Release 2025.10

Highlights

• SAML and OAuth2 provider Single Logout support: This release adds support for back-channel and front-channel SLO for SAML and front-channel for OAuth2/OIDC.
• Removed Redis dependency: authentik no longer uses Redis at all.
• Telegram source: Telegram can now be used for social login.
• SCIM provider OAuth support: :ak-enterprise SCIM providers can use OAuth providers to authenticate to SCIM endpoints.
• RADIUS EAP-TLS Support: :ak-enterprise The RADIUS provider now supports EAP-TLS, which can be used to authenticate WiFi clients.

Breaking changes

Redis removal

In previous versions, authentik used Redis for caching, tasks, the embedded proxy outpost's session store, and WebSocket connections. Since 2025.8, tasks were migrated to use Postgres. With this release we've also migrated caching, the embedded outpost, and WebSocket to Postgres, fully removing the need for Redis.

As a result of this change, it is expected that authentik will use roughly 50% more database connections to Postgres. Redis-related settings have also been removed and can be deleted from your configuration.

If your Postgres instance requires a TLS connection, authentik now requires TLS 1.3 or the Extended Master Secret extension to connect to Postgres.

Default OAuth scope mappings

In previous releases with the default scope mappings, we set the email_verified claim to true. As we don't have a single source of whether a users' email is verified or not, and claiming that it is verified could lead to security implications, this claim has been corrected to false.

Some applications may require this claim to be true to successfully authenticate users, in which case you can create a custom email scope mapping that returns email_verified as true.

For more information, refer to the Email scope verification documentation.

New features and improvements

SCIM provider OAuth support :ak-enterprise

SCIM providers can now use OAuth sources to authenticate to SCIM endpoints. This requires support in the remote system for OAuth authentication. Using an OAuth source provides improved security due to not requiring long-lived static tokens.

This is supported by applications such as Slack and Salesforce.

See SCIM Provider documentation for more details.

RADIUS EAP-TLS support :ak-enterprise

The RADIUS outpost can now support EAP-TLS which allows for client authentication using certificates with the Mutual TLS stage.

See RADIUS Provider documentation.

SAML and OAuth2 provider Single Logout support

In 2025.8 we've introduced support for back-channel logout in the OAuth2 Provider. This release adds support for front-channel logout in the OAuth2 Provider and both back- and front-channel logout support in the SAML Provider.

See OAuth2 Provider documentation and SAML Provider documentation.

Telegram source

Being one of the most upvoted GitHub issues, we've finally done it. Telegram can now be used as a federated identity provider in authentik. This allows users to authenticate with their Telegram credentials.

See Telegram Source documentation.

Refined flow and user library

The flow interface now fits better on mobile devices/small viewports and looks sharper on HiDPi devices. There are also improvements for auto-completion during credential input (thanks to @cjoshmartin!). The user library has improved scaling and makes better use of space with a higher density.

Additional noteworthy improvements

• Credential provider: Alpha releases of desktop integrations are now available for testing; reach out to [email protected] if you are interested in providing early feedback for any of these:
  • Windows: a custom credential provider allowing custom authentication flows.
  • macOS: a Platform SSO integration allowing seamless authentication.
  • Linux: accessing Linux servers via an authentik identity.
• Add ak_send_email: Allow for easier sending of emails in expressions; see ak_send_email.
• Change recovery token duration: When using ak create_recovery_key, the duration is now set in minutes instead of years.
• Add OIDC ui_locales support: The OAuth2 provider now accepts ui_locales to set the locale of authentik.
• Add support for separate labels and values in prompt choice inputs, see Prompt stage documentation; thanks to @ErikAhlund!

New integration guides

An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added.

• Cloudflare
• Digital Ocean
• Entra ID SCIM
• osTicket
• Terraform Cloud
• Termix
• Zendesk
• Zoom
• Zot

Upgrading

Following the upgrade instructions below will remove Redis from your installation. If you use authentik with an externally configured Redis, you can simply remove the Redis configuration from authentik; for more detailed information about upgrading authentik, refer to our Upgrade documentation.

