habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
17,164 Commits 205 Branches 395 Tags
ec01f16e99c6bd9eb38f99a73248acf7fe97ec2e
Commit Graph

202 Commits

Author SHA1 Message Date
Jens L.
cec3fdb612 stages: authenticator_endpoint_gdtc (#10477) 
* rework

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add loading overlay for chrome

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Apply suggestions from code review

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>

* save data

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix web ui, prevent deletion

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* text fixes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
 2024-10-22 22:46:46 +02:00
Jens L.
47206d3328 providers/oauth2: add initial JWE support (#11344) 
* providers/oauth2: add initial JWE support

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* re-migrate, only set id_token_encryption_* when encryption key is set

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add jwks test with encryption

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-10-17 14:04:19 +02:00
Jens L.
075944abba providers/scim: add option to ignore SCIM server cert (#11437) 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-10-14 17:03:58 +02:00
Jens L.
5b66dbe890 flows: provider invalidation (#5048) 
* add initial

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add web stage for session end

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* migrate saml and tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* cleanup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* group flow settings when providers have multiple flows

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* adjust name for default provider invalidation

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* re-make migrations

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add invalidation_flow to saml importer

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* re-do migrations again

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update web stuff to get rid of old libraries

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* make unbind flow for ldap configurable

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* unrelated: fix flow inspector

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* handle invalidation_flow as optional, as it should be

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* also fix ldap outpost

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* don't generate URL in client

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* actually make it work???

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix migration breaking things...?

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start fixing tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix fallback

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* re-migrate

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix duplicate flow setting

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add migration

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix race condition with brand

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix oauth test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix SAML tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add to wizard, fix required

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* make required, start release notes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-10-14 15:35:12 +02:00
Nicolas
77c595a0fd sources/saml: fix NameIDFormat descriptor in metadata generation (#11614) 
* source/saml - Changed namespace of X509SSubjectName NameIDFormat

Under the SAML2 Core spec
(http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)
8.3.3 the URI of the 5.509 Subject Name contains SAML:1.1 and not
SAML:2.0

* source/saml - Change NameIDFormat descriptor build logic to only append chosen format for the source.

* Merge diff
 2024-10-11 14:27:36 +02:00
Jens L.
975b6e53a6 release: 2024.8.3 (#11542) 2024-09-27 16:58:04 +02:00
Jens L.
ba28e6de41 security: fix CVE-2024-47070 (#11536) 
* security: fix CVE-2024-47070

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Update website/docs/security/CVE-2024-47070.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
 2024-09-27 16:18:37 +02:00
Jens L.
5822653155 release: 2024.8.2 (#11395) 2024-09-16 15:02:51 +02:00
Jens L.
b8ae028d4d root: backport release 2024.8.1 (#11273) 
release: 2024.8.1
 2024-09-08 01:35:15 +02:00
Jens L.
02ae099bdf root: version 2024.8 backport (#11166) 
* schemas: fix XML Schema loading...for some reason?

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* release: 2024.8.0-rc1

* release: 2024.8.0

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

# Conflicts:
#	.bumpversion.cfg

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-09-03 14:41:40 +02:00
Jens L.
a6225ad7a7 root: backport version bump (#11045) 
* fix outpost form not loading apps for correct type

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix bug from previous pr

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* release: 2024.6.4

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-08-23 16:33:07 +02:00
Jens L.
eb5842fa5a rbac: generate blueprint schema permissions from defined models not DB (#10962) 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-08-19 13:44:13 +02:00
Jens L.
d577152f83 providers/SAML: encryption support (#10934) 
* providers/saml: add option to sign assertion and or response

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add encryption

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add form option

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add tests for API

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-08-17 21:10:28 +02:00
Jens L.
8f53d0b9f3 providers/ldap: Remove search group (#10639) 
* remove search_group

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* make api operations cleaerer

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix migration

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* actually use get

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* use correct api client for ldap

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix migration

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* unrelated: fix migration warning

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* unrelated: fix styling issue in dark mode

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* unrelated-ish fix button order in wizard

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* unrelated: fix missing css import

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Optimised images with calibre/image-actions

