
Release 2025.10

info

2025.10 has not been released yet! We're publishing these release notes as a preview of what's to come, and for our awesome beta testers trying out release candidates.

To try out the release candidate, replace your Docker image tag with the latest release candidate number, such as 2025.10.0-rc1. You can find the latest one in the latest releases on GitHub. If you don't find any, it means we haven't released one yet.

Highlights

  • SAML and OAuth2 provider Single Logout support: This release adds support for back-channel and front-channel SLO for SAML and front-channel for OAuth2/OIDC.
  • Removed Redis dependency: authentik no longer uses Redis at all.
  • Telegram source: Telegram can now be used for social login.
  • SCIM provider OAuth support (Enterprise): SCIM providers can use OAuth providers to authenticate to SCIM endpoints.
  • RADIUS EAP-TLS support (Enterprise): The RADIUS provider now supports EAP-TLS, which can be used to authenticate WiFi clients.

Breaking changes

Redis removal

In previous versions, authentik used Redis for caching, tasks, the embedded proxy outpost's session store, and WebSocket connections. Since 2025.8, tasks were migrated to use Postgres. With this release we've also migrated caching, the embedded outpost, and WebSocket to Postgres, fully removing the need for Redis.

As a result of this change, it is expected that authentik will use roughly TODO% more database connections to Postgres. Redis-related settings have also been removed and can be deleted from your configuration.

If your Postgres instance requires a TLS connection, authentik now requires TLS 1.3 or the Extended Master Secret extension to connect to Postgres.
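A pre-upgrade check for the TLS 1.3 half of this requirement, as an added example that is not part of authentik: it sends the PostgreSQL SSLRequest message and then attempts a handshake restricted to TLS 1.3. Python's ssl module does not expose the Extended Master Secret extension, so a server that fails this probe may still be accepted over TLS 1.2 with that extension; the host name is passed on the command line.

```python
import socket
import ssl
import struct
import sys

# PostgreSQL SSLRequest: Int32 length (8) followed by Int32 code 80877103,
# which the protocol defines as 1234 in the high 16 bits and 5679 in the low.
SSL_REQUEST_CODE = (1234 << 16) | 5679


def ssl_request_packet():
    """Bytes a client sends to ask PostgreSQL to switch the connection to TLS."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def interpret_reply(reply):
    """Map the server's single-byte answer to the SSLRequest."""
    if reply == b"S":
        return "tls-offered"
    if reply == b"N":
        return "tls-refused"
    return "unexpected"


def probe_tls13(host, port=5432, timeout=5.0):
    """Return the negotiated version if the server accepts TLS 1.3, else None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    # Version probe only: certificate checks are off here and must stay on
    # for any real database connection.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(ssl_request_packet())
        if interpret_reply(raw.recv(1)) != "tls-offered":
            return None
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
        except OSError:
            return None  # handshake failed: TLS 1.3 was not negotiated


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe_tls13(sys.argv[1]))
    else:
        print("usage: probe.py <postgres-host>")
```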

Default OAuth scope mappings

In previous releases, the default scope mappings set the email_verified claim to true. As we don't have a single source of whether a user's email is verified or not, and claiming that it is verified could have security implications, this claim has been corrected to false.

Some applications may require this claim to be true to successfully authenticate users, in which case you can create a custom email scope mapping that returns email_verified as true.
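One way to write such a custom email scope mapping without asserting verification for every account, as an added example that is not authentik's own code: it returns email_verified as true only for users who carry a hypothetical `email_verified` attribute set by an administrator or an enrollment flow. In authentik, only the body of `email_scope` goes into the mapping's expression, where `request` is supplied; the `sample_request` helper and the users below are constructed stand-ins.

```python
from types import SimpleNamespace

# Hypothetical attribute name; nothing in authentik sets it by default.
VERIFIED_ATTR = "email_verified"


def email_scope(request):
    """Body of a custom 'email' scope mapping.

    In authentik, paste only the function body as the expression;
    `request` is provided by the expression context.
    """
    user = request.user
    # Only an explicit boolean True counts. A missing attribute or a string
    # such as "true" falls back to the new default of False.
    verified = user.attributes.get(VERIFIED_ATTR) is True
    return {
        "email": user.email,
        # Never claim verification for an account with no address on file.
        "email_verified": bool(user.email) and verified,
    }


def sample_request(email, attributes):
    """Constructed stand-in for the request object authentik passes in."""
    user = SimpleNamespace(email=email, attributes=attributes)
    return SimpleNamespace(user=user)


if __name__ == "__main__":
    samples = [
        ("alice@example.com", {"email_verified": True}),
        ("bob@example.com", {}),
        ("carol@example.com", {"email_verified": "true"}),
    ]
    for email, attrs in samples:
        print(email_scope(sample_request(email, attrs)))
```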

New features and improvements

SCIM provider OAuth support (Enterprise)

SCIM providers can now use OAuth sources to authenticate to SCIM endpoints. This requires support in the remote system for OAuth authentication. Using an OAuth source provides improved security due to not requiring long-lived static tokens.

This is supported by applications such as Slack and Salesforce.

See SCIM Provider documentation for more details.

RADIUS EAP-TLS support (Enterprise)

The RADIUS outpost now supports EAP-TLS, which allows for client authentication using certificates with the Mutual TLS stage.

See RADIUS Provider documentation.

SAML and OAuth2 provider Single Logout support

In 2025.8 we introduced support for back-channel logout in the OAuth2 Provider. This release adds support for front-channel logout in the OAuth2 Provider and both back- and front-channel logout support in the SAML Provider.

See OAuth2 Provider documentation and SAML Provider documentation.

Telegram source

This was one of the most upvoted GitHub issues, and we've finally done it. Telegram can now be used as a federated identity provider in authentik. This allows users to authenticate with their Telegram credentials.

See Telegram Source documentation.

Refined flow and user library

The flow interface now fits better on mobile devices/small viewports and looks sharper on HiDPI devices. There are also improvements for auto-completion during credential input (thanks to @cjoshmartin!). The user library has improved scaling and makes better use of space with a higher density.

Additional noteworthy improvements

  • Credential provider: Alpha releases of desktop integrations are now available for testing; reach out to hello@goauthentik.io if you are interested in providing early feedback for any of these:
    • Windows: a custom credential provider allowing custom authentication flows.
    • macOS: a Platform SSO integration allowing seamless authentication.
    • Linux: accessing Linux servers via an authentik identity.
  • Add ak_send_email: Allow for easier sending of emails in expressions; see ak_send_email.
  • Change recovery token duration: When using ak create_recovery_key, the duration is now set in minutes instead of years.
  • Add OIDC ui_locales support: The OAuth2 provider now accepts ui_locales to set the locale of authentik.
  • Add support for separate labels and values in prompt choice inputs, see Prompt stage documentation; thanks to @ErikAhlund!

New integration guides

An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added.

Upgrading

Following the upgrade instructions below will remove Redis from your installation. If you use authentik with an externally configured Redis, you can simply remove the Redis configuration from authentik; for more detailed information about upgrading authentik, refer to our Upgrade documentation.

warning

When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance.

Docker Compose

To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:

wget -O docker-compose.yml https://goauthentik.io/version/2025.10/docker-compose.yml
docker compose up -d --remove-orphans

The -O flag writes the download to the named file (docker-compose.yml), overwriting any existing local file with the same name.

The --remove-orphans flag removes the Redis container as it's no longer needed.

Kubernetes

Upgrade the Helm Chart to the new version, using the following commands:

helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.10

If you had persistence for Redis configured, you can delete the PVC and PV after the upgrade.

Minor changes/fixes

API Changes