:::warning When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. :::

Docker Compose

To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:

wget -O docker-compose.yml https://goauthentik.io/version/2025.10/docker-compose.yml
docker compose up -d --remove-orphans

The -O flag retains the downloaded file's name, overwriting any existing local file with the same name.

The --remove-orphans flag removes the Redis container as its no longer needed.

Kubernetes

Upgrade the Helm Chart to the new version, using the following commands:

helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.10

If you had persistence for Redis configured, you can delete the PVC and PV after the upgrade.

Minor changes/fixes

• *: add ruff BLE rules (#16943)
• *: Fix dead doc link (#16288)
• *: remove Redis leftovers (#17146)
• */bindings: order by pk (#17027)
• api: Clean schema up more (#17055)
• api: Fix locale propagation from ?locale parameter in frontend (#16857)
• api: optimize schemas' common query parameters (#16884)
• blueprints: ensure tasks retry on database errors (#17333)
• blueprints: exclude exporting UserConsent (#16640)
• blueprints: fix email address verified by default (#16206)
• blueprints: fix typo in sources-google-ldap-mappings (#16955)
• blueprints: regenerate schema (#17365)
• brands: revert sort matched brand by match length (revert #15413) (#16233)
• cmd/server/healthcheck: info log success instead of debug (#17093)
• core, events: reduce memory usage when batch deleting objects (#12436)
• core: Add ak_send_email function in expression context (#16941)
• core: Add email template selector (#16170)
• core: add index on Group.is_superuser (#17011)
• core: Add input validation for service account creation (#16964)
• core: add QL for groups (#17527)
• core: Block usage of Django's createsuperuser (#16215)
• core: fix absolute and relative path file uploads (#17269)
• core: fix application and source's fa:// icon (#17416)
• core: fix client-side only validation allowing admin to set blank user password (#16467)
• core: fix description on remove_user_from_group (#16694)
• core: Fix middleware race condition induced crash (#16705)
• core: Fix typo (#16560)
• core: Include region comments in VSCode Minimap. (#16667)
• core: Mark impersonation reason field as required in UI and fix status codes (#16065)
• core: Normalize NPM script arguments. (#16725)
• core: update_attributes: only update the model if attributes changed (#16322)
• core: use email backend for test_email management command (#16311)
• core/api: Better naming for partial user/group serializer, optimize bindings (#17022)
• enterprise/providers/gws+entra: fix group integrity error during discovery (#17355)
• enterprise/providers/gws+entra: fix integrity error during discovery (#17341)
• enterprise/providers/radius: add EAP-TLS support (#15702)
• enterprise/providers/scim: Add SCIM OAuth support (#16903)
• enterprise/stages/mtls: Improve Email address extraction (#17068)
• events: remove deprecated models (#15823)
• flows: redirect to next when accessing an unapplicable authentication flow while already authenticated (#17243)
• flows: SessionEndStage: only show page if user is still authenticated (#17003)
• lib: import ExceptionDictTransformer from structlog.tracebacks (#17526)
• lib: match exception_to_dict locals behaviour (#17006)
• lib: small type hinting improvements (#17528)
• lib/config: fix listen settings (#17005)
• lib/logging: only show locals when in debug mode (#16772)
• lib/sync: fix missing f for string (#16423)
• lib/sync: revert breaking type change (#17553)
• lib/sync/outgoing: fix single object sync timeout (#16447)
• lib/sync/outgoing: revert reduce number of db queries made (revert #14177) (#17306)
• lifecycle: fix permission error when running worker as root (#16735)
• lifecycle: fix PROMETHEUS_MULTIPROC_DIR missing suffix (#16401)
• lifecycle: set PROMETHEUS_MULTIPROC_DIR as early as possible (#16298)
• outpost: proxyv2: Use Postgres for the Embedded Outpost (#16628)
• outpost/proxyv2: postgresstore: credential refresh (#17414)
• outpost/proxyv2: postgresstore: db/pool/misc cleanup and enhancement (#17511)
• outposts: allow ingress path type configuration (#16339)
• outposts: fix flow executor when using subpath (#16947)
• outposts: fix service connection update task arguments (#16312)
• outposts/ldap: add pwdChangeTime attribute (#17010)
• packages/django-channels-postgres: compression and connection pool (#17303)
• packages/django-channels-postgres: init (#17247)
• packages/django-channels-postgres/layer: fix connection deadlock (#17270)
