web/flow: Tidy identification stage #20261

Merged
kensternberg-authentik merged 160 commits into main from web/flow/tidy-identification-stage
Feb 25, 2026
@kensternberg-authentik
Contributor

web/flow: re-arrange IdentificationStage for maintainability

What

Every conditional section of the IdentificationStage has been separated out into its own individual render function. Where possible, the information passed to the renderer has been reduced to a bare minimum (i.e., if the function only needed the passwordlessUrl, that’s the only thing that’s passed to it), which helps highlight some inconsistencies in the API.

No change

This is a purely maintenance-level change to the code, to make it obvious what needs to be plumbed/corrected in order to expose our dialogs to password managers. No functionality has been changed.

Why

Figuring out how to turn our web components into proper elements, where what they contain is not isolated from the view of password managers, requires pulling out the functionality into small, readable components.

Future work

Doing this has exposed several fundamental issues:

  • auto-redirect is a state change from one LoginChallenge to another under a collection of conditions available on the challenge, triggered when FlowExecutor writes a new challenge. “Which challenge?” in FlowExecutor ought to be handling this, not handing it off to IdentificationStage.

  • Everything about Captcha is about Captcha. It ought to be in its own little state managing class, perhaps as a lit controller.

  • The same is true about WebAuthn.

  • host is doing very little work; at best, it’s receiving a “change this” or “submit that” message, which is an Event. Look forward to that.

  • The code has been formatted (make web)

## What

- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
  - Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
    to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`

## Note

Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* main: (43 commits)
  core, web: update translations (#11858)
  web/admin: fix code-based MFA toggle not working in wizard (#11854)
  sources/kerberos: add kiprop to ignored system principals (#11852)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#11846)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in it (#11845)
  translate: Updates for file web/xliff/en.xlf in zh_CN (#11847)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#11848)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#11849)
  translate: Updates for file web/xliff/en.xlf in it (#11850)
  website: 2024.10 Release Notes (#11839)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#11814)
  core, web: update translations (#11821)
  core: bump goauthentik.io/api/v3 from 3.2024083.13 to 3.2024083.14 (#11830)
  core: bump service-identity from 24.1.0 to 24.2.0 (#11831)
  core: bump twilio from 9.3.5 to 9.3.6 (#11832)
  core: bump pytest-randomly from 3.15.0 to 3.16.0 (#11833)
  website/docs: Update social-logins github (#11822)
  website/docs: remove � (#11823)
  lifecycle: fix kdc5-config missing (#11826)
  website/docs: update preview status of different features (#11817)
  ...
* main:
  website: bump elliptic from 6.5.7 to 6.6.0 in /website (#11869)
  core: bump selenium from 4.25.0 to 4.26.0 (#11875)
  core: bump goauthentik.io/api/v3 from 3.2024083.14 to 3.2024100.1 (#11876)
  website/docs: add info about invalidation flow, default flows in general (#11800)
  website: fix docs redirect (#11873)
  website: remove RC disclaimer for version 2024.10 (#11871)
  website: update supported versions (#11841)
  web: bump API Client version (#11870)
  root: backport version bump 2024.10.0 (#11868)
  website/docs: 2024.8.4 release notes (#11862)
  web/admin: provide default invalidation flows for LDAP and Radius (#11861)
* main:
  core: add `None` check to a device's `extra_description` (#11904)
  providers/oauth2: fix size limited index for tokens (#11879)
  web: fix missing status code on failed build (#11903)
  website: bump docusaurus-theme-openapi-docs from 4.1.0 to 4.2.0 in /website (#11897)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in de (#11891)
  stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#11884)
  translate: Updates for file web/xliff/en.xlf in tr (#11878)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in tr (#11866)
  core: bump google-api-python-client from 2.149.0 to 2.151.0 (#11885)
  core: bump selenium from 4.26.0 to 4.26.1 (#11886)
  core, web: update translations (#11896)
  website: bump docusaurus-plugin-openapi-docs from 4.1.0 to 4.2.0 in /website (#11898)
  core: bump watchdog from 5.0.3 to 6.0.0 (#11899)
  core: bump ruff from 0.7.1 to 0.7.2 (#11900)
  core: bump django-pglock from 1.6.2 to 1.7.0 (#11901)
  website/docs: fix release notes to say Federation (#11889)
* main:
  web: bump API Client version (#11909)
  enterprise/rac: fix API Schema for invalidation_flow (#11907)
* main:
  website/docs: fix slug matching redirect URI causing broken refresh (#11950)
  website/integrations: jellyfin: update plugin catalog location (#11948)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in de (#11942)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#11946)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#11947)
  website/docs: clarify traefik ingress setup (#11938)
  core: bump importlib-metadata from 8.4.0 to 8.5.0 (#11934)
  web: bump API Client version (#11930)
  root: backport version bump `2024.10.1` (#11929)
  website/docs: `2024.10.1` Release Notes (#11926)
  website: bump path-to-regexp from 1.8.0 to 1.9.0 in /website (#11924)
  core: bump sentry-sdk from 2.17.0 to 2.18.0 (#11918)
  website: bump the docusaurus group in /website with 9 updates (#11917)
  core: bump goauthentik.io/api/v3 from 3.2024100.1 to 3.2024100.2 (#11915)
  core, web: update translations (#11914)
* main:
  ci: fix dockerfile warning (#11956)
* main: (21 commits)
  web: bump API Client version (#11997)
  sources/kerberos: use new python-kadmin implementation (#11932)
  core: add ability to provide reason for impersonation (#11951)
  website/integrations:  update vcenter integration docs (#11768)
  core, web: update translations (#11995)
  website: bump postcss from 8.4.48 to 8.4.49 in /website (#11996)
  web: bump API Client version (#11992)
  blueprints: add default Password policy (#11793)
  stages/captcha: Run interactive captcha in Frame (#11857)
  core, web: update translations (#11979)
  core: bump packaging from 24.1 to 24.2 (#11985)
  core: bump ruff from 0.7.2 to 0.7.3 (#11986)
  core: bump msgraph-sdk from 1.11.0 to 1.12.0 (#11987)
  website: bump the docusaurus group in /website with 9 updates (#11988)
  website: bump postcss from 8.4.47 to 8.4.48 in /website (#11989)
  stages/password: use recovery flow from brand (#11953)
  core: bump golang.org/x/sync from 0.8.0 to 0.9.0 (#11962)
  web: bump cookie, swagger-client and express in /web (#11966)
  core, web: update translations (#11959)
  core: bump debugpy from 1.8.7 to 1.8.8 (#11961)
  ...
* main:
  providers/ldap: fix global search_full_directory permission not being sufficient (#12028)
  website/docs: 2024.10.2 release notes (#12025)
  lifecycle: fix ak exit status not being passed (#12024)
  core: use versioned_script for path only (#12003)
  core, web: update translations (#12020)
  core: bump google-api-python-client from 2.152.0 to 2.153.0 (#12021)
  providers/oauth2: fix manual device code entry (#12017)
  crypto: validate that generated certificate's name is unique (#12015)
  core, web: update translations (#12006)
  core: bump google-api-python-client from 2.151.0 to 2.152.0 (#12007)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#12011)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#12010)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#12012)
  translate: Updates for file web/xliff/en.xlf in zh_CN (#12013)
  providers/proxy: fix Issuer when AUTHENTIK_HOST_BROWSER is set (#11968)
  website/docs: move S3 ad GeoIP to System Management/Operations (#11998)
  website/integrations: nextcloud: add SSE warning (#11976)
* main:
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#12045)
  translate: Updates for file web/xliff/en.xlf in zh_CN (#12047)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#12044)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#12046)
  web/flows: fix invisible captcha call (#12048)
  rbac: fix incorrect object_description for object-level permissions (#12029)
  stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#12036)
  core: bump coverage from 7.6.4 to 7.6.5 (#12037)
  ci: bump codecov/codecov-action from 4 to 5 (#12038)
  release: 2024.10.2 (#12031)
* main: (28 commits)
  providers/scim: accept string and int for SCIM IDs (#12093)
  website: bump the docusaurus group in /website with 9 updates (#12086)
  core: fix source_flow_manager throwing error when authenticated user attempts to re-authenticate with existing link (#12080)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in de (#12079)
  scripts: remove read_replicas from generated dev config (#12078)
  core: bump geoip2 from 4.8.0 to 4.8.1 (#12071)
  core: bump goauthentik.io/api/v3 from 3.2024100.2 to 3.2024102.2 (#12072)
  core: bump maxmind/geoipupdate from v7.0.1 to v7.1.0 (#12073)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#12074)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#12075)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#12076)
  translate: Updates for file web/xliff/en.xlf in zh_CN (#12077)
  web/admin: auto-prefill user path for new users based on selected path (#12070)
  core: bump aiohttp from 3.10.2 to 3.10.11 (#12069)
  web/admin: fix brand title not respected in application list (#12068)
  core: bump pyjwt from 2.9.0 to 2.10.0 (#12063)
  web: add italian locale (#11958)
  web/admin: better footer links (#12004)
  core, web: update translations (#12052)
  core: bump twilio from 9.3.6 to 9.3.7 (#12061)
  ...
* main: (33 commits)
  ci: mirror repo to internal repo (#12160)
  core: bump goauthentik.io/api/v3 from 3.2024102.2 to 3.2024104.1 (#12149)
  core: bump debugpy from 1.8.8 to 1.8.9 (#12150)
  core: bump webauthn from 2.2.0 to 2.3.0 (#12151)
  core: bump pydantic from 2.10.0 to 2.10.1 (#12152)
  translate: Updates for file web/xliff/en.xlf in zh_CN (#12156)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#12157)
  core: bump sentry-sdk from 2.18.0 to 2.19.0 (#12153)
  web: bump API Client version (#12147)
  root: Backport version change (#12146)
  website/docs: update info about footer links to match new UI (#12120)
  website/docs: prepare release notes (#12142)
  providers/oauth2: fix migration (#12138)
  providers/oauth2: fix migration dependencies (#12123)
  web: bump API Client version (#12129)
  providers/oauth2: fix redirect uri input (#12122)
  providers/proxy: fix redirect_uri (#12121)
  website/docs: prepare release notes (#12119)
  web: bump API Client version (#12118)
  security: fix CVE 2024 52289 (#12113)
  ...
* main:
  ci: only mirror if secret is available (#12181)
  root: fix database ssl options not set correctly (#12180)
  core, web: update translations (#12145)
  core: bump tornado from 6.4.1 to 6.4.2 (#12165)
  website: bump the docusaurus group in /website with 9 updates (#12172)
  website: bump typescript from 5.6.3 to 5.7.2 in /website (#12173)
  ci: bump actions/checkout from 3 to 4 (#12174)
  core: bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#12175)
  core: bump coverage from 7.6.7 to 7.6.8 (#12176)
  core: bump ruff from 0.7.4 to 0.8.0 (#12177)
* main:
  website/docs: Fix CSP syntax (#12124)
* main:
  website/docs: Add note about single group per role (#12169)
  website/docs: Fix documentation about attribute merging for indirect membership (#12168)
  root: support running authentik in subpath (#8675)
  docs: fix contribution link (#12189)
  core, web: update translations (#12190)
  core: Bump msgraph-sdk from 1.12.0 to 1.13.0 (#12191)
  core: Bump selenium from 4.26.1 to 4.27.0 (#12192)
* main: (31 commits)
  web/admin: bugfix: dual select initialization revision (#12051)
  web: update tests for Chromedriver 131 (#12199)
  website/integrations: add Aruba Orchestrator (#12220)
  core: bump aws-cdk-lib from 2.167.1 to 2.171.1 (#12237)
  website: bump aws-cdk from 2.167.1 to 2.171.1 in /website (#12241)
  core, web: update translations (#12236)
  core: bump python-kadmin-rs from 0.2.0 to 0.3.0 (#12238)
  core: bump pytest from 8.3.3 to 8.3.4 (#12239)
  core: bump drf-spectacular from 0.27.2 to 0.28.0 (#12240)
  core, web: update translations (#12222)
  core: Bump ruff from 0.8.0 to 0.8.1 (#12224)
  core: Bump ua-parser from 0.18.0 to 1.0.0 (#12225)
  core: Bump msgraph-sdk from 1.13.0 to 1.14.0 (#12226)
  stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#12234)
  website/docs: install: add aws (#12082)
  core: Bump pyjwt from 2.10.0 to 2.10.1 (#12217)
  core: Bump fido2 from 1.1.3 to 1.2.0 (#12218)
  core: Bump cryptography from 43.0.3 to 44.0.0 (#12219)
  providers/oauth2: allow m2m for JWKS without alg in keys (#12196)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in fr (#12210)
  ...
* main:
  web: simplify `?inline` handler for Storybook (#12246)
  website/docs: Update Traefik middleware example to reflect latest version of Traefik (#12267)
  website/docs: add . in https://netbird.company* (#12166)
  core: bump goauthentik.io/api/v3 from 3.2024104.1 to 3.2024104.2 (#12263)
  core: bump pydantic from 2.10.2 to 2.10.3 (#12262)
  core: bump github.com/getsentry/sentry-go from 0.29.1 to 0.30.0 (#12264)
  core, web: update translations (#12268)
  website: bump @types/react from 18.3.12 to 18.3.13 in /website (#12269)
  website: bump prettier from 3.4.1 to 3.4.2 in /website (#12270)
  ci: bump actions/attest-build-provenance from 1 to 2 (#12271)
  core: bump golang.org/x/sync from 0.9.0 to 0.10.0 (#12272)
  core: bump django from 5.0.9 to 5.0.10 (#12273)
  core: bump webauthn from 2.3.0 to 2.4.0 (#12274)
  website/integrations: add The Lounge (#11971)
  core: bump python-kadmin-rs from 0.3.0 to 0.4.0 (#12257)
  root: fix health status code (#12255)
  ci: fix should_push always being false (#12252)
  web: bump API Client version (#12251)
  providers/oauth2: Add provider federation between OAuth2 Providers (#12083)
  website/integrations: mastodon: set correct uid field (#11945)
* main:
  website/docs: add page about the Cobalt pentest (#12249)
  core: bump aws-cdk-lib from 2.171.1 to 2.172.0 (#12296)
  website: bump aws-cdk from 2.171.1 to 2.172.0 in /website (#12295)
  core: bump sentry-sdk from 2.19.1 to 2.19.2 (#12297)
  core: bump coverage from 7.6.8 to 7.6.9 (#12299)
  core, web: update translations (#12290)
  root: fix override locale only if it is not empty (#12283)
  translate: Updates for file web/xliff/en.xlf in fr (#12276)
  core: bump twilio from 9.3.7 to 9.3.8 (#12282)
  website: bump path-to-regexp and express in /website (#12279)
  core: bump sentry-sdk from 2.19.0 to 2.19.1 (#12280)
  core: bump ruff from 0.8.1 to 0.8.2 (#12281)
  website/docs: fix lint (#12287)
  website/integrations: netbird: fix redirect URI regex (#12284)
* main:
  flows: better test stage's challenge responses (#12316)
  enterprise/stages/authenticator_endpoint_gdtc: don't set frame options globally (#12311)
  stages/identification: fix invalid challenge warning when no captcha stage is set (#12312)
  website/docs: prepare 2024.10.5 release notes (#12309)
  website: bump nanoid from 3.3.7 to 3.3.8 in /website (#12307)
  flows: silent authz flow (#12213)
  root:  use healthcheck in depends_on for postgres and redis (#12301)
  ci: ensure mark jobs always run and reflect correct status (#12288)
  enterprise: allow deletion/modification of users when in read-only mode (#12289)
  web/flows: resize captcha iframes (#12260)
* main: (118 commits)
  outposts: fix version label (#12486)
  web: only load version context when authenticated (#12482)
  core: bump goauthentik.io/api/v3 from 3.2024120.2 to 3.2024121.2 (#12478)
  ci: bump helm/kind-action from 1.11.0 to 1.12.0 (#12479)
  web: fix build dev build (#12473)
  root: fix dev build version being invalid semver (#12472)
  internal: fix missing trailing slash in outpost websocket (#12470)
  web: bump API Client version (#12469)
  admin: monitor worker version (#12463)
  core: bump jinja2 from 3.1.4 to 3.1.5 (#12467)
  web: bump API Client version (#12468)
  release: 2024.12.1 (#12466)
  web: misc fixes for admin and flow inspector (#12461)
  website/docs: 2024.12.1 release notes (#12462)
  core: bump goauthentik.io/api/v3 from 3.2024120.1 to 3.2024120.2 (#12456)
  core: bump urllib3 from 2.2.3 to 2.3.0 (#12457)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#12454)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#12453)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#12455)
  translate: Updates for file web/xliff/en.xlf in zh_CN (#12458)
  ...
…ing.

\# What

\# Why

\# How

\# Designs

\# Test Steps

\# Other Notes
* main:
  website/integrations: meshcentral: document (#12509)
  stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#12524)
  core: bump goauthentik.io/api/v3 from 3.2024121.2 to 3.2024121.3 (#12522)
  web: bump API Client version (#12520)
  website/integrations: chronograf: document (#12474)
  website/integrations: update preparation placeholder (#12507)
  providers/saml: fix handle Accept: application/xml for SAML Metadata endpoint (#12483) (#12518)
  core: bump aws-cdk-lib from 2.173.3 to 2.173.4 (#12513)
  website: bump aws-cdk from 2.173.3 to 2.173.4 in /website (#12514)
  core: bump coverage from 7.6.9 to 7.6.10 (#12499)
  core: bump aws-cdk-lib from 2.173.2 to 2.173.3 (#12500)
  website: bump aws-cdk from 2.173.2 to 2.173.3 in /website (#12501)
  core: bump github.com/go-ldap/ldap/v3 from 3.4.9 to 3.4.10 (#12502)
  website/docs: New "Whats Up Docker" URL (#12488)
* main:
  core: bump github.com/getsentry/sentry-go from 0.30.0 to 0.31.1 (#12543)
  core: bump google-api-python-client from 2.156.0 to 2.157.0 (#12544)
  core: bump ruff from 0.8.4 to 0.8.5 (#12545)
  core: bump msgraph-sdk from 1.15.0 to 1.16.0 (#12546)
  Update index.mdx (#12542)
  web: fix source selection and outpost integration health (#12530)
  Ading a step to paperless guide (#12539)
  website/integrations: Semaphore (#12515)
  website/integrations: komga: document (#12476)
  website/integrations: fix missing quote in paperless-ngx (#12537)
  website/integrations: cloudflare access: upd placeholder for saas (#12536)
  website/integrations: veeam-enterprise-manager: don't hardcode helpcenter doc version (#12538)
* main:
  core: bump golang.org/x/oauth2 from 0.24.0 to 0.25.0 (#12571)
  website: bump the docusaurus group in /website with 9 updates (#12569)
  core: bump github.com/coreos/go-oidc/v3 from 3.11.0 to 3.12.0 (#12572)
  core: bump ruff from 0.8.5 to 0.8.6 (#12573)
  ci: release: fix AWS cfn template permissions (#12576)
  translate: Updates for file web/xliff/en.xlf in fr (#12578)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in fr (#12577)
  sources/kerberos: authenticate with the user's username instead of the first username in authentik (#12497)
  website/integrations: Fix deprecated terraform ressource authentik_scope_mapping in docs (#12554)
  website/user-sources Fix Free IPA docs page (#12549)
  core: bump aws-cdk-lib from 2.173.4 to 2.174.0 (#12574)
  website/integrations: semaphore: fix formatting (#12567)
  website: bump aws-cdk from 2.173.4 to 2.174.0 in /website (#12570)
  website/integrations: Update Frappe Application index.md (#12527)
  website: add api reference docs to redirect file (#12551)
* main:
  lib: add expression helper ak_create_jwt to create JWTs (#12599)
  api: cleanup owner permissions (#12598)
  website: bump aws-cdk from 2.174.0 to 2.174.1 in /website (#12593)
  core: bump aws-cdk-lib from 2.174.0 to 2.174.1 (#12594)
  website/integrations: portainer: group config steps (#12548)
  translate: Updates for file web/xliff/en.xlf in fi (#12586)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in fi (#12584)
  website/docs: fix Nginx redirection example (#12561)
* main:
  website: revise full development environment instructions (#12638)
  website: bump typescript from 5.7.2 to 5.7.3 in /website (#12620)
  website: bump aws-cdk from 2.174.1 to 2.175.0 in /website (#12621)
  ci: bump docker/setup-qemu-action from 3.2.0 to 3.3.0 (#12622)
  core: bump twilio from 9.4.1 to 9.4.2 (#12623)
  core: bump python-kadmin-rs from 0.5.2 to 0.5.3 (#12624)
  core: bump ruff from 0.8.6 to 0.9.0 (#12625)
  core: bump pydantic from 2.10.4 to 2.10.5 (#12626)
  core: bump google-api-python-client from 2.157.0 to 2.158.0 (#12628)
  core: bump goauthentik.io/api/v3 from 3.2024121.3 to 3.2024122.1 (#12629)
  web: bump API Client version (#12617)
  release: 2024.12.2 (#12615)
  website/docs: prepare 2024.12.2 release notes (#12614)
  providers/saml: fix invalid SAML Response when assertion and response are signed (#12611)
  core: fix error when creating new user with default path (#12609)
  rbac: permissions endpoint: allow authenticated users (#12608)
  website/docs: update customer portal (#12603)
  website/docs: policy for email whitelist: modernize (#12558)
* main: (65 commits)
  stages/redirect: fix query parameter when redirecting to flow (#12750)
  website/integrations: cloudflare-access: refactor (#12663)
  sources/kerberos: handle principal expire time (#12748)
  lifecycle: build binary dependencies which link against SSL directly (#12724)
  website/docs: style guide: document styling preferences for URLs (#12715)
  website/integrations: nextcloud: fix broken link (#12744)
  core: bump selenium from 4.27.1 to 4.28.0 (#12745)
  lifecycle: move AWS CFN generation to lifecycle and fix CI (#12743)
  core: search users' attributes (#12740)
  web/components: ak-number-input: add support for min (#12703)
  website/integrations: nextcloud: fix url for "disable username changes" (#12725)
  core: bump pytest-github-actions-annotate-failures from 0.2.0 to 0.3.0 (#12735)
  website: bump katex from 0.16.11 to 0.16.21 in /website (#12731)
  web: bump katex from 0.16.11 to 0.16.21 in /web (#12730)
  website/integrations: Fix URL for authentik installation instead of mobilizon installation (#12729)
  core: bump debugpy from 1.8.11 to 1.8.12 (#12718)
  core: bump ruff from 0.9.1 to 0.9.2 (#12717)
  core: bump webauthn from 2.4.0 to 2.5.0 (#12719)
  core: bump structlog from 24.4.0 to 25.1.0 (#12720)
  website/integrations: all: install -> installation (#12676)
  ...
* main:
  web: update gen-client-ts to OpenAPI 7.11.0 (#12756)
  website/integrations: rustdesk-server-pro (#12706)
  core: bump codespell from 2.3.0 to 2.4.0 (#12762)
  root: docker: ensure apt packages are up-to-date (#12683)
  ci: fix missing build args for dev and release (#12760)
  web: bump vite from 5.4.11 to 5.4.14 in /web (#12757)
  web: bump undici from 6.21.0 to 6.21.1 in /web (#12755)
  lifecycle: fix cryptography's OpenSSL path (#12753)
* main: (111 commits)
  root: correctly use correct schema for install_id (#13018)
  website: bump docusaurus-plugin-openapi-docs from 4.3.3 to 4.3.4 in /website (#13011)
  web: bump API Client version (#13017)
  core: bump aws-cdk-lib from 2.178.1 to 2.178.2 (#13013)
  core: bump oss/go/microsoft/golang from 1.23-fips-bookworm to 1.24-fips-bookworm (#13012)
  website: bump docusaurus-theme-openapi-docs from 4.3.3 to 4.3.4 in /website (#13010)
  lifecycle/aws: bump aws-cdk from 2.178.1 to 2.178.2 in /lifecycle/aws (#13009)
  core: bump github.com/sethvargo/go-envconfig from 1.1.0 to 1.1.1 (#13008)
  web/admin: fix source selection for identification stage (#13007)
  core: bump sentry-sdk from 2.20.0 to 2.21.0 (#13014)
  website/integrations: Open WebUI (#12939)
  root: use correct default schema for install_id (#13006)
  website/docs: fix a minor typo (#13004)
  enterprise/providers/ssf: fixes v2 (#13003)
  root: make default postgres schema configurable (#12949)
  providers/oauth2: cleanup tokens when user is deactivated (#12859)
  website/docs: fix Nginx redirection example (#12920)
  core: bump twilio from 9.4.4 to 9.4.5 (#12993)
  core: bump coverage from 7.6.11 to 7.6.12 (#12994)
  core: bump cryptography from 44.0.0 to 44.0.1 (#12992)
  ...
…p-v3

* main: (105 commits)
  website/docs: Custom CSS (#19991)
  core: bump goauthentik.io/api/v3 to 3.2026.5.0-rc1-1770992049 (#20285)
  stage/invitation: Send invite via email UI (#19823)
  root: remove unused `django-cte` (#20090)
  core: bump ruff from 0.15.0 to 0.15.1 (#20273)
  core, web: update translations (#20271)
  ci: bump docker/build-push-action from 6.19.1 to 6.19.2 (#20274)
  enterprise/lifecycle: fix multiple reviews showing up in "Reviews" when the user is a member of multiple reviewer groups (#20266)
  ci: fix binary outpost build on release (#20248)
  web: add pretty names for lifecycle review events in event logs (#20264)
  web: fix italic formatting in lifecycle rule help text (#20263)
  website/docs: 2025.8.6 release notes (#20243)
  website/docs: 2025.12.4 release notes (#20226)
  website/docs: 2025.10.4 release notes (#20242)
  security: CVE-2026-25748 (#20240)
  security: CVE-2026-25922 (#20241)
  security: CVE-2026-25227 (#20239)
  ci: fix release testing (#20207)
  core: Apply CSpell corrections. (#20191)
  core: bump goauthentik.io/api/v3 to 3.2026.5.0-rc1-1770842608 (#20213)
  ...
…le is constructed ONCE at start-up, there's never going to be a cache hit. The FlowExecutorStageFactory produces StageMappings (StageMapping[]), which is itself a warehouse of singular server-component -> client-component relationships, fetching the client from the bundle as needed. The StageMapping only does the fetch once per instance, so (for example) a password failure will reinstantiate a PasswordStage, but it will not fetch it a second time.
…web/flow/tablize-token-component-relationship

* web/flow/tablize-token-component-relationship-v3: (75 commits)
  Removed the cache; it's extra code for no benefit whatsoever; the table is constructed ONCE at start-up, there's never going to be a cache hit.  The FlowExecutorStageFactory produces StageMappings (StageMapping[]), which is itself a warehouse of singular server-component -> client-component relationships, fetching the client from the bundle as needed.  The StageMapping only does the fetch once per instance, so (for example) a password failure will reinstantiate a PasswordStage, but it will not fetch it a second time.
  Tidy.
  website/docs: Custom CSS (#19991)
  core: bump goauthentik.io/api/v3 to 3.2026.5.0-rc1-1770992049 (#20285)
  stage/invitation: Send invite via email UI (#19823)
  root: remove unused `django-cte` (#20090)
  core: bump ruff from 0.15.0 to 0.15.1 (#20273)
  core, web: update translations (#20271)
  ci: bump docker/build-push-action from 6.19.1 to 6.19.2 (#20274)
  enterprise/lifecycle: fix multiple reviews showing up in "Reviews" when the user is a member of multiple reviewer groups (#20266)
  ci: fix binary outpost build on release (#20248)
  web: add pretty names for lifecycle review events in event logs (#20264)
  web: fix italic formatting in lifecycle rule help text (#20263)
  website/docs: 2025.8.6 release notes (#20243)
  website/docs: 2025.12.4 release notes (#20226)
  website/docs: 2025.10.4 release notes (#20242)
  security: CVE-2026-25748 (#20240)
  security: CVE-2026-25922 (#20241)
  security: CVE-2026-25227 (#20239)
  ci: fix release testing (#20207)
  ...
…the FlowExecutor stage table. Moved the import of WebAuthnAuthenticticatorRegisterState from FlowExecutor.ts to FlowExecutorStages.ts; both files are bundled together, so this is a no-op functionally, but it's easier to confirm that StageEntries without import expressions (STageModuleCallbacks) have their stages bundled (pre-imported) if the import statement is in the same file.
…/flow/20030-one-true-api

* web/flow/tablize-token-component-relationship: (76 commits)
  Removed comments about the cache.  Added comments about where to find the FlowExecutor stage table. Moved the import of WebAuthnAuthenticticatorRegisterState from FlowExecutor.ts to FlowExecutorStages.ts; both files are bundled together, so this is a no-op functionally, but it's easier to confirm that StageEntries without import expressions (STageModuleCallbacks) have their stages bundled (pre-imported) if the import statement is in the same file.
  Removed the cache; it's extra code for no benefit whatsoever; the table is constructed ONCE at start-up, there's never going to be a cache hit.  The FlowExecutorStageFactory produces StageMappings (StageMapping[]), which is itself a warehouse of singular server-component -> client-component relationships, fetching the client from the bundle as needed.  The StageMapping only does the fetch once per instance, so (for example) a password failure will reinstantiate a PasswordStage, but it will not fetch it a second time.
  Tidy.
  website/docs: Custom CSS (#19991)
  core: bump goauthentik.io/api/v3 to 3.2026.5.0-rc1-1770992049 (#20285)
  stage/invitation: Send invite via email UI (#19823)
  root: remove unused `django-cte` (#20090)
  core: bump ruff from 0.15.0 to 0.15.1 (#20273)
  core, web: update translations (#20271)
  ci: bump docker/build-push-action from 6.19.1 to 6.19.2 (#20274)
  enterprise/lifecycle: fix multiple reviews showing up in "Reviews" when the user is a member of multiple reviewer groups (#20266)
  ci: fix binary outpost build on release (#20248)
  web: add pretty names for lifecycle review events in event logs (#20264)
  web: fix italic formatting in lifecycle rule help text (#20263)
  website/docs: 2025.8.6 release notes (#20243)
  website/docs: 2025.12.4 release notes (#20226)
  website/docs: 2025.10.4 release notes (#20242)
  security: CVE-2026-25748 (#20240)
  security: CVE-2026-25922 (#20241)
  security: CVE-2026-25227 (#20239)
  ...
…t-flow-inspector

* web/flow/20030-one-true-api:
  Removed comments about the cache.  Added comments about where to find the FlowExecutor stage table. Moved the import of WebAuthnAuthenticticatorRegisterState from FlowExecutor.ts to FlowExecutorStages.ts; both files are bundled together, so this is a no-op functionally, but it's easier to confirm that StageEntries without import expressions (STageModuleCallbacks) have their stages bundled (pre-imported) if the import statement is in the same file.
  Removed the cache; it's extra code for no benefit whatsoever; the table is constructed ONCE at start-up, there's never going to be a cache hit.  The FlowExecutorStageFactory produces StageMappings (StageMapping[]), which is itself a warehouse of singular server-component -> client-component relationships, fetching the client from the bundle as needed.  The StageMapping only does the fetch once per instance, so (for example) a password failure will reinstantiate a PasswordStage, but it will not fetch it a second time.
  Tidy.
  website/docs: Custom CSS (#19991)
  core: bump goauthentik.io/api/v3 to 3.2026.5.0-rc1-1770992049 (#20285)
  stage/invitation: Send invite via email UI (#19823)
  root: remove unused `django-cte` (#20090)
  core: bump ruff from 0.15.0 to 0.15.1 (#20273)
  core, web: update translations (#20271)
  ci: bump docker/build-push-action from 6.19.1 to 6.19.2 (#20274)
  enterprise/lifecycle: fix multiple reviews showing up in "Reviews" when the user is a member of multiple reviewer groups (#20266)
  ci: fix binary outpost build on release (#20248)
  web: add pretty names for lifecycle review events in event logs (#20264)
  web: fix italic formatting in lifecycle rule help text (#20263)
  website/docs: 2025.8.6 release notes (#20243)
  web/flow: optimize table for type safety
  web: Flesh out module driven tag names.
…oved into the FlowInspectorButton, FlowExecutor no longer needs the capabilities check at all.
…261-tidy-identification-stage

* web/flow/20063-extract-flow-inspector:
  Move the inspector into its own folder.
  Since the check for `this.can(CapabilitiesEnum.CanDebug))` has been moved into the FlowInspectorButton, FlowExecutor no longer needs the capabilities check at all.
  Of COURSE prettier had opinions!
  Removed comments about the cache.  Added comments about where to find the FlowExecutor stage table. Moved the import of WebAuthnAuthenticticatorRegisterState from FlowExecutor.ts to FlowExecutorStages.ts; both files are bundled together, so this is a no-op functionally, but it's easier to confirm that StageEntries without import expressions (STageModuleCallbacks) have their stages bundled (pre-imported) if the import statement is in the same file.
  Removed the cache; it's extra code for no benefit whatsoever; the table is constructed ONCE at start-up, there's never going to be a cache hit.  The FlowExecutorStageFactory produces StageMappings (StageMapping[]), which is itself a warehouse of singular server-component -> client-component relationships, fetching the client from the bundle as needed.  The StageMapping only does the fetch once per instance, so (for example) a password failure will reinstantiate a PasswordStage, but it will not fetch it a second time.
  Tidy.
  website/docs: Custom CSS (#19991)
  core: bump goauthentik.io/api/v3 to 3.2026.5.0-rc1-1770992049 (#20285)
  stage/invitation: Send invite via email UI (#19823)
  root: remove unused `django-cte` (#20090)
  core: bump ruff from 0.15.0 to 0.15.1 (#20273)
  core, web: update translations (#20271)
  ci: bump docker/build-push-action from 6.19.1 to 6.19.2 (#20274)
  enterprise/lifecycle: fix multiple reviews showing up in "Reviews" when the user is a member of multiple reviewer groups (#20266)
  ci: fix binary outpost build on release (#20248)
  web: add pretty names for lifecycle review events in event logs (#20264)
  web: fix italic formatting in lifecycle rule help text (#20263)
  website/docs: 2025.8.6 release notes (#20243)
  web/flow: optimize table for type safety
  web: Flesh out module driven tag names.
: null;

if (!enrollmentItem && !recoveryItem) {
renderPromotedSource(source: LoginSource) {

Suggested change
renderPromotedSource(source: LoginSource) {
protected renderPromotedSource(source: LoginSource): SlottedTemplateResult {

</button>`;
}

renderSource(source: LoginSource, showLabels: boolean) {

Suggested change
renderSource(source: LoginSource, showLabels: boolean) {
protected renderSource(source: LoginSource, showLabels: boolean): SlottedTemplateResult {

: this.renderDefaultSource(source, showLabels);
}

renderRecoveryPhase() {

Suggested change
renderRecoveryPhase() {
protected renderRecoveryPhase(): SlottedTemplateResult {

return html` <p>${message}</p> `;
}

renderIdentityInput(challenge: IdentificationChallenge) {

Suggested change
renderIdentityInput(challenge: IdentificationChallenge) {
protected renderIdentityInput(challenge: IdentificationChallenge): SlottedTemplateResult {

Comment on lines +385 to +408
const fields = (challenge.userFields || []).sort();
const type =
fields.includes(UserFieldsEnum.Email) && fields.length === 1 ? "email" : "text";
const label = OR_LIST_FORMATTERS.format(fields.map((f) => UI_FIELDS[f]));
const passkeyChallenge = (challenge as PasskeyChallenge)?.passkeyChallenge;
const autocomplete: AutoFill = passkeyChallenge ? "username webauthn" : "username";

return html`<div class="pf-c-form__group">
${AKLabel({ required: true, htmlFor: this.inputID }, label)}
<input
id=${this.inputID}
type=${type}
name="uidField"
placeholder=${label}
autofocus
autocomplete=${autocomplete}
spellcheck="false"
class="pf-c-form-control"
value=${this.#rememberMe?.username ?? challenge.pendingUserIdentifier ?? ""}
required
/>
${this.#rememberMe.render()}
${AKFormErrors({ errors: challenge.responseErrors?.uid_field })}
</div>`;

Suggested change
const fields = (challenge.userFields || []).sort();
const type =
fields.includes(UserFieldsEnum.Email) && fields.length === 1 ? "email" : "text";
const label = OR_LIST_FORMATTERS.format(fields.map((f) => UI_FIELDS[f]));
const passkeyChallenge = (challenge as PasskeyChallenge)?.passkeyChallenge;
const autocomplete: AutoFill = passkeyChallenge ? "username webauthn" : "username";
return html`<div class="pf-c-form__group">
${AKLabel({ required: true, htmlFor: this.inputID }, label)}
<input
id=${this.inputID}
type=${type}
name="uidField"
placeholder=${label}
autofocus
autocomplete=${autocomplete}
spellcheck="false"
class="pf-c-form-control"
value=${this.#rememberMe?.username ?? challenge.pendingUserIdentifier ?? ""}
required
/>
${this.#rememberMe.render()}
${AKFormErrors({ errors: challenge.responseErrors?.uid_field })}
</div>`;
return guard([challenge], () => {
const fields = (challenge.userFields || []).sort();
const type =
fields.includes(UserFieldsEnum.Email) && fields.length === 1 ? "email" : "text";
const label = OR_LIST_FORMATTERS.format(fields.map((f) => UI_FIELDS[f]));
const passkeyChallenge = (challenge as PasskeyChallenge)?.passkeyChallenge;
const autocomplete: AutoFill = passkeyChallenge ? "username webauthn" : "username";
return html`<div class="pf-c-form__group">
${AKLabel({ required: true, htmlFor: this.inputID }, label)}
<input
id=${this.inputID}
type=${type}
name="uidField"
placeholder=${label}
autofocus
autocomplete=${autocomplete}
spellcheck="false"
class="pf-c-form-control"
value=${this.#rememberMe?.username ?? challenge.pendingUserIdentifier ?? ""}
required
/>
${this.#rememberMe.render()}
${AKFormErrors({ errors: challenge.responseErrors?.uid_field })}
</div>`;
});
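
Review bot: The `guard([challenge], ...)` wrapper lists only `challenge` as a dependency, but the template inside it also reads `this.#rememberMe?.username`, `this.#rememberMe.render()` and `this.inputID`. If the remembered username changes while the challenge object stays the same, the guarded template is not re-rendered and the `value` attribute goes stale. Either add those values to the dependency array or keep the unguarded version. Separately, `(challenge.userFields || []).sort()` sorts the challenge's own array in place; copying first, as `renderLoginSources` does with `[...sources].sort(sortby)`, keeps the render free of side effects.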

@kensternberg-authentik kensternberg-authentik Feb 24, 2026

guard excessively complicates the issue without winning you anything at all. guard is useful if you have dozens or hundreds of... things... that you get from a single property, and can't use repeat. In this case, there's not much more than a handful of values. More code for an insignificant performance improvement isn't a good trade.

class="pf-c-button pf-m-secondary pf-m-block"
>
${msg("Use a security key")}
</a> `;

Suggested change
</a> `;
</a>`;


// These have the same type, and can be supplied out-of-order. Passing them in by name prevents
// mis-ordering.
renderFooter({ enrollUrl, recoveryUrl }: IdentificationFooter) {

Suggested change
renderFooter({ enrollUrl, recoveryUrl }: IdentificationFooter) {
protected renderFooter({ enrollUrl, recoveryUrl }: IdentificationFooter): SlottedTemplateResult {

Comment on lines 519 to 543
renderLoginSources(sources: LoginSource[], showLabels: boolean) {
const key = ({ name }: LoginSource, idx: number) => `${name}${idx}`;
const content = (source: LoginSource) => this.renderSource(source, showLabels);
const promoted = (a: LoginSource) => !!a.promoted;

// Check if passkey login is enabled to add webauthn to autocomplete
const passkeyChallenge = (
this.challenge as IdentificationChallenge & {
passkeyChallenge?: PublicKeyCredentialRequestOptions;
}
)?.passkeyChallenge;
// When passkey is enabled, add "webauthn" to autocomplete to enable passkey autofill
const autocomplete: AutoFill = passkeyChallenge ? "username webauthn" : "username";
// Sort promoted sources to show up first
const sortby = (a: LoginSource, b: LoginSource) =>
match([promoted(a), promoted(b)])
.with([true, false], () => -1)
.with([false, true], () => 1)
.otherwise(() => 0);

return html`${this.challenge.flowDesignation === FlowDesignationEnum.Recovery
? html`
<p>
${msg(
"Enter the email associated with your account, and we'll send you a link to reset your password.",
)}
</p>
`
: nothing}
<div class="pf-c-form__group">
${AKLabel({ required: true, htmlFor: this.inputID }, label)}
<input
id=${this.inputID}
type=${type}
name="uidField"
placeholder=${label}
autofocus
autocomplete=${autocomplete}
spellcheck="false"
class="pf-c-form-control"
value=${this.#rememberMe?.username ??
this.challenge.pendingUserIdentifier ??
""}
required
/>
${this.#rememberMe.render()}
${AKFormErrors({ errors: this.challenge.responseErrors?.uid_field })}
</div>
${this.challenge.passwordFields
? html`
<ak-flow-input-password
label=${msg("Password")}
input-id="ak-stage-identification-password"
required
class="pf-c-form__group"
.errors=${this.challenge?.responseErrors?.password}
?allow-show-password=${this.challenge.allowShowPassword}
prefill=${PasswordManagerPrefill.password ?? ""}
></ak-flow-input-password>
`
: nothing}
${this.renderNonFieldErrors()}
${this.challenge.captchaStage
? html`
<div class="captcha-container">
<ak-stage-captcha
.challenge=${this.challenge.captchaStage}
.onTokenChange=${this.#tokenChangeListener}
.onLoad=${this.#captchaLoadListener}
.refreshedAt=${this.captchaRefreshedAt}
embedded
>
</ak-stage-captcha>
<input
aria-hidden="true"
class="faux-input"
${ref(this.#captchaInputRef)}
name="captchaToken"
type="text"
required
value=""
/>
</div>
`
: nothing}
const sortedSources = [...sources].sort(sortby);

<div class="pf-c-form__group ${this.challenge.captchaStage ? "" : "pf-m-action"}">
<button
?disabled=${this.challenge.captchaStage &&
this.challenge.captchaStage.interactive &&
!this.captchaLoaded}
type="submit"
class="pf-c-button pf-m-primary pf-m-block"
>
${this.challenge.primaryAction}
</button>
</div>
${this.challenge.passwordlessUrl
? html`<ak-divider>${msg("Or")}</ak-divider>`
: nothing}`;
return html`<fieldset
slot="footer"
part="source-list"
role="group"
name="login-sources"
class="pf-c-form__group"
>
<legend class="sr-only">${msg("Login sources")}</legend>
${repeat(sortedSources, key, content)}
</fieldset> `;
}

Suggested change
renderLoginSources(sources: LoginSource[], showLabels: boolean) {
const key = ({ name }: LoginSource, idx: number) => `${name}${idx}`;
const content = (source: LoginSource) => this.renderSource(source, showLabels);
const promoted = (a: LoginSource) => !!a.promoted;
// Check if passkey login is enabled to add webauthn to autocomplete
const passkeyChallenge = (
this.challenge as IdentificationChallenge & {
passkeyChallenge?: PublicKeyCredentialRequestOptions;
}
)?.passkeyChallenge;
// When passkey is enabled, add "webauthn" to autocomplete to enable passkey autofill
const autocomplete: AutoFill = passkeyChallenge ? "username webauthn" : "username";
// Sort promoted sources to show up first
const sortby = (a: LoginSource, b: LoginSource) =>
match([promoted(a), promoted(b)])
.with([true, false], () => -1)
.with([false, true], () => 1)
.otherwise(() => 0);
return html`${this.challenge.flowDesignation === FlowDesignationEnum.Recovery
? html`
<p>
${msg(
"Enter the email associated with your account, and we'll send you a link to reset your password.",
)}
</p>
`
: nothing}
<div class="pf-c-form__group">
${AKLabel({ required: true, htmlFor: this.inputID }, label)}
<input
id=${this.inputID}
type=${type}
name="uidField"
placeholder=${label}
autofocus
autocomplete=${autocomplete}
spellcheck="false"
class="pf-c-form-control"
value=${this.#rememberMe?.username ??
this.challenge.pendingUserIdentifier ??
""}
required
/>
${this.#rememberMe.render()}
${AKFormErrors({ errors: this.challenge.responseErrors?.uid_field })}
</div>
${this.challenge.passwordFields
? html`
<ak-flow-input-password
label=${msg("Password")}
input-id="ak-stage-identification-password"
required
class="pf-c-form__group"
.errors=${this.challenge?.responseErrors?.password}
?allow-show-password=${this.challenge.allowShowPassword}
prefill=${PasswordManagerPrefill.password ?? ""}
></ak-flow-input-password>
`
: nothing}
${this.renderNonFieldErrors()}
${this.challenge.captchaStage
? html`
<div class="captcha-container">
<ak-stage-captcha
.challenge=${this.challenge.captchaStage}
.onTokenChange=${this.#tokenChangeListener}
.onLoad=${this.#captchaLoadListener}
.refreshedAt=${this.captchaRefreshedAt}
embedded
>
</ak-stage-captcha>
<input
aria-hidden="true"
class="faux-input"
${ref(this.#captchaInputRef)}
name="captchaToken"
type="text"
required
value=""
/>
</div>
`
: nothing}
const sortedSources = [...sources].sort(sortby);
<div class="pf-c-form__group ${this.challenge.captchaStage ? "" : "pf-m-action"}">
<button
?disabled=${this.challenge.captchaStage &&
this.challenge.captchaStage.interactive &&
!this.captchaLoaded}
type="submit"
class="pf-c-button pf-m-primary pf-m-block"
>
${this.challenge.primaryAction}
</button>
</div>
${this.challenge.passwordlessUrl
? html`<ak-divider>${msg("Or")}</ak-divider>`
: nothing}`;
return html`<fieldset
slot="footer"
part="source-list"
role="group"
name="login-sources"
class="pf-c-form__group"
>
<legend class="sr-only">${msg("Login sources")}</legend>
${repeat(sortedSources, key, content)}
</fieldset> `;
}
protected renderLoginSources(sources: LoginSource[], showLabels: boolean): SlottedTemplateResult {
return guard([sources, showLabels], () => {
const key = ({ name }: LoginSource, idx: number) => `${name}${idx}`;
const content = (source: LoginSource) => this.renderSource(source, showLabels);
const promoted = (a: LoginSource) => !!a.promoted;
// Sort promoted sources to show up first
const sortby = (a: LoginSource, b: LoginSource) =>
match([promoted(a), promoted(b)])
.with([true, false], () => -1)
.with([false, true], () => 1)
.otherwise(() => 0);
const sortedSources = [...sources].sort(sortby);
return html`<fieldset
slot="footer"
part="source-list"
role="group"
name="login-sources"
class="pf-c-form__group"
>
<legend class="sr-only">${msg("Login sources")}</legend>
${repeat(sortedSources, key, content)}
</fieldset>`;
});
}
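
Review bot: The `key` function at the top of the `guard` callback concatenates `name` and `idx`, so the key embeds the position in `sortedSources`; a source whose position changes gets a new key and `repeat` rebuilds its DOM instead of moving it. If source names are unique within a challenge, key on `name` alone; if they are not, a stable identifier from the source would serve better than the index. Note also that `guard([sources, showLabels], ...)` compares `sources` by identity, so it only saves work when the same array instance is passed between renders.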

</ak-flow-card>`;
}

render() {

Suggested change
render() {
protected override render(): SlottedTemplateResult {

Comment on lines +241 to +244
const previous = Array.from(this.children).find((el) =>
el.matches('[slot="slotted-dialog"]'),
);
(previous as Element | undefined)?.remove();

Suggested change
const previous = Array.from(this.children).find((el) =>
el.matches('[slot="slotted-dialog"]'),
);
(previous as Element | undefined)?.remove();
const previous = Iterator.from(this.children).find((el) =>
el.matches('[slot="slotted-dialog"]'),
);
previous?.remove();
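
Review bot: `Iterator.from(this.children).find(...)` relies on the iterator helper methods, which are a recent addition to the language, so the replacement depends on the browser baseline and the TypeScript `lib` setting this bundle targets; confirm both before dropping `Array.from`. A selector lookup such as `this.querySelector(':scope > [slot="slotted-dialog"]')?.remove()` expresses the same direct-child search without either conversion or the `Element | undefined` cast.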

Alternatively, direct references to the slots?

 class FlowExecutor {
    protected dialogSlot: HTMLSlotElement;
    protected placeholderSlot: HTMLSlotElement;

    constructor() {
        configureSentry();

        super();

        this.dialogSlot = this.ownerDocument.createElement("slot");
        this.dialogSlot.name = "slotted-dialog";

        this.placeholderSlot = this.ownerDocument.createElement("slot");
        this.placeholderSlot.name = "placeholder";
        this.placeholderSlot.classList.add("slotted-content");
    }

@rissson changed the title from "Web/flow: Tidy identification stage" to "web/flow: Tidy identification stage" Feb 16, 2026
* main: (52 commits)
  web/admin: bug: stage update forms not rendering, several modal form buttons missing (#20373)
  lifecycle: bump rac guacd base image (#20390)
  web: revert `tree-sitter` removal from lockfile (#20377)
  root: fix dependabot config for docker (#20380)
  website/docs: Fix broken link to flow executor (#20364)
  core: add cause to `ak_groups` deprecation event and logs (#20361)
  rbac: fix object permission request (#20304)
  enterprise/providers/ws_federation: fix incorrect metadata download URL (#20173)
  core, web: update translations (#20303)
  stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#20305)
  core: bump django-countries from 7.6.1 to 8.2.0 (#19459)
  web: bump the storybook group across 1 directory with 5 updates (#20130)
  web: bump pino from 10.3.0 to 10.3.1 in /web (#20133)
  core: bump github.com/pires/go-proxyproto from 0.10.0 to 0.11.0 (#20182)
  web: bump @patternfly/elements from 4.2.0 to 4.3.1 in /web (#20185)
  lifecycle/aws: bump aws-cdk from 2.1105.0 to 2.1106.0 in /lifecycle/aws (#20272)
  web: bump chromedriver from 145.0.1 to 145.0.3 in /web (#20313)
  web: bump @sentry/browser from 10.38.0 to 10.39.0 in /web in the sentry group across 1 directory (#20340)
  web: bump mermaid from 11.12.2 to 11.12.3 in /web (#20359)
  ci: bump tj-actions/changed-files from 47.0.2 to 47.0.3 (#20357)
  ...
…ionship

* main:
  web/admin: maintenance: give dialogs default exports (#20397)
  web: Fix element property names with custom attributes. (#20396)
  enterprise/providers/microsoft_entra: fix dangling comma (#20391)
…ionship

* main:
  web/admin: maintenance: centralize types that are used across stages (#20398)
  website/integrations: beszel: remove slug reference (#20393)
Co-authored-by: Ken Sternberg <ken@goauthentik.io>
…to web/flow/20030-one-true-api

* web/flow/19999-tablize-token-component-relationship: (58 commits)
  web: Flesh out stage mapping error handling. (#20292)
  web/admin: maintenance: centralize types that are used across stages (#20398)
  website/integrations: beszel: remove slug reference (#20393)
  web/admin: maintenance: give dialogs default exports (#20397)
  web: Fix element property names with custom attributes. (#20396)
  enterprise/providers/microsoft_entra: fix dangling comma (#20391)
  web/admin: bug: stage update forms not rendering, several modal form buttons missing (#20373)
  lifecycle: bump rac guacd base image (#20390)
  web: revert `tree-sitter` removal from lockfile (#20377)
  root: fix dependabot config for docker (#20380)
  website/docs: Fix broken link to flow executor (#20364)
  core: add cause to `ak_groups` deprecation event and logs (#20361)
  rbac: fix object permission request (#20304)
  enterprise/providers/ws_federation: fix incorrect metadata download URL (#20173)
  core, web: update translations (#20303)
  stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#20305)
  core: bump django-countries from 7.6.1 to 8.2.0 (#19459)
  web: bump the storybook group across 1 directory with 5 updates (#20130)
  web: bump pino from 10.3.0 to 10.3.1 in /web (#20133)
  core: bump github.com/pires/go-proxyproto from 0.10.0 to 0.11.0 (#20182)
  ...
…t-flow-inspector

* web/flow/20030-one-true-api: (58 commits)
  web: Flesh out stage mapping error handling. (#20292)
  web/admin: maintenance: centralize types that are used across stages (#20398)
  website/integrations: beszel: remove slug reference (#20393)
  web/admin: maintenance: give dialogs default exports (#20397)
  web: Fix element property names with custom attributes. (#20396)
  enterprise/providers/microsoft_entra: fix dangling comma (#20391)
  web/admin: bug: stage update forms not rendering, several modal form buttons missing (#20373)
  lifecycle: bump rac guacd base image (#20390)
  web: revert `tree-sitter` removal from lockfile (#20377)
  root: fix dependabot config for docker (#20380)
  website/docs: Fix broken link to flow executor (#20364)
  core: add cause to `ak_groups` deprecation event and logs (#20361)
  rbac: fix object permission request (#20304)
  enterprise/providers/ws_federation: fix incorrect metadata download URL (#20173)
  core, web: update translations (#20303)
  stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#20305)
  core: bump django-countries from 7.6.1 to 8.2.0 (#19459)
  web: bump the storybook group across 1 directory with 5 updates (#20130)
  web: bump pino from 10.3.0 to 10.3.1 in /web (#20133)
  core: bump github.com/pires/go-proxyproto from 0.10.0 to 0.11.0 (#20182)
  ...
* main: (30 commits)
  web/flow: generate a single API object for network transactions and use it for the lifetime of the FlowExecutor (#20030)
  web/flow: refactor flow executor so component selection is in an easy-to-maintain table (#19999)
  website/integrations: gatus: fix config block  (#20446)
  core: bump msgraph-sdk from 1.54.0 to 1.55.0 (#20432)
  core: bump aws-cdk-lib from 2.238.0 to 2.239.0 (#20434)
  core: bump constructs from 10.5.0 to 10.5.1 (#20433)
  core: bump goauthentik/fips-python from `c272691` to `d973c46` in /lifecycle/container (#20437)
  core: bump goauthentik/fips-debian from `b0917af` to `4419749` in /lifecycle/container (#20438)
  web/admin/bugfix: Edit Stage not working. Invoking IdentificationStageForm not working (#20429)
  core: bump ruff from 0.15.1 to 0.15.2 (#20435)
  enterprise/providers/microsoft_entra: only check upn when set (#20441)
  core: bump selenium from 4.40.0 to 4.41.0 (#20436)
  website/docs: change permission name from 'Can view Admin interface' to 'Can access…' (#20412)
  website/integrations: add OIDC and update SAML instructions for Zammad (#20421)
  website/integrations: update wazuh acs url (#20401)
  web: Center footer links. (#20345)
  core: bump goauthentik.io/api/v3 to 3.2026.5.0-rc1-1771349690 (#20367)
  ci: bump tj-actions/changed-files from 47.0.3 to 47.0.4 (#20374)
  ci: bump helm/kind-action from 1.13.0 to 1.14.0 (#20375)
  core: bump library/golang from 1.25.5-trixie to 1.26.0-trixie in /lifecycle/container (#20381)
  ...
* main:
  enterprise: monkey patch pyjwt to accept mismatching key (#20402)
  enterprise/lifecycle: use datetime instead of date to track review cycles (#20283)
  root: run `npm i` with `npm@11.10.1` in all subdirectories (#20471)
  providers/oauth2: device code flow client id via auth header (#20457)
  core: bump goauthentik/fips-debian from `4419749` to `d6def0a` in /lifecycle/container (#20467)
  core: bump goauthentik/fips-python from `d973c46` to `bccefee` in /lifecycle/container (#20466)
  core, web: bump ajv from 6.12.6 to 6.14.0 in /packages/prettier-config (#20462)
  ci: bump and fix daily (#20461)
  website/integrations: fix Vaultwarden SSO_SCOPES syntax (#20459)
  stages/user_login: log correct user when session binding is broken (#20094)
Base automatically changed from web/flow/extract-flow-inspector to main February 23, 2026 20:59
* main: (104 commits)
  sources/saml: improve exception handling for saml response parsing (#20125)
  web/flow: separate flow inspector lifecycle from flow executor lifecycle (#20063)
  web/maintenance: no unknown attributes part 2 (#19014)
  website/docs: add info about make install and recovery key (#20447)
  web: bump ajv from 6.12.6 to 6.14.0 in /web (#20479)
  providers/proxy: preserve URL-encoded path characters in redirect (#20476)
  policies: measure policy process from manager (#20477)
  enterprise: monkey patch pyjwt to accept mismatching key (#20402)
  enterprise/lifecycle: use datetime instead of date to track review cycles (#20283)
  root: run `npm i` with `npm@11.10.1` in all subdirectories (#20471)
  providers/oauth2: device code flow client id via auth header (#20457)
  core: bump goauthentik/fips-debian from `4419749` to `d6def0a` in /lifecycle/container (#20467)
  core: bump goauthentik/fips-python from `d973c46` to `bccefee` in /lifecycle/container (#20466)
  core, web: bump ajv from 6.12.6 to 6.14.0 in /packages/prettier-config (#20462)
  ci: bump and fix daily (#20461)
  website/integrations: fix Vaultwarden SSO_SCOPES syntax (#20459)
  stages/user_login: log correct user when session binding is broken (#20094)
  web/flow: generate a single API object for network transactions and use it for the lifetime of the FlowExecutor (#20030)
  web/flow: refactor flow executor so component selection is in an easy-to-maintain table (#19999)
  website/integrations: gatus: fix config block  (#20446)
  ...
…dy-identification-stage

* web/flow/20063-extract-flow-inspector:
  Weird merge bug: same function appeared twice.
  web: Flesh out stage mapping error handling. (#20292)
@github-actions

github-actions bot commented Feb 24, 2026

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-b39dcb8526551b40b4e7479764b0f8fe758c51f7
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-b39dcb8526551b40b4e7479764b0f8fe758c51f7

Afterwards, run the upgrade commands from the latest release notes.

@kensternberg-authentik merged commit c29427c into main Feb 25, 2026
103 checks passed
@kensternberg-authentik deleted the web/flow/tidy-identification-stage branch February 25, 2026 00:35
@kensternberg-authentik added a commit that referenced this pull request Feb 25, 2026
* main:
  web/flow: Tidy identification stage (#20261)
  website/docs: fix upgrade link in release notes (#20540)
  website/docs: fix upgrade link in `2026.2` release notes (#20539)
  website/docs: update supported versions (#20534)
  website/docs: create draft release notes for `2026.5` (#20529)
  Fix redirect URI in Seafile integration documentation (#20532)
  website/docs: autogenerate release notes (#20527)
  providers/oauth2: add jti claim (#20484)
  providers/oauth2: deactivate locale after testing (#20518)
  policies: fix PolicyEngineMode ALL with static binding optimization (#20430)
  website/docs: fix linux setup docs (#20508)
  web: fix Edit Policy button on Flow view page (#20511)
  endpoints: fix infinite recursion in stage with unsupported connector (#20485)
  enterprise: add `ES384` to enterprise license algorithms (#20507)
  web/flow: fix typo in RedirectStage (#20488)
  website/docs: fix GitHub social-login wording and capitalization (#20489)
  web: bump knip from 5.84.1 to 5.85.0 in /web (#20464)
  website/integrations: standardize resource sections and update template (#20423)
  core, web: bump ajv from 6.12.6 to 6.14.0 in /packages/eslint-config (#20478)
Labels

area:frontend Features or issues related to the browser, TypeScript, Node.js, etc


2 participants