$(cat $POSTGRES_PASSWORD_FILE)# Import the database dumppsql -U $POSTGRES_USER $POSTGRES_DATABASE < dump.sql Restart authentik services[​](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#restart-authentik-services "Direct link to Restart authentik services") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- After the database restoration completes successfully, restart authentik using Helm with your updated configuration. This will scale your authentik server and worker deployments back to their original replica counts. Troubleshooting[​](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#troubleshooting "Direct link to Troubleshooting") ---------------------------------------------------------------------------------------------------------------------------------------------- If you encounter issues during the upgrade process: * Check PostgreSQL logs: kubectl logs authentik-postgresql-0 * Verify the values in your `values.yaml` file match the recommended settings * Ensure you have sufficient storage available for both the database dump and the database itself ### Dump file not found[​](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#dump-file-not-found "Direct link to Dump file not found") If your dump file is missing after upgrading: * You may need to restore from the external backup if you copied it out of the pod * The volume might have been recreated if you're using ephemeral storage ### Restoring the original database[​](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#restoring-the-original-database "Direct link to Restoring the original database") For persistent problems, you can restore from the `data-old` directory if needed: kubectl exec -it authentik-postgresql-0 -- bashcd /bitnami/postgresql/mv data data-new-failedmv data-old data Then restart PostgreSQL with the original version in your `values.yaml`. * [Prerequisites](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#prerequisites) * [Overview of workflow](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#overview-of-workflow) * [Stop authentik services](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#stop-authentik-services) * [Back up the database](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#back-up-the-database) * [Prepare the data directory](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#prepare-the-data-directory) * [Upgrade PostgreSQL](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#upgrade-postgresql) * [Restore database content](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#restore-database-content) * [Restart authentik services](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#restart-authentik-services) * [Troubleshooting](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#troubleshooting) * [Dump file not found](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#dump-file-not-found) * [Restoring the original database](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/#restoring-the-original-database) --- # About users | authentik [Skip to main content](https://docs.goauthentik.io/users-sources/user/#__docusaurus_skipToContent_fallback) In authentik you can create and manage users with fine-tuned access control, session and event details, group membership, super-user rights, impersonation, and password management and recovery. To learn more about Enterprise licenses with internal and external users, refer to our [Enterprise documentation](https://docs.goauthentik.io/enterprise/manage-enterprise/#about-users-and-licenses) . To learn more about working with users in authentik, refer to the following topics: [📄️ Manage users\ ----------------\ \ The following topics are for the basic management of users: how to create, modify, delete or deactivate users, and using a recovery email.](https://docs.goauthentik.io/users-sources/user/user_basic_operations/) [📄️ User properties and attributes\ ----------------------------------\ \ Object properties](https://docs.goauthentik.io/users-sources/user/user_ref/) [📄️ Invitations\ ---------------\ \ Learn how to create an invitation URL for new users to enroll.](https://docs.goauthentik.io/users-sources/user/invitations/) [📄️ Password reset on login\ ---------------------------\ \ You can require users to reset their password on their next login, using expression policies, custom stages, and a custom user attribute. This guide explains how to configure this with the default-authentication-flow; however, the same steps apply to any authentication flow.](https://docs.goauthentik.io/users-sources/user/password_reset_on_login/) --- # About access control | authentik [Skip to main content](https://docs.goauthentik.io/users-sources/access-control/#__docusaurus_skipToContent_fallback) To comply with important regulations such as PCI-DSS, HIPAA, SOC 2, and GDPR, it's necessary to have the ability to control which users have access to specific areas of the system, what [permissions](https://docs.goauthentik.io/users-sources/access-control/permissions/) they have globally and on certain objects, and a way to monitor [events](https://docs.goauthentik.io/sys-mgmt/events/) related to user activity. In authentik, we provide role-based access control (RBAC), an industry standard for managing access control. By carefully designing roles with appropriate permissions, and then assigning those roles to groups, RBAC provides a fine-tuned approach to controlling user access. RBAC is a way of ensuring the well-known [principal of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege) whereby "every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose." To learn more about access control with authentik, refer to these topics: [📄️ About permissions\ ---------------------\ \ Learn about global and object permissions in authentik.](https://docs.goauthentik.io/users-sources/access-control/permissions/) [📄️ Manage permissions\ ----------------------\ \ Learn how to use global and object permissions in authentik.](https://docs.goauthentik.io/users-sources/access-control/manage_permissions/) [📄️ Initial permissions\ -----------------------\ \ Set permissions for object creation.](https://docs.goauthentik.io/users-sources/access-control/initial_permissions/) --- # Troubleshooting | authentik [Skip to main content](https://docs.goauthentik.io/troubleshooting/#__docusaurus_skipToContent_fallback) [🗃️ Forward auth\ ----------------\ \ 1 item](https://docs.goauthentik.io/troubleshooting/forward_auth/) [🗃️ PostgreSQL\ --------------\ \ 2 items](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_kubernetes/) [📄️ I can't access an application\ ---------------------------------\ \ If your user is a superuser, or has the attribute goauthentik.io/user/debug set to true (can also be set on a group level):](https://docs.goauthentik.io/troubleshooting/access/) [📄️ I can't log in to authentik\ -------------------------------\ \ In case you can't login anymore, perhaps due to an incorrectly configured stage or a failed flow import, you can create a recovery key.](https://docs.goauthentik.io/troubleshooting/login/) [📄️ Capturing logs in authentik\ -------------------------------\ \ When troubleshooting issues in authentik, reviewing the event logs can be invaluable. These logs provide continuous output, helping to diagnose problems effectively.](https://docs.goauthentik.io/troubleshooting/logs/) [📄️ Errors when uploading icons\ -------------------------------\ \ This is specific to the Docker Compose installation, if you're running into issues on Kubernetes please open a GitHub issue.](https://docs.goauthentik.io/troubleshooting/image_upload/) [📄️ Missing Permissions system\_exception events\ ------------------------------------------------\ \ This error can occur during initial setup, when authentik bootstraps the embedded Outpost, while the database migrations are not finished yet.](https://docs.goauthentik.io/troubleshooting/missing_permission/) [📄️ Missing admin group\ -----------------------\ \ If all of the Admin groups have been deleted, or misconfigured during sync, you can use the following command to gain access back.](https://docs.goauthentik.io/troubleshooting/missing_admin_group/) [📄️ Troubleshooting CSRF Errors\ -------------------------------\ \ With some proxy setups, you might run into CSRF errors when attempting to create/save objects in authentik. This is usually caused by either the Origin or Host header being incorrect.](https://docs.goauthentik.io/troubleshooting/csrf/) [📄️ Troubleshooting Email sending\ ---------------------------------\ \ Some hosting providers block outgoing SMTP ports, in which case you'll have to host an SMTP relay on a different port with a different provider.](https://docs.goauthentik.io/troubleshooting/emails/) [📄️ Troubleshooting LDAP Synchronization\ ----------------------------------------\ \ To troubleshoot LDAP sources, you can run the command below to run a synchronization in the foreground and see any errors or warnings that might happen directly](https://docs.goauthentik.io/troubleshooting/ldap_source/) --- # Upgrade PostgreSQL on Docker Compose | authentik [Skip to main content](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_docker/#__docusaurus_skipToContent_fallback) On this page ### Dump your database[​](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_docker/#dump-your-database "Direct link to Dump your database") Dump your existing database with `docker compose exec postgresql pg_dump -U authentik -d authentik -cC > upgrade_backup_12.sql`. Before continuing, ensure the SQL dump file (`upgrade_backup_12.sql`) includes all your database content. ### Stop your authentik stack[​](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_docker/#stop-your-authentik-stack "Direct link to Stop your authentik stack") Stop all services with `docker compose down`. ### Backup your existing database[​](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_docker/#backup-your-existing-database "Direct link to Backup your existing database") If you use Docker volumes you can run the following command: `docker volume create authentik_database_backup && docker run --rm -v authentik_database:/from -v authentik_database_backup:/to alpine sh -c 'cd /from && cp -a . /to'`. You can find the name of the `authentik_database` volume with `docker volume ls`. If your data is a file path: `cp -a /path/to/v12-data /path/to/v12-backup` ### Delete your old database[​](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_docker/#delete-your-old-database "Direct link to Delete your old database") danger Do not execute this step without checking that the backup (previous step) completed successfully. If you use Docker volumes: `docker volume rm -f authentik_database`. If your data is a file path: `rm -rf /path/to/v12-data` ### Modify your docker-compose.yml file[​](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_docker/#modify-your-docker-composeyml-file "Direct link to Modify your docker-compose.yml file") Update the PostgreSQL service image from `docker.io/library/postgres:12-alpine` to `docker.io/library/postgres:16-alpine`. Add `network_mode: none` to prevent connections being established to the database during the upgrade. ### Recreate the database container[​](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_docker/#recreate-the-database-container "Direct link to Recreate the database container") Pull new images and re-create the PostgreSQL container: `docker compose pull && docker compose up --force-recreate -d postgresql` Apply your backup to the new database: `cat upgrade_backup_12.sql | docker compose exec -T postgresql psql -U authentik` Remove the network configuration setting `network_mode: none` that you added to the Compose file in the previous step. ### Recreate authentik[​](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_docker/#recreate-authentik "Direct link to Recreate authentik") Start authentik again: `docker compose up --force-recreate -d` * [Dump your database](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_docker/#dump-your-database) * [Stop your authentik stack](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_docker/#stop-your-authentik-stack) * [Backup your existing database](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_docker/#backup-your-existing-database) * [Delete your old database](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_docker/#delete-your-old-database) * [Modify your docker-compose.yml file](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_docker/#modify-your-docker-composeyml-file) * [Recreate the database container](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_docker/#recreate-the-database-container) * [Recreate authentik](https://docs.goauthentik.io/troubleshooting/postgres/upgrade_docker/#recreate-authentik) --- # Initial permissions | authentik [Skip to main content](https://docs.goauthentik.io/users-sources/access-control/initial_permissions/#__docusaurus_skipToContent_fallback) On this page Initial permissions automatically assigns [object-level permissions](https://docs.goauthentik.io/users-sources/access-control/permissions/#object-permissions) between a newly created object and its creator. The purpose of initial permissions is to assign a specific user (or role) a set of pre-selected permissions that are required for them to accomplish their tasks. An authentik administrator creates an initial permissions object (a set of selected permissions) and then associates it with either: 1) an individual user 2) a role - in which case everyone in a group with that role will have the same initial permissions. Common use cases[​](https://docs.goauthentik.io/users-sources/access-control/initial_permissions/#common-use-cases "Direct link to Common use cases") ------------------------------------------------------------------------------------------------------------------------------------------------------ Imagine you have a new team tasked with creating [flows](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/) and [stages](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/) . These team members need the ability to view and manage all the flow and stage objects created by other team members. However, they should not have permissions to perform any other actions within the Admin interface. In the example use case above, the specific objects that the users or role create and manage could be any object. For example, you might have a team responsible for creating new users and managing those user objects, but they should not be able to create flows, blueprints, or brands. High-level workflow[​](https://docs.goauthentik.io/users-sources/access-control/initial_permissions/#high-level-workflow "Direct link to High-level workflow") --------------------------------------------------------------------------------------------------------------------------------------------------------------- The fundamental steps to implement initial permissions are as follows: 1. Create a role. Initial permissions will be assigned whenever a user with this role creates a new object. 