viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3

authentik overlay: serve the no-JS SFE login to old Safari (patch #2)

Browse source 
Old Safari/WebKit (<=16.3, e.g. iPadOS<=16.3) can't parse authentik's modern
ES2022 flow SPA and gets a COMPLETELY BLANK login — exactly what emo's iPadOS-15.8
iPad hit. authentik already ships a no-JS Simplified Flow Executor (SFE, ES5) and
serves it via compat_needs_sfe(), but only for IE/old-Edge/PKeyAuth. Extend that
to old Safari so those clients get the REAL authentik login (password + MFA +
reputation, identity preserved — NO auth downgrade, no new credential store).

Chosen over a Traefik basic-auth fallback after an adversarial review: that route
would put a single, spoofable-UA password in front of vbarzin->wizard (passwordless
root on the cluster-controlling devvm) — an MFA->single-factor path to cluster root.
SFE keeps full authentik auth and is generic for any old browser.

Shipped as patch #2 in the existing overlay image (patch-compat-sfe.py — guarded:
asserts the upstream anchor + ast-parses; verified against the live interface.py).
Tag -> 2026.2.4-patch2; the values repoint lands once GHA builds the image.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-28 11:38:05 +00:00
parent 69e35efd95
commit f10bb71562
3 changed files with 66 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/build-authentik.yml vendored
View file

@ -35,5 +35,5 @@ jobs:
provenance: false provenance: false
push: true push: true
tags: | tags: |
ghcr.io/viktorbarzin/authentik-server:2026.2.4-patch1 ghcr.io/viktorbarzin/authentik-server:2026.2.4-patch2
ghcr.io/viktorbarzin/authentik-server:latest ghcr.io/viktorbarzin/authentik-server:latest

11
stacks/authentik/Dockerfile
View file

@ -29,4 +29,15 @@ RUN set -eux; \
grep -q 'select_subclasses("oauthsource", "samlsource", "plexsource", "telegramsource", "kerberossource")' "$F"; \ grep -q 'select_subclasses("oauthsource", "samlsource", "plexsource", "telegramsource", "kerberossource")' "$F"; \
PY="$(command -v python || command -v python3)"; "$PY" -c "import ast,sys; ast.parse(open('$F').read())"; \ PY="$(command -v python || command -v python3)"; "$PY" -c "import ast,sys; ast.parse(open('$F').read())"; \
rm -f /authentik/stages/identification/__pycache__/stage.*.pyc rm -f /authentik/stages/identification/__pycache__/stage.*.pyc
# PATCH #2 — old-browser BLANK LOGIN. authentik's modern flow SPA is ES2022 and
# hard-fails (blank login) on Safari<=16.3 (e.g. iPadOS<=16.3). authentik already
# ships a no-JS Simplified Flow Executor (SFE, ES5) but only serves it to
# IE/old-Edge/PKeyAuth. patch-compat-sfe.py extends compat_needs_sfe() to serve
# the SFE to old Safari too, so those clients get the REAL authentik login
# (password + MFA + reputation, NO auth downgrade) instead of a blank page. The
# script is guarded (asserts the upstream anchor + ast-parses) so the build fails
# loudly if upstream moves it — re-verify on every authentik bump.
COPY patch-compat-sfe.py /tmp/patch-compat-sfe.py
RUN python3 /tmp/patch-compat-sfe.py && rm -f /tmp/patch-compat-sfe.py
USER authentik USER authentik

54
stacks/authentik/patch-compat-sfe.py Normal file
View file

@ -0,0 +1,54 @@
#!/usr/bin/env python3
"""Overlay patch #2 — serve authentik's no-JS SFE login to old Safari/WebKit.
authentik's modern flow SPA uses ES2022 (static{} init blocks) that hard-fail on
Safari <= 16.3 (e.g. iPadOS <= 16.3) and render a COMPLETELY BLANK login. authentik
already ships the Simplified Flow Executor (SFE, ES5, /web/dist/sfe) and serves it
when flows/views/interface.py::compat_needs_sfe() returns True but that only
detects IE / old-Edge / PKeyAuth, never old Safari. This extends it to old
Safari/WebKit so those clients get the REAL authentik login (password + MFA +
reputation, identity preserved NO auth downgrade) instead of a blank page.
Guarded + idempotent-safe: asserts the upstream anchor exists exactly once and the
result parses, so the image build fails LOUDLY if upstream moves the code.
RE-VERIFY on every authentik upgrade (the anchor / SFE asset can change).
"""
import ast
import glob
import os
TARGET = "/authentik/flows/views/interface.py"
# Upstream tail of compat_needs_sfe() (authentik 2026.2.x).
ANCHOR = (
' if "PKeyAuth" in ua["string"]:\n'
" return True\n"
" return False"
)
REPLACEMENT = (
' if "PKeyAuth" in ua["string"]:\n'
" return True\n"
" # OVERLAY: old Safari/WebKit (iPadOS<=16.3) cannot parse the modern\n"
" # ES2022 flow SPA and renders a blank login; serve the SFE instead so\n"
" # those clients get the real authentik login (password + MFA).\n"
' if ua["user_agent"]["family"] in ("Safari", "Mobile Safari"):\n'
" try:\n"
' _maj = int(ua["user_agent"]["major"] or 0)\n'
' _min = int(ua["user_agent"]["minor"] or 0)\n'
" except (TypeError, ValueError):\n"
" _maj = _min = 0\n"
" if _maj and (_maj < 16 or (_maj == 16 and _min <= 3)):\n"
" return True\n"
" return False"
)
src = open(TARGET).read()
assert "def compat_needs_sfe" in src, "compat_needs_sfe() not found — upstream changed"
assert src.count(ANCHOR) == 1, f"anchor not found exactly once in {TARGET}"
src = src.replace(ANCHOR, REPLACEMENT)
open(TARGET, "w").write(src)
ast.parse(src) # fail the build on a malformed patch
assert "Mobile Safari" in open(TARGET).read(), "patch did not apply"
for pyc in glob.glob("/authentik/flows/views/__pycache__/interface.*.pyc"):
os.remove(pyc)
print("patch-compat-sfe: compat_needs_sfe() now serves the SFE to Safari<=16.3")