Skip to main content

Release 2025.10

Highlights

  • SAML and OAuth2 provider Single Logout support: This release adds support for back-channel and front-channel SLO for SAML and front-channel for OAuth2/OIDC.
  • Removed Redis dependency: authentik no longer uses Redis at all.
  • Telegram source: Telegram can now be used for social login.
  • SCIM provider OAuth support: Enterprise SCIM providers can use OAuth providers to authenticate to SCIM endpoints.
  • RADIUS EAP-TLS Support: Enterprise The RADIUS provider now supports EAP-TLS, which can be used to authenticate WiFi clients.

Breaking changes

Redis removal

In previous versions, authentik used Redis for caching, tasks, the embedded proxy outpost's session store, and WebSocket connections. Since 2025.8, tasks were migrated to use Postgres. With this release we've also migrated caching, the embedded outpost, and WebSocket to Postgres, fully removing the need for Redis.

As a result of this change, it is expected that authentik will use roughly 50% more database connections to Postgres. Redis-related settings have also been removed and can be deleted from your configuration.

If your Postgres instance requires a TLS connection, authentik now requires TLS 1.3 or the Extended Master Secret extension to connect to Postgres.

Default OAuth scope mappings

In previous releases with the default scope mappings, we set the email_verified claim to true. As we don't have a single source of whether a users' email is verified or not, and claiming that it is verified could lead to security implications, this claim has been corrected to false.

Some applications may require this claim to be true to successfully authenticate users, in which case you can create a custom email scope mapping that returns email_verified as true.

New features and improvements

SCIM provider OAuth support Enterprise

SCIM providers can now use OAuth sources to authenticate to SCIM endpoints. This requires support in the remote system for OAuth authentication. Using an OAuth source provides improved security due to not requiring long-lived static tokens.

This is supported by applications such as Slack and Salesforce.

See SCIM Provider documentation for more details.

RADIUS EAP-TLS support Enterprise

The RADIUS outpost can now support EAP-TLS which allows for client authentication using certificates with the Mutual TLS stage.

See RADIUS Provider documentation.

SAML and OAuth2 provider Single Logout support

In 2025.8 we've introduced support for back-channel logout in the OAuth2 Provider. This release adds support for front-channel logout in the OAuth2 Provider and both back- and front-channel logout support in the SAML Provider.

See OAuth2 Provider documentation and SAML Provider documentation.

Telegram source

Being one of the most upvoted GitHub issues, we've finally done it. Telegram can now be used as a federated identity provider in authentik. This allows users to authenticate with their Telegram credentials.

See Telegram Source documentation.

Refined flow and user library

The flow interface now fits better on mobile devices/small viewports and looks sharper on HiDPi devices. There are also improvements for auto-completion during credential input (thanks to @cjoshmartin!). The user library has improved scaling and makes better use of space with a higher density.

Additional noteworthy improvements

  • Credential provider: Alpha releases of desktop integrations are now available for testing; reach out to hello@goauthentik.io if you are interested in providing early feedback for any of these:
    • Windows: a custom credential provider allowing custom authentication flows.
    • macOS: a Platform SSO integration allowing seamless authentication.
    • Linux: accessing Linux servers via an authentik identity.
  • Add ak_send_email: Allow for easier sending of emails in expressions; see ak_send_email.
  • Change recovery token duration: When using ak create_recovery_key, the duration is now set in minutes instead of years.
  • Add OIDC ui_locales support: The OAuth2 provider now accepts ui_locales to set the locale of authentik.
  • Add support for separate labels and values in prompt choice inputs, see Prompt stage documentation; thanks to @ErikAhlund!

New integration guides

An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added.

Upgrading

Following the upgrade instructions below will remove Redis from your installation. If you use authentik with an externally configured Redis, you can simply remove the Redis configuration from authentik; for more detailed information about upgrading authentik, refer to our Upgrade documentation.

warning

When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance.

Docker Compose

To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:

wget -O docker-compose.yml https://goauthentik.io/version/2025.10/docker-compose.yml
docker compose up -d --remove-orphans

The -O flag retains the downloaded file's name, overwriting any existing local file with the same name.

The --remove-orphans flag removes the Redis container as its no longer needed.

Kubernetes

Upgrade the Helm Chart to the new version, using the following commands:

helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.10

If you had persistence for Redis configured, you can delete the PVC and PV after the upgrade.