• packages/django-dramatiq-postgres: broker: fix new messages not being picked up when too many messages are waiting (#17106)version-2025.8) (#17108)
• packages/django-dramatiq-postgres: broker: fix task expiration (#17178)
• packages/django-dramatiq-postgres: broker: fix various timing issues (#16340)
• packages/django-dramatiq-postgres: broker: task retrieval fixes and improvements (#17335)
• packages/django-dramatiq-postgres: fix error when updating task with no changes (#16728)
• packages/django-dramatiq-postgres: middleware: fix listening on hosts where ipv6 is not supported (#16308)
• packages/django-dramatiq-postgres: typing (#16978)
• packages/django-postgres-cache: Initial implementation of postgres cache (#16653)
• policies: remove object pk from authentik_policies_execution_time to reduce cardinality (#16500)
• policies/password: Fix amount_uppercase in password policy check (#16197)
• policies/reputation: update reputation in a single query (#17529)
• providers/ldap: add include_children parameter to cached search mode (#16918)
• providers/oauth2: add missing exp claim for logout token (#16593)
• providers/oauth2: add ui_locales support for OIDC (#17140)
• providers/oauth2: allow setting logout method always (#17470)
• providers/oauth2: avoid deadlock during session migration (#16361)
• providers/oauth2: fix authentication error with identical app passwords (#17100)
• providers/oauth2: fix logout token missing sid, fix wrong sub mode used (#16295)
• providers/oauth2: include scope in JWT (#16454)
• providers/oauth2: only issue new refresh token if old one is about to expire (#16905)
• providers/proxy: fix missing postgres import (#17582)
• providers/rac: bump guacd to 1.6 (#17392)
• providers/rac: fix AuthenticatedSession migration (#16400)
• providers/rac: remove autobahn import (#17224)
• providers/saml: add frontchannel idp slo, backchannel post idp slo (#15863)
• providers/saml: fix timezone naive warning (#17382)
• providers/scim: add salesforce support (#16976)
• providers/scim: fix string formatting for SCIM user filter (#16465)
• providers/scim: improve error message when object fails to sync (#16625)
• rbac: assign InitialPermissions in a middleware (#16138)
• rbac: fix role search fields (#17305)
• rbac: fix typo (#16476)
• rbac: optimize rbac assigned by users query (#17015)
• readme: Remove Docker pulls badge (#16707)
• recovery: Default to 60 minutes (#16005)
• router: fix missing response headers on compressed 404 for static files (#16216)
• sources: add Telegram source (#15749)
• sources/ldap: fix malformed filter error with special characters in group DN (#16243)
• sources/oauth: add support for login support if source was started within a flow executor (#16982)
• sources/oauth: configurable PKCE mode (#17487)
• sources/oauth/entra_id: do not assume group_id comes from entra (#16456)
• sources/saml: add default error messages to exceptions (#15562)
• sources/saml: add location selection for Signature node (#15626)
• stages: update friendly_name model from null to blank (#16672)
• stages/authenticator_duo: Add test to fix codecov error (#16257)
• stages/authenticator_duo: return generic error message (#16194)
• stages/email_authenticator: Fix email mfa loop (#16579)
• stages/identification: fix mismatched error messages (#17090)
• stages/prompt: add ability to set separate labels and values for choices (#16693)
• stages/user_login: add user to query (#17171)
• stages/user_write: fix attribute path replacement (#17507)
• tasks: add preprocess, running and postprocess statuses (#17297)
• tasks: add rel_obj to system task exception event (#16270)
• tasks: add sentry dramatiq integration (#16167)
• tasks: add task status summary (#17302)
• tasks: fix errors found in tests (#17062)
• tasks: fix logger name (#17009)
• tasks: fix status and healthcheck breaking with connection issues (#16504)
• tasks: only set tenant on task creation (#17358)
• tasks: reduce default number of retries and max backoff (#17107)
• tasks: set uid early (#17356)
• tasks: show number of retries and planned execution time (#17295)
• tasks: store messages in separate table (#17359)
• tasks/middlewares/messages: make sure exceptions are always logged (#17237)
• tasks/schedules: fix api search fields (#16405)
• tasks/schedules: upsert instead of update_or_create (#17534)
• tests/e2e: fix ldap tests following #17010 (#17021)
• tests/e2e: less hardcoded names (#17047)
• tests/e2e: switch chrome for chromium (#17407)
• web: Add disabled radio styles. (#17026)
• web: Additional text field properties, ARIA fixes (#17115)
• web: ak-status-label: add neutral status (#16064)
• web: Apply consistent background color when input is disabled or readonly. (#17105)
