ContextQMD
Back to Authentik

Release 2025.6

website/docs/releases/2025/v2025.6.md

latest21.1 KB
Original Source

Highlights

  • mTLS Stage: :ak-enterprise The Mutual TLS stage provides support for mTLS, a standard protocol that uses certificates for mutual authentication between a client and a server.

  • Email verification compatibility with link scanners: We have improved compatibility for environments that have automated scanning software that inadvertently invalidated one-time links sent by authentik.

  • LDAP source sync forward deletions: This option synchronizes the deletion of users and groups from LDAP sources to authentik.

Breaking changes

  • Helm chart dependencies upgrades:

    • The PostgreSQL chart has been updated to version 16.7.4. The PostgreSQL image is no longer pinned in authentik's default values and has been upgraded from version 15 to 17. Follow our PostgreSQL upgrade instructions to update to the latest PostgreSQL version.
    • The Redis chart has been updated to version 21.1.6. There are no breaking changes and Redis has been upgraded from version 7 to 8.

  • Deprecated and frozen :latest container image tag after 2025.2

    Using the :latest tag with container images is not recommended as it can lead to unintentional updates and potentially broken setups. The tag will not be removed, however it will also not be updated past 2025.2. We strongly recommended the use of a specific version tag for authentik instances' container images, such as :2025.6.

  • CSS: We’ve made some improvements to our theming system. If your authentik instance uses custom CSS, you might need to review flow and user interfaces for any visual changes.

New features and improvements

  • mTLS stage: :ak-enterprise The Mutual TLS stage enables authentik to use client certificates to enroll and authenticate users. These certificates can be local to the device or available via PIV Smart Cards, Yubikeys, etc. For environments where certificates are already rolled out, this can make authentication a lot more seamless. Refer to our technical documentation for more information.
  • Email verification compatibility with link scanners: We have improved compatibility for environments with automated scanning software that inadvertently invalidated one-time links sent by authentik.
  • LDAP source sync forward deletions: With this option enabled, users or groups created in authentik via LDAP sources will also be removed from authentik if they are deleted from the LDAP source. For more information, please refer to our LDAP source documentation.
  • Provider sync performance: We have implemented parallel scheduling for outgoing syncs to provide faster synchronization.
  • Branding: Custom branding should now be more consistent on initial load, without flickering.
  • Remote Access Control (RAC) improved documentation: Added content about how to authenticate using a public key and improved the wording and formatting throughout the topic.

New integration guides

An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added to our documentation:

Upgrading

This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our Upgrade documentation.

:::warning When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. :::

Docker Compose

To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:

shell
wget -O docker-compose.yml https://goauthentik.io/version/2025.6/docker-compose.yml
docker compose up -d

The -O flag retains the downloaded file's name, overwriting any existing local file with the same name.

Kubernetes

Upgrade the Helm Chart to the new version, using the following commands:

