goauthentik · BeryJu · Sep 23, 2024 · Sep 16, 2024 · Sep 23, 2024 · Sep 23, 2024
@@ -2,11 +2,7 @@
 title: Export
 ---
 
-## Global export
-
-:::info
-Requires authentik 2022.8.2
-:::
+## Global export <span class="badge badge--version">authentik 2022.8.2+</span>
 
 To migrate existing configurations to blueprints, run `ak export_blueprint` within any authentik Worker container. This will output a blueprint for most currently created objects. Some objects will not be exported as they might have dependencies on other things.
 

@@ -2,9 +2,9 @@
 title: Blueprints
 ---
 
-:::info
-Requires authentik 2022.8
-:::
+<span class="badge badge--version">authentik 2022.8+</span>
+
+---
 
 Blueprints offer a new way to template, automate and distribute authentik configuration. Blueprints can be used to automatically configure instances, manage config as code without any external tools, and to distribute application configs.
 
@@ -58,11 +58,7 @@ To push a blueprint to an OCI-compatible registry, [ORAS](https://oras.land/) ca
 oras push ghcr.io/<username>/blueprint/<blueprint name>:latest <yaml file>:application/vnd.goauthentik.blueprint.v1+yaml
 ```
 
-## Storage - Internal
-
-:::info
-Requires authentik 2023.1
-:::
+## Storage - Internal <span class="badge badge--version">authentik 2023.1+</span>
 
 Blueprints can be stored in authentik's database, which allows blueprints to be managed via external configuration management tools like Terraform.
 

@@ -4,11 +4,7 @@ Some models behave differently and allow for access to different API fields when
 
 ## `authentik_core.token`
 
-### `key`
-
-:::info
-Requires authentik 2023.4
-:::
+### `key` <span class="badge badge--version">authentik 2023.4+</span>
 
 Via the standard API, a token's key cannot be changed, it can only be rotated. This is to ensure a high entropy in it's key, and to prevent insecure data from being used. However, when provisioning tokens via a blueprint, it may be required to set a token to an existing value.
 
@@ -30,11 +26,7 @@ For example:
 
 ## `authentik_core.user`
 
-### `password`
-
-:::info
-Requires authentik 2023.6
-:::
+### `password` <span class="badge badge--version">authentik 2023.6+</span>
 
 Via the standard API, a user's password can only be set via the separate `/api/v3/core/users/<id>/set_password/` endpoint. In blueprints, the password of a user can be set using the `password` field.
 
@@ -53,11 +45,7 @@ For example:
       password: this-should-be-a-long-value
 ```
 
-### `permissions`
-
-:::info
-Requires authentik 2024.8
-:::
+### `permissions` <span class="badge badge--version">authentik 2024.8+</span>
 
 The `permissions` field can be used to set global permissions for a user. A full list of possible permissions is included in the JSON schema for blueprints.
 
@@ -75,11 +63,7 @@ For example:
 
 ## `authentik_core.application`
 
-### `icon`
-
-:::info
-Requires authentik 2023.5
-:::
+### `icon` <span class="badge badge--version">authentik 2023.5+</span>
 
 Application icons can be directly set to URLs with the `icon` field.
 
@@ -97,11 +81,7 @@ For example:
 
 ## `authentik_sources_oauth.oauthsource`, `authentik_sources_saml.samlsource`, `authentik_sources_plex.plexsource`
 
-### `icon`
-
-:::info
-Requires authentik 2023.5
-:::
+### `icon` <span class="badge badge--version">authentik 2023.5+</span>
 
 Source icons can be directly set to URLs with the `icon` field.
 
@@ -119,11 +99,7 @@ For example:
 
 ## `authentik_flows.flow`
 
-### `icon`
-
-:::info
-Requires authentik 2023.5
-:::
+### `icon` <span class="badge badge--version">authentik 2023.5+</span>
 
 Flow backgrounds can be directly set to URLs with the `background` field.
 
@@ -143,11 +119,7 @@ For example:
 
 ## `authentik_rbac.role`
 
-### `permissions`
-
-:::info
-Requires authentik 2024.8
-:::
+### `permissions` <span class="badge badge--version">authentik 2024.8+</span>
 
 The `permissions` field can be used to set global permissions for a role. A full list of possible permissions is included in the JSON schema for blueprints.
 

@@ -29,11 +29,7 @@ user = list_flatten(["foo"])
 # user = "foo"
 ```
 
-### `ak_call_policy(name: str, **kwargs) -> PolicyResult`
-
-:::info
-Requires authentik 2021.12
-:::
+### `ak_call_policy(name: str, **kwargs) -> PolicyResult` <span class="badge badge--version">authentik 2021.12+</span>
 
 Call another policy with the name _name_. Current request is passed to policy. Key-word arguments
 can be used to modify the request's context.
@@ -74,11 +70,7 @@ Example:
 other_user = ak_user_by(username="other_user")
 ```
 
-### `ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool` (2021.9+)
-
-:::info
-Only available in property mappings with authentik 2022.9 and newer
-:::
+### `ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool` <span class="badge badge--version">authentik 2022.9+</span>
 
 Check if a user has any authenticator devices. Only fully validated devices are counted.
 