• web: Automatic reload during server start up. (#16030)
• web: Clean up render interfaces. (#16031)
• web: Do not mark Attributes as a mandatory field (#16004)
• web: Docker versioning compatibility (#16139)
• web: fix "Explore integrations" link in Quick actions (#16274)
• web: Fix ak-flow-card footer alignment. (#16236)
• web: Fix avatar image load flash. (#17220)
• web: Fix behavior for modals configured with closeAfterSuccessfulSubmit (#17277)
• web: Fix card alignment, slotting, labeling (#17307)
• web: Fix default RADIUS EAP-TLS cert without license. (#17152)
• web: Fix docs links, a11y input descriptors (#16671)
• web: Fix flow autofocus element targeting. (#17255)
• web: Fix flow view title setter. (#17245)
• web: Fix hidden textarea required attribute. (#16168)
• web: Fix issue where clicking a list item scrolls container. (#16174)
• web: Fix issue where form group uses unknown slot. (#16276)
• web: Fix layout class for 'row' in LibraryPage (#16752)
• web: Fix low DPI on QR Codes. (#17251)
• web: Fix native icon colors when using dark theme. (#17118)
• web: Fix nested table column span behavior. (#17177)
• web: Fix numeric values in search select inputs, search input fixes (#16928)
• web: Fix Recent Events toolbar height. (#17172)
• web: Fix reported error precedence (#16231)
• web: Fix skip-to-content element target, order. (#17030)
• web: Fix tab theme consistency, table overflow. (#17222)
• web: Fix table child alignment (#17114)
• web: Fix table column updates, template parsing (#17254)
• web: Fixed null lastUsed and autofocus on TOTP login field (#16739)
• web: Flow fixes -- Captchas, form states, compatibility mode. (#17226)
• web: Flush logs on SIGINT. (#16723)
• web: Ignore spellchecking of Playwright output. (#16862)
• web: Improvements to ReCaptcha resizing (#16171)
• web: Minimal mobile flow (#17280)
• web: Minimal mobile flow, revisions (#17310)
• web: Remove brand column. (#17173)
• web: Remove CSS constructor polyfill. (#16920)
• web: Remove deprecated node:path polyfill. (#16702)
• web: Replace Github Slugger package with change-case. (#16921)
• web: Report unregistered elements. (#17025)
• web: Responsive toolbar flow (#17278)
• web: revert bump the swc group across 1 directory with 11 updates (#17113)
• web: revise ak-page-navbar to use standard event handlers (#16898)
• web: saml provider view: fix state refresh issues (#14474)
• web: Table refresh timestamp. (#17145)
• web: Use curated dictionary for e2e fixtures. (#16750)
• web: Use embedded layout. (#16481)
• web: Use Pino console logger, reduce live reload noise. (#16703)
• web: User library UI fixes (#17376)
• web: Username truncation, field alignment. (#16283)
• web/a11y: Accessible scrollbars. (#17253)
• web/a11y: Admin overview regions. (#17170)
• web/a11y: Associating labels with inputs (#16119)
• web/a11y: Brand form (#16011)
• web/a11y: Codemirror (#16010)
• web/a11y: File Inputs (#16038)
• web/a11y: Fix "skip to content" target. (#17510)
• web/a11y: Fix dark theme color contrast (#17144)
• web/a11y: Fix missing screen reader class on fieldset legends. (#17298)
• web/a11y: Flow inspector. (#17271)
• web/a11y: Flow Search (#15876)
• web/a11y: Flow Stages (#17273)
• web/a11y: Notifications drawer (#17031)
• web/a11y: QL Search Input (#16198)
• web/a11y: Status label (#17148)
• web/a11y: Table header -- Fix pagination jitter, prepare alignment (#17116)
• web/a11y: Table header -- Search input (#17117)
• web/a11y: Tables -- labels, input handlers, selection and expanded state (#16207)
• web/a11y: Text Input (#16041)
• web/a11y: Tree view (#17147)
• web/a11y: User library (#17311)
• web/a11y: User settings flow. (#17219)
• web/admin: Add link to the docs in the import flow dialog (#17436)
• web/admin: allow blank value for User path template in User Write Stage (#16347)
• web/admin: Fix disappearing "Create" button in service account modal (#16963)
• web/admin: fix federation sources automatically selected (#17069)
• web/admin: fix incorrect placeholder for scim provider (#17308)
• web/admin: fix settings saving (#16184)
• web/admin: providers/rac: improve host field hint (#16443)
• web/admin: remove maxlength on user display name (#17412)
• web/admin: rework task status summary (#17337)
• web/e2e: Playwright end-to-end test runner (#16014)
• web/e2e: User creation (#17149)
• web/flow: small layout fixes (#17551)
• web/flows: fix card alignment (#17332)
• web/flows: only disable login button when interactive captcha is configured and not loaded (#16586)
• web/flows: update default flow background (#17315)
• web/maintenance: typo in icon class (#16371)