shell
helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.6

Minor changes/fixes

  • brands: fix CSS Migration not updating brands (#14306)
  • core: fix session migration when old session can't be loaded (#14466)
  • core: fix unable to create group if no enable_group_superuser permission is given (#14510)
  • core: Migrate permissions before deleting OldAuthenticatedSession (#14788)
  • core: Publish web packages. (#14648)
  • core: remove OldAuthenticatedSession content type (#14507)
  • enterprise: fix expired license's users being counted (#14451)
  • enterprise/stages: Add MTLS stage (#14296)
  • enterprise/stages/mtls: improve certificate validation (#14582)
  • enterprise/stages/mtls: update go & web client, fix py client generation (#14576)
  • lib/sync: fix static incorrect label of pages (#14851)
  • lib/sync/outgoing: reduce number of db queries made (#14177)
  • lib/sync/outgoing: sync in parallel (#14697)
  • lifecycle: fix ak dump_config (#14445)
  • lifecycle: fix test-all in docker (#14244)
  • outposts: fix tmpdir in containers not being set (#14444)
  • providers/ldap: retain binder and update users instead of re-creating (#14735)
  • providers/proxy: kubernetes outpost: fix reconcile when ingress class name changed (#14612)
  • providers/rac: apply ConnectionToken scoped-settings last (#14838)
  • rbac: add name to Permissions search (#14269)
  • rbac: fix RoleObjectPermissionTable not showing add_user_to_group (#14312)
  • root: backport SFE Build fix (#14495)
  • root: do not use /bin/bash directly (#14698)
  • root: improve sentry distributed tracing (#14468)
  • root: move forked dependencies to goauthentik org (#14590)
  • root: pin package version in pyproject for dependabot (#14469)
  • root: readme: use right contribution guide link (#14250)
  • root: replace raw.githubusercontent.com by checking out repo (#14567)
  • root: temporarily deactivate database pool option (#14443)
  • sources/kerberos: resolve logger warnings (#14540)
  • sources/ldap: add forward deletion option (#14718)
  • stages/email: fix email scanner voiding token (#14325)
  • tests/e2e: Add E2E tests for Flow SFE (#14484)
  • tests/e2e: add test for authentication flow in compatibility mode (#14392)
  • tests/e2e: fix flaky SAML Source test (#14708)
  • web, website: update browserslist (#14386)
  • web: Add specific Storybook dependency. (#14719)
  • web: Clean up browser-only module imports that crash WebDriverIO. (#14330)
  • web: cleanup/loading attribute always true (#14288)
  • web: Controller refinements, error handling (#14700)
  • Web: Controllers cleanup (#14616)
  • web: fix bug that was causing charts to be too tall (#14253)
  • web: fix description for signing responses in SAML provider (#14573)
  • web: Fix issue where dual select type is not specific. (#14783)
  • web: Fix issue where Storybook cannot resolve styles. (#14553)
  • web: Fix missing Enterprise sidebar entries. (#14615)
  • web: fix regression in subpath support (#14646)
  • web: NPM workspaces (#14274)
  • web: Type Tidy (#14647)
  • web: Use engine available on Github Actions. (#14699)
  • web: Use monorepo package utilities to build packages (#14159)
  • web/admin: Dual select state management, custom event dispatching. (#14490)
  • web/admin: fix enterprise menu display (#14447)
  • web/admin: fix permissions modal button missing for PolicyBindings and FlowStageBindings (#14619)
  • web/admin: Fix sidebar toggle synchronization. (#14487)
  • web/admin: prevent default logo flashing in admin interface (#13960)
  • web/flows: update default flow background (#14769)
  • web/flows/sfe: fix global background image not being loaded (#14442)

Fixed in 2025.6.1

  • providers/proxy: add option to override host header with property mappings (cherry-pick #14927) (#14945)
  • tenants: fix tenant aware celery scheduler (cherry-pick #14921)
  • web/user: fix user settings flow not loading (cherry-pick #14911) (#14930)

Fixed in 2025.6.2

  • brands: fix custom_css being escaped (cherry-pick #14994) (#14996)
  • core: bump django from 5.1.10 to 5.1.11 (cherry-pick #14997) (#15010)
  • core: bump django from 5.1.9 to 5.1.10 (cherry-pick #14951) (#15008)
  • internal/outpost: fix incorrect usage of golang SHA API (cherry-pick #14981) (#14982)
  • providers/rac: fixes prompt data not being merged with connection_settings (cherry-pick #15037) (#15038)
  • stages/email: Only attach logo to email if used (cherry-pick #14835) (#14969)
  • web/elements: fix dual select without sortBy (cherry-pick #14977) (#14979)
  • web/elements: fix typo in localeComparator (cherry-pick #15054) (#15055)