* Update index.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>

* Update index.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>

* Apply suggestions from code review

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>

* update release notes based on new template

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
 2024-08-14 16:31:11 +02:00
Jens L.
a073b7a5b1 enterprise: add support for license flags (#10842) 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-08-09 22:20:01 +02:00
Jens L.
4b5bb77d99 enterprise: UI improvements, better handling of expiry (#10828) 
* web/admin: show enterprise banner on the very top

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* rework license

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix a bunch of things

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add some more tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add more tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix middleware

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* better api

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add tests for and fix read only mode

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* field name consistency

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-08-09 14:26:38 +02:00
Marc 'risson' Schmitt
68af5b0572 sources/plex: add property mappings (#10772) 2024-08-08 11:36:24 +02:00
Nicolas
19c3f7dd80 sources/saml: Basic support for EncryptedAssertion element. (#10099) 
* source/saml: Updated backend for encrypted assertion support

* source/saml: all lint-fix checks passed

* source/saml: Used Optional type instead of union, on enc_key_descriptor type hint

* source/saml: request_encrypted_assertion model field migration

* source/saml: Added 'noqa' comment to type hint on encryption key descriptor

* small fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add to UI

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add some error handling

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* sources/saml: Pivot to encryption_kp model field, instead of request_encryption bool

* sources/saml: Typo fix

* re-create migrations

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update web

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add to release notes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* unrelated fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add improve error handling, add tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* test metadata with encryption and remove WantAssertionsEncrypted since it's not in the schema

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* unrelated fix to radius path

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix unrelated fix...sigh

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* re-migrate

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
 2024-08-07 19:58:28 +02:00
Marc 'risson' Schmitt
83b02a17d5 sources: add property mappings for all oauth and saml sources (#8771) 
Co-authored-by: Jens L. <jens@goauthentik.io>
 2024-08-07 19:14:22 +02:00
Simonyi Gergő
f7b16ed723 policies: add GeoIP policy (#10454) 
* add GeoIP policy

* handle empty lists of ASNs and countries

* handle missing GeoIP database or missing IP from the database

The exceptions raised here are `PolicyException`s to let admins bypass
an execution failure.

* fix translations

whoops

* remove `GeoIPPolicyMode`

Use the policy binding's `negate` option instead

* fix `DataProvision` typing

`ak-dual-select-provider` can handle unpaginated data

* use `django-countries` instead of a static list of countries for ISO-3166

* simplify `GeoIPPolicyForm`

* pass `GeoIPPolicy` on empty policy

* add backend tests to `GeoIPPolicy`

* revise translations

* move `iso-3166/` to `policies/geoip_iso3166/`

* add client-side caching to ISO3166 API call

* fix `GeoIPPolicy` creation

The automatically generated APIs can't seem to handle `CountryField`,
so I'll have to do this by hand too.

* add docs for GeoIP Policy

* docs: stylize

add review suggestions from @tanberry

* refactor `GeoIPPolicy` API

It is now as declarative as I could make it.

* clean up `api.py` and `views.py`
 2024-08-06 10:37:29 +00:00
Jens Langhammer
4363c899ac release: 2024.6.3 2024-08-05 20:08:28 +02:00
Jens L.
d24e2abe7f rbac: rework API for terraform, add blueprint support (#10698) 
* rbac: rework API slightly to improve terraform compatibility

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* sigh https://www.django-rest-framework.org/api-guide/filtering/#filtering-and-object-lookups

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add permission support for users global permissions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add role support to blueprints

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix yaml tags

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add generated read-only role

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix web

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* make permissions optional

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add object permission support to blueprints

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests kinda

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add more tests and fix bugs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-08-02 16:34:30 +02:00
Jens Langhammer
e60c36b889 release: 2024.6.2 2024-08-01 01:13:29 +02:00
Marc 'risson' Schmitt
3b1c42776b sources/scim: add property mappings (#10650) 
* sources/scim: add property mappings

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix filterset

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix doc link

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* lint

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

---------

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
 2024-07-29 22:32:51 +02:00
Jens L.
61c6887e82 providers/radius: Add support for custom attributes (#10509) 
* unrelated: show logs for failed blueprints

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add dictionaries

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* unrelated: remove some unused api functions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add initial api