Fixed in 2025.10.1

• internal: fix Go deprecation for +build (cherry-pick #17806 to version-2025.10) (#17824)
• internal: full openssl path (cherry-pick #17856 to version-2025.10) (#17860)
• internal/web/proxy: fix return status code during startup (cherry-pick #17827 to version-2025.10) (#17832)
• outpost: revert breaking signals change (cherry-pick #17847 to version-2025.10) (#17848)
• outposts: update permissions more eagerly (cherry-pick #17783 to version-2025.10) (#17841)
• packages/django-postgres-cache: use upsert instead of select/update in a transaction (cherry-pick #17760 to version-2025.10) (#17767)
• providers/oauth2: fix kid always required for federation (cherry-pick #17914 to version-2025.10) (#17917)
• providers/oauth2: move encryption key field (cherry-pick #17722 to version-2025.10) (#17729)
• providers/proxy: fix missing JWT/claims header (cherry-pick #17759 to version-2025.10) (#17764)
• providers/radius: fix inverted message authenticator validation (cherry-pick #17855 to version-2025.10) (#17888)
• providers/radius: fix panic when no cert is configured (cherry-pick #17762 to version-2025.10) (#17766)
• providers/radius: revert fix inverted message authenticator validation (#17855) (cherry-pick #17915 to version-2025.10) (#17916)
• root: Add Dockerfile label org.opencontainers.image.source (cherry-pick #17756 to version-2025.10) (#17757)
• root: use hashes for dockerfile FROM (cherry-pick #17795 to version-2025.10) (#17798)
• sources/oauth: Make PKCE verifier 128 characters (cherry-pick #17763 to version-2025.10) (#17765)
• tasks: delay startup signals (cherry-pick #17769 to version-2025.10) (#17775)
• tasks: sanitize log attributes (cherry-pick #17833 to version-2025.10) (#17842)
• web: Consistent Tab Panel URL Parameters (cherry-pick #17804 to version-2025.10) (#17859)
• web/a11y: User library -- fix issues surrounding element focus, ARIA labeling. (cherry-pick #17522 to version-2025.10) (#17828)
• web/admin: fix SCIM provider form (cherry-pick #17831 to version-2025.10) (#17834)