2. Create a group, and assign the new role to it, and add any members that you want to use the initial permissions set. You can also create new users later, and add them to the group. 3. Create an initial permissions object, and add all needed permissions to it. 4. Optionally, create additional users and add them to the group to which the role is assigned. Because the new initial permissions object is coupled with the role (and that role is assigned to a group), the initial permissions object is applied automatically to any new objects (users or flows or any object) that the member user creates. info Typically, initial permissions are assigned to a user or role that is not a super-user nor administrator. In this scenario, the administrator needs to verify that the user has the `Can view Admin interface` permission (which allows the user to access the Admin interface). For details, see Step 5 below. Be aware that any rights beyond viewing the Admin interface will need to be assigned as well; for example, if you want a non-administrator user to be able to create flows in the Admin interface, you need to grant those global permissions to add flows. Create and implement initial permissions[​](https://docs.goauthentik.io/users-sources/access-control/initial_permissions/#create-and-implement-initial-permissions "Direct link to Create and implement initial permissions") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ To create a new set of initial permissions and apply them to either a single user or a role (and every user with that role), follow these steps: 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. [Create a new role](https://docs.goauthentik.io/users-sources/roles/manage_roles/) : navigate to **Directory** > **Roles** and click **Create**. 3. [Create a new group](https://docs.goauthentik.io/users-sources/groups/manage_groups/) : navigate to **Directory** > **Groups** and click **Create**. After creating the group: * [assign the new role to the group](https://docs.goauthentik.io/users-sources/groups/manage_groups/#assign-a-role-to-a-group) * [add any members](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#add-a-user-to-a-group) that require the initial permissions. You can add already existing users, or [create new users](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#create-a-user) . 4. Create an initial permissions object: navigate to **Directory** > **Initial Permissions** and click **Create**. Configure the following settings: * **Name**: Provide a descriptive name for the new initial permissions object. * **Role**: Select the role to which you want to apply initial permissions. When a member of a group with this assigned role creates an object, initial permissions will be applied to that object. * **Mode**: select whether you want to attach the initial permission to a _role_ or to a _single user_. * **Role**: select this to allow everyone with that role (i.e. everyone in a group to which this role is assigned) to be able to see each others' objects. * **User**: select this to apply the initial permissions _only_ to a user * **Permissions**: select all permissions to add to the initial permissions object. 5. To ensure that the user or role (whichever you selected in the **Mode** configuration step above) to whom you assign the initial permissions _also_ has access to the Admin interface, check to see if the users also need [the global permission `Can view admin interface`](https://docs.goauthentik.io/users-sources/access-control/manage_permissions/#assign-can-view-admin-interface-permissions) . Furthermore, verify that the user(s) has the global permissions to add specific objects. 6. Optionally, create new users and add them to the group. Each new user added to the group will automatically have the set of permissions included within the initial permissions object. * [Common use cases](https://docs.goauthentik.io/users-sources/access-control/initial_permissions/#common-use-cases) * [High-level workflow](https://docs.goauthentik.io/users-sources/access-control/initial_permissions/#high-level-workflow) * [Create and implement initial permissions](https://docs.goauthentik.io/users-sources/access-control/initial_permissions/#create-and-implement-initial-permissions) --- # Worker | authentik [Skip to main content](https://docs.goauthentik.io/worker/#__docusaurus_skipToContent_fallback) On this page The authentik worker runs [background tasks](https://docs.goauthentik.io/background-tasks/) . The worker also watches for [blueprints](https://docs.goauthentik.io/customize/blueprints/#as-a-local-file) and [certificates](https://docs.goauthentik.io/sys-mgmt/certificates/#external-certificates) that are added to the file system. It runs in a separate container from the server to handle these tasks. How it works[​](https://docs.goauthentik.io/worker/#how-it-works "Direct link to How it works") ------------------------------------------------------------------------------------------------ authentik tasks are stored and managed using its PostgreSQL database (installed with authentik). When authentik needs to run a background task, the following happens, inside a PostgreSQL transaction: * a row is inserted in a dedicated PostgreSQL table, containing all the relevant information needed to run the task. * at the end of the transaction, a PostgreSQL trigger executes a `NOTIFY` command to send a notification to workers that a new task is available. The worker runs a loop to find tasks that need to run: * it tries to `LISTEN` on the tasks channel to pick up new tasks that were just queued. It only does so for a certain period of time (configurable with [`AUTHENTIK_WORKER__CONSUMER_LISTEN_TIMEOUT`](https://docs.goauthentik.io/install-config/configuration/#authentik_worker__consumer_listen_timeout) ). * if no task was received, it tries to find tasks that were not registered via a `NOTIFY` command. This happens when no worker is running when a task is created, or if the worker was busy running a different task. This is done by looking into the tasks table for tasks that aren't marked as finished (either successfully or unsuccessfully). On worker start, this is done before `LISTEN`, to process older tasks first. * if a task is found or received, the worker grabs an advisory lock stating that it is responsible for the task. If several workers try to pick up the same task at the same time, only one of them will grab the task, and the others will continue without a task. * if a task was found or received and the lock was properly acquired, the task is executed. * if no task was found or the lock couldn't be acquired: * locks are cleaned up and deleted for tasks that are finished. * old tasks are purged at a regular interval, configurable with [`AUTHENTIK_WORKER__TASK_PURGE_INTERVAL`](https://docs.goauthentik.io/install-config/configuration/#authentik_worker__task_purge_interval) . How long tasks are kept for is configurable with [`AUTHENTIK_WORKER__TASK_EXPIRATION`](https://docs.goauthentik.io/install-config/configuration/#authentik_worker__task_expiration) . * the scheduler is run at a regular interval, configurable with [`AUTHENTIK_WORKER__SCHEDULER_INTERVAL`](https://docs.goauthentik.io/install-config/configuration/#authentik_worker__scheduler_interval) . ### Task retries[​](https://docs.goauthentik.io/worker/#task-retries "Direct link to Task retries") When a task throws an exception, the worker will automatically try to re-run the task up to the value configured by [`AUTHENTIK_WORKER__TASK_MAX_RETRIES`](https://docs.goauthentik.io/install-config/configuration/#authentik_worker__task_max_retries) . Those retries are done with an exponential backoff strategy; only after all retries are exhausted is the task marked as failed. Otherwise, the task stays in the "Running" status while the worker retries it. However, logs shown in the Admin interface are updated after each try. ### Time limits[​](https://docs.goauthentik.io/worker/#time-limits "Direct link to Time limits") All tasks have a time limit. If running a task takes longer than than limit, the task is cancelled and marked as failed. The default time limit is configurable with [`AUTHENTIK_WORKER__TASK_DEFAULT_TIME_LIMIT`](https://docs.goauthentik.io/install-config/configuration/#authentik_worker__task_default_time_limit) . Some tasks override that time limit for specific purposes, like synchronization. Manage the worker[​](https://docs.goauthentik.io/worker/#manage-the-worker "Direct link to Manage the worker") --------------------------------------------------------------------------------------------------------------- ### Scaling[​](https://docs.goauthentik.io/worker/#scaling "Direct link to Scaling") How many workers are needed will depend on what tasks are expected to run. The number of tasks that can concurrently run is calculated as follows: * workers replicas (1 for Docker Compose, defaults to 1 for the Helm chart but can be configured) _multiplied_ by [`AUTHENTIK_WORKER__PROCESSES`](https://docs.goauthentik.io/install-config/configuration/#authentik_worker__processes) _multiplied_ by [`AUTHENTIK_WORKER__THREADS`](https://docs.goauthentik.io/install-config/configuration/#authentik_worker__threads) For example, let's say an LDAP source is configured with 1000 users and 200 groups. The LDAP source syncs the users first, then the groups, and finally memberships. All those steps are done by splitting the objects to synchronize into pages, of size [`AUTHENTIK_LDAP__PAGE_SIZE`](https://docs.goauthentik.io/install-config/configuration/#authentik_ldap__page_size) . Let's say that setting is 50. That means there are `1000 / 50 = 20` pages of users, `200 / 50 = 4` pages of groups. We won't worry about the number of membership pages, because those are usually smaller than the previous ones. This means that in this scenario, the maximum number of concurrent tasks will be 20, plus 1 as there is a "meta" task watching over the synchronization and managing the steps so they are executed in order. Thus, for the synchronization to run as fast as possible, there needs to be 21 available workers when it starts. However, other tasks might also be running at the same time, or might get created while the synchronization is running. Thus, we recommend having more workers than necessary to keep a buffer for those tasks. ### Monitor worker and tasks status[​](https://docs.goauthentik.io/worker/#monitor-worker-and-tasks-status "Direct link to Monitor worker and tasks status") The workers expose metrics about their operation on [`AUTHENTIK_LISTEN__METRICS`](https://docs.goauthentik.io/install-config/configuration/#authentik_listen__metrics) . Those metrics allow monitoring of the number of pending, failed and successful tasks. They also provide insights about tasks durations. The worker also has an available healthcheck endpoint. See [Monitoring](https://docs.goauthentik.io/sys-mgmt/ops/monitoring/#worker-monitoring) for details. * [How it works](https://docs.goauthentik.io/worker/#how-it-works) * [Task retries](https://docs.goauthentik.io/worker/#task-retries) * [Time limits](https://docs.goauthentik.io/worker/#time-limits) * [Manage the worker](https://docs.goauthentik.io/worker/#manage-the-worker) * [Scaling](https://docs.goauthentik.io/worker/#scaling) * [Monitor worker and tasks status](https://docs.goauthentik.io/worker/#monitor-worker-and-tasks-status) --- # Active Directory | authentik [Skip to main content](https://docs.goauthentik.io/users-sources/sources/directory-sync/active-directory/#__docusaurus_skipToContent_fallback) On this page Preparation[​](https://docs.goauthentik.io/users-sources/sources/directory-sync/active-directory/#preparation "Direct link to Preparation") -------------------------------------------------------------------------------------------------------------------------------------------- The following placeholders are used in this guide: * `ad.company` is the name of the Active Directory domain. * `authentik.company` is the FQDN of the authentik install. Active Directory configuration[​](https://docs.goauthentik.io/users-sources/sources/directory-sync/active-directory/#active-directory-configuration "Direct link to Active Directory configuration") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- To support the integration of Active Directory with authentik, you need to create a service account in Active Directory. 