Fixed in 2025.6.3

  • ci: fix CodeQL failing on cherry-pick PRs (cherry-pick #15205) (#15206)
  • ci: fix post-release e2e builds failing (cherry-pick #15082) (#15092)
  • core: bump goauthentik/fips-python from 3.13.3-slim-bookworm-fips to 3.13.5-slim-bookworm-fips in 2025.6 (#15274)
  • core: bump protobuf from 6.30.2 to v6.31.1 (cherry-pick #14894) (#15173)
  • core: bump requests from 2.32.3 to v2.32.4 (cherry-pick #15129) (#15135)
  • core: bump tornado from 6.4.2 to v6.5.1 (cherry-pick #15100) (#15116)
  • core: bump urllib3 from 2.4.0 to v2.5.0 (cherry-pick #15131) (#15174)
  • security: fix CVE-2025-52553 (cherry-pick #15289) (#15290)
  • sources/ldap: fix sync on empty groups (cherry-pick #15158) (#15171)
  • stages/user_login: fix session binding logging (#15175)
  • web/elements: Add light mode custom css handling (cherry-pick #14944) (#15096)
  • web/elements: typing error when variables are not converted to string (cherry-pick #15169) (#15222)
  • web/user: fix infinite loop when no user settings flow is set (cherry-pick #15188) (#15192)

Fixed in 2025.6.4

  • web/elements: fix table search not resetting page when query changes (cherry-pick #15324) (#15326)
  • core: fix missing serializer on AuthenticatedSession (cherry-pick #15323) (#15365)
  • core: fix set_token_key permission not declared (cherry-pick #15384) (#15391)
  • providers/proxy: fix ingress-nginx proxy buffer size annotations (cherry-pick #15506) by (#15507)
  • providers/radius: set message authenticator (cherry-pick #15635) (#15665)

API Changes

What's New

GET /stages/mtls/
POST /stages/mtls/
GET /stages/mtls/{stage_uuid}/
PUT /stages/mtls/{stage_uuid}/
DELETE /stages/mtls/{stage_uuid}/
PATCH /stages/mtls/{stage_uuid}/
GET /stages/mtls/{stage_uuid}/used_by/

What's Changed

GET /core/brands/{brand_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property client_certificates (array)

      Certificates used for client authentication.

      Items (string):

PUT /core/brands/{brand_uuid}/
Request:

Changed content type : application/json

  • Added property client_certificates (array)

    Certificates used for client authentication.

Return Type:

Changed response : 200 OK

  • Changed content type : application/json
    • Added property client_certificates (array)

      Certificates used for client authentication.

PATCH /core/brands/{brand_uuid}/
Request:

Changed content type : application/json

  • Added property client_certificates (array)

    Certificates used for client authentication.

Return Type:

Changed response : 200 OK

  • Changed content type : application/json
    • Added property client_certificates (array)

      Certificates used for client authentication.

GET /policies/event_matcher/{policy_uuid}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property app (string)

      Match events created by selected application. When left empty, all applications are matched.

      Added enum value:

      • authentik.enterprise.stages.mtls

    • Changed property model (string)

      Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

      Added enum value:

      • authentik_stages_mtls.mutualtlsstage
PUT /policies/event_matcher/{policy_uuid}/
Request:

Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Added enum value:

    • authentik.enterprise.stages.mtls

  • Changed property model (string)

    Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

    Added enum value:

    • authentik_stages_mtls.mutualtlsstage
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property app (string)

      Match events created by selected application. When left empty, all applications are matched.

      Added enum value:

      • authentik.enterprise.stages.mtls

    • Changed property model (string)

      Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

      Added enum value:

      • authentik_stages_mtls.mutualtlsstage
PATCH /policies/event_matcher/{policy_uuid}/
Request:

Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Added enum value:

    • authentik.enterprise.stages.mtls

  • Changed property model (string)

    Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

    Added enum value:

    • authentik_stages_mtls.mutualtlsstage
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property app (string)

      Match events created by selected application. When left empty, all applications are matched.

