authentik overlay patch3: SFE for ALL old iOS browsers + social-login links
Two follow-ups to patch2 (both in patch-compat-sfe.py, guarded): 1. compat_needs_sfe() now also serves the SFE to ANY iOS browser on iOS<=16.3, not just Safari. iOS Chrome/Firefox are WebKit skins (Apple mandate) reporting a non-Safari UA family, so the Safari-only check missed them and they still got the blank modern SPA. Added an os.family=="iOS" + version<=16.3 branch. 2. Inject static social-login <a> links (Continue with Google/GitHub/Facebook -> /source/oauth/login/<slug>/) into the SFE shell (flow-sfe.html). The SFE architecturally can't render Identification-stage sources (authentik docs), and emo's account (emil.barzin@gmail.com) is Google-only with NO password — so the SFE's username/password form was a dead end. The links are plain redirects that work on any browser. Slugs are static; re-verify on source changes. Tag -> 2026.2.4-patch3; values repoint + docs land once GHA builds it. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
parent
6ba60cbb2d
commit
916516eeab
3 changed files with 75 additions and 30 deletions
2
.github/workflows/build-authentik.yml
vendored
2
.github/workflows/build-authentik.yml
vendored
|
|
@ -35,5 +35,5 @@ jobs:
|
||||||
provenance: false
|
provenance: false
|
||||||
push: true
|
push: true
|
||||||
tags: |
|
tags: |
|
||||||
ghcr.io/viktorbarzin/authentik-server:2026.2.4-patch2
|
ghcr.io/viktorbarzin/authentik-server:2026.2.4-patch3
|
||||||
ghcr.io/viktorbarzin/authentik-server:latest
|
ghcr.io/viktorbarzin/authentik-server:latest
|
||||||
|
|
|
||||||
|
|
@ -33,11 +33,14 @@ RUN set -eux; \
|
||||||
# PATCH #2 — old-browser BLANK LOGIN. authentik's modern flow SPA is ES2022 and
|
# PATCH #2 — old-browser BLANK LOGIN. authentik's modern flow SPA is ES2022 and
|
||||||
# hard-fails (blank login) on Safari<=16.3 (e.g. iPadOS<=16.3). authentik already
|
# hard-fails (blank login) on Safari<=16.3 (e.g. iPadOS<=16.3). authentik already
|
||||||
# ships a no-JS Simplified Flow Executor (SFE, ES5) but only serves it to
|
# ships a no-JS Simplified Flow Executor (SFE, ES5) but only serves it to
|
||||||
# IE/old-Edge/PKeyAuth. patch-compat-sfe.py extends compat_needs_sfe() to serve
|
# IE/old-Edge/PKeyAuth. patch-compat-sfe.py (a) extends compat_needs_sfe() to
|
||||||
# the SFE to old Safari too, so those clients get the REAL authentik login
|
# serve the SFE to old Safari AND any iOS browser (Chrome/CriOS, Firefox/FxiOS —
|
||||||
# (password + MFA + reputation, NO auth downgrade) instead of a blank page. The
|
# all share the system WebKit) on iOS<=16.3, and (b) injects static social-login
|
||||||
# script is guarded (asserts the upstream anchor + ast-parses) so the build fails
|
# <a> links into the SFE shell (the SFE can't render Identification-stage sources;
|
||||||
# loudly if upstream moves it — re-verify on every authentik bump.
|
# needed for password-less Google-only accounts). Clients get the REAL authentik
|
||||||
|
# login (password + MFA + reputation, NO auth downgrade) instead of a blank page.
|
||||||
|
# The script is guarded (asserts both upstream anchors + ast-parses) so the build
|
||||||
|
# fails loudly if upstream moves — re-verify on every authentik bump.
|
||||||
COPY patch-compat-sfe.py /tmp/patch-compat-sfe.py
|
COPY patch-compat-sfe.py /tmp/patch-compat-sfe.py
|
||||||
RUN python3 /tmp/patch-compat-sfe.py && rm -f /tmp/patch-compat-sfe.py
|
RUN python3 /tmp/patch-compat-sfe.py && rm -f /tmp/patch-compat-sfe.py
|
||||||
USER authentik
|
USER authentik
|
||||||
|
|
|
||||||
|
|
@ -1,25 +1,33 @@
|
||||||
#!/usr/bin/env python3
|
#!/usr/bin/env python3
|
||||||
"""Overlay patch #2 — serve authentik's no-JS SFE login to old Safari/WebKit.
|
"""Overlay patch — make authentik usable on OLD browsers (no modern-JS SPA).