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* placeholder backend

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* idk

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add proper mappings

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-07-25 19:08:33 +02:00
Marc 'risson' Schmitt
ced4533890 sources/ldap: rename ldappropertymapping to ldapsourcepropertymapping (#10606) 2024-07-25 16:09:36 +02:00
Marc 'risson' Schmitt
e65b905301 sources: refactor user connection api (#10607) 2024-07-25 14:16:50 +02:00
Jens L.
5a8d580c86 core: b2c improvements p1 (#9257) 
* add default app and restrict

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* also pass raw email token for custom email templates

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* revoke access token when user logs out

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remigrate

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add command to change user types

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add some docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* blankable

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* actually fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-07-23 11:10:38 +02:00
Marc 'risson' Schmitt
1a6ac4740d sources: introduce new property mappings per user and group (#8750) 
* sources: introduce new property mappings per-user and group

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* sources/ldap: migrate to new property mappings

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* lint-fix and make gen

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* web changes

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix tests

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* update tests

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* remove flatten for generic implem

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* rework migration

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* lint-fix

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* wip

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix migrations

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* re-add field migration to property mappings

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix migrations

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* more migrations fixes

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* easy fixes

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* migrate to propertymappingmanager

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* ruff and small fixes

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* move mapping things into a separate class

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* migrations: use using(db_alias)

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* migrations: use built-in variable

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* add docs

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* add release notes

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

---------

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
 2024-07-22 15:26:22 +02:00
Jens L.
6abbe1dd4b web: fix mismatched button labels for boundpolicy and boundstage list (#10551) 
* remove wrong help text for multi select

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* make labelling for create and and bind existing more consistent

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix oobe missing label

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix application library empty state not shown

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix missing formatting for title on access denied stage

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-07-19 17:51:28 +02:00
Ken Sternberg
b0507d2063 web: provide 'show password' button (#10337) 
* web: fix esbuild issue with style sheets

Getting ESBuild, Lit, and Storybook to all agree on how to read and parse stylesheets is a serious
pain. This fix better identifies the value types (instances) being passed from various sources in
the repo to the three *different* kinds of style processors we're using (the native one, the
polyfill one, and whatever the heck Storybook does internally).

Falling back to using older CSS instantiating techniques one era at a time seems to do the trick.
It's ugly, but in the face of the aggressive styling we use to avoid Flashes of Unstyled Content
(FLoUC), it's the logic with which we're left.

In standard mode, the following warning appears on the console when running a Flow:

```
Autofocus processing was blocked because a document already has a focused element.
```

In compatibility mode, the following **error** appears on the console when running a Flow:

```
crawler-inject.js:1106 Uncaught TypeError: Failed to execute 'observe' on 'MutationObserver': parameter 1 is not of type 'Node'.
    at initDomMutationObservers (crawler-inject.js:1106:18)
    at crawler-inject.js:1114:24
    at Array.forEach (<anonymous>)
    at initDomMutationObservers (crawler-inject.js:1114:10)
    at crawler-inject.js:1549:1
initDomMutationObservers @ crawler-inject.js:1106
(anonymous) @ crawler-inject.js:1114
initDomMutationObservers @ crawler-inject.js:1114
(anonymous) @ crawler-inject.js:1549
```

Despite this error, nothing seems to be broken and flows work as anticipated.

* web: provide `show password` on login page

Provide a `show password` icon, text, and button for the password field both in the
IdentificationStage and the PasswordStage. Essentially the same code for both, although the id of
the password field is unique to each.

Requested by Cloudflare.  Seems to be a common thing anyway.

Should it be an administrative option that this facility is available?  From where should I derive
that information?  I suspect the answer is "a site attribute," but I'd like to get confirmation.

* web: comment doesn't need to be exposed. It's sufficient where it is .

* web: fix button rendering issues

During testing, the buttons did not change as expected.  We are using pure DOM
state to control the look of the button, and avoiding using `.requestUpdate()`
to avoid losing customer input, so depending upon Lit to re-render just the
button was an error.

This commit goes old-school and updates the button's label and icon using
standard DOM features, although we do lean into Lit-html`s `render()`
function to create the DOM component for the icon.

* web: provide `show password` on login page

Provide a `show password` icon, text, and button for the password field both in the
IdentificationStage and the PasswordStage. Essentially the same code for both, although the id of
the password field is unique to each.

