authentik overlay: serve the no-JS SFE login to old Safari (patch #2)
Old Safari/WebKit (<=16.3, e.g. iPadOS<=16.3) can't parse authentik's modern ES2022 flow SPA and gets a COMPLETELY BLANK login — exactly what emo's iPadOS-15.8 iPad hit. authentik already ships a no-JS Simplified Flow Executor (SFE, ES5) and serves it via compat_needs_sfe(), but only for IE/old-Edge/PKeyAuth. Extend that to old Safari so those clients get the REAL authentik login (password + MFA + reputation, identity preserved — NO auth downgrade, no new credential store).

Chosen over a Traefik basic-auth fallback after an adversarial review: that route would put a single, spoofable-UA password in front of vbarzin->wizard (passwordless root on the cluster-controlling devvm) — an MFA->single-factor path to cluster root. SFE keeps full authentik auth and is generic for any old browser.

Shipped as patch #2 in the existing overlay image (patch-compat-sfe.py — guarded: asserts the upstream anchor + ast-parses; verified against the live interface.py). Tag -> 2026.2.4-patch2; the values repoint lands once GHA builds the image.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
parent 69e35efd95
commit f10bb71562
3 changed files with 66 additions and 1 deletions
2
.github/workflows/build-authentik.yml
vendored
|
|
@ -35,5 +35,5 @@ jobs:
|
|||
provenance: false
|
||||
push: true
|
||||
tags: |
|
||||
ghcr.io/viktorbarzin/authentik-server:2026.2.4-patch1
|
||||
ghcr.io/viktorbarzin/authentik-server:2026.2.4-patch2
|
||||
ghcr.io/viktorbarzin/authentik-server:latest
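Review bot: the `ghcr.io/viktorbarzin/authentik-server:latest` tag on the last line of this hunk is still pushed next to the new `2026.2.4-patch2` tag, so anything that pulls `:latest` picks up the changed login path as soon as the workflow pushes, ahead of the values repoint the commit message describes. Consider dropping `latest` from this tag list, or pinning consumers to the image digest, so the rollout happens only at the repoint. Also, with `provenance: false` at the top of the hunk no build attestation is attached to the pushed tags, and a workflow rerun overwrites `2026.2.4-patch2` in place; recording the pushed digest in the values change would make the deployed image verifiable.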