|
||||||
|
|
||||||
authentik's modern flow SPA uses ES2022 (static{} init blocks) that hard-fail on
|
authentik's modern flow SPA is ES2022 (static{} init blocks) that hard-fail on
|
||||||
Safari <= 16.3 (e.g. iPadOS <= 16.3) and render a COMPLETELY BLANK login. authentik
|
Safari/WebKit <= 16.3 (e.g. iPadOS <= 16.3) and render a COMPLETELY BLANK login.
|
||||||
already ships the Simplified Flow Executor (SFE, ES5, /web/dist/sfe) and serves it
|
authentik ships a no-JS Simplified Flow Executor (SFE, ES5) but only serves it to
|
||||||
when flows/views/interface.py::compat_needs_sfe() returns True — but that only
|
IE / old-Edge / PKeyAuth, and the SFE itself canNOT render Identification-stage
|
||||||
detects IE / old-Edge / PKeyAuth, never old Safari. This extends it to old
|
sources (social-login buttons) — authentik docs list "Sources" as unsupported.
|
||||||
Safari/WebKit so those clients get the REAL authentik login (password + MFA +
|
|
||||||
reputation, identity preserved — NO auth downgrade) instead of a blank page.
|
|
||||||
|
|
||||||
Guarded + idempotent-safe: asserts the upstream anchor exists exactly once and the
|
This patch does TWO things, both guarded (assert the upstream anchor + verify the
|
||||||
result parses, so the image build fails LOUDLY if upstream moves the code.
|
result) so the image build fails LOUDLY if upstream moves. RE-VERIFY on every
|
||||||
RE-VERIFY on every authentik upgrade (the anchor / SFE asset can change).
|
authentik upgrade.
|
||||||
|
|
||||||
|
1. flows/views/interface.py::compat_needs_sfe() -> also return True for old
|
||||||
|
Safari/WebKit: (a) Safari/Mobile Safari Version <= 16.3 (covers desktop-mode
|
||||||
|
iPadOS which reports as Mac Safari), and (b) ANY iOS browser (Chrome/CriOS,
|
||||||
|
Firefox/FxiOS, Edge — all share the system WebKit) on iOS <= 16.3. So old
|
||||||
|
iPads get the SFE on EVERY browser, not just Safari.
|
||||||
|
|
||||||
|
2. flows/templates/if/flow-sfe.html -> inject static social-login <a> links
|
||||||
|
(plain redirects to /source/oauth/login/<slug>/, work on ANY browser) so SFE
|
||||||
|
users (who otherwise see only username/password) can use social login —
|
||||||
|
required for accounts with no password (e.g. Google-only users like emo).
|
||||||
"""
|
"""
|
||||||
import ast
|
import ast
|
||||||
import glob
|
import glob
|
||||||
import os
|
import os
|
||||||
|
|
||||||
TARGET = "/authentik/flows/views/interface.py"
|
# --- Patch 1: compat_needs_sfe() UA gate -------------------------------------
|
||||||
|
INTERFACE = "/authentik/flows/views/interface.py"
|
||||||
# Upstream tail of compat_needs_sfe() (authentik 2026.2.x).
|
|
||||||
ANCHOR = (
|
ANCHOR = (
|
||||||
' if "PKeyAuth" in ua["string"]:\n'
|
' if "PKeyAuth" in ua["string"]:\n'
|
||||||
" return True\n"
|
" return True\n"
|
||||||
|
|
@ -28,9 +36,9 @@ ANCHOR = (
|
||||||
REPLACEMENT = (
|
REPLACEMENT = (
|
||||||
' if "PKeyAuth" in ua["string"]:\n'
|
' if "PKeyAuth" in ua["string"]:\n'
|
||||||
" return True\n"
|
" return True\n"
|
||||||
" # OVERLAY: old Safari/WebKit (iPadOS<=16.3) cannot parse the modern\n"
|
" # OVERLAY: old WebKit can't parse the modern ES2022 flow SPA (blank\n"
|
||||||
" # ES2022 flow SPA and renders a blank login; serve the SFE instead so\n"
|
" # login) -> serve the SFE (real authentik login). (a) desktop-mode\n"
|
||||||
" # those clients get the real authentik login (password + MFA).\n"
|
" # Safari/iPadOS reports as Mac Safari with Version<=16.3:\n"
|
||||||
' if ua["user_agent"]["family"] in ("Safari", "Mobile Safari"):\n'
|
' if ua["user_agent"]["family"] in ("Safari", "Mobile Safari"):\n'
|
||||||
" try:\n"
|
" try:\n"
|
||||||
' _maj = int(ua["user_agent"]["major"] or 0)\n'
