authentik overlay patch3: SFE for ALL old iOS browsers + social-login links

Two follow-ups to patch2 (both in patch-compat-sfe.py, guarded): 1. compat_needs_sfe() now also serves the SFE to ANY iOS browser on iOS<=16.3, not just Safari. iOS Chrome/Firefox are WebKit skins (Apple mandate) reporting a non-Safari UA family, so the Safari-only check missed them and they still got the blank modern SPA. Added an os.family=="iOS" + version<=16.3 branch. 2. Inject static social-login <a> links (Continue with Google/GitHub/Facebook -> /source/oauth/login/<slug>/) into the SFE shell (flow-sfe.html). The SFE architecturally can't render Identification-stage sources (authentik docs), and emo's account (emil.barzin@gmail.com) is Google-only with NO password — so the SFE's username/password form was a dead end. The links are plain redirects that work on any browser. Slugs are static; re-verify on source changes. Tag -> 2026.2.4-patch3; values repoint + docs land once GHA builds it. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 11:53:03 +00:00 · 2026-06-28 11:53:03 +00:00 · 916516eeab
commit 916516eeab
parent 6ba60cbb2d
3 changed files with 75 additions and 30 deletions
--- a/.github/workflows/build-authentik.yml
+++ b/.github/workflows/build-authentik.yml
@ -35,5 +35,5 @@ jobs:
          provenance: false
          push: true
          tags: |
-            ghcr.io/viktorbarzin/authentik-server:2026.2.4-patch2
+            ghcr.io/viktorbarzin/authentik-server:2026.2.4-patch3
            ghcr.io/viktorbarzin/authentik-server:latest
--- a/stacks/authentik/Dockerfile
+++ b/stacks/authentik/Dockerfile
@ -33,11 +33,14 @@ RUN set -eux; \
 # PATCH #2 — old-browser BLANK LOGIN. authentik's modern flow SPA is ES2022 and
 # hard-fails (blank login) on Safari<=16.3 (e.g. iPadOS<=16.3). authentik already
 # ships a no-JS Simplified Flow Executor (SFE, ES5) but only serves it to
-# IE/old-Edge/PKeyAuth. patch-compat-sfe.py extends compat_needs_sfe() to serve
-# the SFE to old Safari too, so those clients get the REAL authentik login
-# (password + MFA + reputation, NO auth downgrade) instead of a blank page. The
-# script is guarded (asserts the upstream anchor + ast-parses) so the build fails
-# loudly if upstream moves it — re-verify on every authentik bump.
+# IE/old-Edge/PKeyAuth. patch-compat-sfe.py (a) extends compat_needs_sfe() to
+# serve the SFE to old Safari AND any iOS browser (Chrome/CriOS, Firefox/FxiOS —
+# all share the system WebKit) on iOS<=16.3, and (b) injects static social-login
+# <a> links into the SFE shell (the SFE can't render Identification-stage sources;
+# needed for password-less Google-only accounts). Clients get the REAL authentik
+# login (password + MFA + reputation, NO auth downgrade) instead of a blank page.
+# The script is guarded (asserts both upstream anchors + ast-parses) so the build
+# fails loudly if upstream moves — re-verify on every authentik bump.
 COPY patch-compat-sfe.py /tmp/patch-compat-sfe.py
 RUN python3 /tmp/patch-compat-sfe.py && rm -f /tmp/patch-compat-sfe.py
 USER authentik
--- a/stacks/authentik/patch-compat-sfe.py
+++ b/stacks/authentik/patch-compat-sfe.py
@ -1,25 +1,33 @@
 #!/usr/bin/env python3
-"""Overlay patch #2 — serve authentik's no-JS SFE login to old Safari/WebKit.
+"""Overlay patch — make authentik usable on OLD browsers (no modern-JS SPA).

-authentik's modern flow SPA uses ES2022 (static{} init blocks) that hard-fail on
-Safari <= 16.3 (e.g. iPadOS <= 16.3) and render a COMPLETELY BLANK login. authentik
-already ships the Simplified Flow Executor (SFE, ES5, /web/dist/sfe) and serves it
-when flows/views/interface.py::compat_needs_sfe() returns True — but that only
-detects IE / old-Edge / PKeyAuth, never old Safari. This extends it to old
-Safari/WebKit so those clients get the REAL authentik login (password + MFA +
-reputation, identity preserved — NO auth downgrade) instead of a blank page.
+authentik's modern flow SPA is ES2022 (static{} init blocks) that hard-fail on
+Safari/WebKit <= 16.3 (e.g. iPadOS <= 16.3) and render a COMPLETELY BLANK login.
+authentik ships a no-JS Simplified Flow Executor (SFE, ES5) but only serves it to
+IE / old-Edge / PKeyAuth, and the SFE itself canNOT render Identification-stage
+sources (social-login buttons) — authentik docs list "Sources" as unsupported.

