release: 2024.4.1

website/docs: update release notes for 2024.4.1 again (#9471)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.2.2
+current_version = 2024.4.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@@ -21,6 +21,8 @@ optional_value = final
 
 [bumpversion:file:schema.yml]
 
+[bumpversion:file:blueprints/schema.json]
+
 [bumpversion:file:authentik/__init__.py]
 
 [bumpversion:file:internal/constants/constants.go]

.github/workflows/ci-web.yml

@@ -34,6 +34,13 @@ jobs:
       - name: Eslint
         working-directory: ${{ matrix.project }}/
         run: npm run lint
+  lint-lockfile:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - working-directory: web/
+        run: |
+          [ -z "$(jq -r '.packages | to_entries[] | select((.key | startswith("node_modules")) and (.value | has("resolved") | not)) | .key' < package-lock.json)" ]
   lint-build:
     runs-on: ubuntu-latest
     steps:
@@ -95,6 +102,7 @@ jobs:
         run: npm run lit-analyse
   ci-web-mark:
     needs:
+      - lint-lockfile
       - lint-eslint
       - lint-prettier
       - lint-lit-analyse

.github/workflows/ci-website.yml

@@ -12,6 +12,13 @@ on:
       - version-*
 
 jobs:
+  lint-lockfile:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - working-directory: website/
+        run: |
+          [ -z "$(jq -r '.packages | to_entries[] | select((.key | startswith("node_modules")) and (.value | has("resolved") | not)) | .key' < package-lock.json)" ]
   lint-prettier:
     runs-on: ubuntu-latest
     steps:
@@ -62,6 +69,7 @@ jobs:
         run: npm run ${{ matrix.job }}
   ci-website-mark:
     needs:
+      - lint-lockfile
       - lint-prettier
       - test
       - build

SECURITY.md

@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version | Supported |
-| --- | --- |
-| 2023.6.x | ✅ |
-| 2023.8.x | ✅ |
+| Version   | Supported |
+| --------- | --------- |
+| 2023.10.x | ✅        |
+| 2024.2.x  | ✅        |
 
 ## Reporting a Vulnerability
 
@@ -31,12 +31,12 @@ To report a vulnerability, send an email to [security@goauthentik.io](mailto:se
 
 authentik reserves the right to reclassify CVSS as necessary. To determine severity, we will use the CVSS calculator from NVD (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator). The calculated CVSS score will then be translated into one of the following categories:
 
-| Score | Severity |
-| --- | --- |
-| 0.0 | None |
-| 0.1 – 3.9 | Low |
-| 4.0 – 6.9 | Medium |
-| 7.0 – 8.9 | High |
+| Score      | Severity |
+| ---------- | -------- |
+| 0.0        | None     |
+| 0.1 – 3.9  | Low      |
+| 4.0 – 6.9  | Medium   |
+| 7.0 – 8.9  | High     |
 | 9.0 – 10.0 | Critical |
 
 ## Disclosure process

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.2.2"
+__version__ = "2024.4.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/brands/migrations/0006_brand_authentik_b_domain_b9b24a_idx_and_more.py

@@ -0,0 +1,21 @@
+# Generated by Django 5.0.4 on 2024-04-18 18:56
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_brands", "0005_tenantuuid_to_branduuid"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="brand",
+            index=models.Index(fields=["domain"], name="authentik_b_domain_b9b24a_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="brand",
+            index=models.Index(fields=["default"], name="authentik_b_default_3ccf12_idx"),
+        ),
+    ]

authentik/brands/models.py

@@ -84,3 +84,7 @@ class Brand(SerializerModel):
     class Meta:
         verbose_name = _("Brand")
         verbose_name_plural = _("Brands")
+        indexes = [
+            models.Index(fields=["domain"]),
+            models.Index(fields=["default"]),
+        ]

authentik/core/api/tokens.py

@@ -2,6 +2,7 @@
 
 from typing import Any
 
+from django.utils.timezone import now
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import OpenApiResponse, extend_schema, inline_serializer
 from guardian.shortcuts import assign_perm, get_anonymous_user
@@ -27,7 +28,6 @@ from authentik.core.models import (
     TokenIntents,
     User,
     default_token_duration,
-    token_expires_from_timedelta,
 )
 from authentik.events.models import Event, EventAction
 from authentik.events.utils import model_to_dict
@@ -68,15 +68,17 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
             max_token_lifetime_dt = default_token_duration()
             if max_token_lifetime is not None:
                 try:
-                    max_token_lifetime_dt = timedelta_from_string(max_token_lifetime)
+                    max_token_lifetime_dt = now() + timedelta_from_string(max_token_lifetime)
                 except ValueError:
-                    max_token_lifetime_dt = default_token_duration()
+                    pass
 
-            if "expires" in attrs and attrs.get("expires") > token_expires_from_timedelta(
-                max_token_lifetime_dt
-            ):
+            if "expires" in attrs and attrs.get("expires") > max_token_lifetime_dt:
                 raise ValidationError(
-                    {"expires": f"Token expires exceeds maximum lifetime ({max_token_lifetime})."}
+                    {
+                        "expires": (
+                            f"Token expires exceeds maximum lifetime ({max_token_lifetime_dt} UTC)."
+                        )
+                    }
                 )
         elif attrs.get("intent") == TokenIntents.INTENT_API:
             # For API tokens, expires cannot be overridden

authentik/core/models.py

@@ -1,6 +1,6 @@
 """authentik core models"""
 
-from datetime import datetime, timedelta
+from datetime import datetime
 from hashlib import sha256
 from typing import Any, Optional, Self
 from uuid import uuid4
@@ -54,9 +54,6 @@ options.DEFAULT_NAMES = options.DEFAULT_NAMES + (
     # used_by API that allows models to specify if they shadow an object
     # for example the proxy provider which is built on top of an oauth provider
     "authentik_used_by_shadows",
-    # List fields for which changes are not logged (due to them having dedicated objects)
-    # for example user's password and last_login
-    "authentik_signals_ignored_fields",
 )
 
 
@@ -71,11 +68,6 @@ def default_token_duration() -> datetime:
     return now() + timedelta_from_string(token_duration)
 
 
-def token_expires_from_timedelta(dt: timedelta) -> datetime:
-    """Return a `datetime.datetime` object with the duration of the Token"""
-    return now() + dt
-
-
 def default_token_key() -> str:
     """Default token key"""
     current_tenant = get_current_tenant()
@@ -335,14 +327,6 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
             models.Index(fields=["path"]),
             models.Index(fields=["type"]),
         ]
-        authentik_signals_ignored_fields = [
-            # Logged by the events `password_set`
-            # the `password_set` action/signal doesn't currently convey which user
-            # initiated the password change, so for now we'll log two actions
-            # ("password", "password_change_date"),
-            # Logged by `login`
-            ("last_login",),
-        ]
 
 
 class Provider(SerializerModel):

authentik/enterprise/audit/middleware.py

@@ -102,9 +102,4 @@ class EnterpriseAuditMiddleware(AuditMiddleware):
             new_state = self.serialize_simple(instance)
             diff = self.diff(prev_state, new_state)
             thread_kwargs["diff"] = diff
-            if not created:
-                ignored_field_sets = getattr(instance._meta, "authentik_signals_ignored_fields", [])
-                for field_set in ignored_field_sets:
-                    if set(diff.keys()) == set(field_set):
-                        return None
         return super().post_save_handler(request, sender, instance, created, thread_kwargs, **_)

authentik/lib/config.py

@@ -14,7 +14,7 @@ from pathlib import Path
 from sys import argv, stderr
 from time import time
 from typing import Any
-from urllib.parse import urlparse
+from urllib.parse import quote_plus, urlparse
 
 import yaml
 from django.conf import ImproperlyConfigured
@@ -331,6 +331,26 @@ class ConfigLoader:
 CONFIG = ConfigLoader()
 
 
+def redis_url(db: int) -> str:
+    """Helper to create a Redis URL for a specific database"""
+    _redis_protocol_prefix = "redis://"
+    _redis_tls_requirements = ""
+    if CONFIG.get_bool("redis.tls", False):
+        _redis_protocol_prefix = "rediss://"
+        _redis_tls_requirements = f"?ssl_cert_reqs={CONFIG.get('redis.tls_reqs')}"
+        if _redis_ca := CONFIG.get("redis.tls_ca_cert", None):
+            _redis_tls_requirements += f"&ssl_ca_certs={_redis_ca}"
+    _redis_url = (
+        f"{_redis_protocol_prefix}"
+        f"{quote_plus(CONFIG.get('redis.username'))}:"
+        f"{quote_plus(CONFIG.get('redis.password'))}@"
+        f"{quote_plus(CONFIG.get('redis.host'))}:"
+        f"{CONFIG.get_int('redis.port')}"
+        f"/{db}{_redis_tls_requirements}"
+    )
+    return _redis_url
+
+
 if __name__ == "__main__":
     if len(argv) < 2:  # noqa: PLR2004
         print(dumps(CONFIG.raw, indent=4, cls=AttrEncoder))

authentik/lib/default.yml

@@ -35,6 +35,7 @@ redis:
   password: ""
   tls: false
   tls_reqs: "none"
+  tls_ca_cert: null
 
 # broker:
 #   url: ""
@@ -58,6 +59,8 @@ remote_debug: false
 
 log_level: info
 
+session_storage: cache
+
 error_reporting:
   enabled: false
   sentry_dsn: https://151ba72610234c4c97c5bcff4e1cffd8@authentik.error-reporting.a7k.io/4504163677503489

authentik/root/settings.py

@@ -5,13 +5,13 @@ import os
 from collections import OrderedDict
 from hashlib import sha512
 from pathlib import Path
-from urllib.parse import quote_plus
 
 from celery.schedules import crontab
+from django.conf import ImproperlyConfigured
 from sentry_sdk import set_tag
 
 from authentik import ENV_GIT_HASH_KEY, __version__
-from authentik.lib.config import CONFIG
+from authentik.lib.config import CONFIG, redis_url
 from authentik.lib.logging import get_logger_config, structlog_configure
 from authentik.lib.sentry import sentry_init
 from authentik.lib.utils.reflection import get_env
@@ -195,25 +195,15 @@ REST_FRAMEWORK = {
     },
 }
 
-_redis_protocol_prefix = "redis://"
-_redis_celery_tls_requirements = ""
-if CONFIG.get_bool("redis.tls", False):
-    _redis_protocol_prefix = "rediss://"
-    _redis_celery_tls_requirements = f"?ssl_cert_reqs={CONFIG.get('redis.tls_reqs')}"
-_redis_url = (
-    f"{_redis_protocol_prefix}"
-    f"{quote_plus(CONFIG.get('redis.username'))}:"
-    f"{quote_plus(CONFIG.get('redis.password'))}@"
-    f"{quote_plus(CONFIG.get('redis.host'))}:"
-    f"{CONFIG.get_int('redis.port')}"
-)
 