|
' _maj = int(ua["user_agent"]["major"] or 0)\n'
|
||||||
|
|
@ -39,16 +47,50 @@ REPLACEMENT = (
|
||||||
" _maj = _min = 0\n"
|
" _maj = _min = 0\n"
|
||||||
" if _maj and (_maj < 16 or (_maj == 16 and _min <= 3)):\n"
|
" if _maj and (_maj < 16 or (_maj == 16 and _min <= 3)):\n"
|
||||||
" return True\n"
|
" return True\n"
|
||||||
|
" # (b) ANY iOS browser (Chrome/CriOS, Firefox/FxiOS, Edge) shares the\n"
|
||||||
|
" # system WebKit, so iOS<=16.3 fails regardless of the browser family:\n"
|
||||||
|
' if ua["os"]["family"] == "iOS":\n'
|
||||||
|
" try:\n"
|
||||||
|
' _omaj = int(ua["os"]["major"] or 0)\n'
|
||||||
|
' _omin = int(ua["os"]["minor"] or 0)\n'
|
||||||
|
" except (TypeError, ValueError):\n"
|
||||||
|
" _omaj = _omin = 0\n"
|
||||||
|
" if _omaj and (_omaj < 16 or (_omaj == 16 and _omin <= 3)):\n"
|
||||||
|
" return True\n"
|
||||||
" return False"
|
" return False"
|
||||||
)
|
)
|
||||||
|
src = open(INTERFACE).read()
|
||||||
src = open(TARGET).read()
|
|
||||||
assert "def compat_needs_sfe" in src, "compat_needs_sfe() not found — upstream changed"
|
assert "def compat_needs_sfe" in src, "compat_needs_sfe() not found — upstream changed"
|
||||||
assert src.count(ANCHOR) == 1, f"anchor not found exactly once in {TARGET}"
|
assert src.count(ANCHOR) == 1, f"anchor not found exactly once in {INTERFACE}"
|
||||||
src = src.replace(ANCHOR, REPLACEMENT)
|
src = src.replace(ANCHOR, REPLACEMENT)
|
||||||
open(TARGET, "w").write(src)
|
open(INTERFACE, "w").write(src)
|
||||||
ast.parse(src) # fail the build on a malformed patch
|
ast.parse(src)
|
||||||
assert "Mobile Safari" in open(TARGET).read(), "patch did not apply"
|
assert 'ua["os"]["family"] == "iOS"' in open(INTERFACE).read()
|
||||||
for pyc in glob.glob("/authentik/flows/views/__pycache__/interface.*.pyc"):
|
for pyc in glob.glob("/authentik/flows/views/__pycache__/interface.*.pyc"):
|
||||||
os.remove(pyc)
|
os.remove(pyc)
|
||||||
print("patch-compat-sfe: compat_needs_sfe() now serves the SFE to Safari<=16.3")
|
|
||||||
|
# --- Patch 2: social-login links on the SFE shell ----------------------------
|
||||||
|
SFE_HTML = "/authentik/flows/templates/if/flow-sfe.html"
|
||||||
|
HTML_ANCHOR = (
|
||||||
|
" </main>\n"
|
||||||
|
" <span class=\"mt-3 mb-0 text-muted text-center\">{% trans 'Powered by authentik' %}</span>"
|
||||||
|
)
|
||||||
|
HTML_REPLACEMENT = (
|
||||||
|
" </main>\n"
|
||||||
|
" <!-- OVERLAY: the SFE can't render Identification-stage sources, so add\n"
|
||||||
|
" static social-login links (plain redirects, work on any browser).\n"
|
||||||
|
" Re-verify slugs on source changes; shown on all SFE flows. -->\n"
|
||||||
|
' <div class="form-signin w-100 m-auto pt-2 mt-2 border-top">\n'
|
||||||
|
' <a class="btn btn-outline-secondary w-100 mb-2" href="/source/oauth/login/google/">Continue with Google</a>\n'
|
||||||
|
' <a class="btn btn-outline-secondary w-100 mb-2" href="/source/oauth/login/github/">Continue with GitHub</a>\n'
|
||||||
|
' <a class="btn btn-outline-secondary w-100 mb-2" href="/source/oauth/login/facebook/">Continue with Facebook</a>\n'
|
||||||
|
" </div>\n"
|
||||||
|
" <span class=\"mt-3 mb-0 text-muted text-center\">{% trans 'Powered by authentik' %}</span>"
|
||||||
|
)
|
||||||
|
html = open(SFE_HTML).read()
|
||||||
|
assert html.count(HTML_ANCHOR) == 1, f"SFE html anchor not found exactly once in {SFE_HTML}"
|
||||||
|
html = html.replace(HTML_ANCHOR, HTML_REPLACEMENT)
|
||||||
|
open(SFE_HTML, "w").write(html)
|
||||||
|
assert "Continue with Google" in open(SFE_HTML).read()
|
||||||
|
|
||||||
|
print("patch-compat-sfe: SFE for old Safari + all iOS<=16.3; social-login links added to SFE")
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue