diff --git a/authentik/events/signals.py b/authentik/events/signals.py index 9f4680f6e7..1d0685ddfe 100644 --- a/authentik/events/signals.py +++ b/authentik/events/signals.py @@ -1,13 +1,16 @@ """authentik events signal listener""" +from importlib import import_module from typing import Any +from django.conf import settings from django.contrib.auth.signals import user_logged_in, user_logged_out from django.db.models.signals import post_save, pre_delete from django.dispatch import receiver from django.http import HttpRequest +from rest_framework.request import Request -from authentik.core.models import User +from authentik.core.models import AuthenticatedSession, User from authentik.core.signals import login_failed, password_changed from authentik.events.apps import SYSTEM_TASK_STATUS from authentik.events.models import Event, EventAction, SystemTask @@ -23,6 +26,7 @@ from authentik.stages.user_write.signals import user_write from authentik.tenants.utils import get_current_tenant SESSION_LOGIN_EVENT = "login_event" +_session_engine = import_module(settings.SESSION_ENGINE) @receiver(user_logged_in) @@ -43,11 +47,20 @@ def on_user_logged_in(sender, request: HttpRequest, user: User, **_): kwargs[PLAN_CONTEXT_OUTPOST] = flow_plan.context[PLAN_CONTEXT_OUTPOST] event = Event.new(EventAction.LOGIN, **kwargs).from_http(request, user=user) request.session[SESSION_LOGIN_EVENT] = event + request.session.save() -def get_login_event(request: HttpRequest) -> Event | None: +def get_login_event(request_or_session: HttpRequest | AuthenticatedSession | None) -> Event | None: """Wrapper to get login event that can be mocked in tests""" - return request.session.get(SESSION_LOGIN_EVENT, None) + session = None + if not request_or_session: + return None + if isinstance(request_or_session, HttpRequest | Request): + session = request_or_session.session + if isinstance(request_or_session, AuthenticatedSession): + SessionStore = _session_engine.SessionStore + session = SessionStore(request_or_session.session_key) + return session.get(SESSION_LOGIN_EVENT, None) @receiver(user_logged_out) diff --git a/authentik/providers/oauth2/id_token.py b/authentik/providers/oauth2/id_token.py index 7b92804c62..27c5f2600f 100644 --- a/authentik/providers/oauth2/id_token.py +++ b/authentik/providers/oauth2/id_token.py @@ -1,6 +1,7 @@ """id_token utils""" from dataclasses import asdict, dataclass, field +from hashlib import sha256 from typing import TYPE_CHECKING, Any from django.db import models @@ -23,8 +24,13 @@ if TYPE_CHECKING: from authentik.providers.oauth2.models import BaseGrantModel, OAuth2Provider +def hash_session_key(session_key: str) -> str: + """Hash the session key for inclusion in JWTs as `sid`""" + return sha256(session_key.encode("ascii")).hexdigest() + + class SubModes(models.TextChoices): - """Mode after which 'sub' attribute is generateed, for compatibility reasons""" + """Mode after which 'sub' attribute is generated, for compatibility reasons""" HASHED_USER_ID = "hashed_user_id", _("Based on the Hashed User ID") USER_ID = "user_id", _("Based on user ID") @@ -51,7 +57,8 @@ class IDToken: and potentially other requested Claims. The ID Token is represented as a JSON Web Token (JWT) [JWT]. - https://openid.net/specs/openid-connect-core-1_0.html#IDToken""" + https://openid.net/specs/openid-connect-core-1_0.html#IDToken + https://www.iana.org/assignments/jwt/jwt.xhtml""" # Issuer, https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.1 iss: str | None = None @@ -79,6 +86,8 @@ class IDToken: nonce: str | None = None # Access Token hash value, http://openid.net/specs/openid-connect-core-1_0.html at_hash: str | None = None + # Session ID, https://openid.net/specs/openid-connect-frontchannel-1_0.html#ClaimsContents + sid: str | None = None claims: dict[str, Any] = field(default_factory=dict) @@ -116,9 +125,11 @@ class IDToken: now = timezone.now() id_token.iat = int(now.timestamp()) id_token.auth_time = int(token.auth_time.timestamp()) + if token.session: + id_token.sid = hash_session_key(token.session.session_key) # We use the timestamp of the user's last successful login (EventAction.LOGIN) for auth_time - auth_event = get_login_event(request) + auth_event = get_login_event(token.session) if auth_event: # Also check which method was used for authentication method = auth_event.context.get(PLAN_CONTEXT_METHOD, "") diff --git a/authentik/providers/oauth2/migrations/0007_auto_20201016_1107_squashed_0017_alter_oauth2provider_token_validity.py b/authentik/providers/oauth2/migrations/0007_auto_20201016_1107_squashed_0017_alter_oauth2provider_token_validity.py index 81656d9cc5..6f5eddc402 100644 --- a/authentik/providers/oauth2/migrations/0007_auto_20201016_1107_squashed_0017_alter_oauth2provider_token_validity.py +++ b/authentik/providers/oauth2/migrations/0007_auto_20201016_1107_squashed_0017_alter_oauth2provider_token_validity.py @@ -3,6 +3,7 @@ import django.db.models.deletion from django.apps.registry import Apps from django.db import migrations, models +from django.db.backends.base.schema import BaseDatabaseSchemaEditor import authentik.lib.utils.time @@ -14,7 +15,7 @@ scope_uid_map = { } -def set_managed_flag(apps: Apps, schema_editor): +def set_managed_flag(apps: Apps, schema_editor: BaseDatabaseSchemaEditor): ScopeMapping = apps.get_model("authentik_providers_oauth2", "ScopeMapping") db_alias = schema_editor.connection.alias for mapping in ScopeMapping.objects.using(db_alias).filter(name__startswith="Autogenerated "): diff --git a/authentik/providers/oauth2/migrations/0022_remove_accesstoken_session_id_and_more.py b/authentik/providers/oauth2/migrations/0022_remove_accesstoken_session_id_and_more.py new file mode 100644 index 0000000000..081f45962c --- /dev/null +++ b/authentik/providers/oauth2/migrations/0022_remove_accesstoken_session_id_and_more.py @@ -0,0 +1,113 @@ +# Generated by Django 5.0.9 on 2024-10-23 13:38 + +from hashlib import sha256 +import django.db.models.deletion +from django.db import migrations, models +from django.apps.registry import Apps +from django.db.backends.base.schema import BaseDatabaseSchemaEditor +from authentik.lib.migrations import progress_bar + + +def migrate_session(apps: Apps, schema_editor: BaseDatabaseSchemaEditor): + AuthenticatedSession = apps.get_model("authentik_core", "authenticatedsession") + AuthorizationCode = apps.get_model("authentik_providers_oauth2", "authorizationcode") + AccessToken = apps.get_model("authentik_providers_oauth2", "accesstoken") + RefreshToken = apps.get_model("authentik_providers_oauth2", "refreshtoken") + db_alias = schema_editor.connection.alias + + print(f"\nFetching session keys, this might take a couple of minutes...") + session_ids = {} + for session in progress_bar(AuthenticatedSession.objects.using(db_alias).all()): + session_ids[sha256(session.session_key.encode("ascii")).hexdigest()] = session.session_key + for model in [AuthorizationCode, AccessToken, RefreshToken]: + print( + f"\nAdding session to {model._meta.verbose_name}, this might take a couple of minutes..." + ) + for code in progress_bar(model.objects.using(db_alias).all()): + if code.session_id_old not in session_ids: + continue + code.session = ( + AuthenticatedSession.objects.using(db_alias) + .filter(session_key=session_ids[code.session_id_old]) + .first() + ) + code.save() + + +class Migration(migrations.Migration): + + dependencies = [ + ("authentik_core", "0040_provider_invalidation_flow"), + ("authentik_providers_oauth2", "0021_oauth2provider_encryption_key_and_more"), + ] + + operations = [ + migrations.RenameField( + model_name="accesstoken", + old_name="session_id", + new_name="session_id_old", + ), + migrations.RenameField( + model_name="authorizationcode", + old_name="session_id", + new_name="session_id_old", + ), + migrations.RenameField( + model_name="refreshtoken", + old_name="session_id", + new_name="session_id_old", + ), + migrations.AddField( + model_name="accesstoken", + name="session", + field=models.ForeignKey( + default=None, + null=True, + on_delete=django.db.models.deletion.SET_DEFAULT, + to="authentik_core.authenticatedsession", + ), + ), + migrations.AddField( + model_name="authorizationcode", + name="session", + field=models.ForeignKey( + default=None, + null=True, + on_delete=django.db.models.deletion.SET_DEFAULT, + to="authentik_core.authenticatedsession", + ), + ), + migrations.AddField( + model_name="devicetoken", + name="session", + field=models.ForeignKey( + default=None, + null=True, + on_delete=django.db.models.deletion.SET_DEFAULT, + to="authentik_core.authenticatedsession", + ), + ), + migrations.AddField( + model_name="refreshtoken", + name="session", + field=models.ForeignKey( + default=None, + null=True, + on_delete=django.db.models.deletion.SET_DEFAULT, + to="authentik_core.authenticatedsession", + ), + ), + migrations.RunPython(migrate_session), + migrations.RemoveField( + model_name="accesstoken", + name="session_id_old", + ), + migrations.RemoveField( + model_name="authorizationcode", + name="session_id_old", + ), + migrations.RemoveField( + model_name="refreshtoken", + name="session_id_old", + ), + ] diff --git a/authentik/providers/oauth2/models.py b/authentik/providers/oauth2/models.py index b67cdbe0b9..966d085148 100644 --- a/authentik/providers/oauth2/models.py +++ b/authentik/providers/oauth2/models.py @@ -26,7 +26,13 @@ from rest_framework.serializers import Serializer from structlog.stdlib import get_logger from authentik.brands.models import WebfingerProvider -from authentik.core.models import ExpiringModel, PropertyMapping, Provider, User +from authentik.core.models import ( + AuthenticatedSession, + ExpiringModel, + PropertyMapping, + Provider, + User, +) from authentik.crypto.models import CertificateKeyPair from authentik.lib.generators import generate_code_fixed_length, generate_id, generate_key from authentik.lib.models import SerializerModel @@ -353,7 +359,9 @@ class BaseGrantModel(models.Model): revoked = models.BooleanField(default=False) _scope = models.TextField(default="", verbose_name=_("Scopes")) auth_time = models.DateTimeField(verbose_name="Authentication time") - session_id = models.CharField(default="", blank=True) + session = models.ForeignKey( + AuthenticatedSession, null=True, on_delete=models.SET_DEFAULT, default=None + ) class Meta: abstract = True @@ -491,6 +499,9 @@ class DeviceToken(ExpiringModel): device_code = models.TextField(default=generate_key) user_code = models.TextField(default=generate_code_fixed_length) _scope = models.TextField(default="", verbose_name=_("Scopes")) + session = models.ForeignKey( + AuthenticatedSession, null=True, on_delete=models.SET_DEFAULT, default=None + ) @property def scope(self) -> list[str]: diff --git a/authentik/providers/oauth2/signals.py b/authentik/providers/oauth2/signals.py index ee0f4ed9c8..16996ced33 100644 --- a/authentik/providers/oauth2/signals.py +++ b/authentik/providers/oauth2/signals.py @@ -1,5 +1,3 @@ -from hashlib import sha256 - from django.contrib.auth.signals import user_logged_out from django.dispatch import receiver from django.http import HttpRequest @@ -13,5 +11,4 @@ def user_logged_out_oauth_access_token(sender, request: HttpRequest, user: User, """Revoke access tokens upon user logout""" if not request.session or not request.session.session_key: return - hashed_session_key = sha256(request.session.session_key.encode("ascii")).hexdigest() - AccessToken.objects.filter(user=user, session_id=hashed_session_key).delete() + AccessToken.objects.filter(user=user, session__session_key=request.session.session_key).delete() diff --git a/authentik/providers/oauth2/views/authorize.py b/authentik/providers/oauth2/views/authorize.py index 5cf5145c03..49f785d002 100644 --- a/authentik/providers/oauth2/views/authorize.py +++ b/authentik/providers/oauth2/views/authorize.py @@ -2,7 +2,6 @@ from dataclasses import InitVar, dataclass, field from datetime import timedelta -from hashlib import sha256 from json import dumps from re import error as RegexError from re import fullmatch @@ -16,7 +15,7 @@ from django.utils import timezone from django.utils.translation import gettext as _ from structlog.stdlib import get_logger -from authentik.core.models import Application +from authentik.core.models import Application, AuthenticatedSession from authentik.events.models import Event, EventAction from authentik.events.signals import get_login_event from authentik.flows.challenge import ( @@ -318,7 +317,9 @@ class OAuthAuthorizationParams: expires=now + timedelta_from_string(self.provider.access_code_validity), scope=self.scope, nonce=self.nonce, - session_id=sha256(request.session.session_key.encode("ascii")).hexdigest(), + session=AuthenticatedSession.objects.filter( + session_key=request.session.session_key + ).first(), ) if self.code_challenge and self.code_challenge_method: @@ -610,7 +611,9 @@ class OAuthFulfillmentStage(StageView): expires=access_token_expiry, provider=self.provider, auth_time=auth_event.created if auth_event else now, - session_id=sha256(self.request.session.session_key.encode("ascii")).hexdigest(), + session=AuthenticatedSession.objects.filter( + session_key=self.request.session.session_key + ).first(), ) id_token = IDToken.new(self.provider, token, self.request) diff --git a/authentik/providers/oauth2/views/token.py b/authentik/providers/oauth2/views/token.py index a0b9327e18..cfb75fedd9 100644 --- a/authentik/providers/oauth2/views/token.py +++ b/authentik/providers/oauth2/views/token.py @@ -550,7 +550,7 @@ class TokenView(View): # Keep same scopes as previous token scope=self.params.authorization_code.scope, auth_time=self.params.authorization_code.auth_time, - session_id=self.params.authorization_code.session_id, + session=self.params.authorization_code.session, ) access_id_token = IDToken.new( self.provider, @@ -578,7 +578,7 @@ class TokenView(View): expires=refresh_token_expiry, provider=self.provider, auth_time=self.params.authorization_code.auth_time, - session_id=self.params.authorization_code.session_id, + session=self.params.authorization_code.session, ) id_token = IDToken.new( self.provider, @@ -611,7 +611,7 @@ class TokenView(View): # Keep same scopes as previous token scope=self.params.refresh_token.scope, auth_time=self.params.refresh_token.auth_time, - session_id=self.params.refresh_token.session_id, + session=self.params.refresh_token.session, ) access_token.id_token = IDToken.new( self.provider, @@ -627,7 +627,7 @@ class TokenView(View): expires=refresh_token_expiry, provider=self.provider, auth_time=self.params.refresh_token.auth_time, - session_id=self.params.refresh_token.session_id, + session=self.params.refresh_token.session, ) id_token = IDToken.new( self.provider, @@ -685,13 +685,14 @@ class TokenView(View): raise DeviceCodeError("authorization_pending") now = timezone.now() access_token_expiry = now + timedelta_from_string(self.provider.access_token_validity) - auth_event = get_login_event(self.request) + auth_event = get_login_event(self.params.device_code.session) access_token = AccessToken( provider=self.provider, user=self.params.device_code.user, expires=access_token_expiry, scope=self.params.device_code.scope, auth_time=auth_event.created if auth_event else now, + session=self.params.device_code.session, ) access_token.id_token = IDToken.new( self.provider, diff --git a/authentik/providers/proxy/tasks.py b/authentik/providers/proxy/tasks.py index 8b2f94c035..e9c449fcf0 100644 --- a/authentik/providers/proxy/tasks.py +++ b/authentik/providers/proxy/tasks.py @@ -1,13 +1,12 @@ """proxy provider tasks""" -from hashlib import sha256 - from asgiref.sync import async_to_sync from channels.layers import get_channel_layer from django.db import DatabaseError, InternalError, ProgrammingError from authentik.outposts.consumer import OUTPOST_GROUP from authentik.outposts.models import Outpost, OutpostType +from authentik.providers.oauth2.id_token import