 CACHES = {
     "default": {
         "BACKEND": "django_redis.cache.RedisCache",
-        "LOCATION": CONFIG.get("cache.url") or f"{_redis_url}/{CONFIG.get('redis.db')}",
+        "LOCATION": CONFIG.get("cache.url") or redis_url(CONFIG.get("redis.db")),
         "TIMEOUT": CONFIG.get_int("cache.timeout", 300),
-        "OPTIONS": {"CLIENT_CLASS": "django_redis.client.DefaultClient"},
+        "OPTIONS": {
+            "CLIENT_CLASS": "django_redis.client.DefaultClient",
+        },
         "KEY_PREFIX": "authentik_cache",
         "KEY_FUNCTION": "django_tenants.cache.make_key",
         "REVERSE_KEY_FUNCTION": "django_tenants.cache.reverse_key",
@@ -222,7 +212,15 @@ CACHES = {
 DJANGO_REDIS_SCAN_ITERSIZE = 1000
 DJANGO_REDIS_IGNORE_EXCEPTIONS = True
 DJANGO_REDIS_LOG_IGNORED_EXCEPTIONS = True
-SESSION_ENGINE = "django.contrib.sessions.backends.cache"
+match CONFIG.get("session_storage", "cache"):
+    case "cache":
+        SESSION_ENGINE = "django.contrib.sessions.backends.cache"
+    case "db":
+        SESSION_ENGINE = "django.contrib.sessions.backends.db"
+    case _:
+        raise ImproperlyConfigured(
+            "Invalid session_storage setting, allowed values are db and cache"
+        )
 SESSION_SERIALIZER = "authentik.root.sessions.pickle.PickleSerializer"
 SESSION_CACHE_ALIAS = "default"
 # Configured via custom SessionMiddleware
@@ -276,7 +274,7 @@ CHANNEL_LAYERS = {
     "default": {
         "BACKEND": "channels_redis.pubsub.RedisPubSubChannelLayer",
         "CONFIG": {
-            "hosts": [CONFIG.get("channel.url", f"{_redis_url}/{CONFIG.get('redis.db')}")],
+            "hosts": [CONFIG.get("channel.url") or redis_url(CONFIG.get("redis.db"))],
             "prefix": "authentik_channels_",
         },
     },
@@ -376,11 +374,9 @@ CELERY = {
     "beat_scheduler": "authentik.tenants.scheduler:TenantAwarePersistentScheduler",
     "task_create_missing_queues": True,
     "task_default_queue": "authentik",
-    "broker_url": CONFIG.get("broker.url")
-    or f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
+    "broker_url": CONFIG.get("broker.url") or redis_url(CONFIG.get("redis.db")),
+    "result_backend": CONFIG.get("result_backend.url") or redis_url(CONFIG.get("redis.db")),
     "broker_transport_options": CONFIG.get_dict_from_b64_json("broker.transport_options"),
-    "result_backend": CONFIG.get("result_backend.url")
-    or f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
 }
 
 # Sentry integration

authentik/sources/ldap/tests/mock_ad.py

@@ -34,7 +34,7 @@ def mock_ad_connection(password: str) -> Connection:
             "objectSid": "unique-test-group",
             "objectClass": "group",
             "distinguishedName": "cn=group1,ou=groups,dc=goauthentik,dc=io",
-            "member": ["cn=user0,ou=users,dc=goauthentik,dc=io"],
+            "member": ["cn=user,ou=users,dc=goauthentik,dc=io"],
         },
     )
     # Group without SID
@@ -47,7 +47,7 @@ def mock_ad_connection(password: str) -> Connection:
         },
     )
     connection.strategy.add_entry(
-        "cn=user0,ou=users,dc=goauthentik,dc=io",
+        "cn=user0,ou=foo,ou=users,dc=goauthentik,dc=io",
         {
             "userPassword": password,
             "sAMAccountName": "user0_sn",

authentik/sources/ldap/tests/test_auth.py

@@ -55,7 +55,7 @@ class LDAPSyncTests(TestCase):
             )
             connection.assert_called_with(
                 connection_kwargs={
-                    "user": "cn=user0,ou=users,dc=goauthentik,dc=io",
+                    "user": "cn=user0,ou=foo,ou=users,dc=goauthentik,dc=io",
                     "password": LDAP_PASSWORD,
                 }
             )

authentik/sources/oauth/tests/test_type_apple.py

@@ -0,0 +1,37 @@
+"""Apple Type tests"""
+
+from django.test import RequestFactory, TestCase
+from guardian.shortcuts import get_anonymous_user
+
+from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import dummy_get_response
+from authentik.root.middleware import SessionMiddleware
+from authentik.sources.oauth.models import OAuthSource
+from authentik.sources.oauth.types.registry import registry
+
+
+class TestTypeApple(TestCase):
+    """OAuth Source tests"""
+
+    def setUp(self):
+        self.source = OAuthSource.objects.create(
+            name="test",
+            slug="test",
+            provider_type="apple",
+            authorization_url="",
+            profile_url="",
+            consumer_key=generate_id(),
+        )
+        self.factory = RequestFactory()
+
+    def test_login_challenge(self):
+        """Test login_challenge"""
+        request = self.factory.get("/")
+        request.user = get_anonymous_user()
+
+        middleware = SessionMiddleware(dummy_get_response)
+        middleware.process_request(request)
+        request.session.save()
+        oauth_type = registry.find_type("apple")
+        challenge = oauth_type().login_challenge(self.source, request)
+        self.assertTrue(challenge.is_valid(raise_exception=True))

authentik/sources/oauth/types/apple.py

@@ -125,7 +125,7 @@ class AppleType(SourceType):
         )
         args = apple_client.get_redirect_args()
         return AppleLoginChallenge(
-            instance={
+            data={
                 "client_id": apple_client.get_client_id(),
                 "scope": "name email",
                 "redirect_uri": args["redirect_uri"],

authentik/sources/plex/models.py

@@ -66,7 +66,7 @@ class PlexSource(Source):
             icon = static("authentik/sources/plex.svg")
         return UILoginButton(
             challenge=PlexAuthenticationChallenge(
-                {
+                data={
                     "type": ChallengeTypes.NATIVE.value,
                     "component": "ak-source-plex",
                     "client_id": self.client_id,

authentik/sources/plex/tests.py

@@ -40,6 +40,11 @@ class TestPlexSource(TestCase):
             slug="test",
         )
 
+    def test_login_challenge(self):
+        """Test login_challenge"""
+        ui_login_button = self.source.ui_login_button(None)
+        self.assertTrue(ui_login_button.challenge.is_valid(raise_exception=True))
+
     def test_get_user_info(self):
         """Test get_user_info"""
         token = generate_key()

authentik/sources/scim/api/sources.py

@@ -7,7 +7,6 @@ from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.tokens import TokenSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.models import Token, TokenIntents, User, UserTypes
 from authentik.sources.scim.models import SCIMSource
 
 
@@ -27,25 +26,6 @@ class SCIMSourceSerializer(SourceSerializer):
             return relative_url
         return self.context["request"].build_absolute_uri(relative_url)
 
-    def create(self, validated_data):
-        instance: SCIMSource = super().create(validated_data)
-        identifier = f"ak-source-scim-{instance.pk}"
-        user = User.objects.create(
-            username=identifier,
-            name=f"SCIM Source {instance.name} Service-Account",
-            type=UserTypes.SERVICE_ACCOUNT,
-        )
-        token = Token.objects.create(
-            user=user,
-            identifier=identifier,
-            intent=TokenIntents.INTENT_API,
-            expiring=False,
-            managed=f"goauthentik.io/sources/scim/{instance.pk}",
-        )
-        instance.token = token
-        instance.save()
-        return instance
-
     class Meta:
 
         model = SCIMSource

authentik/sources/scim/apps.py

@@ -1,12 +1,13 @@
 """Authentik SCIM app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikSourceSCIMConfig(AppConfig):
+class AuthentikSourceSCIMConfig(ManagedAppConfig):
     """authentik SCIM Source app config"""
 
     name = "authentik.sources.scim"
     label = "authentik_sources_scim"
     verbose_name = "authentik Sources.SCIM"
     mountpoint = "source/scim/"
+    default = True

authentik/sources/scim/models.py

@@ -1,5 +1,7 @@
 """SCIM Source"""
 
+from uuid import uuid4
+
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import BaseSerializer
@@ -14,6 +16,12 @@ class SCIMSource(Source):
 
     token = models.ForeignKey(Token, on_delete=models.CASCADE, null=True, default=None)
 
+    @property
+    def service_account_identifier(self) -> str:
+        if not self.pk:
+            self.pk = uuid4()
+        return f"ak-source-scim-{self.pk}"
+
     @property
     def component(self) -> str:
         """Return component used to edit this object"""

authentik/sources/scim/signals.py

@@ -0,0 +1,41 @@
+from django.db.models import Model
+from django.db.models.signals import pre_delete, pre_save
+from django.dispatch import receiver
+
+from authentik.core.models import USER_PATH_SYSTEM_PREFIX, Token, TokenIntents, User, UserTypes
+from authentik.sources.scim.models import SCIMSource
+
+USER_PATH_SOURCE_SCIM = USER_PATH_SYSTEM_PREFIX + "/sources/scim"
+
+
+@receiver(pre_save, sender=SCIMSource)
+def scim_source_pre_save(sender: type[Model], instance: SCIMSource, **_):
+    """Create service account before source is saved"""
+    # .service_account_identifier will auto-assign a primary key uuid to the source
+    # if none is set yet, just so we can get the identifier before we save
+    identifier = instance.service_account_identifier
+    user = User.objects.create(
+        username=identifier,
+        name=f"SCIM Source {instance.name} Service-Account",
+        type=UserTypes.INTERNAL_SERVICE_ACCOUNT,
+        path=USER_PATH_SOURCE_SCIM,
+    )
+    token = Token.objects.create(
+        user=user,
+        identifier=identifier,
+        intent=TokenIntents.INTENT_API,
+        expiring=False,
+        managed=f"goauthentik.io/sources/scim/{instance.pk}",
+    )
+    instance.token = token
+
+
+@receiver(pre_delete, sender=SCIMSource)
+def scim_source_pre_delete(sender: type[Model], instance: SCIMSource, **_):
+    """Delete SCIM Source service account before deleting source"""
+    Token.objects.filter(
+        identifier=instance.service_account_identifier, intent=TokenIntents.INTENT_API
+    ).delete()
+    User.objects.filter(
+        username=instance.service_account_identifier, type=UserTypes.INTERNAL_SERVICE_ACCOUNT
+    ).delete()

