authentik overlay: serve the no-JS SFE login to old Safari (patch #2)

Old Safari/WebKit (<=16.3, e.g. iPadOS<=16.3) can't parse authentik's modern ES2022 flow SPA and gets a COMPLETELY BLANK login — exactly what emo's iPadOS-15.8 iPad hit. authentik already ships a no-JS Simplified Flow Executor (SFE, ES5) and serves it via compat_needs_sfe(), but only for IE/old-Edge/PKeyAuth. Extend that to old Safari so those clients get the REAL authentik login (password + MFA + reputation, identity preserved — NO auth downgrade, no new credential store).

Chosen over a Traefik basic-auth fallback after an adversarial review: that route would put a single, spoofable-UA password in front of vbarzin->wizard (passwordless root on the cluster-controlling devvm) — an MFA->single-factor path to cluster root. SFE keeps full authentik auth and is generic for any old browser.

Shipped as patch #2 in the existing overlay image (patch-compat-sfe.py — guarded: asserts the upstream anchor + ast-parses; verified against the live interface.py). Tag -> 2026.2.4-patch2; the values repoint lands once GHA builds the image.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
parent 69e35efd95
commit f10bb71562
3 changed files with 66 additions and 1 deletions
|
|
@ -29,4 +29,15 @@ RUN set -eux; \
|
|||
grep -q 'select_subclasses("oauthsource", "samlsource", "plexsource", "telegramsource", "kerberossource")' "$F"; \
|
||||
PY="$(command -v python || command -v python3)"; "$PY" -c "import ast,sys; ast.parse(open('$F').read())"; \
|
||||
rm -f /authentik/stages/identification/__pycache__/stage.*.pyc
|
||||
|
||||
# PATCH #2 — old-browser BLANK LOGIN. authentik's modern flow SPA is ES2022 and
|
||||
# hard-fails (blank login) on Safari<=16.3 (e.g. iPadOS<=16.3). authentik already
|
||||
# ships a no-JS Simplified Flow Executor (SFE, ES5) but only serves it to
|
||||
# IE/old-Edge/PKeyAuth. patch-compat-sfe.py extends compat_needs_sfe() to serve
|
||||
# the SFE to old Safari too, so those clients get the REAL authentik login
|
||||
# (password + MFA + reputation, NO auth downgrade) instead of a blank page. The
|
||||
# script is guarded (asserts the upstream anchor + ast-parses) so the build fails
|
||||
# loudly if upstream moves it — re-verify on every authentik bump.
|
||||
COPY patch-compat-sfe.py /tmp/patch-compat-sfe.py
|
||||
RUN python3 /tmp/patch-compat-sfe.py && rm -f /tmp/patch-compat-sfe.py
|
||||
USER authentik
|
||||
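Review bot: The added `RUN python3 /tmp/patch-compat-sfe.py` hard-codes the interpreter, while the patch #1 step in the context lines just above resolves it with `PY="$(command -v python || command -v python3)"`. If the base image only guarantees one of the two names, the steps can diverge, so reuse the same lookup here or state why `python3` is safe to assume. Patch #1 also ends by deleting the stale bytecode for the file it edits (`rm -f .../__pycache__/stage.*.pyc`); nothing on this RUN line does the same for the module that patch-compat-sfe.py rewrites, so confirm the script handles it or add the matching `rm -f` so a cached pre-patch module cannot be what gets loaded. The guard described in the comment (anchor assert plus ast-parse) proves the file still parses, not that compat_needs_sfe() now matches old Safari; a build-time import-and-call check with a sample Safari user agent would catch a silent no-op after an upstream bump. Minor: the script is removed in a later layer than the COPY, so it stays in the image history; a bind mount on the RUN step would avoid that.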