1. Open **Active Directory Users and Computers** on a domain controller or computer with **Active Directory Remote Server Administration Tools** installed. 2. Navigate to an Organizational Unit, right click on it, and select **New** > **User**. 3. Create a service account, matching your naming scheme, for example: ![](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAdMAAAGTCAMAAABEeAjzAAABC1BMVEX////oJTEAe9atsa17e3vO0s6lpaX39/fvECHn5+ftTVjLztLymZ71z9HyhYyMiou9xMH8+N8BAwrh+/u55PT45sO6s6/kypHY4d1LTpf625CEu+Th06ttZYh/n8PEoX2oyN7V6vfg5uXz9vX+/fhvhLH159OuooedelPR+Pk+JBteRjmXsskpZJs3OXSaoaOhl4L46a3RsokIGT5QT35jcKYgBwPq8fFtMGV6f4ad1/eIW0m1kGTm2MXwGUVeam6MZXURNmZUmc3V6cr0qHR4OAtChr35tKqJXClZtO3zbVvIij/yYJb0MiHJyYv1h6+xgYeDdKiwyJrZvVmDxveuZB3FV0gcr/f64/zyicLnAAAACXBIWXMAAAsSAAALEgHS3X78AAAd20lEQVR42u2dCWOa2tqFvV+beNv0VFEQFUSME4rgmDhg6hA1U5v25Db33P//S753b9CYxMyDQ9c6ETeDNocn690vsAefD4Kg9VDNuJKM07EZTLv5fLfbZUgvazgdGyGpKqmyLP+HCT7dGKY5gUmeZ5oLivMHCQfB8PWPZQ7y5XJJXLDnTmVykYK7eKQE71ChRv8USD2FafU2U+EgshOe0dtZQC1DLDMHH8S72L0e04y0LfoyQurho1OgOWMq3WKa29raSj3IlNAv3PW6TIWa+MijwfSK6bQ6nTEljM2tKHuPlIPBfLkUPdjZ2kn5hB1RoJirhz2mmVwwRe8HkUiwybcTsfKHHYrKIovNpRStR7bpXAsH+hxTIVLeTmUkOiBM+0tRWmXY0nJ5W88IEZWtst1BxjSTK3l/Nzn2vYTuMF8W1XK54xY7GQZTiNC3lHV6L5fp+y/KuzV28J/LtFqNM8kzpsJWlLmTuKVcn9Lr05ZI9k3RihBN3WQqslXhQMxFRJcdvVL0F0HM6K+AQKipK6apKeAM/0CGrXp/SwIDrmekUligHWrZZTr1If0C2ykhUvJJBFQq0zGltMC2MKbTN58k0lf4JN3/R/u0Wj39F7R++nw/039D6ycwBVNojZnye4P/xQkCU2iVmeaPSZc4QZvElOsrThCYQmAKgSl0A9/RZ/7+r69HT2b67ad0ypajHwu/2OdTT//97fvRD37o0Y+7f4lv39Uf7gJ6Bf3rS+7z1dtTmaYJ52Kmn4+OfhClU4/pLYjXtoLpG0C9jvTxTI+OThczdaHRLjBdEtTT60gfz3T09eiUMf125BNOv3/5wctf3YDMWX359v2vI59r128/fcKItv3P99cXesB5uoAp7ZPoC32Zo2/fhb+OAOf5UDPXkT6B6eznx+evX7+cUsQ9Pf3CmLIFs+PnnwJBIkRHHOvXU4rHd/r0889Td+Xbz9Pv89Chd2T64/OX058jlg/5JGJ6evTl6/fRj2s+JXqEmdFlB428HV7m5BOOrjHNsVjOnmmPEImXFXt/sDp19Nlz5c+vX7/+nDr0qj6lF2c6+vcV7Ou17OkRy7UI77cj6fTnDDO0hByJpb1HAsVeFlCJDEVeljbxvJeqTtrMrndctN6Vz6LYy4/+zD84jbpguqxrGRZmT//iORJLbo5YycuCWTxm7vuey/nUH16OxA76TtetPz7/73p1SckRy5+OWCxmxyH2LumewxP07fsI53o17w0Kxn4oNH7ON/5EFruqTPt/p57h028/M0eIpJvFFAJTaB3qUwg+hcAUAlMwBVO0R4LWjukXP7Ru+gtMwRQCUwhMITCFHsc0MtMpmK4h02+RW4JPEXshMIXAFAJTML2TZ1pMgelmMU1rEx1MN4ppWhsOwXSjmBLSEzDdKKYM6clwMnTAdFOYNhnSf+i/PphuCNMZUjDdGKZTpP/8A6abwjStKSdE9R8w3aD6NK0o//xz8vv3719gujl5r8KcOhzCp5t0faoov0/EB69P05+C5cDHwHY0jVO5BveRyKgPMt2NBD72SKZZBtR1uN+rDB9iGt0OBDyovQ84l+vwrO3B5zLNDz1PZvFjEydzE56fNtUaKWk4plnsRXEyN4FpTpZVuVbrGmax2AviZK4y0+hM9zJNH8gqMU26TLdwMleGafSWfFe7H2Bao9k0p0x3cDJXhuntbU9gyqpTYuo4Zm8XJ3MTmKpJpq5hGMdmABeom8DUf9DtJrsMqWMaj7HpwfF+yFZe75dPy3bhiR8RjIH4lL8+mjA3fd/enfSmxd6u4SJ1jMdcyRw4ligkW53ruXMyNuMi1GKFFzON38t5ZNu3IcUbd4IbZcV7vu1o0V6pXQqvr09zScPgSI8rj/lzVfviou+IFd7Pp0L/wn6KT4W+fg8f4deS6T2BaWqm+5mmI+RQh3T8KJ8G98Icomna3WLI6uTO9kOD7DhkRZNslfm0kbfNUP23ILdu4N+l7dZxXRHOQvVhWh6HBiJnalIhHafVTpwd4fdftu1zIh23U8yA7DjaUb8Yh+rsE6MJ/0gnHaelQuV9K+q/7Nl5cmq8oceP9+u63DPrbXO/PtDT/tGwltDT1YTOfkOxSruHKu02i6GYyG1aYyV3e9/cD01SUv9jopSjMeAsUTKK9Ym4DKZEbvf669FM/RcOJ2qaxmPuOOgeU1uX+51ccq/AVhr5WFjtd3jYZUzN0kLnRoudWrEjN9SWKNuH4xPhzGJMiyfpM0syiZF9XtTitlhtXVwxFcYa7ZaLWm48bNJOsp0YLw6bZ9ahozTjDfqIbOvVVr7hMg0eZ1NJ67yVPaQCIU6TTVXO9KJVUltlQ0tVExVzT+3TmhYmmx72NSqx7e2Ak4gmE3qtV26XjYQuOe2PAVEKaOHlML2hxzP9FGETaprmsfOxvPton+5FuzSUYWjA/vhDVj4WTfLVDmcaKyysVXdjuzL7ORzXs6IcK6TpxWMvvc7Zx+ttKl+ejKz4FVO2YKsi48leo0kzzumdF92PiOlLrWbVPKZ5wsiXcV7Q06OhWOVMg8fFnq6a9KFQr1FqGrTWZDYVjPntYYlwamo7kGAxWXLY72WJa8aUnswYDOmxkdW0ncfVp4xpsiGySNvSuU/dVb//MUyJ4XH94gZTW/Ryo5F12bmHKdk07TG1KbDy3GhkOYp8B1NWm7pM9bRk0J8AM101UUr7aU2L8tpU6pofG3w7pUZCt90rzZj2s4Ul1acLmAZm+u/99WlU75QdcqqjaYqile63atrLe9t7YdnUKMJGWp2cQT5lq7PYez9Tir0dySzNYq/dYbF3PEy7JKvjQSFuH7Z++5NzsZdgUuwd2SLZlNAqLPaOsyz2EsnqMdW4jYuW1qxNYy/BpMKooctDCtctLSU3LhwtamhOgmxbSZQO+VqNkl7ByUaNANvugqyZli5NYy9bLiX2fgvckm/nkffwCan+kZAaRFTRNK0Uffj6dFBO7oWFGs+RjP39unU+tsXaVY7Eme7ezpE8n0Ypr+I5klVIU91ZL7KC6uZIZNzLCfMr5VE9O1VtiV6ORCYtUo50SDalUpGlVRLPkdg1zOWEqk7xbL9u2ixHGrgmZTlVkCe9VEHQntqYJT08FyKfsrUgtykr6ZLBtrNLGMnZS9G1zLJzpAX38B/JNKorol6uVLZ1RfGgflpuFk8Y77w+rVkLn/BW+3p64fWpvISacPlMdzSlUyqlwqKidDodnUNd6v/MKDThr9syKAdTFl2XjvatFHvd2ExJXP0ktXlMa3Q74b76tBnUFL1UaqZ0pUNBWNc1Lat98kOrzLSbz9/HdLdE1Sj5lNuUkJJPh1oQTVhWmalUlar3jY8U5UyDZFPmU7dCzW7v4vnMajPNfb2fKVWgO6Liiten2UAURl1pptX7mKZdprpIbu0QUYZUy7Z3wHS1mUr35r1BzlTXFO9SRmE+3ULsXW2m8v3jDW4Fsoyp5gVe5tMybLriTKsPjCHZDAY8l3qhN4BWvuvOlGrVnXK7naU7+NlsOxEIIvBuAFPety26EwwGt3AVszlMITCFVvfeIASm0PKZ5ulp9yWY/lnPTyEwhcAUAlMITMEUAlNoNZl+mme6tQ2trCKZxzKNzt/vzfig1VUGsRf1KQSmEJhCYAo9n2kU7Rw2+/oUQuyFwBQCUwhMwRRMwRQC08dp9+NK6EW99SLP/Ve3N5RpYBWeY5VfxjT4vH91C0zBFEz/TKY7gSCYbhhTmo3tjj5QNGgiG+xtCUwzciy8qOVGfOFmML0Vez/07ugDxYcwvRrHVKpkw+/BlAG9xZThjMdUMH1kfRr57z1M51aXzXQJPuVDMz9qyoo1yZE8n34MmDSjYsju0Ti1tF5h5Q6Ly3YpbxbrPRr3NsdmM6CRmBOF5zIVRjRGp0IoM7JNg+We28c0CULGm9aAyie0UWU+rZrKEphW2zRIM43dm157psSt3mh/NBrBX38f9hNt5lPJaNDoxLxUSdCebiOY34v0xVx+L/wyn5I/zxlTtpSLSmYUO3Q6ZM1zXlbd2KuaneX4tNqeOXYjfKo1k0W7dFBxSWbD9DokZ9Z7gexhnn4SLJkK2eILmAoyTSFgXTF1C3xagzKV4x7TYtF659hboZl8Q9ZFr7hfbydK/Le8aJfY5CQ0kL5WWF+mYTZfTKN9xbRdaenk0ynTQKzwwvp0t6Vf86lbsEW3Jp0xtfXxyTszNS3xqF9JzGKvRGPil2lyknmg68g02k2ISScxzzQhHvSnPt3LO8oLY+9uq5PuWjS3gZC8YkozzLg0Z0xpwTi/J1OKvqw2dZmqrDpqJ8pG0dKb6x17w6q5Pygli1ZhGntVZ39/MGWa5VM8vSxHolkNTGuXzVsQU8c0DwljGnanNXCZso0M75kVXhrTcj8RlfjcFTQ5ybCAe4PreB/pFtNsqtYgnzp/R7taCkzXmymFW5qirWaG9gdt/m6vZY4EpnguA6ZgCqZgCqZgCqZgCqZoN4h2g5AfbbYhMAVTMAVTCEwh9IH6Y4V7Dhsn3EcCUzAFUzDdeKY3+la8LVNB3qf2ZGD6zkzfrMMMMc1QM1DqViE+pnsbmK4HU+EPwLc6TNXj/ZDVoU4Fd3eCGrywExTzqTTWUsyZrEWvbJuhOrPtBW/iW1fczlBg+oo+lQKBwKJOUPlX6gTF6tOMSr3XOhL1eqI+FUVduBwKZ5bbFF9t6bwzVBhMX4mpxHo7ZfOLO0FVXqUTlJf3CknrqteTzHq18b4zrMsM39wB09dhKnSptxMVFnWCyicqr9IJymNKhrzgvZ5Y3ZpzLli3GY/pm3WS+TOZ/toT1QT1EbnRCSrPO0FVXqUTFO8vY4XJpyzUuiCFM3OYmcVe3hkKsfd1+hSH6gmTejsN7+gEVXmVTlA8RzpmwdvLkVg/f7nY8bpBUY6kIkfCfSQwBVMwBVMwBVMwBVMwBVMwBVMwBVO0G0S7QQhMITAFUwhMITCF0AcK1zK454B7DmAKpmAKpmAKpr7HzgMVp+bFv8H0We0G3bm9pEA7kA2/D9NHzQMltDq+W61+47EUmD66D9RKMJ336ca09t1gpk+dB0oYZ5knvQNYlymy7UUsJVHxJB03Q4PfYHrfHHyMKGd6rU9bxZvYS3rZxF7PnAdKYl2mBIdQ0kxCiu9y4juz4rHoeJiWWiW+OQWmd87tNc900cReedan7UUmfuY8UP+x1KJ7QIEQRh2ateSck4zzzQqYPs6nrz+x1/PngRLcLlPEs+ATqMtUYcZ0jbpMrQjT153Y63nzQLGZg/5jUajluwq0wZykZ7GXloi9D/RrM24wvT2x14tj7xPngRIMuswSfZJ7QIHFW16HujmShBzp3ryXKjrqeXot9r7qxF64j4R7g2AKpmAKpmAKpmAKpmAKpmAKpmg3iHaDkB/teyEwhcAUTMEUTCEwhcAUAlMITMEUAlMITCEwhcAUTMEUTCEwhVaSqfDr74K7uK43mzMTAlMwBVMwnTG9oPlsdemsWLeCFdO0Cm6v4joVWN/iCethbB3S7LbUbdDvp/kXWUdBifoeDpSkO+WtkmNd3zqC3BLBYiWYtvl8tpW2SD1Pqe8/92ne0VVjWHNovsw9Xp502cAONLNirmsrvEB0E7QxST+xi35HqL246zH0ekwrbD5b3sPf9GbLpD7iYW/J5kAN52i5R1OkMqZJXmCdUkNWhd7pp9FlH2YuhpbNNBkQ/dP5bD/uFaY16SOYJvItnZZTpvkGgu6KXJ/WDN2vtstdms/2Y5vibMUdJOla7O16sTd/g2mic2BMfRq7MDXE3tVgKlCOY2thNp+tkuvyHMljynKkSZgPtjPh5cPrTPe2jP39+pTp3m4NOdL63Ec6aA9xejeJqcrGqYL1cL8XAlMITMEUTP8spsr/rZmaYPog0/UYLXUml2nkw3ppB0wfZrr7aZ20tUFMt4pgCqabyTS6VkyFSHbR3BJCbS8MpqvoUyGvhR8A2rzFlHA2a7EImK6nT+9iGn4nn9JjJJrmYBhdfCLlhr77h/uU7tXbHYE9bOPNjmhQ7V+JgNZMsnlJBD7Ktnsca4Rk64SSPaSrW3nWMokarbADaqycpUliIsynak95W6a5sUXUVDMWfTRTOVHa/XN8Sm1YDn8l8gFRyAeMhigbimpk89mkowjJVrkvzlecQiRBY+PzZTNpU+OyPZUOqMXyNh1MOFnsjUV64hv71Ji4MI3FnJbs0+jO1duSfJqpUYOknDvlCM02I+SzkcBhvl1mNarQdWci8WIrtSO0ZkyZYWuJPG+LFNijsss0WSxO3jj2EjN5HCra+lmP5oiynPokekaP6KM0tn+dUZZ75j4VZFoOz6k80D/RkZUGbeJulY/365raM+s9Kgy0V+a/u92L0NtOIBBdYo4k1HiDJDc1ytSMtpabMv3FJo2YHtUS533qMW0U3Jp0xrQRcX6/LdPRpGYru2TWs15Rk+mncdEqyXb5OBs9s3Ri1ppEu1bQ0aJyo2Lu1VoltVVpzJjmjtti0qqYiR2jrb9BTOZQdz4ypMtiSrWnmAxU+jrFXgZSNSxFmMbeCi292EsAxVzfitCyO2O6d0EH8GR3ypQtGoU3Zpq0ompLS5L3dGbaRvC43mMlZmE39hJNNl1UqEckz7JJi5rJTZmyhZyoJEpqYurcV4dadpEuL0dyqEGSlyMRU6HboKp1QY5E8Xl/MDmgmdQae+dju8yZNt0ciTM9Hw/KDG/uzAq+KVOLZqahufxsRfaY6p9Up96+wdTmcZZIjiynfP6OTAmq6SLFfaTHMlVNZXeWDfGfi5Z26JTNWezVWOw93tuRecRVjwclOVGmrbXGVexNlA7fJvYyqNHosq5lfvFZ8PYKD12NJnkYixVW5d6gXByK15jqPJxQjkTpENWdrCMIQ8lyJEbxrMfY0TGmTVWrxna4JqWk6tVzpI293/vGz2VU5757Djel9u+OsbVeCfeR1u9Z26ho6ex1ew/r5OU5Hj7F81P4FM9lwBRM0R4J7ZHQbhDteyEwhcAUAlMwBVMwhcAUAlMITMEUTMEUAlMITF/wfyXeXILpMsZkFtTArWEHc5eKP2cMxLTcmhs6NC3fOUDhZSg0oWV930r7DVo2+TJniGkwXQLTXPf37W1nw7RqmtRbyr644ng305FVEMYncbsgmL/jdmq2HE2aYPr+TBcOIykkrYLaMob07n+UT0lnkxGZ9PJkRCadLnP9P8moqzF2OrNk0qrx3o412xzkWTt+Rk9tURNpeUJ+lRvnNjXjP0mzLkxWgZYDUbbFaov9nFEbvumvNj45mzCyZ5M0XzZp2bw8oaPSYPq+Y6fn6EN2J2dYSbOkOt7GtOroZ4qaOHSocfV5URFGscOx0kxah+OT5pklmZ1R6ES2D1sMr2fTQWEB07M/KfiuzNjpjGmsINQa+Vg0ydv4l6ifMRnU6ahOmaA1zmOFtLe03WX08sQIWKOJNK5np0jtgh9MV2Ts9Hmmtanp6B+yE4XcWW8iLGJaGPVahy3nhMaWPa6LnktZpnSzPk2D6TLGTmf1KY+9tKbOBlRPy0XLL5yFhlOmLPYKZ17sTVeLk/TxgGrUDoVhOjzO/xhu573pyxMwfeex0928t1KkcpS71cuRqEI1h352dTpjuivvh8wYy5Gsgl8an6RHlj9NEXzCjr5k/a0mt65Pm0JfRI60hLHTKcK+2lwHN+8jsQgMn77/2OnCOV2ivM3/pID7SLiHD6YQmEJgCoEpmD6HaeTjmolfygTW7Jfefl+mkfXqfxpwmabX6pfeem+mmXUKRmAKpmAKppvClN+lt0TJHei15L7p8jbdEPwrWaInbdloMkEPWWnBnrDSjcKc+6z0t58NDlvPhg8ihbViWk3oCze39Y1h2t8r/NXXDukhqt97fErjMR8a9FQlmaCHq1dMaRsNB9oQ3Yczxt5hNyb6DwKTgwWNypbGNB4THwJ6mynhlNr5xEYxZcNszzEVkn8X2LPTnuKfZ0rjbbMDhpwpjfpa7ne8VmV/F9bGp3cx/QN8SsO2mrbmn2faavNH3t3YoetT1u7B/ZZ3M+pNpiMaILIZpwZvSpUNq62k461yTJTYuJHhKi0Vb8D3+JgeAquEstor7g/KPYceB6fYASdqn0YttJzioEzP+HXByIqbUp/S02z+RqP3um/MkAZ/CjrPlDFkMZjXp9YOoZXOqFB4N6PeYCpQW0M76CgUcM9bGrVrSY0sakBxnG1KrbKjpKtzcbiaiMSIKSNXbU1S8UTQKIVplZX7tJHF3m1DK2yMT+k159NckgVVr4nvHT4Van0l6TYdpFZM72XUm0wv6xMxzsagrbcJXzx26ChVmmCBkayO2eYT16hVh5qt5mdME7xg8iG42ca2y9Sh0fU3qD5NBoJzsZcanbkl1oQln92tUUWay+9F5utTKT+R+x2P6XsZ9VZ9Khn1C7vjpUaCcxETZ0xbV3wER2vO+9Rl2iqF3Rx4yrSlvUnoXQmf8hyJl8icQWMSlqkhGrVgkVjea3h5L+VILO+loZpZo4Z3Muqt2KsITmlMVWrsnIEcmRRIp7H3OJuaxl6hpYVrVpCW8hXToJEQOeIZU1r075/6ah3r09Cg7DJti55jjX1qwUf5UtGkten1KWdKLmXXp3abtSB9J6PeypGKoUlT4jkSwxdvUZY0zZGkuRypRk3+BzR+b91sBA2K04ypLvEciTP9YBTbHO+ooeA+Eu4jgelrMWUZUKjeeeh0CibvCaCAKXwKpmAKpmAKpmAKpn86U7RH2jimaDe4ce0GIT/abENgCoEpBKZgCoEpBKYQmEJgCqZgCqYQmEJgCoEpmIIpmEJgCoEpBKYQmIIpmIIpBKYQmEJgCqZgCqYQmEKrxnRrG1pdzfUIfgLTjA9aYWUQexF7ITCFwBQCUwhMwRRMwRQCUwhMITAFUzAFUwhMl6rga+mTf/h/ryRl7veLfnglBf8gpluvozdjuvPpVRQF0+cx1V/j7CvzTNNgunFM4VP4FEzh0z+N6Y4aIJWubSkHn8hUdvbET2pf231Nn6o0R6dduuPzB/lYFEzvEiN4neIzmJp1bfca04cAP+xT2bHEg1+tDpg+iWmktIjpc3yaMLP6IqZqoLT7PJ/u0tzA9/xNgGlwsUHLO1dMZRaBd9Q8LWlNzZd2nsQ0kNAIo0ozaE4iPU11ivt1BjWX7E3EZ/lUDexxaCpNKToodc0izemZS9KydNClScxLYLrIpK4bvfrUo5svk0s/lCPlhUjvYVrqZi/6bKpiItvt9fY+TE170G0sisIP+vTAY8qKlYRhlw4MmvFay/1qBfr6Qb5RAdNbkss71+pT5lDtgnNWywEt+MTYW1LblUSAzzJuHToDbS4Q1wL6C3zKXFlv0AqRrbBNB3z+YJpbF0zv9il7zzNnquUp01L+yT7dTTp2oKWxE61SxqS+1KdefZrLt3SiOc+02xBRnz6qPi2XtiLaNPYG70iT7mOqOnXNSLBMyUgYibLL9Pn1qZf39tqJjtr3fOrG3rapIfY+kPe69WmEllpwmiMxvk9k+ilJ59qhHCnfK6lOzylmoy/Je93r0wF91f6+F3v3ojxHYpkSciTcRwJT3O8FU/gUTOFTtHMA0/Vrj5RGeyTIj3aDYAqmYAqBKQSmEJhCYAqmEJhCYAq9E9N/Qeun+5muyzinN56i+H2BtN8fwOi0YAqmYLrJTIX4f5hkAUw3gKmgJkk1WfKJJ2VZBdMNYCrJ8Wq1KtfiTFOmAjVDDVniE3wu0wfqJ2C6GkzjVU6zy+06Y5oQJWMSfgLTlkhcJx4gWgPT92T6aSd6mykzK9lVvmLKXk9i6hNqjQKYLoVpNBKZg5qLz+km02TLjEW71E2g4xO61E2gJdZoS3Acqk+EWsugfpqXoboyZZpRnd+5cSg0YYF4wktg+k6x9xpU6S6mFHubSVMRkq2OkGwQzI50bNMbR1gjukUrd1ZXcl27MMfUNanr04z6eLuC6Qvr03moOXkhU3JarODaNVbwqYYeyYY5ScKUOwuFGF2RbeA0PaYHjijQvgFn6pbA9L1ypOh2sOkVDxjT6gKfzkLwTaZsi9pfwJTVp/RDZFnG5JbAdAk+PZDviL0zpiz2xgqz2CvmulaTB+MbTOn1W0hazZrNmVJJtsF0GfXpQ0xZckSR1icZITdHEjPyODTo3WRa5JE2o/J9lB9N3BKYLiHvdZnK/GfG9I4LFhaGcR9pSfp/zdx6DvrI7UsAAAAASUVORK5CYII=) 4. Set the password for the service account. Ensure that the **Reset user password and force password change at next logon** option is not checked. Either one of the following commands can be used to generate the password: pwgen 64 1 openssl rand 36 | base64 -w 0 5. Open the **Delegation of Control Wizard** by right-clicking the domain Active Directory Users and Computers, and selecting **All Tasks**. 6. Select the authentik service account that you've just created. 7. Grant these additional permissions (only required when _User password writeback_ is enabled on the LDAP source in authentik, and dependent on your AD Domain) ![](https://docs.goauthentik.io/assets/images/02_delegate-f00c66076936327b9be0680b209a5009.png) authentik Setup[​](https://docs.goauthentik.io/users-sources/sources/directory-sync/active-directory/#authentik-setup "Direct link to authentik Setup") -------------------------------------------------------------------------------------------------------------------------------------------------------- To support the integration of authentik with Active Directory, you will need to create a new LDAP Source in authentik. 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Directory** > **Federation & Social login**. 