website/docs: add 2025.10 release notes

website/docs/releases/2025/v2025.10.md

@@ -0,0 +1,129 @@
+---
+title: Release 2025.10
+slug: "/releases/2025.10"
+---
+
+:::info
+2025.10 has not been released yet! We're publishing these release notes as a preview of what's to come, and for our awesome beta testers trying out release candidates.
+
+To try out the release candidate, replace your Docker image tag with the latest release candidate number, such as 2025.10.0-rc1. You can find the latest one in [the latest releases on GitHub](https://github.com/goauthentik/authentik/releases). If you don't find any, it means we haven't released one yet.
+:::
+
+## Highlights
+
+- **SAML and OAuth2 provider Single Logout support**: This release adds support for back-channel and front-channel SLO for SAML and front-channel for OIDC.
+- **Removed Redis dependency**: authentik no longer uses Redis at all.
+- **Telegram source**: Telegram can now be used for social login.
+- **SCIM provider OAuth support**: :ak-enterprise SCIM providers can use OAuth providers to authenticate to SCIM endpoints.
+- **RADIUS EAP-TLS Support**: :ak-enterprise The RADIUS provider now supports EAP-TLS, which can be used to authenticate WiFi clients.
+
+## Breaking changes
+
+### Redis removal
+
+In previous versions, authentik used Redis for caching, tasks, and WebSocket connections. Since [2025.8](./v2025.8.mdx), tasks were migrated to use Postgres. With this release we've also migrated caching and WebSocket to Postgres, fully removing the need for Redis.
+
+As a result of this change, it is expected that authentik will use roughly TODO% more database connections to Postgres. Redis-related settings have also been removed and can be deleted from your configuration.
+
+If your Postgres instance requires a TLS connection, authentik now requires TLS 1.3 or the Extended Master Secret extension to connect to Postgres.
+
+### Default OAuth scope mappings
+
+In previous releases with the default scope mappings, we set the `email_verified` claim to `true`. As we don't have a single source of whether a users' email is verified or not, and claiming that it is verified could lead to security implications, this claim has been corrected to `false`.
+
+Some applications may require this claim to be `true` to successfully authenticate users, in which case you can create a custom `email` scope mapping that returns `email_verified` as `true`.
+
+## New features and improvements
+
+### SCIM provider OAuth support :ak-enterprise
+
+SCIM providers can use an OAuth sources to authenticate to SCIM endpoints. This requires support in the remote system for OAuth authentication. Using an OAuth source provides improved security due to
+not requiring long-lived static tokens.
+
+This is supported by applications such as Slack and Salesforce.
+
+See [SCIM Provider documentation](../../add-secure-apps/providers/scim/index.md#oauth-authentication-for-a-scim-provider--) for more details.
+
+### RADIUS EAP-TLS support :ak-enterprise
+
+The RADIUS outpost can now support EAP-TLS which allows for client authentication using certificates with the [Mutual TLS stage](../../add-secure-apps/flows-stages/stages/mtls/index.md).
+
+See [RADIUS Provider documentation](../../add-secure-apps/providers/radius/index.mdx).
+
+### SAML and OAuth2 provider Single Logout support
+
+In [2025.8](v2025.8.mdx) we've introduced support for back-channel logout in the OAuth2 Provider. This release adds support for front-channel logout in the OAuth2 Provider and both back- and front-channel logout support in the SAML Provider.
+
+See [OAuth2 Provider documentation](../../add-secure-apps/providers/oauth2/index.mdx) and [SAML Provider documentation](../../add-secure-apps/providers/saml/index.md).
+
+### Telegram source
+
+Being one of the most upvoted GitHub issues, we've finally done it.
+
+See [Telegram Source documentation](../../users-sources/sources/social-logins/telegram/index.md).
+
+### Refined flow and user library
+
+The flow interface now fits better on mobile devices/small viewports and looks sharper on HiDPi devices. There are also improvements for auto-completion during credential input (thanks to @cjoshmartin!).
+The user library has improved scaling and makes better use of space with a higher density.
+
+### Additional noteworthy improvements
+
+- Credential provider: Alpha releases of desktop integrations are now available for testing; reach out to [email protected] if you are interested in providing early feedback for any of these:
+    - Windows: a custom credential provider allowing custom authentication flows.
+    - macOS: a Platform SSO integration allowing seamless authentication.
+    - Linux: accessing Linux servers via an authentik identity.
+- Add `ak_send_email`: Allow for easier sending of emails in expressions; see [ak_send_email](../../customize/policies/expression.mdx#ak_send_emailaddress-str--liststr-subject-str-body-str--none-stage-emailstage--none-template-str--none-context-dict--none---bool).
+- Change recovery token duration: When using `ak create_recovery_key`, the duration is now set in minutes instead of years.
+- Add OIDC `ui_locales` support: The OAuth2 provider now accepts `ui_locales` to set the locale of authentik.
+- Add support for separate labels and values in prompt choice inputs, see [Prompt stage documentation](../../add-secure-apps/flows-stages/stages/prompt/index.md); thanks to @ErikAhlund!
+
+## New integration guides
+
+An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added.
+
+- [Cloudflare](https://integrations.goauthentik.io/platforms/cloudflare/)
+- [Digital Ocean](https://integrations.goauthentik.io/cloud-providers/digitalocean/)
+- [Entra ID SCIM](../../users-sources/sources/social-logins/entra-id/scim/index.mdx)
+- [osTicket](https://integrations.goauthentik.io/infrastructure/osticket/)
+- [Termix](https://integrations.goauthentik.io/infrastructure/termix/)
+
+## Upgrading
+
+Following the upgrade instructions below will remove Redis from your installation. If you use authentik with an externally configured Redis, you can simply remove the Redis configuration from authentik; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx).
+
+:::warning
+When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance.
+:::
+
+### Docker Compose
+
+To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:
+
+```shell
+wget -O docker-compose.yml https://goauthentik.io/version/2025.10/docker-compose.yml
+docker compose up -d --remove-orphans
+```
+
+The `-O` flag retains the downloaded file's name, overwriting any existing local file with the same name.
+
+The `--remove-orphans` flag removes the Redis container as its no longer needed.
+
+### Kubernetes
+
+Upgrade the Helm Chart to the new version, using the following commands:
+
+```shell
+helm repo update
+helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.10
+```
+
+If you had persistence for Redis configured, you can delete the PVC and PV after the upgrade.
+
+## Minor changes/fixes
+
+<!-- _Insert the output of `make gen-changelog` here_ -->
+
+## API Changes
+
+<!-- _Insert output of `make gen-diff` here_ -->