Minor changes/fixes

  • *: add ruff BLE rules (#16943)
  • *: Fix dead doc link (#16288)
  • *: remove Redis leftovers (#17146)
  • */bindings: order by pk (#17027)
  • api: Clean schema up more (#17055)
  • api: Fix locale propagation from ?locale parameter in frontend (#16857)
  • api: optimise schemas' common query parameters (#16884)
  • blueprints: ensure tasks retry on database errors (#17333)
  • blueprints: exclude exporting UserConsent (#16640)
  • blueprints: fix email address verified by default (#16206)
  • blueprints: fix typo in sources-google-ldap-mappings (#16955)
  • blueprints: regenerate schema (#17365)
  • brands: revert sort matched brand by match length (revert #15413) (#16233)
  • cmd/server/healthcheck: info log success instead of debug (#17093)
  • core, events: reduce memory usage when batch deleting objects (#12436)
  • core: Add ak_send_email function in expression context (#16941)
  • core: Add email template selector (#16170)
  • core: add index on Group.is_superuser (#17011)
  • core: Add input validation for service account creation (#16964)
  • core: add QL for groups (#17527)
  • core: Block usage of Django's createsuperuser (#16215)
  • core: fix absolute and relative path file uploads (#17269)
  • core: fix application and source's fa:// icon (#17416)
  • core: fix client-side only validation allowing admin to set blank user password (#16467)
  • core: fix description on remove_user_from_group (#16694)
  • core: Fix middleware race condition induced crash (#16705)
  • core: Fix typo (#16560)
  • core: Include region comments in VSCode Minimap. (#16667)
  • core: Mark impersonation reason field as required in UI and fix status codes (#16065)
  • core: Normalize NPM script arguments. (#16725)
  • core: update_attributes: only update the model if attributes changed (#16322)
  • core: use email backend for test_email management command (#16311)
  • core/api: Better naming for partial user/group serializer, optimise bindings (#17022)
  • enterprise/providers/gws+entra: fix group integrity error during discovery (#17355)
  • enterprise/providers/gws+entra: fix integrity error during discovery (#17341)
  • enterprise/providers/radius: add EAP-TLS support (#15702)
  • enterprise/providers/scim: Add SCIM OAuth support (#16903)
  • enterprise/stages/mtls: Improve Email address extraction (#17068)
  • events: remove deprecated models (#15823)
  • flows: redirect to next when accessing an unapplicable authentication flow while already authenticated (#17243)
  • flows: SessionEndStage: only show page if user is still authenticated (#17003)
  • lib: import ExceptionDictTransformer from structlog.tracebacks (#17526)
  • lib: match exception_to_dict locals behaviour (#17006)
  • lib: small type hinting improvements (#17528)
  • lib/config: fix listen settings (#17005)
  • lib/logging: only show locals when in debug mode (#16772)
  • lib/sync: fix missing f for string (#16423)
  • lib/sync: revert breaking type change (#17553)
  • lib/sync/outgoing: fix single object sync timeout (#16447)
  • lib/sync/outgoing: revert reduce number of db queries made (revert #14177) (#17306)
  • lifecycle: fix permission error when running worker as root (#16735)
  • lifecycle: fix PROMETHEUS_MULTIPROC_DIR missing suffix (#16401)
  • lifecycle: set PROMETHEUS_MULTIPROC_DIR as early as possible (#16298)
  • outpost: proxyv2: Use Postgres for the Embedded Outpost (#16628)
  • outpost/proxyv2: postgresstore: credential refresh (#17414)
  • outpost/proxyv2: postgresstore: db/pool/misc cleanup and enhancement (#17511)
  • outposts: allow ingress path type configuration (#16339)
  • outposts: fix flow executor when using subpath (#16947)
  • outposts: fix service connection update task arguments (#16312)
  • outposts/ldap: add pwdChangeTime attribute (#17010)
  • packages/django-channels-postgres: compression and connection pool (#17303)
  • packages/django-channels-postgres: init (#17247)
  • packages/django-channels-postgres/layer: fix connection deadlock (#17270)
  • packages/django-dramatiq-postgres: broker: fix new messages not being picked up when too many messages are waiting (#17106)version-2025.8) (#17108)
  • packages/django-dramatiq-postgres: broker: fix task expiration (#17178)
  • packages/django-dramatiq-postgres: broker: fix various timing issues (#16340)
  • packages/django-dramatiq-postgres: broker: task retrieval fixes and improvements (#17335)
  • packages/django-dramatiq-postgres: fix error when updating task with no changes (#16728)