authentik/sources/scim/tests/test_auth.py

@@ -14,27 +14,13 @@ class TestSCIMAuth(APITestCase):
 
     def setUp(self) -> None:
         self.user = create_test_admin_user()
-        self.token = Token.objects.create(
-            user=self.user,
-            identifier=generate_id(),
-            intent=TokenIntents.INTENT_API,
-        )
-        self.token2 = Token.objects.create(
-            user=self.user,
-            identifier=generate_id(),
-            intent=TokenIntents.INTENT_API,
-        )
         self.token3 = Token.objects.create(
             user=self.user,
             identifier=generate_id(),
             intent=TokenIntents.INTENT_API,
         )
-        self.source = SCIMSource.objects.create(
-            name=generate_id(), slug=generate_id(), token=self.token
-        )
-        self.source2 = SCIMSource.objects.create(
-            name=generate_id(), slug=generate_id(), token=self.token2
-        )
+        self.source = SCIMSource.objects.create(name=generate_id(), slug=generate_id())
+        self.source2 = SCIMSource.objects.create(name=generate_id(), slug=generate_id())
 
     def test_auth_ok(self):
         """Test successful auth"""
@@ -45,7 +31,7 @@ class TestSCIMAuth(APITestCase):
                     "source_slug": self.source.slug,
                 },
             ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
         )
         self.assertEqual(response.status_code, 200)
 
@@ -71,7 +57,7 @@ class TestSCIMAuth(APITestCase):
                     "source_slug": self.source.slug,
                 },
             ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token2.key}",
+            HTTP_AUTHORIZATION=f"Bearer {self.source2.token.key}",
         )
         self.assertEqual(response.status_code, 403)
         # Token for no source

authentik/sources/scim/tests/test_resource_types.py

@@ -3,8 +3,6 @@
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
-from authentik.core.models import Token, TokenIntents
-from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 from authentik.sources.scim.models import SCIMSource
 
@@ -13,14 +11,9 @@ class TestSCIMResourceTypes(APITestCase):
     """Test SCIM ResourceTypes view"""
 
     def setUp(self) -> None:
-        self.user = create_test_admin_user()
-        self.token = Token.objects.create(
-            user=self.user,
-            identifier=generate_id(),
-            intent=TokenIntents.INTENT_API,
-        )
         self.source = SCIMSource.objects.create(
-            name=generate_id(), slug=generate_id(), token=self.token
+            name=generate_id(),
+            slug=generate_id(),
         )
 
     def test_resource_type(self):
@@ -32,7 +25,7 @@ class TestSCIMResourceTypes(APITestCase):
                     "source_slug": self.source.slug,
                 },
             ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
         )
         self.assertEqual(response.status_code, 200)
 
@@ -46,7 +39,7 @@ class TestSCIMResourceTypes(APITestCase):
                     "resource_type": "ServiceProviderConfig",
                 },
             ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
         )
         self.assertEqual(response.status_code, 200)
 
@@ -60,6 +53,6 @@ class TestSCIMResourceTypes(APITestCase):
                     "resource_type": "foo",
                 },
             ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
         )
         self.assertEqual(response.status_code, 404)

authentik/sources/scim/tests/test_schemas.py

@@ -3,8 +3,6 @@
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
-from authentik.core.models import Token, TokenIntents
-from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 from authentik.sources.scim.models import SCIMSource
 
@@ -13,15 +11,7 @@ class TestSCIMSchemas(APITestCase):
     """Test SCIM Schema view"""
 
     def setUp(self) -> None:
-        self.user = create_test_admin_user()
-        self.token = Token.objects.create(
-            user=self.user,
-            identifier=generate_id(),
-            intent=TokenIntents.INTENT_API,
-        )
-        self.source = SCIMSource.objects.create(
-            name=generate_id(), slug=generate_id(), token=self.token
-        )
+        self.source = SCIMSource.objects.create(name=generate_id(), slug=generate_id())
 
     def test_schema(self):
         """Test full schema view"""
@@ -32,7 +22,7 @@ class TestSCIMSchemas(APITestCase):
                     "source_slug": self.source.slug,
                 },
             ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
         )
         self.assertEqual(response.status_code, 200)
 
@@ -46,7 +36,7 @@ class TestSCIMSchemas(APITestCase):
                     "schema_uri": "urn:ietf:params:scim:schemas:core:2.0:Meta",
                 },
             ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
         )
         self.assertEqual(response.status_code, 200)
 
@@ -60,6 +50,6 @@ class TestSCIMSchemas(APITestCase):
                     "schema_uri": "foo",
                 },
             ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
         )
         self.assertEqual(response.status_code, 404)

authentik/sources/scim/tests/test_service_provider_config.py

@@ -3,8 +3,6 @@
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
-from authentik.core.models import Token, TokenIntents
-from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 from authentik.sources.scim.models import SCIMSource
 
@@ -13,14 +11,9 @@ class TestSCIMServiceProviderConfig(APITestCase):
     """Test SCIM ServiceProviderConfig view"""
 
     def setUp(self) -> None:
-        self.user = create_test_admin_user()
-        self.token = Token.objects.create(
-            user=self.user,
-            identifier=generate_id(),
-            intent=TokenIntents.INTENT_API,
-        )
         self.source = SCIMSource.objects.create(
-            name=generate_id(), slug=generate_id(), token=self.token
+            name=generate_id(),
+            slug=generate_id(),
         )
 
     def test_config(self):
@@ -32,6 +25,6 @@ class TestSCIMServiceProviderConfig(APITestCase):
                     "source_slug": self.source.slug,
                 },
             ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
         )
         self.assertEqual(response.status_code, 200)

authentik/sources/scim/tests/test_signals.py

@@ -0,0 +1,27 @@
+"""Test SCIM Source creation"""
+
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Token, User
+from authentik.lib.generators import generate_id
+from authentik.sources.scim.models import SCIMSource
+
+
+class TestSCIMSignals(APITestCase):
+    """Test SCIM Signals view"""
+
+    def setUp(self) -> None:
+        self.uid = generate_id()
+
+    def test_create(self) -> None:
+        source = SCIMSource.objects.create(name=self.uid, slug=self.uid)
+        self.assertIsNotNone(source.token)
+        self.assertIsNotNone(source.token.user)
+
+    def test_delete(self):
+        self.test_create()
+        source = SCIMSource.objects.filter(slug=self.uid).first()
+        identifier = source.service_account_identifier
+        source.delete()
+        self.assertFalse(User.objects.filter(username=identifier).exists())
+        self.assertFalse(Token.objects.filter(identifier=identifier).exists())

authentik/sources/scim/tests/test_users.py

@@ -6,8 +6,8 @@ from uuid import uuid4
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
-from authentik.core.models import Token, TokenIntents
-from authentik.core.tests.utils import create_test_admin_user
+from authentik.core.tests.utils import create_test_user
+from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_id
 from authentik.providers.scim.clients.schema import User as SCIMUserSchema
 from authentik.sources.scim.models import SCIMSource, SCIMSourceUser
@@ -18,15 +18,7 @@ class TestSCIMUsers(APITestCase):
     """Test SCIM User view"""
 
     def setUp(self) -> None:
-        self.user = create_test_admin_user()
-        self.token = Token.objects.create(
-            user=self.user,
-            identifier=generate_id(),
-            intent=TokenIntents.INTENT_API,
-        )
-        self.source = SCIMSource.objects.create(
-            name=generate_id(), slug=generate_id(), token=self.token
-        )
+        self.source = SCIMSource.objects.create(name=generate_id(), slug=generate_id())
 
     def test_user_list(self):
         """Test full user list"""
@@ -37,15 +29,16 @@ class TestSCIMUsers(APITestCase):
                     "source_slug": self.source.slug,
                 },
             ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
         )
         self.assertEqual(response.status_code, 200)
 
     def test_user_list_single(self):
         """Test full user list (single user)"""
+        user = create_test_user()
         SCIMSourceUser.objects.create(
             source=self.source,
-            user=self.user,
+            user=user,
             id=str(uuid4()),
         )
         response = self.client.get(
@@ -53,16 +46,17 @@ class TestSCIMUsers(APITestCase):
                 "authentik_sources_scim:v2-users",
                 kwargs={
                     "source_slug": self.source.slug,
-                    "user_id": str(self.user.uuid),
+                    "user_id": str(user.uuid),
                 },
             ),
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
         )
         self.assertEqual(response.status_code, 200)
         SCIMUserSchema.model_validate_json(response.content, strict=True)
 
     def test_user_create(self):
         """Test user create"""
+        user = create_test_user()
         ext_id = generate_id()
         response = self.client.post(
             reverse(
@@ -78,13 +72,18 @@ class TestSCIMUsers(APITestCase):
                     "emails": [
                         {
                             "primary": True,
-                            "value": self.user.email,
+                            "value": user.email,
                         }
                     ],
                 }
             ),
             content_type=SCIM_CONTENT_TYPE,
-            HTTP_AUTHORIZATION=f"Bearer {self.token.key}",
+            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
         )
         self.assertEqual(response.status_code, 201)
         self.assertTrue(SCIMSourceUser.objects.filter(source=self.source, id=ext_id).exists())
+        self.assertTrue(
+            Event.objects.filter(
+                action=EventAction.MODEL_CREATED, user__username=self.source.token.user.username
+            ).exists()
+        )

authentik/stages/authenticator_webauthn/api/devices.py

@@ -20,7 +20,10 @@ class WebAuthnDeviceSerializer(ModelSerializer):
 
     class Meta:
         model = WebAuthnDevice
-        fields = ["pk", "name", "created_on", "device_type"]
+        fields = ["pk", "name", "created_on", "device_type", "aaguid"]
+        extra_kwargs = {
+            "aaguid": {"read_only": True},
+        }
 
 
 class WebAuthnDeviceViewSet(

authentik/stages/authenticator_webauthn/migrations/0001_squashed_0011_webauthndevice_aaguid.py