3. Click **Create** and select **LDAP Source** as the type. 4. Provide a name, slug, and the following required configurations: Under **Connection Settings**: * **Server URI**: `ldap://ad.company` info For authentik to be able to write passwords back to Active Directory, make sure to use `ldaps://` as a prefix. You can verify that LDAPS is working by opening the `ldp.exe` tool on a domain controller and attempting a connection to the server via port 636. If a connection can be established, LDAPS is functioning as expected. More information can be found in the [Microsoft LDAPS documentation](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/ldap-over-ssl-connection-issues) . Multiple servers can be specified by separating URIs with a comma (e.g. `ldap://dc1.ad.company,ldap://dc2.ad.company`). If a DNS entry with multiple records is used, authentik will select a random entry when first connecting. * **Bind CN**: `@ad.company` * **Bind Password**: the password of the service account created in the previous section. * **Base DN**: the base DN which you want authentik to sync. Under **LDAP Attribute Mapping**: * **User Property Mappings**: select all Mappings which start with "authentik default LDAP" and "authentik default Active Directory" * **Group Property Mappings**: select "authentik default LDAP Mapping: Name" Under **Additional Settings** _(optional)_ configurations that may need to be adjusted based on the setup of your domain: * **Group**: if enabled, all synchronized groups will be given this group as a parent. * **Addition User/Group DN**: additional DN which is _prepended_ to your Base DN configured above, to limit the scope of synchronization for Users and Groups. * **User object filter**: which objects should be considered users (e.g. `(objectClass=user)`). For Active Directory set it to `(&(objectClass=user)(!(objectClass=computer)))` to exclude Computer accounts. * **Group object filter**: which objects should be considered groups (e.g `(objectClass=group)`). * **Lookup using a user attribute**: acquire group membership from a User object attribute (`memberOf`) instead of a Group attribute (`member`). This works with directories and nested groups memberships (Active Directory, RedHat IDM/FreeIPA), using `memberOf:1.2.840.113556.1.4.1941:` as the group membership field. * **Group membership field**: the user object attribute or the group object attribute that determines the group membership of a user (e.g. `member`). If **Lookup using a user attribute** is set, this should be a user object attribute, otherwise a group object attribute. * **User membership attribute**: ensure that this is set to `distinguishedName`. * **Object uniqueness field**: a user attribute that contains a unique identifier (e.g. `objectSid`). 5. Click **Finish** to save the LDAP Source. An LDAP synchronization will begin in the background. Once completed, you can view the summary by navigating to **Dashboards** > **System Tasks**: ![](https://docs.goauthentik.io/assets/images/03_additional_perms-fca59e77dfb52a749e229b4f77f2222c.png) 6. To finalise the Active Directory setup, you need to enable the backend "authentik LDAP" in the Password Stage. ![](https://docs.goauthentik.io/assets/images/11_ak_stage-1196baf814dadd946f8a2f6486d32fa3.png) * [Preparation](https://docs.goauthentik.io/users-sources/sources/directory-sync/active-directory/#preparation) * [Active Directory configuration](https://docs.goauthentik.io/users-sources/sources/directory-sync/active-directory/#active-directory-configuration) * [authentik Setup](https://docs.goauthentik.io/users-sources/sources/directory-sync/active-directory/#authentik-setup) --- # Source property mappings | authentik [Skip to main content](https://docs.goauthentik.io/users-sources/sources/property-mappings/#__docusaurus_skipToContent_fallback) On this page Source property mappings allow you to modify or gather extra information from sources. This page is an overview of how property mappings work. For information about specific protocol, please refer to each protocol page: * [Kerberos](https://docs.goauthentik.io/users-sources/sources/protocols/kerberos/#kerberos-source-property-mappings) * [LDAP](https://docs.goauthentik.io/users-sources/sources/protocols/ldap/#ldap-source-property-mappings) * [OAuth](https://docs.goauthentik.io/users-sources/sources/protocols/oauth/#oauth-source-property-mappings) * [SAML](https://docs.goauthentik.io/users-sources/sources/protocols/saml/#saml-source-property-mappings) * [SCIM](https://docs.goauthentik.io/users-sources/sources/protocols/scim/#scim-source-property-mappings) Create a custom source property mapping[​](https://docs.goauthentik.io/users-sources/sources/property-mappings/#create-a-custom-source-property-mapping "Direct link to Create a custom source property mapping") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ If the default source mappings are not enough, or if you need to get additional data from the source, you can create your own custom source property mappings. Here are the steps: 1. In authentik, open the Admin interface, and then navigate to **Customization > Property Mappings**. 2. Click **Create**, select the property mapping type for your source, and then click **Next**. 3. Type a unique and meaningful **Name**, such as `ldap-displayName-mapping:name`. 4. In the **Expression** field enter Python expressions to retrieve the value from the source. See [Expression Semantics](https://docs.goauthentik.io/users-sources/sources/property-mappings/#expression-semantics) below for details. 5. In the source configuration, select the newly created property mapping as a **User property mapping** if it applies to users, or **Group property mapping** if it applies to groups. How it works[​](https://docs.goauthentik.io/users-sources/sources/property-mappings/#how-it-works "Direct link to How it works") --------------------------------------------------------------------------------------------------------------------------------- ### Expression semantics[​](https://docs.goauthentik.io/users-sources/sources/property-mappings/#expression-semantics "Direct link to Expression semantics") Each source provides the Python expression with additional data. You can import parts of that data into authentik users and groups. Assuming the source provides us with a `data` Python dictionary, you can write the following: return { "name": data.get("displayName"),} You can see that the expression returns a Python dictionary. The dictionary keys must match [User properties](https://docs.goauthentik.io/users-sources/user/user_ref/#object-properties) or [Group properties](https://docs.goauthentik.io/users-sources/groups/group_ref/#object-properties) . Note that for users, `ak_groups` and `group_attributes` cannot be set. See each source documentation for a reference of the available data. See the authentik [expressions documentation](https://docs.goauthentik.io/users-sources/sources/property-mappings/expressions/) for available data and functions. Note that the [`list_flatten`](https://docs.goauthentik.io/users-sources/sources/property-mappings/expressions/#list_flattenvalue-listany--any---optionalany) method is applied for all top-level properties, but not for attributes: return { "username": data.get("username"), # list_flatten is automatically applied to top-level attributes "attributes": { "phone": list_flatten(data.get("phoneNumber")), # but not for attributes! },} ### Object construction process[​](https://docs.goauthentik.io/users-sources/sources/property-mappings/#object-construction-process "Direct link to Object construction process") A user or group object is constructed as follows: 1. The source provides initial properties based on commonly used data. 2. Each property mapping associated with the source is run and results are merged into the previous properties. * If a property mapping throws an error, the process is aborted. If that happens inside a synchronization process, the object is skipped. If it happens during an enrollment or authentication flow, the flow is cancelled. * If a property mapping sets one attribute to `None`, that attribute is then discarded. 3. If the `username` field is not set for user objects, or the `name` field is not set for group objects, the process is aborted. 4. The object is created or updated. The `attributes` property is merged with existing data if the object already exists. ### Group synchronization[​](https://docs.goauthentik.io/users-sources/sources/property-mappings/#group-synchronization "Direct link to Group synchronization") LDAP and SCIM sources have built-in mechanisms to get groups. This section does not apply to them. You can write a custom property mapping to set the user's groups: return { "groups": data.get("groups", []),} The `groups` attribute is a special attribute that must contain group identifiers. By default, those identifiers are also used as the group name by default, those identifiers are also used as the group name. Each of those identifiers is then given to group property mappings as the `group_id` variable, if extra processing needs to happen. * [Create a custom source property mapping](https://docs.goauthentik.io/users-sources/sources/property-mappings/#create-a-custom-source-property-mapping) * [How it works](https://docs.goauthentik.io/users-sources/sources/property-mappings/#how-it-works) * [Expression semantics](https://docs.goauthentik.io/users-sources/sources/property-mappings/#expression-semantics) * [Object construction process](https://docs.goauthentik.io/users-sources/sources/property-mappings/#object-construction-process) * [Group synchronization](https://docs.goauthentik.io/users-sources/sources/property-mappings/#group-synchronization) --- # Certificates | authentik [Skip to main content](https://docs.goauthentik.io/sys-mgmt/certificates/#__docusaurus_skipToContent_fallback) On this page Certificates in authentik are used for: * Signing and verifying SAML requests and responses * Signing JSON web tokens for OAuth and OIDC * Connecting to remote Docker hosts using the Docker integration * Verifying LDAP servers' certificates * Encrypting outposts' endpoints Default certificate[​](https://docs.goauthentik.io/sys-mgmt/certificates/#default-certificate "Direct link to Default certificate") ------------------------------------------------------------------------------------------------------------------------------------ Every authentik installation generates a self-signed certificate on first startup. The certificate is named `authentik Self-signed Certificate` and is valid for 1 year. This certificate serves as the default for all OAuth2/OIDC providers, as these don't require certificate configuration on both sides (JWT signatures are validated using the [JWKS](https://docs.goauthentik.io/users-sources/sources/protocols/oauth/#jwks) URL). While this certificate can be used for SAML providers/sources, remember that it's only valid for a year. Since some SAML applications require valid certificates, you might need to rotate them regularly. For SAML use-cases, you can generate a certificate with a longer validity period (at your own risk). Certificate considerations[​](https://docs.goauthentik.io/sys-mgmt/certificates/#certificate-considerations "Direct link to Certificate considerations") --------------------------------------------------------------------------------------------------------------------------------------------------------- ### OAuth and SAML[​](https://docs.goauthentik.io/sys-mgmt/certificates/#oauth-and-saml "Direct link to OAuth and SAML") For OAuth and SAML providers, in the vast majority of cases, certificate expiry does not matter. Most service providers don't check whether certificates are expired. What usually matters is that the signature is valid. However, there are some notable exceptions; for example, the Slack SAML integration does check for certificate expiry. We recommend checking your service provider's documentation for specific requirements. ### Proxy provider and brands[​](https://docs.goauthentik.io/sys-mgmt/certificates/#proxy-provider-and-brands "Direct link to Proxy provider and brands") We recommend using a certificate generated outside of authentik that matches your Fully Qualified Domain Name (FQDN), preferably issued by a publicly trusted certificate authority. ### Radius EAP-TLS[​](https://docs.goauthentik.io/sys-mgmt/certificates/#radius-eap-tls "Direct link to Radius EAP-TLS") We recommend using a certificate generated outside of authentik. A privately issued certificate is sufficient. Downloading SAML certificates[​](https://docs.goauthentik.io/sys-mgmt/certificates/#downloading-saml-certificates "Direct link to Downloading SAML certificates") ------------------------------------------------------------------------------------------------------------------------------------------------------------------ To download a certificate for SAML configuration: 1. Log into authentik as an administrator, and open the authentik Admin interface. 2. Navigate to **Applications** > **Providers** and click on the name of the provider. 