core: add flag for future default behaviour of requiring a binding to access an application#16247

Merged
BeryJu merged 8 commits into main from core/flag-policy-required
Mar 23, 2026
@BeryJu BeryJu commented Aug 19, 2025

closes #2245
closes #3732

This adds a flag to opt in early to the new behaviour, which will make applications not accessible by default and require a binding to be in place to explicitly grant access.

@BeryJu BeryJu requested review from a team as code owners August 19, 2025 12:37
netlify bot commented Aug 19, 2025

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit 6f20dae
🔍 Latest deploy log https://app.netlify.com/projects/authentik-docs/deploys/699db34f765454000834248b
😎 Deploy Preview https://deploy-preview-16247--authentik-docs.netlify.app
netlify bot commented Aug 19, 2025

Deploy Preview for authentik-storybook ready!

Name Link
🔨 Latest commit 8da4d35
🔍 Latest deploy log https://app.netlify.com/projects/authentik-storybook/deploys/69c1686de6db810008f59c4d
😎 Deploy Preview https://deploy-preview-16247--authentik-storybook.netlify.app
netlify bot commented Aug 19, 2025

Deploy Preview for authentik-integrations canceled.

Name Link
🔨 Latest commit 379fa80
🔍 Latest deploy log https://app.netlify.com/projects/authentik-integrations/deploys/69344b8d502500000878da38

codecov bot commented Aug 19, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.81%. Comparing base (d6604d9) to head (8da4d35).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #16247   +/-   ##
=======================================
  Coverage   92.80%   92.81%           
=======================================
  Files        1000     1000           
  Lines       56536    56560   +24     
  Branches      425      425           
=======================================
+ Hits        52469    52494   +25     
+ Misses       4067     4066    -1     
Flag Coverage Δ
conformance 37.40% <36.00%> (+<0.01%) ⬆️
e2e 42.90% <44.00%> (+<0.01%) ⬆️
integration 22.23% <16.00%> (-0.01%) ⬇️
rust 0.23% <ø> (ø)
unit 91.71% <92.00%> (+<0.01%) ⬆️
unit-migrate 91.80% <92.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown.

@BeryJu BeryJu force-pushed the core/flag-policy-required branch from 77c9c76 to c803b81 Compare September 25, 2025 15:17
@BeryJu BeryJu force-pushed the core/flag-policy-required branch from c803b81 to 379fa80 Compare December 6, 2025 15:28
github-actions bot commented Dec 6, 2025

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-8da4d35e56a40241cb4fa14c1600f9d878427b82
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-8da4d35e56a40241cb4fa14c1600f9d878427b82

Afterwards, run the upgrade commands from the latest release notes.

…ible to everyone or not

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

# Conflicts:
#	authentik/policies/views.py
#	schema.yml
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>

# Conflicts:
#	web/src/admin/admin-settings/AdminSettingsForm.ts
Signed-off-by: Jens Langhammer <jens@goauthentik.io>

# Conflicts:
#	authentik/core/api/applications.py
#	authentik/providers/oauth2/views/token.py
#	schema.yml
#	web/src/admin/admin-settings/AdminSettingsForm.ts
#	web/src/common/ui/config.ts
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu force-pushed the core/flag-policy-required branch from 1955286 to 415614d Compare March 23, 2026 16:20
Signed-off-by: Jens Langhammer <jens@goauthentik.io>

# Conflicts:
#	authentik/policies/apps.py
#	schema.yml
@BeryJu BeryJu force-pushed the core/flag-policy-required branch from 415614d to 8da4d35 Compare March 23, 2026 16:20
@BeryJu BeryJu merged commit d1ed30b into main Mar 23, 2026
108 checks passed
@BeryJu BeryJu deleted the core/flag-policy-required branch March 23, 2026 17:14
kensternberg-authentik added a commit that referenced this pull request Mar 26, 2026
* main:
  core: remove filter_not_expired for QS (#18274)
  tenants: fix default schema in initial migration (#21114)
  core: bump django-stubs[compatible-mypy] from 5.2.9 to 6.0.1 (#21099)
  core, web: update translations (#21097)
  lifecycle/aws: bump aws-cdk from 2.1112.0 to 2.1113.0 in /lifecycle/aws (#21098)
  core: bump types-requests from 2.32.4.20260107 to 2.32.4.20260324 (#21100)
  core: bump constructs from 10.5.1 to 10.6.0 (#21101)
  core: bump astral-sh/uv from 0.10.12 to 0.11.0 in /lifecycle/container (#21103)
  ci: bump taiki-e/install-action from 2.69.6 to 2.69.7 in /.github/actions/setup (#21104)
  web: bump flatted from 3.4.1 to 3.4.2 (#21076)
  core: bump goauthentik.io/api/v3 to 3.2026.5.0-rc1-1774286095 (#21089)
  core: bump cbor2 from 5.8.0 to 5.9.0 (#21094)
  ci: fix cherry-pick action generating empty title (#21091)
  web: bump the swc group across 1 directory with 11 updates (#21070)
  web: bump yaml from 2.8.2 to 2.8.3 in /web (#21071)
  core: add flag for future default behaviour of requiring a binding to access an application (#16247)
Successfully merging this pull request may close these issues.

Default application binding
How to restrict access to an application