@@ -0,0 +1,168 @@
+# Generated by Django 5.0.4 on 2024-04-18 11:29
+
+import django.db.models.deletion
+import django.utils.timezone
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    replaces = [
+        ("authentik_stages_authenticator_webauthn", "0001_initial"),
+        ("authentik_stages_authenticator_webauthn", "0002_default_setup_flow"),
+        ("authentik_stages_authenticator_webauthn", "0003_webauthndevice_confirmed"),
+        ("authentik_stages_authenticator_webauthn", "0004_auto_20210304_1850"),
+        (
+            "authentik_stages_authenticator_webauthn",
+            "0005_authenticatewebauthnstage_user_verification",
+        ),
+        (
+            "authentik_stages_authenticator_webauthn",
+            "0006_authenticatewebauthnstage_authenticator_attachment_and_more",
+        ),
+        (
+            "authentik_stages_authenticator_webauthn",
+            "0007_rename_last_used_on_webauthndevice_last_t",
+        ),
+        ("authentik_stages_authenticator_webauthn", "0008_alter_webauthndevice_credential_id"),
+        ("authentik_stages_authenticator_webauthn", "0009_authenticatewebauthnstage_friendly_name"),
+        (
+            "authentik_stages_authenticator_webauthn",
+            "0010_webauthndevicetype_authenticatorwebauthnstage_and_more",
+        ),
+        ("authentik_stages_authenticator_webauthn", "0011_webauthndevice_aaguid"),
+    ]
+
+    initial = True
+
+    dependencies = [
+        ("authentik_flows", "0016_auto_20201202_1307"),
+        ("authentik_flows", "0027_auto_20231028_1424"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="WebAuthnDeviceType",
+            fields=[
+                ("aaguid", models.UUIDField(primary_key=True, serialize=False, unique=True)),
+                ("description", models.TextField()),
+                ("icon", models.TextField(null=True)),
+            ],
+            options={
+                "verbose_name": "WebAuthn Device type",
+                "verbose_name_plural": "WebAuthn Device types",
+            },
+        ),
+        migrations.CreateModel(
+            name="AuthenticatorWebAuthnStage",
+            fields=[
+                (
+                    "stage_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_flows.stage",
+                    ),
+                ),
+                (
+                    "configure_flow",
+                    models.ForeignKey(
+                        blank=True,
+                        help_text="Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage.",
+                        null=True,
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        to="authentik_flows.flow",
+                    ),
+                ),
+                (
+                    "user_verification",
+                    models.TextField(
+                        choices=[
+                            ("required", "Required"),
+                            ("preferred", "Preferred"),
+                            ("discouraged", "Discouraged"),
+                        ],
+                        default="preferred",
+                    ),
+                ),
+                (
+                    "authenticator_attachment",
+                    models.TextField(
+                        choices=[("platform", "Platform"), ("cross-platform", "Cross Platform")],
+                        default=None,
+                        null=True,
+                    ),
+                ),
+                (
+                    "resident_key_requirement",
+                    models.TextField(
+                        choices=[
+                            ("discouraged", "Discouraged"),
+                            ("preferred", "Preferred"),
+                            ("required", "Required"),
+                        ],
+                        default="preferred",
+                    ),
+                ),
+                ("friendly_name", models.TextField(null=True)),
+                (
+                    "device_type_restrictions",
+                    models.ManyToManyField(
+                        blank=True, to="authentik_stages_authenticator_webauthn.webauthndevicetype"
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "WebAuthn Authenticator Setup Stage",
+                "verbose_name_plural": "WebAuthn Authenticator Setup Stages",
+            },
+            bases=("authentik_flows.stage", models.Model),
+        ),
+        migrations.CreateModel(
+            name="WebAuthnDevice",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("name", models.TextField(max_length=200)),
+                ("credential_id", models.TextField(unique=True)),
+                ("public_key", models.TextField()),
+                ("sign_count", models.IntegerField(default=0)),
+                ("rp_id", models.CharField(max_length=253)),
+                ("created_on", models.DateTimeField(auto_now_add=True)),
+                ("last_t", models.DateTimeField(default=django.utils.timezone.now)),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
+                    ),
+                ),
+                (
+                    "confirmed",
+                    models.BooleanField(default=True, help_text="Is this device ready for use?"),
+                ),
+                (
+                    "device_type",
+                    models.ForeignKey(
+                        default=None,
+                        null=True,
+                        on_delete=django.db.models.deletion.SET_DEFAULT,
+                        to="authentik_stages_authenticator_webauthn.webauthndevicetype",
+                    ),
+                ),
+                ("aaguid", models.TextField(default="00000000-0000-0000-0000-000000000000")),
+            ],
+            options={
+                "verbose_name": "WebAuthn Device",
+                "verbose_name_plural": "WebAuthn Devices",
+            },
+        ),
+    ]

authentik/stages/authenticator_webauthn/migrations/0011_webauthndevice_aaguid.py

@@ -0,0 +1,21 @@
+# Generated by Django 5.0.4 on 2024-04-18 11:27
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_stages_authenticator_webauthn",
+            "0010_webauthndevicetype_authenticatorwebauthnstage_and_more",
+        ),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="webauthndevice",
+            name="aaguid",
+            field=models.TextField(default="00000000-0000-0000-0000-000000000000"),
+        ),
+    ]

authentik/stages/authenticator_webauthn/models.py

@@ -132,6 +132,7 @@ class WebAuthnDevice(SerializerModel, Device):
     created_on = models.DateTimeField(auto_now_add=True)
     last_t = models.DateTimeField(default=now)
 
+    aaguid = models.TextField(default=UNKNOWN_DEVICE_TYPE_AAGUID)
     device_type = models.ForeignKey(
         "WebAuthnDeviceType", on_delete=models.SET_DEFAULT, null=True, default=None
     )

authentik/stages/authenticator_webauthn/stage.py

@@ -126,10 +126,6 @@ class AuthenticatorWebAuthnStageView(ChallengeStageView):
         if authenticator_attachment:
             authenticator_attachment = AuthenticatorAttachment(str(authenticator_attachment))
 
-        attestation = AttestationConveyancePreference.DIRECT
-        if stage.device_type_restrictions.exists():
-            attestation = AttestationConveyancePreference.ENTERPRISE
-
         registration_options: PublicKeyCredentialCreationOptions = generate_registration_options(
             rp_id=get_rp_id(self.request),
             rp_name=self.request.brand.branding_title,
@@ -141,7 +137,7 @@ class AuthenticatorWebAuthnStageView(ChallengeStageView):
                 user_verification=UserVerificationRequirement(str(stage.user_verification)),
                 authenticator_attachment=authenticator_attachment,
             ),
-            attestation=attestation,
+            attestation=AttestationConveyancePreference.DIRECT,
         )
 
         self.request.session[SESSION_KEY_WEBAUTHN_CHALLENGE] = registration_options.challenge
@@ -180,6 +176,7 @@ class AuthenticatorWebAuthnStageView(ChallengeStageView):
                 sign_count=webauthn_credential.sign_count,
                 rp_id=get_rp_id(self.request),
                 device_type=device_type,
+                aaguid=webauthn_credential.aaguid,
             )
         else:
             return self.executor.stage_invalid("Device with Credential ID already exists.")

authentik/stages/prompt/stage.py

@@ -150,22 +150,26 @@ class PromptChallengeResponse(ChallengeResponse):
         return attrs
 
 
-def username_field_validator_factory() -> Callable[[PromptChallenge, str], Any]:
+def username_field_validator_factory() -> Callable[[PromptChallengeResponse, str], Any]:
     """Return a `clean_` method for `field`. Clean method checks if username is taken already."""
 
-    def username_field_validator(_: PromptChallenge, value: str) -> Any:
+    def username_field_validator(self: PromptChallengeResponse, value: str) -> Any:
         """Check for duplicate usernames"""
-        if User.objects.filter(username=value).exists():
+        pending_user = self.stage.get_pending_user()
+        query = User.objects.all()
+        if pending_user.pk:
+            query = query.exclude(username=pending_user.username)
+        if query.filter(username=value).exists():
             raise ValidationError("Username is already taken.")
         return value
 
     return username_field_validator
 
 
-def password_single_validator_factory() -> Callable[[PromptChallenge, str], Any]:
+def password_single_validator_factory() -> Callable[[PromptChallengeResponse, str], Any]:
     """Return a `clean_` method for `field`. Clean method checks if username is taken already."""
 
-    def password_single_clean(self: PromptChallenge, value: str) -> Any:
+    def password_single_clean(self: PromptChallengeResponse, value: str) -> Any:
         """Send password validation signals for e.g. LDAP Source"""
         password_validate.send(sender=self, password=value, plan_context=self.plan.context)
         return value

authentik/stages/user_login/stage.py

@@ -9,6 +9,7 @@ from django.utils.translation import gettext as _
 from rest_framework.fields import BooleanField, CharField
 
 from authentik.core.models import AuthenticatedSession, User
+from authentik.events.middleware import audit_ignore
 from authentik.flows.challenge import ChallengeResponse, ChallengeTypes, WithUserInfoChallenge
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, PLAN_CONTEXT_SOURCE
 from authentik.flows.stage import ChallengeStageView
@@ -95,11 +96,14 @@ class UserLoginStageView(ChallengeStageView):
             self.logger.warning("User is not active, login will not work.")
         delta = self.set_session_duration(remember)
         self.set_session_ip()
-        login(
-            self.request,
-            user,
-            backend=backend,
-        )
+        # the `user_logged_in` signal will update the user to write the `last_login` field
+        # which we don't want to log as we already have a dedicated login event
+        with audit_ignore():
+            login(
+                self.request,
+                user,
+                backend=backend,
+            )
         self.logger.debug(
             "Logged in",
             backend=backend,

authentik/tenants/models.py

@@ -23,7 +23,7 @@ LOGGER = get_logger()
 
 VALID_SCHEMA_NAME = re.compile(r"^t_[a-z0-9]{1,61}$")
 
-DEFAULT_TOKEN_DURATION = "minutes=30"  # nosec
+DEFAULT_TOKEN_DURATION = "days=1"  # nosec
 DEFAULT_TOKEN_LENGTH = 60
 
 

blueprints/default/flow-default-source-enrollment.yaml

@@ -16,7 +16,7 @@ entries:
     placeholder: Username
     placeholder_expression: false
     required: true
-    type: text
+    type: username
     field_key: username
     label: Username
   identifiers:

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2024.2.2 Blueprint schema",
+    "title": "authentik 2024.4.1 Blueprint schema",
     "required": [
         "version",
         "entries"

blueprints/system/sources-ldap.yaml

@@ -11,7 +11,6 @@ entries:
       name: "authentik default LDAP Mapping: DN to User Path"
       object_field: "path"
       expression: |
-        dn = ldap.get("distinguishedName")
         path_elements = []
         for pair in dn.split(","):
             attr, _, value = pair.partition("=")

docker-compose.yml

@@ -32,7 +32,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.1}
     restart: unless-stopped
     command: server
     environment:
@@ -53,7 +53,7 @@ services:
       - postgresql
       - redis
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.1}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -1,15 +1,13 @@
 module goauthentik.io
 