-Guarded + idempotent-safe: asserts the upstream anchor exists exactly once and the
-result parses, so the image build fails LOUDLY if upstream moves the code.
-RE-VERIFY on every authentik upgrade (the anchor / SFE asset can change).
+This patch does TWO things, both guarded (assert the upstream anchor + verify the
+result) so the image build fails LOUDLY if upstream moves. RE-VERIFY on every
+authentik upgrade.
+
+  1. flows/views/interface.py::compat_needs_sfe() -> also return True for old
+     Safari/WebKit: (a) Safari/Mobile Safari Version <= 16.3 (covers desktop-mode
+     iPadOS which reports as Mac Safari), and (b) ANY iOS browser (Chrome/CriOS,
+     Firefox/FxiOS, Edge — all share the system WebKit) on iOS <= 16.3. So old
+     iPads get the SFE on EVERY browser, not just Safari.
+
+  2. flows/templates/if/flow-sfe.html -> inject static social-login <a> links
+     (plain redirects to /source/oauth/login/<slug>/, work on ANY browser) so SFE
+     users (who otherwise see only username/password) can use social login —
+     required for accounts with no password (e.g. Google-only users like emo).
 """
 import ast
 import glob
 import os

-TARGET = "/authentik/flows/views/interface.py"
-
-# Upstream tail of compat_needs_sfe() (authentik 2026.2.x).
+# --- Patch 1: compat_needs_sfe() UA gate -------------------------------------
+INTERFACE = "/authentik/flows/views/interface.py"
 ANCHOR = (
    '        if "PKeyAuth" in ua["string"]:\n'
    "            return True\n"
@ -28,9 +36,9 @@ ANCHOR = (
 REPLACEMENT = (
    '        if "PKeyAuth" in ua["string"]:\n'
    "            return True\n"
-    "        # OVERLAY: old Safari/WebKit (iPadOS<=16.3) cannot parse the modern\n"
-    "        # ES2022 flow SPA and renders a blank login; serve the SFE instead so\n"
-    "        # those clients get the real authentik login (password + MFA).\n"
+    "        # OVERLAY: old WebKit can't parse the modern ES2022 flow SPA (blank\n"
+    "        # login) -> serve the SFE (real authentik login). (a) desktop-mode\n"
+    "        # Safari/iPadOS reports as Mac Safari with Version<=16.3:\n"
    '        if ua["user_agent"]["family"] in ("Safari", "Mobile Safari"):\n'
    "            try:\n"
    '                _maj = int(ua["user_agent"]["major"] or 0)\n'
@ -39,16 +47,50 @@ REPLACEMENT = (
    "                _maj = _min = 0\n"
    "            if _maj and (_maj < 16 or (_maj == 16 and _min <= 3)):\n"
    "                return True\n"
+    "        # (b) ANY iOS browser (Chrome/CriOS, Firefox/FxiOS, Edge) shares the\n"
+    "        # system WebKit, so iOS<=16.3 fails regardless of the browser family:\n"
+    '        if ua["os"]["family"] == "iOS":\n'
+    "            try:\n"
+    '                _omaj = int(ua["os"]["major"] or 0)\n'
+    '                _omin = int(ua["os"]["minor"] or 0)\n'
+    "            except (TypeError, ValueError):\n"
+    "                _omaj = _omin = 0\n"
+    "            if _omaj and (_omaj < 16 or (_omaj == 16 and _omin <= 3)):\n"
+    "                return True\n"
    "        return False"
 )
-
-src = open(TARGET).read()
+src = open(INTERFACE).read()
 assert "def compat_needs_sfe" in src, "compat_needs_sfe() not found — upstream changed"
-assert src.count(ANCHOR) == 1, f"anchor not found exactly once in {TARGET}"
+assert src.count(ANCHOR) == 1, f"anchor not found exactly once in {INTERFACE}"
 src = src.replace(ANCHOR, REPLACEMENT)
-open(TARGET, "w").write(src)
-ast.parse(src)  # fail the build on a malformed patch
-assert "Mobile Safari" in open(TARGET).read(), "patch did not apply"
+open(INTERFACE, "w").write(src)
+ast.parse(src)
+assert 'ua["os"]["family"] == "iOS"' in open(INTERFACE).read()
 for pyc in glob.glob("/authentik/flows/views/__pycache__/interface.*.pyc"):
    os.remove(pyc)
-print("patch-compat-sfe: compat_needs_sfe() now serves the SFE to Safari<=16.3")
+
+# --- Patch 2: social-login links on the SFE shell ----------------------------
+SFE_HTML = "/authentik/flows/templates/if/flow-sfe.html"
+HTML_ANCHOR = (
+    "        </main>\n"
+    "        <span class=\"mt-3 mb-0 text-muted text-center\">{% trans 'Powered by authentik' %}</span>"
+)
+HTML_REPLACEMENT = (
+    "        </main>\n"
+    "        <!-- OVERLAY: the SFE can't render Identification-stage sources, so add\n"
+    "             static social-login links (plain redirects, work on any browser).\n"
+    "             Re-verify slugs on source changes; shown on all SFE flows. -->\n"
+    '        <div class="form-signin w-100 m-auto pt-2 mt-2 border-top">\n'
+    '          <a class="btn btn-outline-secondary w-100 mb-2" href="/source/oauth/login/google/">Continue with Google</a>\n'
+    '          <a class="btn btn-outline-secondary w-100 mb-2" href="/source/oauth/login/github/">Continue with GitHub</a>\n'
+    '          <a class="btn btn-outline-secondary w-100 mb-2" href="/source/oauth/login/facebook/">Continue with Facebook</a>\n'
+    "        </div>\n"
+    "        <span class=\"mt-3 mb-0 text-muted text-center\">{% trans 'Powered by authentik' %}</span>"
+)
+html = open(SFE_HTML).read()
+assert html.count(HTML_ANCHOR) == 1, f"SFE html anchor not found exactly once in {SFE_HTML}"
+html = html.replace(HTML_ANCHOR, HTML_REPLACEMENT)
+open(SFE_HTML, "w").write(html)
+assert "Continue with Google" in open(SFE_HTML).read()
+
+print("patch-compat-sfe: SFE for old Safari + all iOS<=16.3; social-login links added to SFE")