3. Click the **Download** button found under **Download signing certificate**. The contents of this certificate will be required when configuring the service provider. Certificate recommendations[​](https://docs.goauthentik.io/sys-mgmt/certificates/#certificate-recommendations "Direct link to Certificate recommendations") ------------------------------------------------------------------------------------------------------------------------------------------------------------ It is generally not recommended to use short-lived certificates for SAML/OIDC signing operations as the main priority is that the signature is valid. Frequently changing certificates can be problematic as it requires updating configuration in authentik and potentially in connected applications. External certificates[​](https://docs.goauthentik.io/sys-mgmt/certificates/#external-certificates "Direct link to External certificates") ------------------------------------------------------------------------------------------------------------------------------------------ To use externally managed certificates (e.g., from Certbot or HashiCorp Vault), you can use the discovery feature. ### Certificate discovery[​](https://docs.goauthentik.io/sys-mgmt/certificates/#certificate-discovery "Direct link to Certificate discovery") authentik can automatically discover and import certificates from a designated directory. This allows you to use externally managed certificates with minimal configuration. info Certificate discovery can be manually initiated by restarting the `certificate_discovery` system task from the authentik Admin interface under **Dashboards** > **System Tasks**. #### Mounted directories[​](https://docs.goauthentik.io/sys-mgmt/certificates/#mounted-directories "Direct link to Mounted directories") * **Docker Compose**: A `certs` directory is mapped to `/certs` within the worker container. * **Kubernetes**: You can mount custom Secrets or Volumes under `/certs` and configure them in the worker Pod specification. When a new key pair is added or changed, authentik automatically triggers an outpost refresh. When a new key pair is added with a private key that already exists in the database, authentik updates the existing key pair's certificate instead of creating a duplicate one. ### Manual imports[​](https://docs.goauthentik.io/sys-mgmt/certificates/#manual-imports "Direct link to Manual imports") Since authentik 2022.9, you can import certificates with any folder structure directly. Run commands within the worker container to import certificates in different ways: #### Import certificate with private key[​](https://docs.goauthentik.io/sys-mgmt/certificates/#import-certificate-with-private-key "Direct link to Import certificate with private key") Use this option when you need to import a complete certificate keypair that authentik can use for signing or encryption: ak import_certificate --certificate /certs/mycert.pem --private-key /certs/private.pem --name mycert #### Import certificate for trust only[​](https://docs.goauthentik.io/sys-mgmt/certificates/#import-certificate-for-trust-only "Direct link to Import certificate for trust only") Use this option when you only need to establish trust with an external system and don't need the private key: ak import_certificate --certificate /certs/othercert.pem --name othercert These commands import certificates under the specified names. They are safe to run as cron jobs, as authentik only re-imports certificates when they change. #### Naming conventions[​](https://docs.goauthentik.io/sys-mgmt/certificates/#naming-conventions "Direct link to Naming conventions") authentik uses the following rules to import certificates: * **Root directory files**: Files in the root directory are imported based on their filename * `/foo.pem` will be imported as the keypair `foo` * Files are classified as private keys if they contain `PRIVATE KEY`, otherwise as certificates * **Certbot convention**: Files named `fullchain.pem` or `privkey.pem` will use their parent folder's name * Files in paths containing `archive` are ignored (to better support certbot setups) * **Flexible organization**: Files can use any directory structure and extension #### Directory structure example[​](https://docs.goauthentik.io/sys-mgmt/certificates/#directory-structure-example "Direct link to Directory structure example") Below is an example of a valid certificate directory structure: certs/├── baz│ └── bar.baz│ ├── fullchain.pem│ └── privkey.pem├── foo.bar│ ├── fullchain.pem│ └── privkey.pem├── foo.key└── foo.pem Web certificates[​](https://docs.goauthentik.io/sys-mgmt/certificates/#web-certificates "Direct link to Web certificates") --------------------------------------------------------------------------------------------------------------------------- You can configure the certificate used by authentik's core webserver, which allows for compact and self-contained authentik installations, even though most deployments use reverse proxies. ### Let's Encrypt integration[​](https://docs.goauthentik.io/sys-mgmt/certificates/#lets-encrypt-integration "Direct link to Let's Encrypt integration") To use Let's Encrypt certificates with Certbot in Docker Compose deployments, create or edit the `docker-compose.override.yml` file in the same directory as your authentik Docker Compose file. The example below demonstrates the use of the AWS Route 53 DNS plugin: services: certbot: image: certbot/dns-route53:v4.0.0 volumes: - ./certs/:/etc/letsencrypt # Variables depending on DNS Plugin environment: AWS_ACCESS_KEY_ID: ... command: - certonly - --non-interactive - --agree-tos # Replace [email protected] with the email you wish to use - -m [email protected] # Replace authentik.company with your actual domain - -d authentik.company # Again, match with your provider - --dns-route53 info For other DNS providers and detailed setup instructions, see the official [Certbot Docker documentation](https://eff-certbot.readthedocs.io/en/latest/install.html#alternative-1-docker) . Certbot provides Docker images for many popular DNS providers. info The Certbot container only runs once. You'll need to set up a separate mechanism for regular certificate renewals. Run `docker compose up -d` to create and start the Certbot container and generate your certificate. The certificate should appear in authentik within minutes. If it doesn't, restart the worker container (this can happen due to permission issues set by Certbot). For Kubernetes or AWS deployments, you can use similar approaches with appropriate certificate management tools for your platform. Navigate to **System** > **Brands**, edit any brand, and select your preferred certificate. * [Default certificate](https://docs.goauthentik.io/sys-mgmt/certificates/#default-certificate) * [Certificate considerations](https://docs.goauthentik.io/sys-mgmt/certificates/#certificate-considerations) * [OAuth and SAML](https://docs.goauthentik.io/sys-mgmt/certificates/#oauth-and-saml) * [Proxy provider and brands](https://docs.goauthentik.io/sys-mgmt/certificates/#proxy-provider-and-brands) * [Radius EAP-TLS](https://docs.goauthentik.io/sys-mgmt/certificates/#radius-eap-tls) * [Downloading SAML certificates](https://docs.goauthentik.io/sys-mgmt/certificates/#downloading-saml-certificates) * [Certificate recommendations](https://docs.goauthentik.io/sys-mgmt/certificates/#certificate-recommendations) * [External certificates](https://docs.goauthentik.io/sys-mgmt/certificates/#external-certificates) * [Certificate discovery](https://docs.goauthentik.io/sys-mgmt/certificates/#certificate-discovery) * [Manual imports](https://docs.goauthentik.io/sys-mgmt/certificates/#manual-imports) * [Web certificates](https://docs.goauthentik.io/sys-mgmt/certificates/#web-certificates) * [Let's Encrypt integration](https://docs.goauthentik.io/sys-mgmt/certificates/#lets-encrypt-integration) --- # Notification rules | authentik [Skip to main content](https://docs.goauthentik.io/sys-mgmt/events/notifications/#__docusaurus_skipToContent_fallback) On this page info To prevent infinite loops of cause and effect (events created by policies which are attached to a notification rule), _any events created by a policy which is attached to any notification rules do not trigger notifications._ An authentik administrator can create notification rules based on the creation of specified events. Filtering of events is processed by the authentik Policy Engine, using a combination of both 1) a policy and 2) a notification rule. Workflow overview[​](https://docs.goauthentik.io/sys-mgmt/events/notifications/#workflow-overview "Direct link to Workflow overview") -------------------------------------------------------------------------------------------------------------------------------------- To receive notifications about events, follow this workflow: 1. Create a notification transport (or use a default notification transport). 2. Create a policy. 3. Create a notification rule and bind the policy to the rule. 1\. Create a notification transport[​](https://docs.goauthentik.io/sys-mgmt/events/notifications/#1-create-a-notification-transport "Direct link to 1. Create a notification transport") ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- A notification transport determines the method used to deliver notifications to users. Supported delivery methods are: local notifications displayed in the authentik UI, email, and webhook. Follow these [instructions](https://docs.goauthentik.io/sys-mgmt/events/transports/#create-a-notification-transport) to create a notification transport. 2\. Create a policy[​](https://docs.goauthentik.io/sys-mgmt/events/notifications/#2-create-a-policy "Direct link to 2. Create a policy") ----------------------------------------------------------------------------------------------------------------------------------------- You will need to create a policy (either the **Event Matcher** policy or a custom Expression policy) that defines which events will trigger a notification. ### Event Matcher policy[​](https://docs.goauthentik.io/sys-mgmt/events/notifications/#event-matcher-policy "Direct link to Event Matcher policy") For simple event matching you can [create and configure](https://docs.goauthentik.io/customize/policies/working_with_policies/) an **Event Matcher policy** to define which events (known as _Actions_ in the policy) will trigger a notification. For example, whenever a user deletes a model object, or whenever any user fails to successfully log in. Be aware that an event has to match all configured fields in the policy, otherwise the notification rule will not trigger. ### Expression policy for events[​](https://docs.goauthentik.io/sys-mgmt/events/notifications/#expression-policy-for-events "Direct link to Expression policy for events") To match events with an **Expression Policy**, you can write code like so: if "event" not in request.context: return Falsereturn ip_address(request.context["event"].client_ip) in ip_network('192.0.2.0/24') For more code examples, see [notification rule expression policies](https://docs.goauthentik.io/sys-mgmt/events/notification_rule_expression_policies/) . 3\. Create a notification rule and bind it to the policy[​](https://docs.goauthentik.io/sys-mgmt/events/notifications/#3-create-a-notification-rule-and-bind-it-to-the-policy "Direct link to 3. Create a notification rule and bind it to the policy") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- After you've created the policies to match the events you want, create a notification rule. 1. Log in as an administrator, open the authentik Admin interface, and navigate to **Event > Notification Rules**. 