@@ -95,11 +87,7 @@ Example:
 return ak_user_has_authenticator(request.user)
 ```
 
-### `ak_create_event(action: str, **kwargs) -> None`
-
-:::info
-Requires authentik 2022.9
-:::
+### `ak_create_event(action: str, **kwargs) -> None` <span class="badge badge--version">authentik 2022.9+</span>
 
 Create a new event with the action set to `action`. Any additional key-word parameters will be saved in the event context. Additionally, `context` will be set to the context in which this function is called.
 
@@ -124,11 +112,7 @@ ip_address('192.0.2.1') in ip_network('192.0.2.0/24')
 # evaluates to True
 ```
 
-## DNS resolution and reverse DNS lookups
-
-:::note
-Requires authentik 2023.3 or higher
-:::
+## DNS resolution and reverse DNS lookups <span class="badge badge--version">authentik 2023.3+</span>
 
 To resolve a hostname to a list of IP addresses, use the functions `resolve_dns(hostname)` and `resolve_dns(hostname, ip_version)`.
 

@@ -60,7 +60,7 @@ When an unauthenticated user attempts to access a secured resource, they are red
 
 When a user authenticates/enrolls via an external source, this will be set to the source they are using.
 
-#### `outpost` (dictionary) <span class="badge badge--info">authentik 2024.10+</span>
+#### `outpost` (dictionary) <span class="badge badge--version">authentik 2024.10+</span>
 
 When a flow is executed by an Outpost (for example the [LDAP](../../providers/ldap/index.md) or [RADIUS](../../providers/radius/index.mdx)), this will be set to a dictionary containing the Outpost instance under the key `"instance"`.
 
@@ -92,11 +92,7 @@ URL that the form will be submitted to.
 
 Key-value pairs of the data that is included in the form and will be submitted to `url`.
 
-#### Captcha stage
-
-:::info
-Requires authentik 2024.6
-:::
+#### Captcha stage <span class="badge badge--version">authentik 2024.6+</span>
 
 ##### `captcha` (dictionary)
 
@@ -116,11 +112,7 @@ An optional list of all permissions that will be given to the application by gra
 
 #### Deny stage
 
-##### `deny_message` (string)
-
-:::info
-Requires authentik 2023.10
-:::
+##### `deny_message` (string) <span class="badge badge--version">authentik 2023.10+</span>
 
 Optionally overwrite the deny message shown, has a higher priority than the message configured in the stage.
 
@@ -136,11 +128,7 @@ If set, this must be a list of group objects and not group names.
 
 Path the `pending_user` will be written to. If not set in the flow, falls back to the value set in the user_write stage, and otherwise to the `users` path.
 
-##### `user_type` (string)
-
-:::info
-Requires authentik 2023.10
-:::
+##### `user_type` (string) <span class="badge badge--version">authentik 2023.10+</span>
 
 Type the `pending_user` will be created as. Must be one of `internal`, `external` or `service_account`.
 

@@ -2,11 +2,7 @@
 title: Example policy snippets for flows
 ---
 
-### Redirect current flow to another URL
-
-:::info
-Requires authentik 2022.7
-:::
+### Redirect current flow to another URL <span class="badge badge--version">authentik 2022.7+</span>
 
 ```python
 plan = request.context.get("flow_plan")

@@ -2,7 +2,7 @@
 title: Simplified flow executor
 ---
 
-<span class="badge badge--info">authentik 2024.6.1+</span>
+<span class="badge badge--version">authentik 2024.6.1+</span>
 
 A simplified web-based flow executor that authentik automatically uses for older browsers that do not support modern web technologies.
 

@@ -2,9 +2,9 @@
 title: User settings
 ---
 
-:::info
-Requires authentik 2022.3
-:::
+<span class="badge badge--version">authentik 2023.3+</span>
+
+---
 
 The user interface (/if/user/) uses a specialized flow executor to allow individual users to customize their profile. A user's profile consists of key/value fields, so this executor only supports Prompt or User Write stages. If the configured flow contains another stage, a button will be shown to open the default executor.
 

@@ -10,25 +10,17 @@ Copy all of the integration key, secret key and API hostname, and paste them in
 
 Devices created reference the stage they were created with, since the API credentials are needed to authenticate. This also means when the stage is deleted, all devices are removed.
 
-## Importing users
+## Importing users <span class="badge badge--version">authentik 2022.9+</span>
 
 :::info
 Due to the way the Duo API works, authentik can only automatically import existing Duo users when a Duo MFA or higher license is active.
 :::
 
-:::info
-This requires authentik 2022.9
-:::
-
 To import a device, open the Stages list in the authentik Admin interface. On the right next to the import button you'll see an import button, with which you can import Duo devices to authentik users.
 
 The Duo username can be found by navigating to your Duo Admin dashboard and selecting _Users_ in the sidebar. Optionally if you have multiple users with the same username, you can click on a User and copy their ID from the URL, and use that to import the device.
 
-### Older versions
-
-:::info
-This API requires authentik 2021.9.1 or later
-:::
+### Older versions <span class="badge badge--version">authentik 2021.9.1+</span>
 
 You can call the `/api/v3/stages/authenticator/duo/{stage_uuid}/import_devices/` endpoint ([see here](https://goauthentik.io/api/#post-/stages/authenticator/duo/-stage_uuid-/import_devices/)) using the following parameters:
 

@@ -46,11 +46,7 @@ return {
 }
 ```
 
-## Verify only
-
-:::info
-Requires authentik 2022.6
-:::
+## Verify only <span class="badge badge--version">authentik 2022.6+</span>
 
 To only verify the validity of a users' phone number, without saving it in an easily accessible way, you can enable this option. Phone numbers from devices enrolled through this stage will only have their hashed phone number saved. These devices can also not be used with the [Authenticator validation](../authenticator_validate/) stage.
 