-go 1.22
-
-toolchain go1.22.0
+go 1.22.2
 
 require (
 	beryju.io/ldap v0.1.0
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/getsentry/sentry-go v0.27.0
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
-	github.com/go-ldap/ldap/v3 v3.4.7
+	github.com/go-ldap/ldap/v3 v3.4.8
 	github.com/go-openapi/runtime v0.28.0
 	github.com/go-openapi/strfmt v0.23.0
 	github.com/golang-jwt/jwt v3.2.2+incompatible
@@ -30,7 +28,7 @@ require (
 	github.com/spf13/cobra v1.8.0
 	github.com/stretchr/testify v1.9.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024022.11
+	goauthentik.io/api/v3 v3.2024023.2
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.19.0
 	golang.org/x/sync v0.7.0
@@ -75,7 +73,7 @@ require (
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	golang.org/x/crypto v0.21.0 // indirect
-	golang.org/x/net v0.22.0 // indirect
+	golang.org/x/net v0.23.0 // indirect
 	golang.org/x/sys v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect

go.sum

@@ -84,8 +84,8 @@ github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 h1:O6yi4xa9b2D
 github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27/go.mod h1:AYvN8omj7nKLmbcXS2dyABYU6JB1Lz1bHmkkq1kf4I4=
 github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a h1:v6zMvHuY9yue4+QkG/HQ/W67wvtQmWJ4SDo9aK/GIno=
 github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a/go.mod h1:I79BieaU4fxrw4LMXby6q5OS9XnoR9UIKLOzDFjUmuw=
-github.com/go-ldap/ldap/v3 v3.4.7 h1:3Hbd7mIB1qjd3Ra59fI3JYea/t5kykFu2CVHBca9koE=
-github.com/go-ldap/ldap/v3 v3.4.7/go.mod h1:qS3Sjlu76eHfHGpUdWkAXQTw4beih+cHsco2jXlIXrk=
+github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ=
+github.com/go-ldap/ldap/v3 v3.4.8/go.mod h1:qS3Sjlu76eHfHGpUdWkAXQTw4beih+cHsco2jXlIXrk=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -294,8 +294,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
-goauthentik.io/api/v3 v3.2024022.11 h1:MlsaBwyMM9NtDvZcoaWvuNznPHXA0a5olnDLyr24REA=
-goauthentik.io/api/v3 v3.2024022.11/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024023.2 h1:lSVaZAKTpsDhtw11wnkGjPalkDzv9H2VKEJllBi2aXs=
+goauthentik.io/api/v3 v3.2024023.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -373,8 +373,9 @@ golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
-golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=

internal/config/struct.go

@@ -25,13 +25,14 @@ type Config struct {
 }
 
 type RedisConfig struct {
-	Host     string `yaml:"host" env:"HOST, overwrite"`
-	Port     int    `yaml:"port" env:"PORT, overwrite"`
-	DB       int    `yaml:"db" env:"DB, overwrite"`
-	Username string `yaml:"username" env:"USERNAME, overwrite"`
-	Password string `yaml:"password" env:"PASSWORD, overwrite"`
-	TLS      bool   `yaml:"tls" env:"TLS, overwrite"`
-	TLSReqs  string `yaml:"tls_reqs" env:"TLS_REQS, overwrite"`
+	Host      string  `yaml:"host" env:"HOST, overwrite"`
+	Port      int     `yaml:"port" env:"PORT, overwrite"`
+	DB        int     `yaml:"db" env:"DB, overwrite"`
+	Username  string  `yaml:"username" env:"USERNAME, overwrite"`
+	Password  string  `yaml:"password" env:"PASSWORD, overwrite"`
+	TLS       bool    `yaml:"tls" env:"TLS, overwrite"`
+	TLSReqs   string  `yaml:"tls_reqs" env:"TLS_REQS, overwrite"`
+	TLSCaCert *string `yaml:"tls_ca_certs" env:"TLS_CA_CERT, overwrite"`
 }
 
 type ListenConfig struct {

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2024.2.2"
+const VERSION = "2024.4.1"

internal/outpost/proxyv2/application/session.go

@@ -2,6 +2,8 @@ package application
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"math"
 	"net/http"
@@ -19,6 +21,7 @@ import (
 	"goauthentik.io/internal/outpost/proxyv2/codecs"
 	"goauthentik.io/internal/outpost/proxyv2/constants"
 	"goauthentik.io/internal/outpost/proxyv2/redisstore"
+	"goauthentik.io/internal/utils"
 )
 
 const RedisKeyPrefix = "authentik_proxy_session_"
@@ -31,11 +34,40 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
 		maxAge = int(*t) + 1
 	}
 	if a.isEmbedded {
+		var tls *tls.Config
+		if config.Get().Redis.TLS {
+			tls = utils.GetTLSConfig()
+			switch strings.ToLower(config.Get().Redis.TLSReqs) {
+			case "none":
+			case "false":
+				tls.InsecureSkipVerify = true
+			case "required":
+				break
+			}
+			ca := config.Get().Redis.TLSCaCert
+			if ca != nil {
+				// Get the SystemCertPool, continue with an empty pool on error
+				rootCAs, _ := x509.SystemCertPool()
+				if rootCAs == nil {
+					rootCAs = x509.NewCertPool()
+				}
+				certs, err := os.ReadFile(*ca)
+				if err != nil {
+					a.log.WithError(err).Fatalf("Failed to append %s to RootCAs", *ca)
+				}
+				// Append our cert to the system pool
+				if ok := rootCAs.AppendCertsFromPEM(certs); !ok {
+					a.log.Println("No certs appended, using system certs only")
+				}
+				tls.RootCAs = rootCAs
+			}
+		}
 		client := redis.NewClient(&redis.Options{
-			Addr:     fmt.Sprintf("%s:%d", config.Get().Redis.Host, config.Get().Redis.Port),
-			Username: config.Get().Redis.Username,
-			Password: config.Get().Redis.Password,
-			DB:       config.Get().Redis.DB,
+			Addr:      fmt.Sprintf("%s:%d", config.Get().Redis.Host, config.Get().Redis.Port),
+			Username:  config.Get().Redis.Username,
+			Password:  config.Get().Redis.Password,
+			DB:        config.Get().Redis.DB,
+			TLSConfig: tls,
 		})
 
 		// New default RedisStore

lifecycle/ak

@@ -54,7 +54,7 @@ function cleanup {
 }
 
 function prepare_debug {
-    poetry install --no-ansi --no-interaction
+    VIRTUAL_ENV=/ak-root/venv poetry install --no-ansi --no-interaction
     touch /unittest.xml
     chown authentik:authentik /unittest.xml
 }

lifecycle/wait_for_db.py

@@ -3,13 +3,12 @@
 import authentik. This is done by the dockerfile."""
 from sys import exit as sysexit
 from time import sleep
-from urllib.parse import quote_plus
 
 from psycopg import OperationalError, connect
 from redis import Redis
 from redis.exceptions import RedisError
 
-from authentik.lib.config import CONFIG
+from authentik.lib.config import CONFIG, redis_url
 
 
 def check_postgres():
@@ -35,24 +34,15 @@ def check_postgres():
 
 
 def check_redis():
-    REDIS_PROTOCOL_PREFIX = "redis://"
-    if CONFIG.get_bool("redis.tls", False):
-        REDIS_PROTOCOL_PREFIX = "rediss://"
-    REDIS_URL = (
-        f"{REDIS_PROTOCOL_PREFIX}"
-        f"{quote_plus(CONFIG.get('redis.username'))}:"
-        f"{quote_plus(CONFIG.get('redis.password'))}@"
-        f"{quote_plus(CONFIG.get('redis.host'))}:"
-        f"{CONFIG.get_int('redis.port')}/{CONFIG.get('redis.db')}"
-    )
+    url = CONFIG.get("cache.url") or redis_url(CONFIG.get("redis.db"))
     while True:
         try:
-            redis = Redis.from_url(REDIS_URL)
+            redis = Redis.from_url(url)
             redis.ping()
             break
         except RedisError as exc:
             sleep(1)
-            CONFIG.log("info", f"Redis Connection failed, retrying... ({exc})", redis_url=REDIS_URL)
+            CONFIG.log("info", f"Redis Connection failed, retrying... ({exc})")
     CONFIG.log("info", "Redis Connection successful")
 
 

locale/fr/LC_MESSAGES/django.po

@@ -19,7 +19,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-03-05 00:07+0000\n"
+"POT-Creation-Date: 2024-04-16 00:07+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Marc Schmitt, 2024\n"
 "Language-Team: French (https://app.transifex.com/authentik/teams/119923/fr/)\n"
@@ -138,6 +138,14 @@ msgstr "Group"
 msgid "Groups"
 msgstr "Groupes"
 
+#: authentik/core/models.py
+msgid "Add user to group"
+msgstr "Ajouter un utilisateur au groupe"
+
+#: authentik/core/models.py
+msgid "Remove user from group"
+msgstr "Retirer l'utilisateur du groupe"
+
 #: authentik/core/models.py
 msgid "User's display name."
 msgstr "Nom d'affichage de l'utilisateur"
@@ -505,6 +513,22 @@ msgstr "Limite maximum de connection atteinte."
 msgid "(You are already connected in another tab/window)"
 msgstr "(Vous êtes déjà connecté dans un autre onglet/une autre fenêtre)"
 
+#: authentik/enterprise/stages/source/models.py
+msgid ""
+"Amount of time a user can take to return from the source to continue the "
+"flow (Format: hours=-1;minutes=-2;seconds=-3)"
+msgstr ""
+"Durée que l'utilisateur peut prendre pour revenir de la source pour "
+"continuer le flux (Format: hours=-1;minutes=-2;seconds=-3)"
+
+#: authentik/enterprise/stages/source/models.py
+msgid "Source Stage"
+msgstr "Étape Source"
+
+#: authentik/enterprise/stages/source/models.py
+msgid "Source Stages"
+msgstr "Étapes Source"
+
 #: authentik/events/api/tasks.py
 #, python-brace-format
 msgid "Successfully started task {name}."
@@ -1944,6 +1968,12 @@ msgstr "Les objets appliqués à ce filtre seront des groupes."
 msgid "Field which contains a unique Identifier."
 msgstr "Champ qui contient un identifiant unique."
 