Provide a configuration detail server-side to allow administrator to enable or disable the 'show
password' feature.  Off by default.

Requested by Cloudflare.  Seems to be a common thing anyway.  Making it configurable wasn't in
Cloudfare's request, but it seemed logical to add.

* ensure the tests pass; quibbling over the wording of the admin field continues.

* Removed some manually identified fluff.

* web: break out `show password`-enabled input field into its own component

Provides a `show password` field, but as a LightDOM-oriented web component. This form of
input[type="password"] is for flows only, as it has a number of specializations for understanding a
flow's validating round-trip, possible error messages within the challenge, and is left within the
LightDOM both to support compatibility issues and to avoid using `elementInterals`, which is a DOM
feature not supported by some older browsers.

Avoids having to maintain two different instances of the same logic, both for permitting 'show
password', and for handling it.

* web: update PasswordStageForm according to lit-analyzer

With lit-analyzer in the mix and functional, we're seeing new complaints about
inconsistent typing in lit objects, and this was one of them.

* Another lit-analyze error found.
 2024-07-15 18:14:46 -07:00
Jens Langhammer
f6a9773930 release: 2024.6.1 2024-07-11 22:50:33 +02:00
Marc 'risson' Schmitt
35cd126406 release: 2024.6.0-rc1 2024-06-14 18:42:26 +02:00
Jens L
7bb90b1661 providers/microsoft_entra: fix error when updating connection attributes (#10039) 
* providers/microsoft_entra: fix error when updating connection attributes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* include URL to field references

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* only set gws user password when creating by default

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* merge instead of replace connection attributes

an update might not return all attributes so we don't want to fully replace the attributes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-06-11 16:03:23 +09:00
Jens L
6cf418a37e stages/captcha: rework (#9959) 
* stages/captcha: rework

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update form with continue option

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update docs, add notes for scores

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* also only raise error from success if needed

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* return full data

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-06-04 18:25:38 +09:00
Jens L
95d26563e7 providers/oauth2: don't handle api scope as special scope (#9910) 
* providers/oauth2: don't handle api scope as special scope

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* make default scope selection less magic

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* ensure missing folder exists

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix duplicate name

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-06-01 17:16:56 +09:00
Jens L
50fffa72cc lib/providers/sync: improve outgoing sync (#9835) 
* make connection objects not updatable but allow creating with provider

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* save data returned from google/entra and show it in UI

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* pass connection object

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* set immutable id on user automatically

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* better define transient error codes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix entra

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-05-30 10:40:10 +09:00
Jens L
99ad492951 enterprise/providers/microsoft_entra: initial account sync to microsoft entra (#9632) 
* initial

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add entra mappings

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix some stuff

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* make API endpoints more consistent

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* implement more things

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add user tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix most group tests + fix bugs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* more group tests, fix bugs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix missing __init__

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add ui for provisioned users

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix a bunch of bugs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add `creating` to property mapping env

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* always sync group members

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix stuff

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix group membership

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix some types

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add group member add test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* create sync status component to dedupe

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix discovery tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* get rid of more code and fix more issues

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add error handling for auth and transient

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* make sure autoretry is on

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format web

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* wait for task in signal

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add squashed google migration

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-05-09 15:41:23 +02:00
Jens L
aeb1b450eb enterprise/providers/google: initial account sync to google workspace (#9384) 
* providers/google: initial account sync to google workspace

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start separating scim sync client

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* generalize more...ish

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* set dispatch_uid

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start generalizing task

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fully separate tasks

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix more

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix signals...?

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start google dedupe

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* drawing the rest of the owl

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* more

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* juse use a whole lot less magic

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* member sync, better implement conflict/retry-able exceptions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* max wizards taller

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* gen api, basic UI

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix some bugs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix a bunch more bugs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* generalize sync status API

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* rework sync chart

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add slugify to evaluator

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add test property mappings

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* rename to google workspace

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* handle existing objects

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix credential render

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* verify email has correct domain before syncing user

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix missing docstring

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix lock not being used

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* abstract more common stuff away

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* backport time limit fix

https://github.com/goauthentik/authentik/pull/9546
Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start discovery

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* implement discover for google