hash_session_key from authentik.providers.proxy.models import ProxyProvider from authentik.root.celery import CELERY_APP @@ -26,7 +25,7 @@ def proxy_set_defaults(): def proxy_on_logout(session_id: str): """Update outpost instances connected to a single outpost""" layer = get_channel_layer() - hashed_session_id = sha256(session_id.encode("ascii")).hexdigest() + hashed_session_id = hash_session_key(session_id) for outpost in Outpost.objects.filter(type=OutpostType.PROXY): group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)} async_to_sync(layer.group_send)( diff --git a/blueprints/system/providers-proxy.yaml b/blueprints/system/providers-proxy.yaml index 2fd4db560f..1214d157d1 100644 --- a/blueprints/system/providers-proxy.yaml +++ b/blueprints/system/providers-proxy.yaml @@ -14,11 +14,7 @@ entries: expression: | # This mapping is used by the authentik proxy. It passes extra user attributes, # which are used for example for the HTTP-Basic Authentication mapping. - session_id = None - if "token" in request.context: - session_id = request.context.get("token").session_id return { - "sid": session_id, "ak_proxy": { "user_attributes": request.user.group_attributes(request), "is_superuser": request.user.is_superuser, diff --git a/locale/en/LC_MESSAGES/django.po b/locale/en/LC_MESSAGES/django.po index ee9393bb23..9477afafd1 100644 --- a/locale/en/LC_MESSAGES/django.po +++ b/locale/en/LC_MESSAGES/django.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2024-10-23 00:08+0000\n" +"POT-Creation-Date: 2024-10-23 16:39+0000\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -1843,6 +1843,107 @@ msgstr "" msgid "Used recovery-link to authenticate." msgstr "" +#: authentik/sources/kerberos/models.py +msgid "Kerberos realm" +msgstr "" + +#: authentik/sources/kerberos/models.py +msgid "Custom krb5.conf to use. Uses the system one by default" +msgstr "" + +#: authentik/sources/kerberos/models.py +msgid "Sync users from Kerberos into authentik" +msgstr "" + +#: authentik/sources/kerberos/models.py +msgid "When a user changes their password, sync it back to Kerberos" +msgstr "" + +#: authentik/sources/kerberos/models.py +msgid "Principal to authenticate to kadmin for sync." +msgstr "" + +#: authentik/sources/kerberos/models.py +msgid "Password to authenticate to kadmin for sync" +msgstr "" + +#: authentik/sources/kerberos/models.py +msgid "" +"Keytab to authenticate to kadmin for sync. Must be base64-encoded or in the " +"form TYPE:residual" +msgstr "" + +#: authentik/sources/kerberos/models.py +msgid "" +"Credentials cache to authenticate to kadmin for sync. Must be in the form " +"TYPE:residual" +msgstr "" + +#: authentik/sources/kerberos/models.py +msgid "" +"Force the use of a specific server name for SPNEGO. Must be in the form " +"HTTP@hostname" +msgstr "" + +#: authentik/sources/kerberos/models.py +msgid "SPNEGO keytab base64-encoded or path to keytab in the form FILE:path" +msgstr "" + +#: authentik/sources/kerberos/models.py +msgid "Credential cache to use for SPNEGO in form type:residual" +msgstr "" + +#: authentik/sources/kerberos/models.py +msgid "" +"If enabled, the authentik-stored password will be updated upon login with " +"the Kerberos password backend" +msgstr "" + +#: authentik/sources/kerberos/models.py +msgid "Kerberos Source" +msgstr "" + +#: authentik/sources/kerberos/models.py +msgid "Kerberos Sources" +msgstr "" + +#: authentik/sources/kerberos/models.py +msgid "Kerberos Source Property Mapping" +msgstr "" + +#: authentik/sources/kerberos/models.py +msgid "Kerberos Source Property Mappings" +msgstr "" + +#: authentik/sources/kerberos/models.py +msgid "User Kerberos Source Connection" +msgstr "" + +#: authentik/sources/kerberos/models.py +msgid "User Kerberos Source Connections" +msgstr "" + +#: authentik/sources/kerberos/models.py +msgid "Group Kerberos Source Connection" +msgstr "" + +#: authentik/sources/kerberos/models.py +msgid "Group Kerberos Source Connections" +msgstr "" + +#: authentik/sources/kerberos/views.py +msgid "SPNEGO authentication required" +msgstr "" + +#: authentik/sources/kerberos/views.py +msgid "" +"\n" +" Make sure you have valid tickets (obtainable via kinit)\n" +" and configured the browser correctly.\n" +" Please contact your administrator.\n" +" " +msgstr "" + #: authentik/sources/ldap/api.py msgid "Only a single LDAP Source with password synchronization is allowed" msgstr "" @@ -2848,6 +2949,10 @@ msgstr "" msgid "User database + LDAP password" msgstr "" +#: authentik/stages/password/models.py +msgid "User database + Kerberos password" +msgstr "" + #: authentik/stages/password/models.py msgid "Selection of backends to test the password against." msgstr "" diff --git a/locale/ru/LC_MESSAGES/django.mo b/locale/ru/LC_MESSAGES/django.mo index 91b08cc253..62988afcb7 100644 Binary files a/locale/ru/LC_MESSAGES/django.mo and b/locale/ru/LC_MESSAGES/django.mo differ diff --git a/tests/e2e/test_provider_oidc.py b/tests/e2e/test_provider_oidc.py index 0bccb12f58..60ee951c2d 100644 --- a/tests/e2e/test_provider_oidc.py +++ b/tests/e2e/test_provider_oidc.py @@ -157,6 +157,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase): body = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text) self.assertEqual(body["IDTokenClaims"]["nickname"], self.user.username) + self.assertEqual(body["IDTokenClaims"]["amr"], ["pwd"]) self.assertEqual(body["UserInfo"]["nickname"], self.user.username) self.assertEqual(body["IDTokenClaims"]["name"], self.user.name) diff --git a/tests/e2e/test_provider_proxy.py b/tests/e2e/test_provider_proxy.py index 90c55781d0..0ac9300e6f 100644 --- a/tests/e2e/test_provider_proxy.py +++ b/tests/e2e/test_provider_proxy.py @@ -8,6 +8,7 @@ from time import sleep from unittest.case import skip, skipUnless from channels.testing import ChannelsLiveServerTestCase +from jwt import decode from selenium.webdriver.common.by import By from authentik.blueprints.tests import apply_blueprint, reconcile_app @@ -107,6 +108,11 @@ class TestProviderProxy(SeleniumTestCase): self.assertEqual(body["headers"]["X-Authentik-Username"], [self.user.username]) self.assertEqual(body["headers"]["X-Foo"], ["bar"]) + raw_jwt: str = body["headers"]["X-Authentik-Jwt"][0] + jwt = decode(raw_jwt, options={"verify_signature": False}) + + self.assertIsNotNone(jwt["sid"]) + self.assertIsNotNone(jwt["ak_proxy"]) self.driver.get("http://localhost:9000/outpost.goauthentik.io/sign_out") sleep(2) diff --git a/web/src/admin/applications/wizard/methods/radius/ak-application-wizard-authentication-by-radius.ts b/web/src/admin/applications/wizard/methods/radius/ak-application-wizard-authentication-by-radius.ts index c7d6bd0f0e..fca1666d81 100644 --- a/web/src/admin/applications/wizard/methods/radius/ak-application-wizard-authentication-by-radius.ts +++ b/web/src/admin/applications/wizard/methods/radius/ak-application-wizard-authentication-by-radius.ts @@ -75,6 +75,26 @@ export class ApplicationWizardAuthenticationByRadius extends WithBrandConfig(Bas > + + ${msg("Advanced flow settings")} +
+ + +

+ ${msg("Flow used when logging out of this provider.")} +

+ +
`; } } diff --git a/web/src/admin/providers/radius/RadiusProviderForm.ts b/web/src/admin/providers/radius/RadiusProviderForm.ts index 9beb0e115f..d3280d8013 100644 --- a/web/src/admin/providers/radius/RadiusProviderForm.ts +++ b/web/src/admin/providers/radius/RadiusProviderForm.ts @@ -1,3 +1,5 @@ +import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search"; +import "@goauthentik/admin/common/ak-flow-search/ak-flow-search"; import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm"; import { DEFAULT_CONFIG } from "@goauthentik/common/api/config"; import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils"; @@ -70,7 +72,8 @@ export class RadiusProviderFormPage extends WithBrandConfig(BaseProviderForm + return html` + - + ${msg("Protocol settings")}
- `; + + + ${msg("Advanced flow settings")} +
+ + +

+ ${msg("Flow used when logging out of this provider.")} +

+ +
+ `; } } diff --git a/web/src/admin/stages/identification/IdentificationStageForm.ts b/web/src/admin/stages/identification/IdentificationStageForm.ts index 9123fba71a..6a9c65de08 100644 --- a/web/src/admin/stages/identification/IdentificationStageForm.ts +++ b/web/src/admin/stages/identification/IdentificationStageForm.ts @@ -236,8 +236,8 @@ export class IdentificationStageForm extends BaseStageForm

${msg( diff --git a/web/src/elements/oauth/UserAccessTokenList.ts b/web/src/elements/oauth/UserAccessTokenList.ts index 96ea31616c..53cdd92a34 100644 --- a/web/src/elements/oauth/UserAccessTokenList.ts +++ b/web/src/elements/oauth/UserAccessTokenList.ts @@ -34,7 +34,7 @@ export class UserOAuthAccessTokenList extends Table { } checkbox = true; - order = "expires"; + order = "-expires"; columns(): TableColumn[] { return [ diff --git a/web/src/elements/oauth/UserRefreshTokenList.ts b/web/src/elements/oauth/UserRefreshTokenList.ts index d0581b1d89..f3cd743701 100644 --- a/web/src/elements/oauth/UserRefreshTokenList.ts +++ b/web/src/elements/oauth/UserRefreshTokenList.ts @@ -35,7 +35,7 @@ export class UserOAuthRefreshTokenList extends Table { checkbox = true; clearOnRefresh = true; - order = "expires"; + order = "-expires"; columns(): TableColumn[] { return [ diff --git a/web/xliff/de.xlf b/web/xliff/de.xlf index 6557ef539d..60c805f296 100644 --- a/web/xliff/de.xlf +++ b/web/xliff/de.xlf @@ -6940,6 +6940,81 @@ Bindings to groups/users are checked against the user of the event. Device type cannot be edited + + + Advanced flow settings + + + Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled. + + + Realm settings + + + Realm + + + Kerberos 5 configuration + + + Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used. + + + Sync connection settings + + + Sync principal + + + Principal used to authenticate to the KDC for syncing. + + + Sync password + + + Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided. + + + Sync keytab + + + Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + Sync credentials cache + + + Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual. + + + SPNEGO settings + + + SPNEGO server name + + + Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain + + + SPNEGO keytab + + + Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + SPNEGO credentials cache + + + Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual. + + + Kerberos Attribute mapping + + + Update Kerberos Source + + + User database + Kerberos password diff --git a/web/xliff/en.xlf b/web/xliff/en.xlf index 1e9f88ec22..b14da6b8a7 100644 --- a/web/xliff/en.xlf +++ b/web/xliff/en.xlf @@ -7205,6 +7205,81 @@ Bindings to groups/users are checked against the user of the event. Device type cannot be edited + + + Advanced flow settings + + + Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled. + + + Realm settings + + + Realm + + + Kerberos 5 configuration + + + Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used. + + + Sync connection settings + + + Sync principal + + + Principal used to authenticate to the KDC for syncing. + + + Sync password + + + Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided. + + + Sync keytab + + + Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + Sync credentials cache + + + Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual. + + + SPNEGO settings + + + SPNEGO server name + + + Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain + + + SPNEGO keytab + + + Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + SPNEGO credentials cache + + + Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual. + + + Kerberos Attribute mapping + + + Update Kerberos Source + + + User database + Kerberos password diff --git a/web/xliff/es.xlf b/web/xliff/es.xlf index 4101166bae..9b0c6b889d 100644 --- a/web/xliff/es.xlf +++ b/web/xliff/es.xlf @@ -6857,6 +6857,81 @@ Bindings to groups/users are checked against the user of the event. Device type cannot be edited + + + Advanced flow settings + + + Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled. + + + Realm settings + + + Realm + + + Kerberos 5 configuration + + + Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used. + + + Sync connection settings + + + Sync principal + + + Principal used to authenticate to the KDC for syncing. + + + Sync password + + + Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided. + + + Sync keytab + + + Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + Sync credentials cache + + + Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual. + + + SPNEGO settings + + + SPNEGO server name + + + Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain + + + SPNEGO keytab + + + Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + SPNEGO credentials cache + + + Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual. + + + Kerberos Attribute mapping + + + Update Kerberos Source + + + User database + Kerberos password diff --git a/web/xliff/fr.xlf b/web/xliff/fr.xlf index 788facee03..92015eaf59 100644 --- a/web/xliff/fr.xlf +++ b/web/xliff/fr.xlf @@ -9140,6 +9140,81 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti Device type cannot be edited + + + Advanced flow settings + + + Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled. + + + Realm settings + + + Realm + + + Kerberos 5 configuration + + + Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used. + + + Sync connection settings + + + Sync principal + + + Principal used to authenticate to the KDC for syncing. + + + Sync password + + + Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided. + + + Sync keytab + + + Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + Sync credentials cache + + + Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual. + + + SPNEGO settings + + + SPNEGO server name + + + Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain + + + SPNEGO keytab + + + Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + SPNEGO credentials cache + + + Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual. + + + Kerberos Attribute mapping + + + Update Kerberos Source + + + User database + Kerberos password diff --git a/web/xliff/ko.xlf b/web/xliff/ko.xlf index c3f4fc0479..2caaf0ff33 100644 --- a/web/xliff/ko.xlf +++ b/web/xliff/ko.xlf @@ -8774,6 +8774,81 @@ Bindings to groups/users are checked against the user of the event. Device type cannot be edited + + + Advanced flow settings + + + Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled. + + + Realm settings + + + Realm + + + Kerberos 5 configuration + + + Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used. + + + Sync connection settings + + + Sync principal + + + Principal used to authenticate to the KDC for syncing. + + + Sync password + + + Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided. + + + Sync keytab + + + Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + Sync credentials cache + + + Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual. + + + SPNEGO settings + + + SPNEGO server name + + + Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain + + + SPNEGO keytab + + + Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + SPNEGO credentials cache + + + Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual. + + + Kerberos Attribute mapping + + + Update Kerberos Source + + + User database + Kerberos password diff --git a/web/xliff/nl.xlf b/web/xliff/nl.xlf index a3f16ce8e1..26ee9d5583 100644 --- a/web/xliff/nl.xlf +++ b/web/xliff/nl.xlf @@ -8620,6 +8620,81 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de Device type cannot be edited + + + Advanced flow settings + + + Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled. + + + Realm settings + + + Realm + + + Kerberos 5 configuration + + + Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used. + + + Sync connection settings + + + Sync principal + + + Principal used to authenticate to the KDC for syncing. + + + Sync password + + + Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided. + + + Sync