2. Click **Create** to add a new notification rule or click the **Edit** icon next to an existing rule to modify it. 3. Define the policy configurations, and then click **Create** or **Update** to save the settings. * Note that policies are executed regardless of whether a group is selected. However, notifications are only triggered when a group is selected. * You also have to select which [notification transport](https://docs.goauthentik.io/sys-mgmt/events/transports/) should be used to send the notification. Two notification transports are created by default: * `default-email-transport`: Delivers notifications via email using the [global email configuration](https://docs.goauthentik.io/install-config/install/docker-compose/#email-configuration-optional-but-recommended) . * `default-local-transport`: Delivers notifications within the authentik UI. 4. In the list of notification rules, click the arrow in the row of the notification rule to expand the details of the rule. 5. Click **Bind existing Policy/Group/User** and in the **Create Binding** modal, select the policy that you created for this notification rule and then click **Create** to finalize the binding. info Be aware that policies are executed even when no group is selected. * [Workflow overview](https://docs.goauthentik.io/sys-mgmt/events/notifications/#workflow-overview) * [1\. Create a notification transport](https://docs.goauthentik.io/sys-mgmt/events/notifications/#1-create-a-notification-transport) * [2\. Create a policy](https://docs.goauthentik.io/sys-mgmt/events/notifications/#2-create-a-policy) * [Event Matcher policy](https://docs.goauthentik.io/sys-mgmt/events/notifications/#event-matcher-policy) * [Expression policy for events](https://docs.goauthentik.io/sys-mgmt/events/notifications/#expression-policy-for-events) * [3\. Create a notification rule and bind it to the policy](https://docs.goauthentik.io/sys-mgmt/events/notifications/#3-create-a-notification-rule-and-bind-it-to-the-policy) --- # Sources | authentik [Skip to main content](https://docs.goauthentik.io/users-sources/sources/#__docusaurus_skipToContent_fallback) On this page Sources allow you to connect authentik to an external user directory. Sources can also be used with social login providers such as Facebook, Twitter, or GitHub. ### Find your source[​](https://docs.goauthentik.io/users-sources/sources/#find-your-source "Direct link to Find your source") Sources are in the following general categories: * **Protocols** ([Kerberos](https://docs.goauthentik.io/users-sources/sources/protocols/kerberos/) , [LDAP](https://docs.goauthentik.io/users-sources/sources/protocols/ldap/) , [OAuth](https://docs.goauthentik.io/users-sources/sources/protocols/oauth/) , [SAML](https://docs.goauthentik.io/users-sources/sources/protocols/saml/) , and [SCIM](https://docs.goauthentik.io/users-sources/sources/protocols/scim/) ) * [**Property mappings**](https://docs.goauthentik.io/users-sources/sources/property-mappings/) or how to import data from a source * **Directory synchronization** (Active Directory, FreeIPA) * **Social logins** (Apple, Discord, Twitch, Twitter, and many others) For instructions to add a specific source, refer to the documentation links in the left navigation pane. ### Add sources to default login page[​](https://docs.goauthentik.io/users-sources/sources/#add-sources-to-default-login-page "Direct link to Add sources to default login page") To have sources show on the default login screen you will need to add them to the flow. The process below assumes that you have not created or renamed the default stages and flows. 1. Log in to authentik as an administrator and open the authentik Admin interface. 2. Navigate to **Flows and Stages** > **Flows**. 3. Click the **default-authentication-flow**. 4. Click the **Stage Bindings** tab. 5. Click **Edit Stage** on the **default-authentication-identification** stage. 6. Under **Source settings**, add sources to **Selected sources** to have them displayed on the authentik login page. * [Find your source](https://docs.goauthentik.io/users-sources/sources/#find-your-source) * [Add sources to default login page](https://docs.goauthentik.io/users-sources/sources/#add-sources-to-default-login-page) --- # Manage users | authentik [Skip to main content](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#__docusaurus_skipToContent_fallback) On this page The following topics are for the basic management of users: how to create, modify, delete or deactivate users, and using a recovery email. [Policies](https://docs.goauthentik.io/customize/policies/) can be used to further manage how users are authenticated. For example, by default authentik does not require email addresses be unique, but you can use a policy to [enforce unique email addresses](https://docs.goauthentik.io/customize/policies/expression/unique_email/) . Create a user[​](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#create-a-user "Direct link to Create a user") ------------------------------------------------------------------------------------------------------------------------------------- > If you want to automate user creation, you can do that either by [invitations](https://docs.goauthentik.io/users-sources/user/invitations/) > , [`user_write` stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/user_write/) > , or [using the API](https://api.goauthentik.io/reference/core-users-create) > . 1. In the Admin interface of your authentik instance, select **Directory** > **Users** in the left side menu. 2. Select the folder where you want to create a user. 3. Click **Create** (for a default user). 4. Fill in the required fields: * **Username**: This value must be unique across your user folders. * **Path**: The path where the user will be created. It will be automatically populated with the folder you selected in the previous step. 5. Fill the **_optional_** fields if needed: * **Name**: The display name of the user. * **Email**: The email address of the user. Email addresses are used in [email stages](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/) and to receive [notifications](https://docs.goauthentik.io/sys-mgmt/events/notifications/) , if configured. * **Is active**: Define if the newly created user account is active. Selected by default. * **Attributes**: Custom attributes definition for the user, in YAML or JSON format. These attributes can be used to enforce additional prompts on authentication stages or define conditions to enforce specific policies if the current implementation does not fit your use case. The value is an empty dictionary by default. 6. Click **Create** You should see a confirmation pop-up on the top-right of the screen that the user has been created, and see the new user in the user list. You can directly click the username if you want to [modify your user](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#modify-a-user) . info To create a super-user, you need to add the user to a group that has super-user permissions. For more information, refer to [Create a Group](https://docs.goauthentik.io/users-sources/groups/manage_groups/#create-a-group) . Advanced queries for usersEnterprise[​](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#tell-me-more "Direct link to tell-me-more") ---------------------------------------------------------------------------------------------------------------------------------------------------------- You can create advanced queries to locate specific users within the list shown under **Directory** > **Users** in the Admin interface. Use the auto-complete in the **Search** field or enter your own queries to return results with greater specificity. * **Field**: `username`, `path`, `name`, `email`, `path`, `is_active`, `type`, `attributes` * **Operators**: `=`, `!=`, `~`, `!~`, `startswith`, `not startswith`, `endswith`, `not endswith`, `in`, `not in` * **Values**: `True`, `False`, `None`, and more * **Example queries**: * search user by status: `is_active = False` * search user by username: `username = "bob"` * search user by email address: `email = "[[email protected]](https://docs.goauthentik.io/cdn-cgi/l/email-protection) "` * search user by attribute: `attribute.my_custom_attribute = "foo"` info 1. To dismiss the drop-down menu option, click **ESC**. 2. If the list of operators does not appear in a drop-down menu you will need to manually enter it. View user details[​](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#view-user-details "Direct link to View user details") ------------------------------------------------------------------------------------------------------------------------------------------------- In the **Directory** > **Users** menu of the Admin interface, you can browse all the users in your authentik instance. To view details about a specific user: 1. In the list of all users, click on the name of the user you want to check. This takes you to the **Overview** tab, with basic information about the user, and also quick access to perform basic actions to the user. 2. To see further details, click any of the other tabs: * **Session** shows the active sessions established by the user. If there is any need, you can clean up the connected devices for a user by selecting the device(s) and then clicking **Delete**. This forces the user to authenticate again on the deleted devices. * **Groups** allows you to manage the group membership of the user. You can find more details on [groups](https://docs.goauthentik.io/users-sources/groups/) . * **User events** displays all the events generated by the user during a session, such as login, logout, application authorisation, password reset, user info update, etc. * **Explicit consent** lists all the permissions the user has given explicitly to an application. Entries will only appear if the user is validating an [explicit consent flow in an OAuth2 provider](https://docs.goauthentik.io/add-secure-apps/providers/oauth2/) . If you want to delete the explicit consent (because the application is requiring new permissions, or the user has explicitly asked to reset his consent on third-party apps), select the applications and click **Delete**. The user will be asked to again give explicit consent to share information with the application. * **OAuth Refresh Tokens** lists all the OAuth tokens currently distributed. You can remove the tokens by selecting the applications and then clicking **Delete**. * **MFA Authenticators** shows all the authentications that the user has registered to their user profile. You can remove the tokens if the user has lost their authenticator and want to enroll a new one. Modify a user[​](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#modify-a-user "Direct link to Modify a user") ------------------------------------------------------------------------------------------------------------------------------------- After the creation of the user, you can edit any parameter defined during the creation. To modify a user object, go to **Directory** > **Users**, and click the edit icon beside the name. You can also go into [user details](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#view-user-details) , and click **Edit**. Assign, modify, or remove permissions for a user[​](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#assign-modify-or-remove-permissions-for-a-user "Direct link to Assign, modify, or remove permissions for a user") -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- You can grant a user specific global or object-level permissions. Alternatively, you can add a user to a group that has the appropriate permissions, and the user inherits all of the group's permissions. For more information, review ["Permissions"](https://docs.goauthentik.io/users-sources/access-control/permissions/) . Add a user to a group[​](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#add-a-user-to-a-group "Direct link to Add a user to a group") ------------------------------------------------------------------------------------------------------------------------------------------------------------- 1. To add a user to a group, navigate to **Directory** > **Users** to display all users. 2. Click the name of the user to display the full user details page. 3. Click the **Groups** tab, and then click either **Add to existing group** or **Add to new group**. User credentials recovery[​](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#user-credentials-recovery "Direct link to User credentials recovery") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- If a user has lost their credentials and needs to recover their account, there are two available options: 1. Create a recovery link and send it to the user 2. Have authentik send the user a recovery email Both options require you to configure a recovery flow and set it as the **Default recovery flow** for the active brand. ### Configure a recovery flow[​](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#configure-a-recovery-flow "Direct link to Configure a recovery flow") To get started, you can [import](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/#import-or-export-a-flow) this example flow: [Recovery with email verification flow](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/examples/flows/#recovery-with-email-verification) Then, set this as the default recovery flow for the active brand: 1. In the Admin interface, navigate to **System** > **Brands**, and select the active brand. 2. Under **Default flows**, set **Recovery flow** to the imported recovery flow: `default-recovery-flow`. 3. Click **Update**. Now that you've configured a recovery flow, you can select one of the following options: ### 1\. Create a recovery link[​](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#1-create-a-recovery-link "Direct link to 1. Create a recovery link") Email stage not required The example recovery flow includes an email stage. However, if you're manually sending the recovery link to the user, this email stage is not required and can be removed. 1. In the Admin interface, navigate to **Directory** > **Users** to display all users. 2. Click the name of the user to display the full User details page. 3. To generate a recovery link, which you can then send to the user, click **Create recovery link**. A pop-up will appear on your browser with the link for you to copy and to send to the user. ### 2\. Email a recovery link[​](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#2-email-a-recovery-link "Direct link to 2. Email a recovery link") Email stage required This option is only available if the default recovery flow has an [Email Stage](https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/email/) bound to it. The example recovery flow includes an email stage. You can send a link with the URL for the user to reset their password via Email. This option will only work if you have [configured email](https://docs.goauthentik.io/install-config/email/) and set an email address for the user. 1. In the Admin interface, navigate to **Directory** > **Users** to display all users. 