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* prevent same issue as with https://github.com/goauthentik/authentik/pull/9557

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix sync status

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* make group name unique in API

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix reference to old wrapper

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start adding tests

man this api client is awful

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add SkipObject

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* dont use weak ref

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add group tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add user and group delete options

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* set user agent

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* if the api's testing tools are awful, let's just make our own

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add more tests and already fix some more bugs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add discover

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add preview banner

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add group import test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* only import users/groups in the correct parent group

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix conflicting args

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix missing schedule

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix web ui

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add default_group_email_domain

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-05-07 19:52:20 +02:00
Marc 'risson' Schmitt
6802614fbf release: 2024.4.2 2024-05-07 18:45:37 +02:00
Jens L
e33ca93f05 providers/saml: fix ecdsa support (#9537) 
* crypto: add option to select which alg to use to generate

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix missing ecdsa options for XML signing

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* bump xml libraries and remove disclaimer

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* lock djangoframework

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-05-02 15:18:14 +02:00
Jens Langhammer
8f8c3e4944 release: 2024.4.1 2024-04-26 18:43:33 +02:00
Jens Langhammer
6b6d88b81b release: 2024.4.0-rc1 2024-04-24 19:12:47 +02:00
Jens L
6f3dc2eafd sources/ldap: fix default blueprint for mapping user DN to path (#9355) 
* sources/ldap: fix default blueprint for mapping user DN to path

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-04-19 14:44:48 +02:00
Jens L
0a5b8bea5d stages/prompt: fix username field throwing error with existing user (#9342) 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-04-18 20:54:31 +02:00
Jens L
ddc78cc297 stages/authenticator_webauthn: fix attestation value (#9333) 
* fix incorrect attestation conveyance with device restriction

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* save raw aaguid on webauthn device

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-04-18 14:00:16 +02:00
Jens L
3c28cf1909 sources: add SCIM source (#3051) 
* initial

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* rebuild migration

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* include root URL in API

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add UI base URL

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* only allow SCIM basic auth for testing and debug

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* start user tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* antlr for scim filter parsing, why

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix url mountpoint

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* ...turns out we don't need antlr

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start to revive this PR

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Apply suggestions from code review

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>

* don't put doc structure changes into this

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix web ui

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* make mostly work

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add filter support

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add e2e tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix helper

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* re-add codecov oidc

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove unused fields from API

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix group membership

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* unrelated: fix backchannel helper text size

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* test against authentik as SCIM server I guess?

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix scim provider task render

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add preview banner

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Revert "re-add codecov oidc"

This reverts commit fdeeb391afba710645e77608e0ab2e97485c48d1.

* add API for connection objects

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix preview banner

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add UI for users and groups

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
 2024-04-15 14:23:43 +02:00
Jens L
7ef14eb86d blueprints: only create default brand if no other default brand exists (#9222) 
* blueprints: only create default brand if no other default brand exists

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix invalid blueprint

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix flaky test, improve pytest output

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-04-12 14:59:48 +02:00
Jens L
fd44bc2bec stages/authenticator_validate: add ability to limit webauthn device types (#9180) 
* stages/authenticator_validate: add ability to limit webauthn device types

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* reword

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* require enterprise attestation when a device restriction is configured as we need the aaguid

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* improve error message

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add more tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
 2024-04-11 13:10:05 +02:00
Jean-Michel DILLY
a70363bd95 core: add user settable token durations (#7410) 
* core: add support for user settable token duration

* web: add support for user settable token duration

* website: add documentation for user settable token duration

* core : fix locales

* web: fix tokenIntent when updating

* core: fix linting

* website: Update website/docs/user-group-role/user/user_ref.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jean-Michel DILLY <48059109+jmdilly@users.noreply.github.com>

* make token duration system-wide configurable

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* small fixup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* migrate token configs to tenants

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* add release notes

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* make website

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* lint-fix

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix migrations

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* nosec

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* lint-fix

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix migrations for real this time

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* trying with no model using default_token_key

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* lint-fix

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix save

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* lint-fix

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* use signal instead of overriding save

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix tests

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

---------

Signed-off-by: Jean-Michel DILLY <48059109+jmdilly@users.noreply.github.com>
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
 2024-04-11 13:05:05 +02:00