  • packages/django-dramatiq-postgres: middleware: fix listening on hosts where ipv6 is not supported (#16308)
  • packages/django-dramatiq-postgres: typing (#16978)
  • packages/django-postgres-cache: Initial implementation of postgres cache (#16653)
  • policies: remove object pk from authentik_policies_execution_time to reduce cardinality (#16500)
  • policies/password: Fix amount_uppercase in password policy check (#16197)
  • policies/reputation: update reputation in a single query (#17529)
  • providers/ldap: add include_children parameter to cached search mode (#16918)
  • providers/oauth2: add missing exp claim for logout token (#16593)
  • providers/oauth2: add ui_locales support for OIDC (#17140)
  • providers/oauth2: allow setting logout method always (#17470)
  • providers/oauth2: avoid deadlock during session migration (#16361)
  • providers/oauth2: fix authentication error with identical app passwords (#17100)
  • providers/oauth2: fix logout token missing sid, fix wrong sub mode used (#16295)
  • providers/oauth2: include scope in JWT (#16454)
  • providers/oauth2: only issue new refresh token if old one is about to expire (#16905)
  • providers/proxy: fix missing postgres import (#17582)
  • providers/rac: bump guacd to 1.6 (#17392)
  • providers/rac: fix AuthenticatedSession migration (#16400)
  • providers/rac: remove autobahn import (#17224)
  • providers/saml: add frontchannel idp slo, backchannel post idp slo (#15863)
  • providers/saml: fix timezone naive warning (#17382)
  • providers/scim: add salesforce support (#16976)
  • providers/scim: fix string formatting for SCIM user filter (#16465)
  • providers/scim: improve error message when object fails to sync (#16625)
  • rbac: assign InitialPermissions in a middleware (#16138)
  • rbac: fix role search fields (#17305)
  • rbac: fix typo (#16476)
  • rbac: optimize rbac assigned by users query (#17015)
  • readme: Remove Docker pulls badge (#16707)
  • recovery: Default to 60 minutes (#16005)
  • router: fix missing response headers on compressed 404 for static files (#16216)
  • sources: add Telegram source (#15749)
  • sources/ldap: fix malformed filter error with special characters in group DN (#16243)
  • sources/oauth: add support for login support if source was started within a flow executor (#16982)
  • sources/oauth: configurable PKCE mode (#17487)
  • sources/oauth/entra_id: do not assume group_id comes from entra (#16456)
  • sources/saml: add default error messages to exceptions (#15562)
  • sources/saml: add location selection for Signature node (#15626)
  • stages: update friendly_name model from null to blank (#16672)
  • stages/authenticator_duo: Add test to fix codecov error (#16257)
  • stages/authenticator_duo: return generic error message (#16194)
  • stages/email_authenticator: Fix email mfa loop (#16579)
  • stages/identification: fix mismatched error messages (#17090)
  • stages/prompt: add ability to set separate labels and values for choices (#16693)
  • stages/user_login: add user to query (#17171)
  • stages/user_write: fix attribute path replacement (#17507)
  • tasks: add preprocess, running and postprocess statuses (#17297)
  • tasks: add rel_obj to system task exception event (#16270)
  • tasks: add sentry dramatiq integration (#16167)
  • tasks: add task status summary (#17302)
  • tasks: fix errors found in tests (#17062)
  • tasks: fix logger name (#17009)
  • tasks: fix status and healthcheck breaking with connection issues (#16504)
  • tasks: only set tenant on task creation (#17358)
  • tasks: reduce default number of retries and max backoff (#17107)
  • tasks: set uid early (#17356)
  • tasks: show number of retries and planned execution time (#17295)
  • tasks: store messages in separate table (#17359)
  • tasks/middlewares/messages: make sure exceptions are always logged (#17237)
  • tasks/schedules: fix api search fields (#16405)
  • tasks/schedules: upsert instead of update_or_create (#17534)
  • tests/e2e: fix ldap tests following #17010 (#17021)
  • tests/e2e: less hardcoded names (#17047)
  • tests/e2e: switch chrome for chromium (#17407)
  • web: Add disabled radio styles. (#17026)
  • web: Additional text field properties, ARIA fixes (#17115)
  • web: ak-status-label: add neutral status (#16064)
  • web: Apply consistent background color when input is disabled or readonly. (#17105)
  • web: Automatic reload during server start up. (#16030)
  • web: Clean up render interfaces. (#16031)
  • web: Do not mark Attributes as a mandatory field (#16004)
  • web: Docker versioning compatibility (#16139)
