core: fix read replica routing during transactions #19086
When authentik is configured with pg read replicas, the application wizard fails with "Invalid pk - object does not exist" for the provider field.

The issue occurs in the blueprint validation flow:

1. Provider is created on the primary database (e.g. PK 159)
2. KeyOf.resolve() returns this PK for the application's provider field
3. ApplicationSerializer.is_valid() validates the provider FK
4. DRF's PrimaryKeyRelatedField queries to verify the PK exists
5. FailoverRouter routes this read to a replica
6. Replica hasn't replicated the new provider yet --> validation fails

Number 6 happens because the transaction has not been committed yet, since blueprint validation runs in transaction_rollback().

The fix introduces TransactionApplicationRequestSerializer which excludes provider-related fields (provider, provider_obj, backchannel_providers, backchannel_providers_obj) from validation. This is safe because:

- The provider is created in the same blueprint transaction
- The KeyOf reference correctly links them during blueprint apply()
- The blueprint importer handles the actual FK assignment
gergosimonyi
left a comment
@BeryJu I think this is the correct approach, but I'll leave the checkmark up to you.
BeryJu
left a comment
LGTM, cc @rissson
* core: fix transactional app creation failing with read replicas

  When authentik is configured with pg read replicas, the application wizard fails with "Invalid pk - object does not exist" for the provider field.

  The issue occurs in the blueprint validation flow:

  1. Provider is created on the primary database (e.g. PK 159)
  2. KeyOf.resolve() returns this PK for the application's provider field
  3. ApplicationSerializer.is_valid() validates the provider FK
  4. DRF's PrimaryKeyRelatedField queries to verify the PK exists
  5. FailoverRouter routes this read to a replica
  6. Replica hasn't replicated the new provider yet --> validation fails

  Number 6 happens because the transaction has not been committed yet, since blueprint validation runs in transaction_rollback().

  The fix introduces TransactionApplicationRequestSerializer which excludes provider-related fields (provider, provider_obj, backchannel_providers, backchannel_providers_obj) from validation. This is safe because:

  - The provider is created in the same blueprint transaction
  - The KeyOf reference correctly links them during blueprint apply()
  - The blueprint importer handles the actual FK assignment

* wip
* wip
* wip
* wip
* wip
* wip
…to version-2025.12) (#19241) Co-authored-by: Dominic R <[email protected]> fix read replica routing during transactions (#19086)
…to version-2025.10) (#19240) Co-authored-by: Dominic R <[email protected]> fix read replica routing during transactions (#19086)
FailoverRouter was routing reads to replicas even inside active transactions. This caused the application wizard to fail with "Invalid pk - object does not exist" when using read replicas (maybe other things too, have not checked), as FK validation queries couldn't see uncommitted rows on the primary.
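
The failure mode discussed in this PR, and routing that pins reads to the primary while a transaction is open, reduced to a stdlib-only model. This is an added example, not authentik's code: `Cluster`, `NaiveRouter`, `TransactionAwareRouter`, `fk_exists` and `wizard_dry_run` are hypothetical names, two in-memory SQLite databases stand in for the PostgreSQL primary and replica, and `sqlite3`'s `in_transaction` stands in for whatever transaction check the real router performs.

```python
import sqlite3

class Cluster:
    """Constructed stand-in: one primary and one asynchronous read replica."""
    def __init__(self):
        # isolation_level=None: transactions start only on an explicit BEGIN.
        self.primary = sqlite3.connect(":memory:", isolation_level=None)
        self.replica = sqlite3.connect(":memory:", isolation_level=None)
        for db in (self.primary, self.replica):
            db.execute("CREATE TABLE provider (id INTEGER PRIMARY KEY, name TEXT)")

class NaiveRouter:
    """Always sends reads to the replica, even inside an open transaction."""
    def db_for_read(self, cluster):
        return cluster.replica

class TransactionAwareRouter:
    """Pins reads to the primary while a transaction is open on it."""
    def db_for_read(self, cluster):
        if cluster.primary.in_transaction:
            return cluster.primary
        return cluster.replica

def fk_exists(router, cluster, pk):
    """Existence check of the kind a PK-related field runs during validation."""
    db = router.db_for_read(cluster)
    return db.execute("SELECT 1 FROM provider WHERE id = ?", (pk,)).fetchone() is not None

def wizard_dry_run(router):
    """Create a provider, validate the FK, then roll back (nothing is committed)."""
    cluster = Cluster()
    cluster.primary.execute("BEGIN")
    try:
        cur = cluster.primary.execute(
            "INSERT INTO provider (id, name) VALUES (159, 'constructed-provider')")
        # The row exists only inside the primary's open transaction, so a
        # replica can never have it at this point.
        return fk_exists(router, cluster, cur.lastrowid)
    finally:
        cluster.primary.execute("ROLLBACK")

if __name__ == "__main__":
    print("naive router:", wizard_dry_run(NaiveRouter()))
    print("transaction-aware router:", wizard_dry_run(TransactionAwareRouter()))
```

Outside a transaction the transaction-aware router still returns the replica, so ordinary read traffic keeps being offloaded.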