Describe the bug
Maybe it's not really a bug, but I'm posting it in case someone gets the same issue (lost some time on this for quite a simple fix).
After upgrading from 2026.2.3 → 2026.5.0, every existing user session becomes undecodable. Any OAuth2/proxy etc. authorization attempt by an already-logged-in user lands on a 404 page (authentik logo, no error). The session backend silently returns {}, the authorize view sees no login_event, tries to re-run the authentication flow, the authentication flow raises FlowNonApplicableException (the default auth flow won't re-run for a user that is already logged in), and PolicyAccessView converts that to Http404.
Downgrading the container back to 2026.2.3 does not work because sessions touched during the brief 2026.5 window now contain references to the new class name and 2026.2 can't decode those either.
The fix is actually to just log out and log back in.
Maybe the migration could
DELETE FROM authentik_core_authenticatedsession;
DELETE FROM django_session;
or mention this in the release.
How to reproduce
- Run 2026.2.3 with active user sessions (any user logged in via the web UI, any proxy outpost holding tokens).
- Upgrade to 2026.5.0 (docker compose, just bumping AUTHENTIK_TAG).
- As an already-logged-in user, hit any /application/o/authorize/?... URL (OIDC app or proxy provider).
- Observe 404.
Expected behavior
Existing sessions should remain valid across the upgrade, or be transparently invalidated (forcing a re-login) rather than producing an empty session that breaks the authorize flow.
Screenshots
No response
Additional context
commit 8f1bdc0, "providers/oauth2: Configure allowed grant types" renamed the enum:
- class GrantTypes(models.TextChoices):
+ class GrantType(models.TextChoices):
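Review bot: the rename on the `+ class GrantType` line drops the name `GrantTypes` from the module with no compatibility path, and the log output in this report shows stored sessions still resolving `authentik.providers.oauth2.models.GrantTypes` when they are decoded. Consider keeping a module-level alias (`GrantTypes = GrantType`) for at least one release, or pairing the rename with a migration that clears stored sessions, and calling it out in the release notes.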
Deployment Method
Docker
Version
2026.5
Relevant log output
{"event": "Failed to decode session data",
"exception": [{"exc_type": "AttributeError",
"exc_value": "module 'authentik.providers.oauth2.models' has no attribute 'GrantTypes'",
"frames": [{"filename": "/authentik/core/sessions.py", "lineno": 68, "name": "decode"}]}],
"level": "warning"}
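The failure mode in this report, reproduced in isolation as an added example (not authentik's code). It assumes the session payload is serialized pickle-style, with classes stored by module path and name; `demo_oauth2_models`, `decode_silent`, `decode_strict` and `SessionInvalid` are hypothetical names.

```python
import enum, pickle, sys, types

# Constructed stand-in for authentik.providers.oauth2.models (hypothetical name).
models = types.ModuleType("demo_oauth2_models")
sys.modules[models.__name__] = models

def define_enum(class_name):
    """Publish the grant-type enum in the stand-in module under class_name."""
    cls = enum.Enum(class_name, {"AUTHORIZATION_CODE": "authorization_code"},
                    module=models.__name__)
    setattr(models, class_name, cls)
    return cls

class SessionInvalid(Exception):
    """Stored session cannot be decoded; drop it and force a re-login."""

def decode_silent(blob):
    """Behaviour described in the report: a decode failure yields {}."""
    try:
        return pickle.loads(blob)
    except Exception:
        return {}

def decode_strict(blob):
    """Surface the failure so the caller can delete the session explicitly."""
    try:
        return pickle.loads(blob)
    except (AttributeError, ImportError, pickle.UnpicklingError) as exc:
        raise SessionInvalid(str(exc)) from exc

def demo():
    old = define_enum("GrantTypes")            # pre-upgrade class name
    blob = pickle.dumps({"login_event": "constructed", "grant": old.AUTHORIZATION_CODE})
    delattr(models, "GrantTypes")              # upgrade: old name is gone ...
    new = define_enum("GrantType")             # ... new name takes its place
    silent = decode_silent(blob)
    try:
        decode_strict(blob)
        strict = "decoded"
    except SessionInvalid as exc:
        strict = str(exc)
    models.GrantTypes = new                    # compatibility alias for old sessions
    aliased = decode_strict(blob)
    return silent, strict, aliased["grant"] is new.AUTHORIZATION_CODE

if __name__ == "__main__":
    print(demo())
```

The silent variant hands the view an empty but still "valid" session, while the strict variant gives the caller a signal to delete the session and send the user through login again.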