  • web: fix "Explore integrations" link in Quick actions (#16274)
  • web: Fix ak-flow-card footer alignment. (#16236)
  • web: Fix avatar image load flash. (#17220)
  • web: Fix behavior for modals configured with closeAfterSuccessfulSubmit (#17277)
  • web: Fix card alignment, slotting, labeling (#17307)
  • web: Fix default RADIUS EAP-TLS cert without license. (#17152)
  • web: Fix docs links, a11y input descriptors (#16671)
  • web: Fix flow autofocus element targeting. (#17255)
  • web: Fix flow view title setter. (#17245)
  • web: Fix hidden textarea required attribute. (#16168)
  • web: Fix issue where clicking a list item scrolls container. (#16174)
  • web: Fix issue where form group uses unknown slot. (#16276)
  • web: Fix layout class for 'row' in LibraryPage (#16752)
  • web: Fix low DPI on QR Codes. (#17251)
  • web: Fix native icon colors when using dark theme. (#17118)
  • web: Fix nested table column span behavior. (#17177)
  • web: Fix numeric values in search select inputs, search input fixes (#16928)
  • web: Fix Recent Events toolbar height. (#17172)
  • web: Fix reported error precedence (#16231)
  • web: Fix skip-to-content element target, order. (#17030)
  • web: Fix tab theme consistency, table overflow. (#17222)
  • web: Fix table child alignment (#17114)
  • web: Fix table column updates, template parsing (#17254)
  • web: Fixed null lastUsed and autofocus on TOTP login field (#16739)
  • web: Flow fixes -- Captchas, form states, compatibility mode. (#17226)
  • web: Flush logs on SIGINT. (#16723)
  • web: Ignore spellchecking of Playwright output. (#16862)
  • web: Improvements to ReCaptcha resizing (#16171)
  • web: Minimal mobile flow (#17280)
  • web: Minimal mobile flow, revisions (#17310)
  • web: Remove brand column. (#17173)
  • web: Remove CSS constructor polyfill. (#16920)
  • web: Remove deprecated node:path polyfill. (#16702)
  • web: Replace Github Slugger package with change-case. (#16921)
  • web: Report unregistered elements. (#17025)
  • web: Responsive toolbar flow (#17278)
  • web: revert bump the swc group across 1 directory with 11 updates (#17113)
  • web: revise ak-page-navbar to use standard event handlers (#16898)
  • web: saml provider view: fix state refresh issues (#14474)
  • web: Table refresh timestamp. (#17145)
  • web: Use curated dictionary for e2e fixtures. (#16750)
  • web: Use embedded layout. (#16481)
  • web: Use Pino console logger, reduce live reload noise. (#16703)
  • web: User library UI fixes (#17376)
  • web: Username truncation, field alignment. (#16283)
  • web/a11y: Accessible scrollbars. (#17253)
  • web/a11y: Admin overview regions. (#17170)
  • web/a11y: Associating labels with inputs (#16119)
  • web/a11y: Brand form (#16011)
  • web/a11y: Codemirror (#16010)
  • web/a11y: File Inputs (#16038)
  • web/a11y: Fix "skip to content" target. (#17510)
  • web/a11y: Fix dark theme color contrast (#17144)
  • web/a11y: Fix missing screen reader class on fieldset legends. (#17298)
  • web/a11y: Flow inspector. (#17271)
  • web/a11y: Flow Search (#15876)
  • web/a11y: Flow Stages (#17273)
  • web/a11y: Notifications drawer (#17031)
  • web/a11y: QL Search Input (#16198)
  • web/a11y: Status label (#17148)
  • web/a11y: Table header -- Fix pagination jitter, prepare alignment (#17116)
  • web/a11y: Table header -- Search input (#17117)
  • web/a11y: Tables -- labels, input handlers, selection and expanded state (#16207)
  • web/a11y: Text Input (#16041)
  • web/a11y: Tree view (#17147)
  • web/a11y: User library (#17311)
  • web/a11y: User settings flow. (#17219)
  • web/admin: Add link to the docs in the import flow dialog (#17436)
  • web/admin: allow blank value for User path template in User Write Stage (#16347)
  • web/admin: Fix disappearing "Create" button in service account modal (#16963)
  • web/admin: fix federation sources automatically selected (#17069)
  • web/admin: fix incorrect placeholder for scim provider (#17308)
  • web/admin: fix settings saving (#16184)
  • web/admin: providers/rac: improve host field hint (#16443)
  • web/admin: remove maxlength on user display name (#17412)
  • web/admin: rework task status summary (#17337)
  • web/e2e: Playwright end-to-end test runner (#16014)
  • web/e2e: User creation (#17149)
  • web/flow: small layout fixes (#17551)
  • web/flows: fix card alignment (#17332)
  • web/flows: only disable login button when interactive captcha is configured and not loaded (#16586)
  • web/flows: update default flow background (#17315)
  • web/maintenance: typo in icon class (#16371)