keytab + + + Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + Sync credentials cache + + + Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual. + + + SPNEGO settings + + + SPNEGO server name + + + Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain + + + SPNEGO keytab + + + Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + SPNEGO credentials cache + + + Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual. + + + Kerberos Attribute mapping + + + Update Kerberos Source + + + User database + Kerberos password diff --git a/web/xliff/pl.xlf b/web/xliff/pl.xlf index 471cf36bf4..e12e27ea45 100644 --- a/web/xliff/pl.xlf +++ b/web/xliff/pl.xlf @@ -9039,6 +9039,81 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz Device type cannot be edited + + + Advanced flow settings + + + Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled. + + + Realm settings + + + Realm + + + Kerberos 5 configuration + + + Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used. + + + Sync connection settings + + + Sync principal + + + Principal used to authenticate to the KDC for syncing. + + + Sync password + + + Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided. + + + Sync keytab + + + Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + Sync credentials cache + + + Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual. + + + SPNEGO settings + + + SPNEGO server name + + + Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain + + + SPNEGO keytab + + + Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + SPNEGO credentials cache + + + Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual. + + + Kerberos Attribute mapping + + + Update Kerberos Source + + + User database + Kerberos password diff --git a/web/xliff/pseudo-LOCALE.xlf b/web/xliff/pseudo-LOCALE.xlf index f3e80141dc..f48c709c47 100644 --- a/web/xliff/pseudo-LOCALE.xlf +++ b/web/xliff/pseudo-LOCALE.xlf @@ -9079,4 +9079,79 @@ Bindings to groups/users are checked against the user of the event. Device type cannot be edited + + Advanced flow settings + + + Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled. + + + Realm settings + + + Realm + + + Kerberos 5 configuration + + + Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used. + + + Sync connection settings + + + Sync principal + + + Principal used to authenticate to the KDC for syncing. + + + Sync password + + + Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided. + + + Sync keytab + + + Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + Sync credentials cache + + + Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual. + + + SPNEGO settings + + + SPNEGO server name + + + Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain + + + SPNEGO keytab + + + Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + SPNEGO credentials cache + + + Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual. + + + Kerberos Attribute mapping + + + Update Kerberos Source + + + User database + Kerberos password + diff --git a/web/xliff/ru.xlf b/web/xliff/ru.xlf index d1bb351523..77fe00d706 100644 --- a/web/xliff/ru.xlf +++ b/web/xliff/ru.xlf @@ -9102,6 +9102,81 @@ Bindings to groups/users are checked against the user of the event. Device type cannot be edited + + + Advanced flow settings + + + Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled. + + + Realm settings + + + Realm + + + Kerberos 5 configuration + + + Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used. + + + Sync connection settings + + + Sync principal + + + Principal used to authenticate to the KDC for syncing. + + + Sync password + + + Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided. + + + Sync keytab + + + Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + Sync credentials cache + + + Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual. + + + SPNEGO settings + + + SPNEGO server name + + + Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain + + + SPNEGO keytab + + + Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + SPNEGO credentials cache + + + Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual. + + + Kerberos Attribute mapping + + + Update Kerberos Source + + + User database + Kerberos password diff --git a/web/xliff/tr.xlf b/web/xliff/tr.xlf index af2928b054..5dd3da263d 100644 --- a/web/xliff/tr.xlf +++ b/web/xliff/tr.xlf @@ -6850,6 +6850,81 @@ Bindings to groups/users are checked against the user of the event. Device type cannot be edited + + + Advanced flow settings + + + Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled. + + + Realm settings + + + Realm + + + Kerberos 5 configuration + + + Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used. + + + Sync connection settings + + + Sync principal + + + Principal used to authenticate to the KDC for syncing. + + + Sync password + + + Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided. + + + Sync keytab + + + Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + Sync credentials cache + + + Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual. + + + SPNEGO settings + + + SPNEGO server name + + + Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain + + + SPNEGO keytab + + + Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + SPNEGO credentials cache + + + Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual. + + + Kerberos Attribute mapping + + + Update Kerberos Source + + + User database + Kerberos password diff --git a/web/xliff/zh-CN.xlf b/web/xliff/zh-CN.xlf index 67d6f76298..391c35a696 100644 --- a/web/xliff/zh-CN.xlf +++ b/web/xliff/zh-CN.xlf @@ -5788,6 +5788,81 @@ Bindings to groups/users are checked against the user of the event. Device type cannot be edited + + Advanced flow settings + + + Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled. + + + Realm settings + + + Realm + + + Kerberos 5 configuration + + + Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used. + + + Sync connection settings + + + Sync principal + + + Principal used to authenticate to the KDC for syncing. + + + Sync password + + + Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided. + + + Sync keytab + + + Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + Sync credentials cache + + + Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual. + + + SPNEGO settings + + + SPNEGO server name + + + Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain + + + SPNEGO keytab + + + Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + SPNEGO credentials cache + + + Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual. + + + Kerberos Attribute mapping + + + Update Kerberos Source + + + User database + Kerberos password + diff --git a/web/xliff/zh-Hans.xlf b/web/xliff/zh-Hans.xlf index 5cb977f532..75f8ac1428 100644 --- a/web/xliff/zh-Hans.xlf +++ b/web/xliff/zh-Hans.xlf @@ -9142,6 +9142,81 @@ Bindings to groups/users are checked against the user of the event. Device type cannot be edited + + + Advanced flow settings + + + Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled. + + + Realm settings + + + Realm + + + Kerberos 5 configuration + + + Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used. + + + Sync connection settings + + + Sync principal + + + Principal used to authenticate to the KDC for syncing. + + + Sync password + + + Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided. + + + Sync keytab + + + Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + Sync credentials cache + + + Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual. + + + SPNEGO settings + + + SPNEGO server name + + + Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain + + + SPNEGO keytab + + + Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + SPNEGO credentials cache + + + Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual. + + + Kerberos Attribute mapping + + + Update Kerberos Source + + + User database + Kerberos password diff --git a/web/xliff/zh-Hant.xlf b/web/xliff/zh-Hant.xlf index f9deba1bec..dece9bf789 100644 --- a/web/xliff/zh-Hant.xlf +++ b/web/xliff/zh-Hant.xlf @@ -6898,6 +6898,81 @@ Bindings to groups/users are checked against the user of the event. Device type cannot be edited + + + Advanced flow settings + + + Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled. + + + Realm settings + + + Realm + + + Kerberos 5 configuration + + + Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used. + + + Sync connection settings + + + Sync principal + + + Principal used to authenticate to the KDC for syncing. + + + Sync password + + + Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided. + + + Sync keytab + + + Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + Sync credentials cache + + + Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual. + + + SPNEGO settings + + + SPNEGO server name + + + Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain + + + SPNEGO keytab + + + Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + SPNEGO credentials cache + + + Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual. + + + Kerberos Attribute mapping + + + Update Kerberos Source + + + User database + Kerberos password diff --git a/web/xliff/zh_TW.xlf b/web/xliff/zh_TW.xlf index b4fdff610f..24c0e9870b 100644 --- a/web/xliff/zh_TW.xlf +++ b/web/xliff/zh_TW.xlf @@ -8735,6 +8735,81 @@ Bindings to groups/users are checked against the user of the event. Device type cannot be edited + + + Advanced flow settings + + + Enable this option to write password changes made in authentik back to Kerberos. Ignored if sync is disabled. + + + Realm settings + + + Realm + + + Kerberos 5 configuration + + + Kerberos 5 configuration. See man krb5.conf(5) for configuration format. If left empty, a default krb5.conf will be used. + + + Sync connection settings + + + Sync principal + + + Principal used to authenticate to the KDC for syncing. + + + Sync password + + + Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided. + + + Sync keytab + + + Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + Sync credentials cache + + + Credentials cache used to authenticate to the KDC for syncing. Optional if Sync password or Sync keytab is provided. Must be in the form TYPE:residual. + + + SPNEGO settings + + + SPNEGO server name + + + Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain + + + SPNEGO keytab + + + Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual. + + + SPNEGO credentials cache + + + Credentials cache used for SPNEGO. Optional if SPNEGO keytab is provided. Must be in the form TYPE:residual. + + + Kerberos Attribute mapping + + + Update Kerberos Source + + + User database + Kerberos password