+#: authentik/sources/ldap/models.py
+msgid "Update internal authentik password when login succeeds with LDAP"
+msgstr ""
+"Mettre à jour le mot de passe interne à authentik lorsque la connexion avec "
+"LDAP réussi"
+
 #: authentik/sources/ldap/models.py
 msgid ""
 "When a user changes their password, sync it back to LDAP. This can only be "
@@ -2282,6 +2312,14 @@ msgstr "Connexion de l'utilisateur à la source SAML"
 msgid "User SAML Source Connections"
 msgstr "Connexion de l'utilisateur aux sources SAML"
 
+#: authentik/sources/scim/models.py
+msgid "SCIM Source"
+msgstr "Source SCIM"
+
+#: authentik/sources/scim/models.py
+msgid "SCIM Sources"
+msgstr "Sources SCIM"
+
 #: authentik/stages/authenticator_duo/models.py
 msgid "Duo Authenticator Setup Stage"
 msgstr "Étape de configuration du Duo Authenticator"
@@ -2395,8 +2433,20 @@ msgid "TOTP Devices"
 msgstr "Équipements TOTP"
 
 #: authentik/stages/authenticator_validate/challenge.py
-msgid "Invalid Token"
-msgstr "Jeton Invalide"
+msgid ""
+"Invalid Token. Please ensure the time on your device is accurate and try "
+"again."
+msgstr ""
+"Jeton invalide. Merci de vous assurer que le temps défini sur votre appareil"
+" est juste et de réessayer,"
+
+#: authentik/stages/authenticator_validate/challenge.py
+#: authentik/stages/authenticator_webauthn/stage.py
+#, python-brace-format
+msgid "Invalid device type. Contact your {brand} administrator for help."
+msgstr ""
+"Type d'appareil invalide. Merci de contacter l'administrateur de {brand} "
+"pour de l'assistance."
 
 #: authentik/stages/authenticator_validate/models.py
 msgid "Static"
@@ -2452,6 +2502,10 @@ msgstr "Étape de validation de l'authentificateur"
 msgid "Authenticator Validation Stages"
 msgstr "Étapes de validation de l'authentificateur"
 
+#: authentik/stages/authenticator_validate/stage.py
+msgid "No (allowed) MFA authenticator configured."
+msgstr "Pas d'authentificateur MFA (autorisé) configuré."
+
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "Étape de validation de l'authentificateur WebAuthn"
@@ -2468,6 +2522,14 @@ msgstr "Appareil WebAuthn"
 msgid "WebAuthn Devices"
 msgstr "Équipements WebAuthn"
 
+#: authentik/stages/authenticator_webauthn/models.py
+msgid "WebAuthn Device type"
+msgstr "Type d'appareil WebAuthn"
+
+#: authentik/stages/authenticator_webauthn/models.py
+msgid "WebAuthn Device types"
+msgstr "Types d'appareil WebAuthn"
+
 #: authentik/stages/captcha/models.py
 msgid "Public key, acquired your captcha Provider."
 msgstr "Clé publique, acquise auprès de votre fournisseur captcha."
@@ -3129,6 +3191,14 @@ msgstr ""
 msgid "Globally enable/disable impersonation."
 msgstr "Activer/désactiver l'appropriation utilisateur de manière globale."
 
+#: authentik/tenants/models.py
+msgid "Default token duration"
+msgstr "Durée par défaut des jetons"
+
+#: authentik/tenants/models.py
+msgid "Default token length"
+msgstr "Longueur par défaut des jetons"
+
 #: authentik/tenants/models.py
 msgid "Tenant"
 msgstr "Tenant"