@@ -23,19 +23,11 @@ Keep in mind that when using Code-based devices (TOTP, Static and SMS), values l
 
 ### Options
 
-#### Less-frequent validation
-
-:::info
-Requires authentik 2022.5.1
-:::
+#### Less-frequent validation <span class="badge badge--version">authentik 2022.5.1+</span>
 
 You can configure this stage to only ask for MFA validation if the user hasn't authenticated themselves within a defined time period. To configure this, set _Last validation threshold_ to any non-zero value. Any of the users devices within the selected classes are checked.
 
-#### Passwordless authentication
-
-:::info
-Requires authentik 2021.12.4
-:::
+#### Passwordless authentication <span class="badge badge--version">authentik 2021.12.4+</span>
 
 :::caution
 Firefox has some known issues regarding TouchID (see https://bugzilla.mozilla.org/show_bug.cgi?id=1536482)
@@ -76,11 +68,7 @@ Logins which used Passwordless authentication have the _auth_method_ context var
 }
 ```
 
-#### WebAuthn Device type restrictions
-
-:::info
-Requires authentik 2024.4
-:::
+#### WebAuthn Device type restrictions <span class="badge badge--version">authentik 2024.4+</span>
 
 Optionally restrict which WebAuthn device types can be used to authenticate.
 

@@ -18,11 +18,7 @@ Configure if the created authenticator is stored in the encrypted memory on the
 
 Configure if authentik will require either a removable device (like a YubiKey, Google Titan, etc) or a non-removable device (like Windows Hello, TouchID or password managers), or not send a requirement.
 
-#### Device type restrictions
-
-:::info
-Requires authentik 2024.4
-:::
+#### Device type restrictions <span class="badge badge--version">authentik 2024.4+</span>
 
 Optionally restrict the types of devices allowed to be enrolled. This option can be used to ensure users are only able to enroll FIPS-compliant devices for example.
 

@@ -22,11 +22,7 @@ To prompt users for their password on the same step as identifying themselves, a
 
 These fields specify if and which flows are linked on the form. The enrollment flow is linked as `Need an account? Sign up.`, and the recovery flow is linked as `Forgot username or password?`.
 
-## Pretend user exists
-
-:::info
-Requires authentik 2024.2
-:::
+## Pretend user exists <span class="badge badge--version">authentik 2024.2+</span>
 
 When enabled, any user identifier will be accepted as valid (as long as they match the correct format, i.e. when [User fields](#user-fields) is set to only allow Emails, then the identifier still needs to be an Email). The stage will succeed and the flow will continue to the next stage. Stages like the [Password stage](../password/index.md) and [Email stage](../email/index.mdx) are aware of this "pretend" user and will behave the same as if the user would exist.
 
@@ -46,7 +42,7 @@ Starting with authentik 2023.5, when no user fields are selected and only one so
 
 ### Passwordless flow
 
-See [Passwordless authentication](../authenticator_validate/index.md#passwordless-authentication).
+See [Passwordless authentication](../authenticator_validate/index.md#passwordless-authentication-authentik-2021124).
 
 ### Enrollment flow
 

@@ -6,7 +6,7 @@ This is a generic password prompt which authenticates the current `pending_user`
 
 ## Passwordless login
 
-There are two different ways to configure passwordless authentication; you can follow the instructions [here](../authenticator_validate/index.md#passwordless-authentication) to allow users to directly authenticate with their authenticator (only supported for WebAuthn devices), or dynamically skip the password stage depending on the users device, which is documented here.
+There are two different ways to configure passwordless authentication; you can follow the instructions [here](../authenticator_validate/index.md#passwordless-authentication-authentik-2021124) to allow users to directly authenticate with their authenticator (only supported for WebAuthn devices), or dynamically skip the password stage depending on the users device, which is documented here.
 
 Depending on what kind of device you want to require the user to have:
 

@@ -3,7 +3,7 @@ title: Source stage
 ---
 
 <span class="badge badge--primary">Enterprise</span>
-<span class="badge badge--info">authentik 2024.4+</span>
+<span class="badge badge--version">authentik 2024.4+</span>
 
 ---
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,7 +3,7 @@ title: Source stage @@
     ---
     <span class="badge badge--primary">Enterprise</span>
-    <span class="badge badge--info">authentik 2024.4+</span>
+    <span class="badge badge--version">authentik 2024.4+</span>
     ---
@@ Expand Down @@