Fixed in 2025.10.2

• brands: add more matching tests (cherry-pick #16185 to version-2025.10) (#17924)
• brands: sort matched brand by match length (cherry-pick #17920 to version-2025.10) (#17935)
• cmd/server/healthcheck: remove worker HTTP healthcheck (cherry-pick #18090 to version-2025.10) (#18091)
• core: bump django from 5.2.7 to 5.2.8 (cherry-pick #17967 to version-2025.10) (#18003)
• core: improve app launch URL formatting (cherry-pick #18076 to version-2025.10) (#18087)
• events: fix timezone not set for log events (cherry-pick #18067 to version-2025.10) (#18071)
• internal: Automated internal backport: 1487-invitation-expiry.sec.patch to authentik-2025.10 (#18258)
• internal: Automated internal backport: 1498-oauth2-cc-user-active.sec.patch to authentik-2025.10 (#18259)
• internal: Automated internal backport: 5000-sidebar.sec.patch to authentik-2025.10 (#18260)
• packages/django-channels-postgres/layer: fix query when subscribed to multiple channels (cherry-pick #18152 to version-2025.10) (#18153)
• packages/django-dramatiq-postgres: broker: ensure locking happens with the same connection (cherry-pick #18095 to version-2025.10) (#18119)
• providers/scim: allow custom schema data (cherry-pick #18073 to version-2025.10) (#18075)
• stages/prompt: fix choices with labels causing error on submit (cherry-pick #18183 to version-2025.10) (#18236)
• tasks/schedules: fix rel obj not being associated or updated (cherry-pick #17934 to version-2025.10) (#17936)
• web: Disable library <datalist> on Firefox. (cherry-pick #18103 to version-2025.10) (#18135)
• web: Fix RAC modal visibility. (cherry-pick #17941 to version-2025.10) (#18097)
• web: Fix tab activation, blank provider URLs (cherry-pick #18031 to version-2025.10) (#18101)
• web/admin: link to user on invitation list page (cherry-pick #18132 to version-2025.10) (#18134)
• web/flows: improvements for hCaptcha (cherry-pick #16882 to version-2025.10) (#18128)
• web/sfe: downgrade bootstrap that was accidentally upgraded (cherry-pick #18157 to version-2025.10) (#18171)