poetry.lock

@@ -2,87 +2,87 @@
 
 [[package]]
 name = "aiohttp"
-version = "3.9.2"
+version = "3.9.4"
 description = "Async http client/server framework (asyncio)"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "aiohttp-3.9.2-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:772fbe371788e61c58d6d3d904268e48a594ba866804d08c995ad71b144f94cb"},
-    {file = "aiohttp-3.9.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:edd4f1af2253f227ae311ab3d403d0c506c9b4410c7fc8d9573dec6d9740369f"},
-    {file = "aiohttp-3.9.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:cfee9287778399fdef6f8a11c9e425e1cb13cc9920fd3a3df8f122500978292b"},
-    {file = "aiohttp-3.9.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3cc158466f6a980a6095ee55174d1de5730ad7dec251be655d9a6a9dd7ea1ff9"},
-    {file = "aiohttp-3.9.2-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:54ec82f45d57c9a65a1ead3953b51c704f9587440e6682f689da97f3e8defa35"},
-    {file = "aiohttp-3.9.2-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:abeb813a18eb387f0d835ef51f88568540ad0325807a77a6e501fed4610f864e"},
-    {file = "aiohttp-3.9.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:cc91d07280d7d169f3a0f9179d8babd0ee05c79d4d891447629ff0d7d8089ec2"},
-    {file = "aiohttp-3.9.2-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b65e861f4bebfb660f7f0f40fa3eb9f2ab9af10647d05dac824390e7af8f75b7"},
-    {file = "aiohttp-3.9.2-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:04fd8ffd2be73d42bcf55fd78cde7958eeee6d4d8f73c3846b7cba491ecdb570"},
-    {file = "aiohttp-3.9.2-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:3d8d962b439a859b3ded9a1e111a4615357b01620a546bc601f25b0211f2da81"},
-    {file = "aiohttp-3.9.2-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:8ceb658afd12b27552597cf9a65d9807d58aef45adbb58616cdd5ad4c258c39e"},
-    {file = "aiohttp-3.9.2-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:0e4ee4df741670560b1bc393672035418bf9063718fee05e1796bf867e995fad"},
-    {file = "aiohttp-3.9.2-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:2dec87a556f300d3211decf018bfd263424f0690fcca00de94a837949fbcea02"},
-    {file = "aiohttp-3.9.2-cp310-cp310-win32.whl", hash = "sha256:3e1a800f988ce7c4917f34096f81585a73dbf65b5c39618b37926b1238cf9bc4"},
-    {file = "aiohttp-3.9.2-cp310-cp310-win_amd64.whl", hash = "sha256:ea510718a41b95c236c992b89fdfc3d04cc7ca60281f93aaada497c2b4e05c46"},
-    {file = "aiohttp-3.9.2-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:6aaa6f99256dd1b5756a50891a20f0d252bd7bdb0854c5d440edab4495c9f973"},
-    {file = "aiohttp-3.9.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:a27d8c70ad87bcfce2e97488652075a9bdd5b70093f50b10ae051dfe5e6baf37"},
-    {file = "aiohttp-3.9.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:54287bcb74d21715ac8382e9de146d9442b5f133d9babb7e5d9e453faadd005e"},
-    {file = "aiohttp-3.9.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5bb3d05569aa83011fcb346b5266e00b04180105fcacc63743fc2e4a1862a891"},
-    {file = "aiohttp-3.9.2-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c8534e7d69bb8e8d134fe2be9890d1b863518582f30c9874ed7ed12e48abe3c4"},
-    {file = "aiohttp-3.9.2-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:4bd9d5b989d57b41e4ff56ab250c5ddf259f32db17159cce630fd543376bd96b"},
-    {file = "aiohttp-3.9.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fa6904088e6642609981f919ba775838ebf7df7fe64998b1a954fb411ffb4663"},
-    {file = "aiohttp-3.9.2-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:bda42eb410be91b349fb4ee3a23a30ee301c391e503996a638d05659d76ea4c2"},
-    {file = "aiohttp-3.9.2-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:193cc1ccd69d819562cc7f345c815a6fc51d223b2ef22f23c1a0f67a88de9a72"},
-    {file = "aiohttp-3.9.2-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:b9f1cb839b621f84a5b006848e336cf1496688059d2408e617af33e3470ba204"},
-    {file = "aiohttp-3.9.2-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:d22a0931848b8c7a023c695fa2057c6aaac19085f257d48baa24455e67df97ec"},
-    {file = "aiohttp-3.9.2-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:4112d8ba61fbd0abd5d43a9cb312214565b446d926e282a6d7da3f5a5aa71d36"},
-    {file = "aiohttp-3.9.2-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:c4ad4241b52bb2eb7a4d2bde060d31c2b255b8c6597dd8deac2f039168d14fd7"},
-    {file = "aiohttp-3.9.2-cp311-cp311-win32.whl", hash = "sha256:ee2661a3f5b529f4fc8a8ffee9f736ae054adfb353a0d2f78218be90617194b3"},
-    {file = "aiohttp-3.9.2-cp311-cp311-win_amd64.whl", hash = "sha256:4deae2c165a5db1ed97df2868ef31ca3cc999988812e82386d22937d9d6fed52"},
-    {file = "aiohttp-3.9.2-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:6f4cdba12539215aaecf3c310ce9d067b0081a0795dd8a8805fdb67a65c0572a"},
-    {file = "aiohttp-3.9.2-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:84e843b33d5460a5c501c05539809ff3aee07436296ff9fbc4d327e32aa3a326"},
-    {file = "aiohttp-3.9.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:8008d0f451d66140a5aa1c17e3eedc9d56e14207568cd42072c9d6b92bf19b52"},
-    {file = "aiohttp-3.9.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:61c47ab8ef629793c086378b1df93d18438612d3ed60dca76c3422f4fbafa792"},
-    {file = "aiohttp-3.9.2-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:bc71f748e12284312f140eaa6599a520389273174b42c345d13c7e07792f4f57"},
-    {file = "aiohttp-3.9.2-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a1c3a4d0ab2f75f22ec80bca62385db2e8810ee12efa8c9e92efea45c1849133"},
-    {file = "aiohttp-3.9.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9a87aa0b13bbee025faa59fa58861303c2b064b9855d4c0e45ec70182bbeba1b"},
-    {file = "aiohttp-3.9.2-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e2cc0d04688b9f4a7854c56c18aa7af9e5b0a87a28f934e2e596ba7e14783192"},
-    {file = "aiohttp-3.9.2-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:1956e3ac376b1711c1533266dec4efd485f821d84c13ce1217d53e42c9e65f08"},
-    {file = "aiohttp-3.9.2-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:114da29f39eccd71b93a0fcacff178749a5c3559009b4a4498c2c173a6d74dff"},
-    {file = "aiohttp-3.9.2-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:3f17999ae3927d8a9a823a1283b201344a0627272f92d4f3e3a4efe276972fe8"},
-    {file = "aiohttp-3.9.2-cp312-cp312-musllinux_1_1_s390x.whl", hash = "sha256:f31df6a32217a34ae2f813b152a6f348154f948c83213b690e59d9e84020925c"},
-    {file = "aiohttp-3.9.2-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:7a75307ffe31329928a8d47eae0692192327c599113d41b278d4c12b54e1bd11"},
-    {file = "aiohttp-3.9.2-cp312-cp312-win32.whl", hash = "sha256:972b63d589ff8f305463593050a31b5ce91638918da38139b9d8deaba9e0fed7"},
-    {file = "aiohttp-3.9.2-cp312-cp312-win_amd64.whl", hash = "sha256:200dc0246f0cb5405c80d18ac905c8350179c063ea1587580e3335bfc243ba6a"},
-    {file = "aiohttp-3.9.2-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:158564d0d1020e0d3fe919a81d97aadad35171e13e7b425b244ad4337fc6793a"},
-    {file = "aiohttp-3.9.2-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:da1346cd0ccb395f0ed16b113ebb626fa43b7b07fd7344fce33e7a4f04a8897a"},
-    {file = "aiohttp-3.9.2-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:eaa9256de26ea0334ffa25f1913ae15a51e35c529a1ed9af8e6286dd44312554"},
-    {file = "aiohttp-3.9.2-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1543e7fb00214fb4ccead42e6a7d86f3bb7c34751ec7c605cca7388e525fd0b4"},
-    {file = "aiohttp-3.9.2-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:186e94570433a004e05f31f632726ae0f2c9dee4762a9ce915769ce9c0a23d89"},
-    {file = "aiohttp-3.9.2-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:d52d20832ac1560f4510d68e7ba8befbc801a2b77df12bd0cd2bcf3b049e52a4"},
-    {file = "aiohttp-3.9.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1c45e4e815ac6af3b72ca2bde9b608d2571737bb1e2d42299fc1ffdf60f6f9a1"},
-    {file = "aiohttp-3.9.2-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:aa906b9bdfd4a7972dd0628dbbd6413d2062df5b431194486a78f0d2ae87bd55"},
-    {file = "aiohttp-3.9.2-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:68bbee9e17d66f17bb0010aa15a22c6eb28583edcc8b3212e2b8e3f77f3ebe2a"},
-    {file = "aiohttp-3.9.2-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:4c189b64bd6d9a403a1a3f86a3ab3acbc3dc41a68f73a268a4f683f89a4dec1f"},
-    {file = "aiohttp-3.9.2-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:8a7876f794523123bca6d44bfecd89c9fec9ec897a25f3dd202ee7fc5c6525b7"},
-    {file = "aiohttp-3.9.2-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:d23fba734e3dd7b1d679b9473129cd52e4ec0e65a4512b488981a56420e708db"},
-    {file = "aiohttp-3.9.2-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:b141753be581fab842a25cb319f79536d19c2a51995d7d8b29ee290169868eab"},
-    {file = "aiohttp-3.9.2-cp38-cp38-win32.whl", hash = "sha256:103daf41ff3b53ba6fa09ad410793e2e76c9d0269151812e5aba4b9dd674a7e8"},
-    {file = "aiohttp-3.9.2-cp38-cp38-win_amd64.whl", hash = "sha256:328918a6c2835861ff7afa8c6d2c70c35fdaf996205d5932351bdd952f33fa2f"},
-    {file = "aiohttp-3.9.2-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:5264d7327c9464786f74e4ec9342afbbb6ee70dfbb2ec9e3dfce7a54c8043aa3"},
-    {file = "aiohttp-3.9.2-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:07205ae0015e05c78b3288c1517afa000823a678a41594b3fdc870878d645305"},
-    {file = "aiohttp-3.9.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:ae0a1e638cffc3ec4d4784b8b4fd1cf28968febc4bd2718ffa25b99b96a741bd"},
-    {file = "aiohttp-3.9.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d43302a30ba1166325974858e6ef31727a23bdd12db40e725bec0f759abce505"},
-    {file = "aiohttp-3.9.2-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:16a967685907003765855999af11a79b24e70b34dc710f77a38d21cd9fc4f5fe"},
-    {file = "aiohttp-3.9.2-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:6fa3ee92cd441d5c2d07ca88d7a9cef50f7ec975f0117cd0c62018022a184308"},
-    {file = "aiohttp-3.9.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0b500c5ad9c07639d48615a770f49618130e61be36608fc9bc2d9bae31732b8f"},
-    {file = "aiohttp-3.9.2-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c07327b368745b1ce2393ae9e1aafed7073d9199e1dcba14e035cc646c7941bf"},
-    {file = "aiohttp-3.9.2-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:cc7d6502c23a0ec109687bf31909b3fb7b196faf198f8cff68c81b49eb316ea9"},
-    {file = "aiohttp-3.9.2-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:07be2be7071723c3509ab5c08108d3a74f2181d4964e869f2504aaab68f8d3e8"},
-    {file = "aiohttp-3.9.2-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:122468f6fee5fcbe67cb07014a08c195b3d4c41ff71e7b5160a7bcc41d585a5f"},
-    {file = "aiohttp-3.9.2-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:00a9abcea793c81e7f8778ca195a1714a64f6d7436c4c0bb168ad2a212627000"},
-    {file = "aiohttp-3.9.2-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:7a9825fdd64ecac5c670234d80bb52bdcaa4139d1f839165f548208b3779c6c6"},
-    {file = "aiohttp-3.9.2-cp39-cp39-win32.whl", hash = "sha256:5422cd9a4a00f24c7244e1b15aa9b87935c85fb6a00c8ac9b2527b38627a9211"},
-    {file = "aiohttp-3.9.2-cp39-cp39-win_amd64.whl", hash = "sha256:7d579dcd5d82a86a46f725458418458fa43686f6a7b252f2966d359033ffc8ab"},
-    {file = "aiohttp-3.9.2.tar.gz", hash = "sha256:b0ad0a5e86ce73f5368a164c10ada10504bf91869c05ab75d982c6048217fbf7"},
+    {file = "aiohttp-3.9.4-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:76d32588ef7e4a3f3adff1956a0ba96faabbdee58f2407c122dd45aa6e34f372"},
+    {file = "aiohttp-3.9.4-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:56181093c10dbc6ceb8a29dfeea1e815e1dfdc020169203d87fd8d37616f73f9"},
+    {file = "aiohttp-3.9.4-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:c7a5b676d3c65e88b3aca41816bf72831898fcd73f0cbb2680e9d88e819d1e4d"},
+    {file = "aiohttp-3.9.4-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d1df528a85fb404899d4207a8d9934cfd6be626e30e5d3a5544a83dbae6d8a7e"},
+    {file = "aiohttp-3.9.4-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f595db1bceabd71c82e92df212dd9525a8a2c6947d39e3c994c4f27d2fe15b11"},
+    {file = "aiohttp-3.9.4-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9c0b09d76e5a4caac3d27752027fbd43dc987b95f3748fad2b924a03fe8632ad"},
+    {file = "aiohttp-3.9.4-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:689eb4356649ec9535b3686200b231876fb4cab4aca54e3bece71d37f50c1d13"},
+    {file = "aiohttp-3.9.4-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a3666cf4182efdb44d73602379a66f5fdfd5da0db5e4520f0ac0dcca644a3497"},
+    {file = "aiohttp-3.9.4-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:b65b0f8747b013570eea2f75726046fa54fa8e0c5db60f3b98dd5d161052004a"},
+    {file = "aiohttp-3.9.4-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:a1885d2470955f70dfdd33a02e1749613c5a9c5ab855f6db38e0b9389453dce7"},
+    {file = "aiohttp-3.9.4-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:0593822dcdb9483d41f12041ff7c90d4d1033ec0e880bcfaf102919b715f47f1"},
+    {file = "aiohttp-3.9.4-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:47f6eb74e1ecb5e19a78f4a4228aa24df7fbab3b62d4a625d3f41194a08bd54f"},
+    {file = "aiohttp-3.9.4-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:c8b04a3dbd54de6ccb7604242fe3ad67f2f3ca558f2d33fe19d4b08d90701a89"},
+    {file = "aiohttp-3.9.4-cp310-cp310-win32.whl", hash = "sha256:8a78dfb198a328bfb38e4308ca8167028920fb747ddcf086ce706fbdd23b2926"},
+    {file = "aiohttp-3.9.4-cp310-cp310-win_amd64.whl", hash = "sha256:e78da6b55275987cbc89141a1d8e75f5070e577c482dd48bd9123a76a96f0bbb"},
+    {file = "aiohttp-3.9.4-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:c111b3c69060d2bafc446917534150fd049e7aedd6cbf21ba526a5a97b4402a5"},
+    {file = "aiohttp-3.9.4-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:efbdd51872cf170093998c87ccdf3cb5993add3559341a8e5708bcb311934c94"},
+    {file = "aiohttp-3.9.4-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:7bfdb41dc6e85d8535b00d73947548a748e9534e8e4fddd2638109ff3fb081df"},
+    {file = "aiohttp-3.9.4-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2bd9d334412961125e9f68d5b73c1d0ab9ea3f74a58a475e6b119f5293eee7ba"},
+    {file = "aiohttp-3.9.4-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:35d78076736f4a668d57ade00c65d30a8ce28719d8a42471b2a06ccd1a2e3063"},
+    {file = "aiohttp-3.9.4-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:824dff4f9f4d0f59d0fa3577932ee9a20e09edec8a2f813e1d6b9f89ced8293f"},
+    {file = "aiohttp-3.9.4-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:52b8b4e06fc15519019e128abedaeb56412b106ab88b3c452188ca47a25c4093"},
+    {file = "aiohttp-3.9.4-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:eae569fb1e7559d4f3919965617bb39f9e753967fae55ce13454bec2d1c54f09"},
+    {file = "aiohttp-3.9.4-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:69b97aa5792428f321f72aeb2f118e56893371f27e0b7d05750bcad06fc42ca1"},
+    {file = "aiohttp-3.9.4-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:4d79aad0ad4b980663316f26d9a492e8fab2af77c69c0f33780a56843ad2f89e"},
+    {file = "aiohttp-3.9.4-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:d6577140cd7db19e430661e4b2653680194ea8c22c994bc65b7a19d8ec834403"},
+    {file = "aiohttp-3.9.4-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:9860d455847cd98eb67897f5957b7cd69fbcb436dd3f06099230f16a66e66f79"},
+    {file = "aiohttp-3.9.4-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:69ff36d3f8f5652994e08bd22f093e11cfd0444cea310f92e01b45a4e46b624e"},
+    {file = "aiohttp-3.9.4-cp311-cp311-win32.whl", hash = "sha256:e27d3b5ed2c2013bce66ad67ee57cbf614288bda8cdf426c8d8fe548316f1b5f"},
+    {file = "aiohttp-3.9.4-cp311-cp311-win_amd64.whl", hash = "sha256:d6a67e26daa686a6fbdb600a9af8619c80a332556245fa8e86c747d226ab1a1e"},
+    {file = "aiohttp-3.9.4-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:c5ff8ff44825736a4065d8544b43b43ee4c6dd1530f3a08e6c0578a813b0aa35"},
+    {file = "aiohttp-3.9.4-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:d12a244627eba4e9dc52cbf924edef905ddd6cafc6513849b4876076a6f38b0e"},
+    {file = "aiohttp-3.9.4-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:dcad56c8d8348e7e468899d2fb3b309b9bc59d94e6db08710555f7436156097f"},
+    {file = "aiohttp-3.9.4-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4f7e69a7fd4b5ce419238388e55abd220336bd32212c673ceabc57ccf3d05b55"},
+    {file = "aiohttp-3.9.4-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c4870cb049f10d7680c239b55428916d84158798eb8f353e74fa2c98980dcc0b"},
+    {file = "aiohttp-3.9.4-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3b2feaf1b7031ede1bc0880cec4b0776fd347259a723d625357bb4b82f62687b"},
+    {file = "aiohttp-3.9.4-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:939393e8c3f0a5bcd33ef7ace67680c318dc2ae406f15e381c0054dd658397de"},
+    {file = "aiohttp-3.9.4-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:7d2334e387b2adcc944680bebcf412743f2caf4eeebd550f67249c1c3696be04"},
+    {file = "aiohttp-3.9.4-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:e0198ea897680e480845ec0ffc5a14e8b694e25b3f104f63676d55bf76a82f1a"},
+    {file = "aiohttp-3.9.4-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:e40d2cd22914d67c84824045861a5bb0fb46586b15dfe4f046c7495bf08306b2"},
+    {file = "aiohttp-3.9.4-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:aba80e77c227f4234aa34a5ff2b6ff30c5d6a827a91d22ff6b999de9175d71bd"},
+    {file = "aiohttp-3.9.4-cp312-cp312-musllinux_1_1_s390x.whl", hash = "sha256:fb68dc73bc8ac322d2e392a59a9e396c4f35cb6fdbdd749e139d1d6c985f2527"},
+    {file = "aiohttp-3.9.4-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:f3460a92638dce7e47062cf088d6e7663adb135e936cb117be88d5e6c48c9d53"},
+    {file = "aiohttp-3.9.4-cp312-cp312-win32.whl", hash = "sha256:32dc814ddbb254f6170bca198fe307920f6c1308a5492f049f7f63554b88ef36"},
+    {file = "aiohttp-3.9.4-cp312-cp312-win_amd64.whl", hash = "sha256:63f41a909d182d2b78fe3abef557fcc14da50c7852f70ae3be60e83ff64edba5"},
+    {file = "aiohttp-3.9.4-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:c3770365675f6be220032f6609a8fbad994d6dcf3ef7dbcf295c7ee70884c9af"},
+    {file = "aiohttp-3.9.4-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:305edae1dea368ce09bcb858cf5a63a064f3bff4767dec6fa60a0cc0e805a1d3"},
+    {file = "aiohttp-3.9.4-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:6f121900131d116e4a93b55ab0d12ad72573f967b100e49086e496a9b24523ea"},
+    {file = "aiohttp-3.9.4-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b71e614c1ae35c3d62a293b19eface83d5e4d194e3eb2fabb10059d33e6e8cbf"},
+    {file = "aiohttp-3.9.4-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:419f009fa4cfde4d16a7fc070d64f36d70a8d35a90d71aa27670bba2be4fd039"},
+    {file = "aiohttp-3.9.4-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:7b39476ee69cfe64061fd77a73bf692c40021f8547cda617a3466530ef63f947"},
+    {file = "aiohttp-3.9.4-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b33f34c9c7decdb2ab99c74be6443942b730b56d9c5ee48fb7df2c86492f293c"},
+    {file = "aiohttp-3.9.4-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c78700130ce2dcebb1a8103202ae795be2fa8c9351d0dd22338fe3dac74847d9"},
+    {file = "aiohttp-3.9.4-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:268ba22d917655d1259af2d5659072b7dc11b4e1dc2cb9662fdd867d75afc6a4"},
+    {file = "aiohttp-3.9.4-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:17e7c051f53a0d2ebf33013a9cbf020bb4e098c4bc5bce6f7b0c962108d97eab"},
+    {file = "aiohttp-3.9.4-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:7be99f4abb008cb38e144f85f515598f4c2c8932bf11b65add0ff59c9c876d99"},
+    {file = "aiohttp-3.9.4-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:d58a54d6ff08d2547656356eea8572b224e6f9bbc0cf55fa9966bcaac4ddfb10"},
+    {file = "aiohttp-3.9.4-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:7673a76772bda15d0d10d1aa881b7911d0580c980dbd16e59d7ba1422b2d83cd"},
+    {file = "aiohttp-3.9.4-cp38-cp38-win32.whl", hash = "sha256:e4370dda04dc8951012f30e1ce7956a0a226ac0714a7b6c389fb2f43f22a250e"},
+    {file = "aiohttp-3.9.4-cp38-cp38-win_amd64.whl", hash = "sha256:eb30c4510a691bb87081192a394fb661860e75ca3896c01c6d186febe7c88530"},
+    {file = "aiohttp-3.9.4-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:84e90494db7df3be5e056f91412f9fa9e611fbe8ce4aaef70647297f5943b276"},
+    {file = "aiohttp-3.9.4-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:7d4845f8501ab28ebfdbeab980a50a273b415cf69e96e4e674d43d86a464df9d"},
+    {file = "aiohttp-3.9.4-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:69046cd9a2a17245c4ce3c1f1a4ff8c70c7701ef222fce3d1d8435f09042bba1"},
+    {file = "aiohttp-3.9.4-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8b73a06bafc8dcc508420db43b4dd5850e41e69de99009d0351c4f3007960019"},
+    {file = "aiohttp-3.9.4-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:418bb0038dfafeac923823c2e63226179976c76f981a2aaad0ad5d51f2229bca"},
+    {file = "aiohttp-3.9.4-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:71a8f241456b6c2668374d5d28398f8e8cdae4cce568aaea54e0f39359cd928d"},
+    {file = "aiohttp-3.9.4-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:935c369bf8acc2dc26f6eeb5222768aa7c62917c3554f7215f2ead7386b33748"},
+    {file = "aiohttp-3.9.4-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:74e4e48c8752d14ecfb36d2ebb3d76d614320570e14de0a3aa7a726ff150a03c"},
+    {file = "aiohttp-3.9.4-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:916b0417aeddf2c8c61291238ce25286f391a6acb6f28005dd9ce282bd6311b6"},
+    {file = "aiohttp-3.9.4-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:9b6787b6d0b3518b2ee4cbeadd24a507756ee703adbac1ab6dc7c4434b8c572a"},
+    {file = "aiohttp-3.9.4-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:221204dbda5ef350e8db6287937621cf75e85778b296c9c52260b522231940ed"},
+    {file = "aiohttp-3.9.4-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:10afd99b8251022ddf81eaed1d90f5a988e349ee7d779eb429fb07b670751e8c"},
+    {file = "aiohttp-3.9.4-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:2506d9f7a9b91033201be9ffe7d89c6a54150b0578803cce5cb84a943d075bc3"},
+    {file = "aiohttp-3.9.4-cp39-cp39-win32.whl", hash = "sha256:e571fdd9efd65e86c6af2f332e0e95dad259bfe6beb5d15b3c3eca3a6eb5d87b"},
+    {file = "aiohttp-3.9.4-cp39-cp39-win_amd64.whl", hash = "sha256:7d29dd5319d20aa3b7749719ac9685fbd926f71ac8c77b2477272725f882072d"},
+    {file = "aiohttp-3.9.4.tar.gz", hash = "sha256:6ff71ede6d9a5a58cfb7b6fffc83ab5d4a63138276c771ac91ceaaddf5459644"},
 ]
 
