infra/stacks/authentik/Dockerfile

# SLOW-1a overlay over the official authentik server image.
#
# The login flow's identification stage renders each enabled source's UI login
# button. Upstream authentik/stages/identification/stage.py does:
#     current_stage.sources.filter(enabled=True).order_by("name").select_subclasses()
# The bare no-arg select_subclasses() (django-model-utils InheritanceManager)
# LEFT-JOINs EVERY Source subtype table; on the cold-login hot path that is ~1.5s
# (verified live on 2026.2.4: 1527ms vs 14ms). Passing only the subtypes that
# actually render a UI login button — every concrete Source type that overrides
# ui_login_button: oauth/saml/plex/telegram/kerberos, NOT the sync-only ldap/scim —
# is ~100x faster and BYTE-IDENTICAL output (verified: concrete types + rendered
# buttons match). django-model-utils accepts the lowercase subclass *accessor
# names* as strings, so no new import is needed (no circular-import risk) — the
# patch is a single, reviewable line edit.
#
# RE-VERIFY ON EVERY AUTHENTIK BUMP: bump the FROM tag below AND the image tag in
# modules/authentik/values.yaml together. The grep guards fail the build LOUDLY if
# the upstream target line moved. If a future authentik version adds a NEW
# login-capable source type, add its lowercase accessor to the list below.
# Upstream: the bare select_subclasses() is still present in main (no fix/PR as of
# 2026-06-28) — drop this overlay once upstream narrows the query.
FROM ghcr.io/goauthentik/server:2026.2.4

USER root
RUN set -eux; \
    F=/authentik/stages/identification/stage.py; \
    grep -q 'order_by("name").select_subclasses()' "$F"; \
    sed -i 's/order_by("name")\.select_subclasses()/order_by("name").select_subclasses("oauthsource", "samlsource", "plexsource", "telegramsource", "kerberossource")/' "$F"; \
    grep -q 'select_subclasses("oauthsource", "samlsource", "plexsource", "telegramsource", "kerberossource")' "$F"; \
    PY="$(command -v python || command -v python3)"; "$PY" -c "import ast,sys; ast.parse(open('$F').read())"; \
    rm -f /authentik/stages/identification/__pycache__/stage.*.pyc

# PATCH #2 — old-browser BLANK LOGIN. authentik's modern flow SPA is ES2022 and
# hard-fails (blank login) on Safari<=16.3 (e.g. iPadOS<=16.3). authentik already
# ships a no-JS Simplified Flow Executor (SFE, ES5) but only serves it to
# IE/old-Edge/PKeyAuth. patch-compat-sfe.py extends compat_needs_sfe() to serve
# the SFE to old Safari too, so those clients get the REAL authentik login
# (password + MFA + reputation, NO auth downgrade) instead of a blank page. The
# script is guarded (asserts the upstream anchor + ast-parses) so the build fails
# loudly if upstream moves it — re-verify on every authentik bump.
COPY patch-compat-sfe.py /tmp/patch-compat-sfe.py
RUN python3 /tmp/patch-compat-sfe.py && rm -f /tmp/patch-compat-sfe.py
USER authentik
authentik: custom-image overlay to fix the 1.4s login-flow query (SLOW-1a) The login flow's identification stage runs a bare select_subclasses() that LEFT-JOINs every Source subtype table — ~1.4s server-side on every cold login (verified live: 1527ms vs 14ms). Narrow it to only the subtypes that render a UI login button (oauth/saml/plex/telegram/kerberos — not the sync-only ldap/scim), via django-model-utils string accessors so no import is needed. Byte-identical output, ~100x faster, robust to adding new login source types. Shipped as a thin overlay over the official image (mirrors the diun/excalidraw precedent): stacks/authentik/Dockerfile (FROM ghcr.io/goauthentik/server:2026.2.4 + a guarded sed) built by .github/workflows/build-authentik.yml -> ghcr.io/ viktorbarzin/authentik-server:2026.2.4-patch1. The values repoint + Keel freeze land in a follow-up commit once the image is built. Upstream bug still present in main (no fix/PR) — drop this overlay once upstream narrows the query. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-28 10:42:58 +00:00			`# SLOW-1a overlay over the official authentik server image.`
			`#`
			`# The login flow's identification stage renders each enabled source's UI login`
			`# button. Upstream authentik/stages/identification/stage.py does:`
			`# current_stage.sources.filter(enabled=True).order_by("name").select_subclasses()`
			`# The bare no-arg select_subclasses() (django-model-utils InheritanceManager)`
			`# LEFT-JOINs EVERY Source subtype table; on the cold-login hot path that is ~1.5s`
			`# (verified live on 2026.2.4: 1527ms vs 14ms). Passing only the subtypes that`
			`# actually render a UI login button — every concrete Source type that overrides`
			`# ui_login_button: oauth/saml/plex/telegram/kerberos, NOT the sync-only ldap/scim —`
			`# is ~100x faster and BYTE-IDENTICAL output (verified: concrete types + rendered`
			`# buttons match). django-model-utils accepts the lowercase subclass *accessor`
			`# names* as strings, so no new import is needed (no circular-import risk) — the`
			`# patch is a single, reviewable line edit.`
			`#`
			`# RE-VERIFY ON EVERY AUTHENTIK BUMP: bump the FROM tag below AND the image tag in`
			`# modules/authentik/values.yaml together. The grep guards fail the build LOUDLY if`
			`# the upstream target line moved. If a future authentik version adds a NEW`
			`# login-capable source type, add its lowercase accessor to the list below.`
			`# Upstream: the bare select_subclasses() is still present in main (no fix/PR as of`
			`# 2026-06-28) — drop this overlay once upstream narrows the query.`
			`FROM ghcr.io/goauthentik/server:2026.2.4`