API Changes

What's Changed

GET /providers/google_workspace/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property sync_page_size (integer)

      Controls the number of objects synced in a single task

    • Added property sync_page_timeout (string)

      Timeout for synchronization of a single page

PUT /providers/google_workspace/{id}/
Request:

Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property sync_page_size (integer)

      Controls the number of objects synced in a single task

    • Added property sync_page_timeout (string)

      Timeout for synchronization of a single page

PATCH /providers/google_workspace/{id}/
Request:

Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property sync_page_size (integer)

      Controls the number of objects synced in a single task

    • Added property sync_page_timeout (string)

      Timeout for synchronization of a single page

GET /providers/microsoft_entra/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property sync_page_size (integer)

      Controls the number of objects synced in a single task

    • Added property sync_page_timeout (string)

      Timeout for synchronization of a single page

PUT /providers/microsoft_entra/{id}/
Request:

Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property sync_page_size (integer)

      Controls the number of objects synced in a single task

    • Added property sync_page_timeout (string)

      Timeout for synchronization of a single page

PATCH /providers/microsoft_entra/{id}/
Request:

Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property sync_page_size (integer)

      Controls the number of objects synced in a single task

    • Added property sync_page_timeout (string)

      Timeout for synchronization of a single page

GET /providers/scim/{id}/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property sync_page_size (integer)

      Controls the number of objects synced in a single task

    • Added property sync_page_timeout (string)

      Timeout for synchronization of a single page

PUT /providers/scim/{id}/
Request:

Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property sync_page_size (integer)

      Controls the number of objects synced in a single task

    • Added property sync_page_timeout (string)

      Timeout for synchronization of a single page

PATCH /providers/scim/{id}/
Request:

Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Added property sync_page_size (integer)

      Controls the number of objects synced in a single task

    • Added property sync_page_timeout (string)

      Timeout for synchronization of a single page

POST /providers/google_workspace/
Request:

Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Added property sync_page_size (integer)

      Controls the number of objects synced in a single task

    • Added property sync_page_timeout (string)

      Timeout for synchronization of a single page

GET /providers/google_workspace/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > GoogleWorkspaceProvider Serializer

      • Added property sync_page_size (integer)

        Controls the number of objects synced in a single task

      • Added property sync_page_timeout (string)

        Timeout for synchronization of a single page

POST /providers/microsoft_entra/
Request:

Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Added property sync_page_size (integer)

      Controls the number of objects synced in a single task

    • Added property sync_page_timeout (string)

      Timeout for synchronization of a single page

GET /providers/microsoft_entra/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > MicrosoftEntraProvider Serializer

      • Added property sync_page_size (integer)

        Controls the number of objects synced in a single task

      • Added property sync_page_timeout (string)

        Timeout for synchronization of a single page

POST /providers/scim/
Request:

Changed content type : application/json

  • Added property sync_page_size (integer)

    Controls the number of objects synced in a single task

  • Added property sync_page_timeout (string)

    Timeout for synchronization of a single page

Return Type:

Changed response : 201 Created

  • Changed content type : application/json

    • Added property sync_page_size (integer)

      Controls the number of objects synced in a single task

    • Added property sync_page_timeout (string)

      Timeout for synchronization of a single page

GET /providers/scim/
Return Type:

Changed response : 200 OK

  • Changed content type : application/json

    • Changed property results (array)

      Changed items (object): > SCIMProvider Serializer

      • Added property sync_page_size (integer)

        Controls the number of objects synced in a single task

      • Added property sync_page_timeout (string)

        Timeout for synchronization of a single page

PUT /core/transactional/applications/
Request:

Changed content type : application/json

  • Changed property provider (object)

    Updated authentik_providers_microsoft_entra.microsoftentraprovider provider_model:

    • Added property sync_page_size (integer)

      Controls the number of objects synced in a single task

    • Added property sync_page_timeout (string)

      Timeout for synchronization of a single page

    Updated authentik_providers_google_workspace.googleworkspaceprovider provider_model:

    • Added property sync_page_size (integer)

      Controls the number of objects synced in a single task

    • Added property sync_page_timeout (string)

      Timeout for synchronization of a single page

    Updated authentik_providers_scim.scimprovider provider_model:

    • Added property sync_page_size (integer)

      Controls the number of objects synced in a single task

    • Added property sync_page_timeout (string)

      Timeout for synchronization of a single page