Fixed in 2025.10.3

• core: list applications fix (cherry-pick #18798 to version-2025.10) (#18827)
• core: optimize list applications (cherry-pick #18330 to version-2025.10) (#18791)
• enterprise/stages/mtls: fix traefik certificate parsing (cherry-pick #18607 to version-2025.10) (#18645)
• flows: refresh unauthenticated tabs (cherry-pick #18621 to version-2025.10) (#18633)
• lib/sync/outgoing: check if there is a provider before creating tasks (cherry-pick #18394 to version-2025.10) (#18397)
• outpost/proxyv2: more tests, fix pg password with spaces, and existing session on restart (cherry-pick #18211 to version-2025.10) (#18742)
• outposts: set container healthcheck inline (cherry-pick #18298 to version-2025.10) (#18370)
• packages/django-channels-postgres: fix notify size check (cherry-pick #18347 to version-2025.10) (#18409)
• packages/django-dramatiq-postgres: broker: close django connections on consumer close (cherry-pick #18833 to version-2025.10) (#18835)
• providers/scim: compare users/groups before sending update request (cherry-pick #18456 to version-2025.10) (#18465)
• root: fix missing authentik_device cookie causing error (cherry-pick #18642 to version-2025.10) (#18644)
• root: skip current tab when refreshing others (cherry-pick #18674 to version-2025.10) (#18675)
• sources/ldap: make server info optional (cherry-pick #18648 to version-2025.10) (#18654)
• stages/prompt: set allow_blank for _read_only fields (cherry-pick #18297 to version-2025.10) (#18406)
• web: Fix row expansion on modal trigger buttons. (cherry-pick #18412 to version-2025.10) (#18647)
• web: Fix stale table rows (cherry-pick #17940 to version-2025.10) (#18373)
• web: Fix stale table rows (cherry-pick #17940 to version-2025.10) (#18408)
• web: Hide device picker when challenges are not present. (cherry-pick #18611 to version-2025.10) (#18681)
• web: Improved table selection behavior (cherry-pick #18622 to version-2025.10) (#18685)
• web: revert Fix stale table rows (cherry-pick #17940 to version-2025.10) (#18407)
• web/admin: add entitlement search (cherry-pick #18291 to version-2025.10) (#18390)
• web/admin: fix brands default switch label (cherry-pick #18518 to version-2025.10) (#18522)
• web/admin: fix event volume chart not updating with query (cherry-pick #18649 to version-2025.10) (#18653)
• web/admin: fix wording in password stage (cherry-pick #18393 to version-2025.10) (#18395)
• web/admin: fixes capitalization in application wizard title (cherry-pick #17959 to version-2025.10) (#17962)

Fixed in 2025.10.4

• core: bump django from v5.2.8 to 5.2.11 (version-2025.10) (#20020)
• core: fix read replica routing during transactions (cherry-pick #19086 to version-2025.10) (#19240)
• core: return bad request when user is authenticated and not active (cherry-pick #19706 to version-2025.10) (#19709)
• core: use chunked_queryset for expired message deletion (cherry-pick #19028 to version-2025.10) (#19030)
• internal: fix incorrect metric calculation (cherry-pick #19701 to version-2025.10) (#19702)
• internal: rework liveness probe and proxy (cherry-pick #19312 to version-2025.10) (#19383)
• internal: update TLS Suite (cherry-pick #19076 to version-2025.10) (#19077)
• outpost/proxyv2: fix stale session cookie causing 400 error in createState (cherry-pick #19026 to version-2025.10) (#19374)
• outpost/proxyv2: reduce max number of postgres connections (cherry-pick #19211 to version-2025.10) (#20139)
• outpost/proxyv2: revalidate auth if session fails to load (cherry-pick #18063 to version-2025.10) (#20058)
• providers/oauth2: add logout+jwt token type for oidc logout token. (cherry-pick #19554 to version-2025.10) (#19674)
• providers/oauth2: use compare_digest for client_secret comparison (cherry-pick #19979 to version-2025.10) (#19982)
• recovery: consume token in transaction (cherry-pick #19967 to version-2025.10) (#19981)
• root: update client-go generation (cherry-pick #19762 and #19906 to version-2025.10) (#19933)
• security: CVE-2026-25227 (#20227)
• security: CVE-2026-25748 (#20228)
• security: CVE-2026-25922 (#20229)
• web/admin: Fix haveibeenpwned link in PasswordPolicyForm (cherry-pick #18984 to version-2025.10) (#18988)
• web/admin: add banner to flow import form (cherry-pick #19288 to version-2025.10) (#19292)
• web/admin: fix dark theme on map (cherry-pick #18985 to version-2025.10) (#18986)
• web/admin: fix impersonation form requesting data without being opened (cherry-pick #19673 to version-2025.10) (#19711)
• web/elements: hidden secrets not propagating (cherry-pick #19029 to version-2025.10) (#19376)
• web/flow: Fix spurious double submit on ak-stage-autosubmit (cherry-pick #18727 to version-2025.10) (#18932)
• web/sfe: downgrade bootstrap, add access denied test (cherry-pick #19763 to version-2025.10) (#19764)
• web: fix slug auto-updating when editing existing applications (cherry-pick #19169 to version-2025.10) (#19172)