2. Click the name of the user to display the full User details page. 3. To send the email to the user, click **Email recovery link**. If the user does not receive the email, check if the mail server parameters [are properly configured](https://docs.goauthentik.io/troubleshooting/emails/) . Reset the password for the user[​](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#reset-the-password-for-the-user "Direct link to Reset the password for the user") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- As an Admin, you can simply reset the password for the user. 1. In the Admin interface, navigate to **Directory** > **Users** to display all users. 2. Either click the name of the user to display the full User details page, or click the chevron beside their name to expand the options. 3. To reset the user's password, click **Reset password**, and then define the new value. Deactivate or Delete user[​](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#deactivate-or-delete-user "Direct link to Deactivate or Delete user") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### To deactivate a user:[​](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#to-deactivate-a-user "Direct link to To deactivate a user:") 1. Go into the user list or detail, and click **Deactivate**. 2. Review the changes and click **Update**. The active sessions are revoked and the authentication of the user blocked. You can reactivate the account by following the same procedure. ### To delete a user:[​](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#to-delete-a-user "Direct link to To delete a user:") caution This deletion is not reversible, so be sure you do not need to recover any identity data of the user. You may instead deactivate the account to preserve identity data. 1. Go into the user list and select one (or multiple users) to delete and click **Delete** on the top-right of the page. 2. Review the changes and click **Delete**. The user list refreshes and no longer displays the removed users. Impersonate a user[​](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#impersonate-a-user "Direct link to Impersonate a user") ---------------------------------------------------------------------------------------------------------------------------------------------------- With authentik, an Admin can impersonate a user, meaning that the Admin temporarily assumes the identity of the user. 1. In the Admin interface, navigate to **Directory** > **Users** to display all users. 2. Click the name of the user to display the full User details page. 3. On the Overview tab, beneath **User Details**, in the **Actions** area, click **Impersonate**. 4. At the prompt, provide a reason why you are impersonating this user, and then click **Impersonate**. info An Admin can globally enable or disable impersonation in the [System Settings](https://docs.goauthentik.io/sys-mgmt/settings/#impersonation) . By default, this option is set to true, meaning all users can be impersonated. An Admin can also configure whether inputting a reason for impersonation is required in the [System Settings](https://docs.goauthentik.io/sys-mgmt/settings/#require-reason-for-impersonation) . * [Create a user](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#create-a-user) * [Advanced queries for users](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#tell-me-more) * [View user details](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#view-user-details) * [Modify a user](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#modify-a-user) * [Assign, modify, or remove permissions for a user](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#assign-modify-or-remove-permissions-for-a-user) * [Add a user to a group](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#add-a-user-to-a-group) * [User credentials recovery](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#user-credentials-recovery) * [Configure a recovery flow](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#configure-a-recovery-flow) * [1\. Create a recovery link](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#1-create-a-recovery-link) * [2\. Email a recovery link](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#2-email-a-recovery-link) * [Reset the password for the user](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#reset-the-password-for-the-user) * [Deactivate or Delete user](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#deactivate-or-delete-user) * [To deactivate a user:](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#to-deactivate-a-user) * [To delete a user:](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#to-delete-a-user) * [Impersonate a user](https://docs.goauthentik.io/users-sources/user/user_basic_operations/#impersonate-a-user) --- # Forward auth troubleshooting | authentik [Skip to main content](https://docs.goauthentik.io/troubleshooting/forward_auth/#__docusaurus_skipToContent_fallback) [📄️ General troubleshooting steps\ ---------------------------------\ \ Set the log level to TRACE](https://docs.goauthentik.io/troubleshooting/forward_auth/general/) --- # About groups | authentik [Skip to main content](https://docs.goauthentik.io/users-sources/groups/#__docusaurus_skipToContent_fallback) On this page For information about creating and editing groups refer to [Manage groups](https://docs.goauthentik.io/users-sources/groups/manage_groups/) . Hierarchy[​](https://docs.goauthentik.io/users-sources/groups/#hierarchy "Direct link to Hierarchy") ----------------------------------------------------------------------------------------------------- Groups can be children of another group. Members of children groups are effective members of the parent group. When you bind a group to an application or flow, any members of any child group of the selected group will have access. Recursion is limited to 20 levels to prevent deadlocks. Attributes[​](https://docs.goauthentik.io/users-sources/groups/#attributes "Direct link to Attributes") -------------------------------------------------------------------------------------------------------- Attributes of groups are recursively merged, for all groups the user is a member of. For more information, see [Group properties and attributes](https://docs.goauthentik.io/users-sources/groups/group_ref/) . * [Hierarchy](https://docs.goauthentik.io/users-sources/groups/#hierarchy) * [Attributes](https://docs.goauthentik.io/users-sources/groups/#attributes) --- # About roles | authentik [Skip to main content](https://docs.goauthentik.io/users-sources/roles/#__docusaurus_skipToContent_fallback) Roles are a way to simplify the assignment of permissions. Roles are also the backbone of role-based access control (RBAC), an industry standard for managing [access control](https://docs.goauthentik.io/users-sources/access-control/) . In authentik, RBAC is how you manage access to system components and specific objects such as flows, stages, users, etc. Think of roles as a collection of permissions. A role, along with its "bucket" of assigned permissions, can then be assigned to a group, which means that every user who is a part of that group will inherit all of the permissions in that role's "bucket". For example, let's take a look at the following scenario: > You need to add 5 new users, all new hires, to authentik, your identity management system. These users will be the first team members on the brand new Security team, so they will need some high-level permissions, with object permissions to create and remove other users, revoke permissions, and send recovery emails. They will also need [global permissions](https://docs.goauthentik.io/users-sources/access-control/permissions/#fundamentals-of-authentik-permissions) > to control access to flows and stages. The easiest workflow for setting up these new users involves [creating a role](https://docs.goauthentik.io/users-sources/roles/manage_roles/#create-a-role) specifically for their type of work, and then [assigning that role to a group](https://docs.goauthentik.io/users-sources/roles/manage_roles/#assign-a-role-to-a-group) to which all of the users belong. To learn more about working with roles in authentik, refer to the following topics: [📄️ Manage roles\ ----------------\ \ Learn how to work with roles and permissions in authentik.](https://docs.goauthentik.io/users-sources/roles/manage_roles/) --- # User properties and attributes | authentik [Skip to main content](https://docs.goauthentik.io/users-sources/user/user_ref/#__docusaurus_skipToContent_fallback) On this page Object properties[​](https://docs.goauthentik.io/users-sources/user/user_ref/#object-properties "Direct link to Object properties") ------------------------------------------------------------------------------------------------------------------------------------ The User object has the following properties: * `username`: User's username. * `email`: User's email. * `uid`: User's unique ID. Read-only. * `name`: User's display name. * `is_staff`: Boolean field defining if user is staff. * `is_active`: Boolean field defining if user is active. * `date_joined`: Date user joined/was created. Read-only. * `password_change_date`: Date password was last changed. Read-only. * `path`: User's path, see [Path](https://docs.goauthentik.io/users-sources/user/user_ref/#path) * `attributes`: Dynamic attributes, see [Attributes](https://docs.goauthentik.io/users-sources/user/user_ref/#attributes) * `group_attributes()`: Merged attributes of all groups the user is a member of and the user's own attributes. Read-only. * `ak_groups`: This is a queryset of all the user's direct groups. * `all_groups()`: This is a queryset of all the user's direct and indirect groups. Clarifying direct vs indirect group membership A user is a member of a group (direct member). If that group in turn has a parent group, then the user is an indirect member of that parent group. Examples[​](https://docs.goauthentik.io/users-sources/user/user_ref/#examples "Direct link to Examples") --------------------------------------------------------------------------------------------------------- These are examples of how User objects can be used within Policies and Property Mappings. ### List a user's group memberships[​](https://docs.goauthentik.io/users-sources/user/user_ref/#list-a-users-group-memberships "Direct link to List a user's group memberships") Use the following example to list all groups that a user object is a direct member of: for group in user.ak_groups.all(): yield group.name ### List a user's group memberships and filter based on group name[​](https://docs.goauthentik.io/users-sources/user/user_ref/#list-a-users-group-memberships-and-filter-based-on-group-name "Direct link to List a user's group memberships and filter based on group name") Use the following example to list groups that a user object is a direct member of, filtered based on group name: user.ak_groups.filter(name__startswith='test') ### List a user's group memberships including parent groups[​](https://docs.goauthentik.io/users-sources/user/user_ref/#list-a-users-group-memberships-including-parent-groups "Direct link to List a user's group memberships including parent groups") Use the following example to list all groups that a user object is a direct and indirect member of: groups = [group.name for group in request.user.all_groups()] info For Django field lookups, see the [Django documentation](https://docs.djangoproject.com/en/stable/ref/models/querysets/#id4) . Path[​](https://docs.goauthentik.io/users-sources/user/user_ref/#path "Direct link to Path") --------------------------------------------------------------------------------------------- Paths can be used to organize users into folders depending on which source created them or organizational structure. Paths may not start or end with a slash, but they can contain any other character as path segments. The paths are currently purely used for organization, it does not affect their permissions, group memberships, or anything else. Attributes[​](https://docs.goauthentik.io/users-sources/user/user_ref/#attributes "Direct link to Attributes") --------------------------------------------------------------------------------------------------------------- ### `goauthentik.io/user/can-change-username`[​](https://docs.goauthentik.io/users-sources/user/user_ref/#goauthentikiousercan-change-username "Direct link to goauthentikiousercan-change-username") Optional flag, when set to false prevents the user from changing their own username. ### `goauthentik.io/user/can-change-name`[​](https://docs.goauthentik.io/users-sources/user/user_ref/#goauthentikiousercan-change-name "Direct link to goauthentikiousercan-change-name") Optional flag, when set to false prevents the user from changing their own name. ### `goauthentik.io/user/can-change-email`[​](https://docs.goauthentik.io/users-sources/user/user_ref/#goauthentikiousercan-change-email "Direct link to goauthentikiousercan-change-email") Optional flag, when set to false prevents the user from changing their own email