      Added enum value:

      • authentik.enterprise.stages.mtls

    • Changed property model (string)

      Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

      Added enum value:

      • authentik_stages_mtls.mutualtlsstage
POST /core/brands/
Request:

Changed content type : application/json

  • Added property client_certificates (array)

    Certificates used for client authentication.

Return Type:

Changed response : 201 Created

  • Changed content type : application/json
    • Added property client_certificates (array)

      Certificates used for client authentication.

GET /core/brands/
Parameters:

Added: client_certificates in query

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Brand Serializer

      • Added property client_certificates (array)

        Certificates used for client authentication.

POST /policies/event_matcher/
Request:

Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Added enum value:

    • authentik.enterprise.stages.mtls

  • Changed property model (string)

    Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

    Added enum value:

    • authentik_stages_mtls.mutualtlsstage
Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Changed property app (string)

      Match events created by selected application. When left empty, all applications are matched.

      Added enum value:

      • authentik.enterprise.stages.mtls

    • Changed property model (string)

      Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

      Added enum value:

      • authentik_stages_mtls.mutualtlsstage
GET /policies/event_matcher/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > Event Matcher Policy Serializer

      • Changed property app (string)

        Match events created by selected application. When left empty, all applications are matched.

        Added enum value:

        • authentik.enterprise.stages.mtls

      • Changed property model (string)

        Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

        Added enum value:

        • authentik_stages_mtls.mutualtlsstage
POST /rbac/permissions/assigned_by_roles/{uuid}/assign/
Request:

Changed content type : application/json

  • Changed property model (string)

    Added enum value:

    • authentik_stages_mtls.mutualtlsstage
PATCH /rbac/permissions/assigned_by_roles/{uuid}/unassign/
Request:

Changed content type : application/json

  • Changed property model (string)

    Added enum value:

    • authentik_stages_mtls.mutualtlsstage
POST /rbac/permissions/assigned_by_users/{id}/assign/
Request:

Changed content type : application/json

  • Changed property model (string)

    Added enum value:

    • authentik_stages_mtls.mutualtlsstage
PATCH /rbac/permissions/assigned_by_users/{id}/unassign/
Request:

Changed content type : application/json

  • Changed property model (string)

    Added enum value:

    • authentik_stages_mtls.mutualtlsstage
GET /sources/ldap/{slug}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json
    • Added property delete_not_found_objects (boolean)

      Delete authentik users and groups which were previously supplied by this source, but are now missing from it.

PUT /sources/ldap/{slug}/
Request:

Changed content type : application/json

  • Added property delete_not_found_objects (boolean)

    Delete authentik users and groups which were previously supplied by this source, but are now missing from it.

Return Type:

Changed response : 200 OK

  • Changed content type : application/json
    • Added property delete_not_found_objects (boolean)

      Delete authentik users and groups which were previously supplied by this source, but are now missing from it.

PATCH /sources/ldap/{slug}/
Request:

Changed content type : application/json

  • Added property delete_not_found_objects (boolean)

    Delete authentik users and groups which were previously supplied by this source, but are now missing from it.

Return Type:

Changed response : 200 OK

  • Changed content type : application/json
    • Added property delete_not_found_objects (boolean)

      Delete authentik users and groups which were previously supplied by this source, but are now missing from it.

GET /rbac/permissions/assigned_by_roles/
Parameters:

Changed: model in query

GET /rbac/permissions/assigned_by_users/
Parameters:

Changed: model in query

POST /sources/ldap/
Request:

Changed content type : application/json

  • Added property delete_not_found_objects (boolean)

    Delete authentik users and groups which were previously supplied by this source, but are now missing from it.

Return Type:

Changed response : 201 Created

  • Changed content type : application/json
    • Added property delete_not_found_objects (boolean)

      Delete authentik users and groups which were previously supplied by this source, but are now missing from it.

GET /sources/ldap/
Parameters:

Added: delete_not_found_objects in query

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > LDAP Source Serializer

      • Added property delete_not_found_objects (boolean)

        Delete authentik users and groups which were previously supplied by this source, but are now missing from it.