Summary Deactivated users that had either enrolled via OAuth/SAML or had their account connected to an OAuth/SAML account can still partially access authentik even if their account is deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application. Patches authentik 2025.4.4 and 2025.6.4 fix this issue. Workarounds Adding an expression policy to the user login stage on the respective authentication flow with the expression of py return request.context["pending_user"].is_active This expression will only activate the user login stage when the user is active. For more information If you have any questions or comments about this advisory: Email us at…Read More
Authentik has insufficient check for account active status when authenticating with OAuth/SAML Sources