			`USER root`
			`RUN set -eux; \`
			`F=/authentik/stages/identification/stage.py; \`
			`grep -q 'order_by("name").select_subclasses()' "$F"; \`
			`sed -i 's/order_by("name")\.select_subclasses()/order_by("name").select_subclasses("oauthsource", "samlsource", "plexsource", "telegramsource", "kerberossource")/' "$F"; \`
			`grep -q 'select_subclasses("oauthsource", "samlsource", "plexsource", "telegramsource", "kerberossource")' "$F"; \`
			`PY="$(command -v python \|\| command -v python3)"; "$PY" -c "import ast,sys; ast.parse(open('$F').read())"; \`
			`rm -f /authentik/stages/identification/__pycache__/stage.*.pyc`
authentik overlay: serve the no-JS SFE login to old Safari (patch #2) Old Safari/WebKit (<=16.3, e.g. iPadOS<=16.3) can't parse authentik's modern ES2022 flow SPA and gets a COMPLETELY BLANK login — exactly what emo's iPadOS-15.8 iPad hit. authentik already ships a no-JS Simplified Flow Executor (SFE, ES5) and serves it via compat_needs_sfe(), but only for IE/old-Edge/PKeyAuth. Extend that to old Safari so those clients get the REAL authentik login (password + MFA + reputation, identity preserved — NO auth downgrade, no new credential store). Chosen over a Traefik basic-auth fallback after an adversarial review: that route would put a single, spoofable-UA password in front of vbarzin->wizard (passwordless root on the cluster-controlling devvm) — an MFA->single-factor path to cluster root. SFE keeps full authentik auth and is generic for any old browser. Shipped as patch #2 in the existing overlay image (patch-compat-sfe.py — guarded: asserts the upstream anchor + ast-parses; verified against the live interface.py). Tag -> 2026.2.4-patch2; the values repoint lands once GHA builds the image. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-28 11:38:05 +00:00
			`# PATCH #2 — old-browser BLANK LOGIN. authentik's modern flow SPA is ES2022 and`
			`# hard-fails (blank login) on Safari<=16.3 (e.g. iPadOS<=16.3). authentik already`
			`# ships a no-JS Simplified Flow Executor (SFE, ES5) but only serves it to`
			`# IE/old-Edge/PKeyAuth. patch-compat-sfe.py extends compat_needs_sfe() to serve`
			`# the SFE to old Safari too, so those clients get the REAL authentik login`
			`# (password + MFA + reputation, NO auth downgrade) instead of a blank page. The`
			`# script is guarded (asserts the upstream anchor + ast-parses) so the build fails`
			`# loudly if upstream moves it — re-verify on every authentik bump.`
			`COPY patch-compat-sfe.py /tmp/patch-compat-sfe.py`
			`RUN python3 /tmp/patch-compat-sfe.py && rm -f /tmp/patch-compat-sfe.py`
authentik: custom-image overlay to fix the 1.4s login-flow query (SLOW-1a) The login flow's identification stage runs a bare select_subclasses() that LEFT-JOINs every Source subtype table — ~1.4s server-side on every cold login (verified live: 1527ms vs 14ms). Narrow it to only the subtypes that render a UI login button (oauth/saml/plex/telegram/kerberos — not the sync-only ldap/scim), via django-model-utils string accessors so no import is needed. Byte-identical output, ~100x faster, robust to adding new login source types. Shipped as a thin overlay over the official image (mirrors the diun/excalidraw precedent): stacks/authentik/Dockerfile (FROM ghcr.io/goauthentik/server:2026.2.4 + a guarded sed) built by .github/workflows/build-authentik.yml -> ghcr.io/ viktorbarzin/authentik-server:2026.2.4-patch1. The values repoint + Keel freeze land in a follow-up commit once the image is built. Upstream bug still present in main (no fix/PR) — drop this overlay once upstream narrows the query. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-28 10:42:58 +00:00			`USER authentik`