API Changes

What's Changed

GET /providers/google_workspace/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

PUT /providers/google_workspace/{id}/

Request:

Changed content type : application/json

• Added property sync_page_size (integer)

  Controls the number of objects synced in a single task

• Added property sync_page_timeout (string)

  Timeout for synchronization of a single page

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

PATCH /providers/google_workspace/{id}/

Request:

Changed content type : application/json

• Added property sync_page_size (integer)

  Controls the number of objects synced in a single task

• Added property sync_page_timeout (string)

  Timeout for synchronization of a single page

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

GET /providers/microsoft_entra/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

PUT /providers/microsoft_entra/{id}/

Request:

Changed content type : application/json

• Added property sync_page_size (integer)

  Controls the number of objects synced in a single task

• Added property sync_page_timeout (string)

  Timeout for synchronization of a single page

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

PATCH /providers/microsoft_entra/{id}/

Request:

Changed content type : application/json

• Added property sync_page_size (integer)

  Controls the number of objects synced in a single task

• Added property sync_page_timeout (string)

  Timeout for synchronization of a single page

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

GET /providers/scim/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

PUT /providers/scim/{id}/

Request:

Changed content type : application/json

• Added property sync_page_size (integer)

  Controls the number of objects synced in a single task

• Added property sync_page_timeout (string)

  Timeout for synchronization of a single page

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

PATCH /providers/scim/{id}/

Request:

Changed content type : application/json

• Added property sync_page_size (integer)

  Controls the number of objects synced in a single task

• Added property sync_page_timeout (string)

  Timeout for synchronization of a single page

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

POST /providers/google_workspace/

Request:

Changed content type : application/json

• Added property sync_page_size (integer)

  Controls the number of objects synced in a single task

• Added property sync_page_timeout (string)

  Timeout for synchronization of a single page

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

GET /providers/google_workspace/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > GoogleWorkspaceProvider Serializer

    • Added property sync_page_size (integer)

      Controls the number of objects synced in a single task

    • Added property sync_page_timeout (string)

      Timeout for synchronization of a single page

POST /providers/microsoft_entra/

Request:

Changed content type : application/json

• Added property sync_page_size (integer)

  Controls the number of objects synced in a single task

• Added property sync_page_timeout (string)

  Timeout for synchronization of a single page

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

GET /providers/microsoft_entra/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > MicrosoftEntraProvider Serializer

    • Added property sync_page_size (integer)

      Controls the number of objects synced in a single task

    • Added property sync_page_timeout (string)

      Timeout for synchronization of a single page

POST /providers/scim/

Request:

Changed content type : application/json

• Added property sync_page_size (integer)

  Controls the number of objects synced in a single task

• Added property sync_page_timeout (string)

  Timeout for synchronization of a single page

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

GET /providers/scim/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > SCIMProvider Serializer

    • Added property sync_page_size (integer)

      Controls the number of objects synced in a single task

    • Added property sync_page_timeout (string)

      Timeout for synchronization of a single page

PUT /core/transactional/applications/

Request:

Changed content type : application/json

• Changed property provider (object)

  Updated authentik_providers_microsoft_entra.microsoftentraprovider provider_model:

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

  Updated authentik_providers_google_workspace.googleworkspaceprovider provider_model:

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

  Updated authentik_providers_scim.scimprovider provider_model:

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page