address. ### `goauthentik.io/user/token-expires`:[​](https://docs.goauthentik.io/users-sources/user/user_ref/#goauthentikiousertoken-expires "Direct link to goauthentikiousertoken-expires") Optional flag, when set to false, Tokens created by the user will not expire. Only applies when the token creation is triggered by the user with this attribute set. Additionally, the flag does not apply to superusers. ### `goauthentik.io/user/token-maximum-lifetime`:[​](https://docs.goauthentik.io/users-sources/user/user_ref/#goauthentikiousertoken-maximum-lifetime "Direct link to goauthentikiousertoken-maximum-lifetime") Optional flag, when set, defines the maximum lifetime of user-created tokens. Defaults to the system setting if not set. Only applies when `goauthentik.io/user/token-expires` set to true. Format is string of format `days=10;hours=1;minute=3;seconds=5`. ### `goauthentik.io/user/debug`:[​](https://docs.goauthentik.io/users-sources/user/user_ref/#goauthentikiouserdebug "Direct link to goauthentikiouserdebug") See [Troubleshooting access problems](https://docs.goauthentik.io/troubleshooting/access/) , when set, the user gets a more detailed explanation of access decisions. ### `additionalHeaders`:[​](https://docs.goauthentik.io/users-sources/user/user_ref/#additionalheaders "Direct link to additionalheaders") info This field is only used by the Proxy Provider. Some applications can be configured to create new users using header information forwarded from authentik. You can forward additional header information by adding each header underneath `additionalHeaders`: #### Example[​](https://docs.goauthentik.io/users-sources/user/user_ref/#example "Direct link to Example") additionalHeaders: REMOTE-USER: joe.smith REMOTE-EMAIL: [email protected] REMOTE-NAME: Joseph These headers will now be passed to the application when the user logs in. Most applications will need to be configured to accept these headers. Some examples of applications that can accept additional headers from an authentik Proxy Provider are [Grafana](https://grafana.com/docs/grafana/latest/auth/auth-proxy/) and [Tandoor Recipes](https://docs.tandoor.dev/features/authentication/) . * [Object properties](https://docs.goauthentik.io/users-sources/user/user_ref/#object-properties) * [Examples](https://docs.goauthentik.io/users-sources/user/user_ref/#examples) * [List a user's group memberships](https://docs.goauthentik.io/users-sources/user/user_ref/#list-a-users-group-memberships) * [List a user's group memberships and filter based on group name](https://docs.goauthentik.io/users-sources/user/user_ref/#list-a-users-group-memberships-and-filter-based-on-group-name) * [List a user's group memberships including parent groups](https://docs.goauthentik.io/users-sources/user/user_ref/#list-a-users-group-memberships-including-parent-groups) * [Path](https://docs.goauthentik.io/users-sources/user/user_ref/#path) * [Attributes](https://docs.goauthentik.io/users-sources/user/user_ref/#attributes) * [`goauthentik.io/user/can-change-username`](https://docs.goauthentik.io/users-sources/user/user_ref/#goauthentikiousercan-change-username) * [`goauthentik.io/user/can-change-name`](https://docs.goauthentik.io/users-sources/user/user_ref/#goauthentikiousercan-change-name) * [`goauthentik.io/user/can-change-email`](https://docs.goauthentik.io/users-sources/user/user_ref/#goauthentikiousercan-change-email) * [`goauthentik.io/user/token-expires`:](https://docs.goauthentik.io/users-sources/user/user_ref/#goauthentikiousertoken-expires) * [`goauthentik.io/user/token-maximum-lifetime`:](https://docs.goauthentik.io/users-sources/user/user_ref/#goauthentikiousertoken-maximum-lifetime) * [`goauthentik.io/user/debug`:](https://docs.goauthentik.io/users-sources/user/user_ref/#goauthentikiouserdebug) * [`additionalHeaders`:](https://docs.goauthentik.io/users-sources/user/user_ref/#additionalheaders) --- # About permissions | authentik [Skip to main content](https://docs.goauthentik.io/users-sources/access-control/permissions/#__docusaurus_skipToContent_fallback) On this page Permissions are the central components in all access control systems, the lowest-level components, the controlling pieces of access data. Permissions are assigned to (or removed from!) to define exactly WHO can do WHAT to WHICH part of the overall software system. info Note that global and object permissions only apply to objects within authentik, and not to who can access certain applications (which are access-controlled using [policies](https://docs.goauthentik.io/customize/policies/) ). For instructions to add, remove, and manage permissions, refer to [Manage Permissions](https://docs.goauthentik.io/users-sources/access-control/manage_permissions/) . Fundamentals of authentik permissions[​](https://docs.goauthentik.io/users-sources/access-control/permissions/#fundamentals-of-authentik-permissions "Direct link to Fundamentals of authentik permissions") ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- There are two main types of permissions in authentik: * [**Global permissions**](https://docs.goauthentik.io/users-sources/access-control/permissions/#global-permissions) * [**Object permissions**](https://docs.goauthentik.io/users-sources/access-control/permissions/#object-permissions) Additionally, authentik employs _initial permissions_ to streamline the process of granting object-level permissions when an object (user or role) is created. This feature enables an Admin to proactively assign specific rights to a user for object creation, as well as for viewing and managing those objects and other objects created by individuals in the same role. For more details, refer to [Initial permissions](https://docs.goauthentik.io/users-sources/access-control/initial_permissions/) . ### Global permissions[​](https://docs.goauthentik.io/users-sources/access-control/permissions/#global-permissions "Direct link to Global permissions") Global permissions define who can do what on a global level across the entire system. Some examples in authentik are the ability to add new [flows](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/) or to create a URL for users to recover their login credentials. You can assign _global permissions_ to individual [users](https://docs.goauthentik.io/users-sources/user/) or to [roles](https://docs.goauthentik.io/users-sources/roles/) . The most common and best practice is to assign permissions to roles. An example of a global permission is [`Can view admin interface`](https://docs.goauthentik.io/users-sources/access-control/manage_permissions/#assign-can-view-admin-interface-permissions) , which an administrator can assign to a non-administrator user or role to provide view access to the Admin interface. ### Object permissions[​](https://docs.goauthentik.io/users-sources/access-control/permissions/#object-permissions "Direct link to Object permissions") Object permissions have two categories: * **_User_ object permissions**: defines WHO (which user) can change the **_object_** * **_Role_ object permissions**: defines which ROLE can change the **_object_** Object permissions are assigned, as the name indicates, to an object ([users](https://docs.goauthentik.io/users-sources/user/) , [groups](https://docs.goauthentik.io/users-sources/groups/) , [roles](https://docs.goauthentik.io/users-sources/roles/) , [flows](https://docs.goauthentik.io/add-secure-apps/flows-stages/flow/) , and stages), and the assigned permissions state exactly what a user or role can do TO the object (i.e. what permissions does the user or role have on that object). When working with object permissions it is important to understand that when you are viewing the page for an object, the permissions table shows which users or roles have permissions ON that specific object. Those permissions describe what those users or roles can do TO the object detailed on the page. For example, the Admin interface UI shown below shows a user page for the user named Peter. ![](https://docs.goauthentik.io/assets/images/user-page-9ffb2c8c668e179a977a3548bf1e87ca.png) You can see in the **User Object Permissions** table that the Admin user (`akadmin`) and one other user (roberto) has permissions on Peter (that is, on the user object named Peter). Looking at another example, with a flow object called `default-recovery-flow`, you can see that the Admin user (akadmin) has all object permissions on the flow, but roberto only has a few permissions on that flow. ![](https://docs.goauthentik.io/assets/images/flow-page-d452b5bac80eeb33bb98e13bda3f1c54.png) * [Fundamentals of authentik permissions](https://docs.goauthentik.io/users-sources/access-control/permissions/#fundamentals-of-authentik-permissions) * [Global permissions](https://docs.goauthentik.io/users-sources/access-control/permissions/#global-permissions) * [Object permissions](https://docs.goauthentik.io/users-sources/access-control/permissions/#object-permissions) --- # I can't access an application | authentik [Skip to main content](https://docs.goauthentik.io/troubleshooting/access/#__docusaurus_skipToContent_fallback) If your user is a superuser, or has the attribute `goauthentik.io/user/debug` set to true (can also be set on a group level): ![](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAggAAACGCAMAAACPB4LQAAAATlBMVEUnKCLc3NxoU446OD709PQVFRWJaML///+ugf8tLCtTTGCMjIxnZ2dHQ061tbTFxcWkpKSZc9z1JnCkeu94eHj7lh/RJmN0Kj2lJ1K1cSAdkdtaAAAACXBIWXMAAAsSAAALEgHS3X78AAAKdklEQVR42u2di3bjqg6GjQHb4Hvs03Te/0XPL4EvSdPOdJ2ZOdP019p1CJZBRh8STrKHov6SMgR9mULtwmqmYqjt5EzrnDd1Zwez4rW3xsQOusYN3rkRf3UbBtNZN1jjpkFaWNt69Gs9hrr1o2nDruLa6NBcZ8Yw7Z20fkIjdX1zEtce7bUrDsVo/OjG9s11awcjzdFqNw5hTTfTtXXbaZWJhbQkWkO0u0FS5dAsbmQ1bqucULR1urkujqNF/9sAQEaYEYbc76kC/RjTjem6fjLeFF8aBLxMwYnTatvqUHkDH6AgIEy4b6+1UjYepQCHQGGwo8sN2Xpdg/gPbsDl46aS32P00PjWidSpnE8qCFt7OwiDU1Bvr1s7U59aLaADRk8gTGLvmEEwchh2g+p0Wzjt6qPSKfxyc/CmE+T3AVBx0mzq91Qx2WSvDgoGp1u/Nghrh8lmIbE20YdWRm/09QGC8TKjrC0SCM4H0R4woXw0ebiDsaYfkrPCuKkcvh76vZO3IOAkQDjayyCg3ksbd9eZrvCr21vtkgEnELTqBAJuYjdoByGcbqQLts8gjNqZPQZAOQ8hdLnfU8VuUAZh9F8aBMw7mXRb5ViMGhHMDQgSFNwREfaJsUZ9jauF97zbQNhVzr7eOnkPhKO9NiYQUIHZ/eY6WNS3e6s5ImjYyhGheBQRjvveQNgq297Vp4iQnWs2ECTC5c7R76lC+zmBUNuvCkJhzNgiuWsadpIpZTQEhDr2o2sPEGRcTJg0ckq+dQYTYNKIrUPpZZUQ6x2ErCLRc5+7uZPDoeeTcMzRntgwyWrDAVZ3f107gskdBFesZuyxMChaZ4q0Rigkd2cQVme6sNusgoyQQMiVE0AYFQTcXIyjG+DobQBkcLAc6Lrc76lC1ghpyIzmTZDxRUHw3oduSKh7hGXXFkVKDbhR79ub1BB6i3LnJYYXHkOOa4pumz+jeOIAIavUzvpuc1nu5ADhfBKOObWHq1tEps4X/fjmuiEUxZEaamM9mpF47WNUEKSq2EEofC9RIRuUsEXuC/Ve6boidNKc3hxuHI7W1/VIDVgwp35PFWpYl6+TgXJfFIQbcS6vgo710BYm6/OZpOfO17zTYP1W5/6Cu/fH263kfqL3SPmuuJfdo+tvbyQ9zbh3tM723Y1afv8MINwJHpRMF2vKp+QZQegCUjNd++1BoBAECkGgEAQKQaAQBApBoBAECkGgEAQKQaAQBApBoBAECkGgEAQKQaAQBApBoBAECkGgEAQKQaAQBApBoBAECkGgEIS/aTbldwtBoBAECkGgEAQKQaAQBApBoBAECkGgEAQKQaAQBApBoBAEyt8GweDfoh/HfweEH/9JUhS58KO45tKVfv0dIPSyDwIcPx5HkU62Q+judN3g/kEQftCvvwEEg70QxLte/4VzH88R4Q0IrR//b6khqNyUwlFH+V9BWH3npwcgpJ3H/iEQKH8UBOet8T02/dA9UvToQou80AZsVBe7gI2wcBb+77D5R+FDMPWoW1nJHlKhMwThOUCYsMlRxB5Zkw/TkI4O+9G0spUgCh32icGWWvjDoqGeOr9O2J3Ktj1qsO3Y1BOEJwEBu8c52fHqlBqcFhUE2Q4I8WIDIaWGiN2sUOsCdp5kangSEGSpCMF2cGcQuhMIdSjuQAh6ieyD6T0jwpOAgGAwDEMHR78Hgq4gJGTEIyJs3jfDm+UkQfiSILhCt4Yc4U8LJGo9nkDwK/aZw96B2GsOW8/JvntR1gihbbE9cr8OE0F4DhCG9GESoj12qhWnyvEEQuy9bkI6oVoigovYiVAfMXTvRbw4gvB0HzHf76dYP9qLMO+m+AvbKRIEfulEEAgCQSAIBIEgEASCQBAIwpOAYO0HJ/tHX3KH6nNffX9WnyD8DhDymFdz+QtaUmrmpD8/gqR51ErVfM6xm36Y5+pc/bGJj6wOBOFXpWzSa2yqj6LAyZVJMc6PvPsQhNB8zoG7fiiXs1Efm/hIXl4IwmdBKOaPQXiTD+IvT/PykwHhpF/dGDX/ZhDC9wChrKpYVZhcsWoWzbqhnJullByMt5Ucgq2a3lo5OS+lnkSer5pG9OXqRWenLZvSprVBpU0mEHpt45zbq6pP4FRLk4uY4JWe6qXBXg1rluRTtSeoqT16TY2FNPFDsv9kD0AQk8LJfjGtKstUbKfuxnnX6+VyvV5x6lUKL5eXcL28FOFyET7Cy+Vyef0GIMyNSsQEa+AWmWVlM6NkkXtxKOUQk9Kc9Oes1VSVlHpchf96uCZJUBBygAYI0CxvF3kV+hPXoa25SWW0ZzXvl0JklPcVUGi0boE9s6LaSF/20A+Ldlmd7Mm3tITDfulJ1XB2dc7dxoOLCn60fX29AIOXSwANwEIOggMKr08PQo/BgadKeHEJW37FL1ej+E4jvR6gYtPvWWVcezgqZBrUBWWez7GJ+69e5w2Esnmzug/J+UIP2ldyQsrzmvj1tC4Fy1lNVBqinNDTxaGPvsX+6mzPnOrKk/0LerKLdiQghPdSg/JQSGzIh1etuFzCs4OgiVZGP6ZZK1MwTbwbEG7XCKLfywTERF1yG9V8t0bYQWje5v4EwvZgoRfFpr8FATN8mUubp3qVEDhCS9Zfkv3V2Z650YaWw/6URtKiIkzj+u4aYZv6OwgSIRAjLtfnB8HegLA0MoTR2h2EPoNwnugJhFIkZkjeB2HeV/HhHoTqiPHLUtyCEGKFGK+cLdqT3SNJcehr7igSCJs9c5PP7PafQUDD7y8WN4ffgfD6Gr5BarC20jA669sFf2V+wFOvVAcIEvU3EGTGyajaWxBkmtpbEDRyJ49vNO2pQaezHPvNxaIbNTUk3/UbojacQdj0Z+kxamrY7TnVbfZjMYu8pd1H/K9mPwXhKoUXBeH6mQeHL7xY1DSQBmyRxZms+bSwRBm/Ki/F+2bWpVtsll5Wkxb6c4mV2FzYWQLEknK4XhqKWOo87mUpH6SZmNaZ6j3MWywEMcMl6OeV5LzsnxJpl9J+FfVTCKwHoS3PJdt1J33JCLMudnd7JBktWEPak/32WMa2b9cIr5fXqywI8fzwoo8PWCO+XDUh4Ini9fr6DVIDhhL+0ulfygDKjI4YRXliwzmMcdXkkJDdg5mm5CR9PKVJMg9VeqaQS6u44QXVKiVtjQlR16P7w0VM6unBc0/+0lKVHCsN9LkKXhagmjf64nY1arcnNTCL0Yf9IZYxpYbeuOF+ySIPDi/XIj0+vCY2UHO5SGzIjxTf4QOlbVj3j1rDow9Twp/4aDY3YatHXR7t33f0M/2HRu8fSf/Kh8ynvq/he3yglBLCk0uQ5DLzS6cPQJBPiOLTfz+MtcTyF76s5NfQXyAm8GtogsDfIxAEgkAQCAJBIAgEgSAQBIJAEAgCQSAIBIEgEASCQBAIAkEgCASBIBAEgkAQCAJBIAgEgSAQBIJAEAgCQSAIBIEgEASCQBAIAkEgCASBIBAEgkAQCAJBIAgEgSAQBIJAEAgCQaAQBApBoBAECkGgEAQKQaAQBApBoBAECkGgEAQKQaAQBApBoBAECkEgCASBIBAEgvAHOfgvrqstRY2FMH8AAAAASUVORK5CYII=) Afterwards, try to access the application again. You will now see a message explaining which policy denied you access: ![](https://docs.goauthentik.io/assets/images/access_denied_message-f66673f8ace6245d3d497c8a4be4a9a5.png) ---