 [package.dependencies]
@@ -547,13 +547,13 @@ test = ["coverage (>=7)", "hypothesis", "pytest"]
 
 [[package]]
 name = "celery"
-version = "5.3.6"
+version = "5.4.0"
 description = "Distributed Task Queue."
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "celery-5.3.6-py3-none-any.whl", hash = "sha256:9da4ea0118d232ce97dff5ed4974587fb1c0ff5c10042eb15278487cdd27d1af"},
-    {file = "celery-5.3.6.tar.gz", hash = "sha256:870cc71d737c0200c397290d730344cc991d13a057534353d124c9380267aab9"},
+    {file = "celery-5.4.0-py3-none-any.whl", hash = "sha256:369631eb580cf8c51a82721ec538684994f8277637edde2dfc0dacd73ed97f64"},
+    {file = "celery-5.4.0.tar.gz", hash = "sha256:504a19140e8d3029d5acad88330c541d4c3f64c789d85f94756762d8bca7e706"},
 ]
 
 [package.dependencies]
@@ -569,7 +569,7 @@ vine = ">=5.1.0,<6.0"
 
 [package.extras]
 arangodb = ["pyArango (>=2.0.2)"]
-auth = ["cryptography (==41.0.5)"]
+auth = ["cryptography (==42.0.5)"]
 azureblockblob = ["azure-storage-blob (>=12.15.0)"]
 brotli = ["brotli (>=1.0.0)", "brotlipy (>=0.7.0)"]
 cassandra = ["cassandra-driver (>=3.25.0,<4)"]
@@ -579,22 +579,23 @@ couchbase = ["couchbase (>=3.0.0)"]
 couchdb = ["pycouchdb (==1.14.2)"]
 django = ["Django (>=2.2.28)"]
 dynamodb = ["boto3 (>=1.26.143)"]
-elasticsearch = ["elastic-transport (<=8.10.0)", "elasticsearch (<=8.11.0)"]
+elasticsearch = ["elastic-transport (<=8.13.0)", "elasticsearch (<=8.13.0)"]
 eventlet = ["eventlet (>=0.32.0)"]
+gcs = ["google-cloud-storage (>=2.10.0)"]
 gevent = ["gevent (>=1.5.0)"]
 librabbitmq = ["librabbitmq (>=2.0.0)"]
 memcache = ["pylibmc (==1.6.3)"]
 mongodb = ["pymongo[srv] (>=4.0.2)"]
-msgpack = ["msgpack (==1.0.7)"]
-pymemcache = ["python-memcached (==1.59)"]
+msgpack = ["msgpack (==1.0.8)"]
+pymemcache = ["python-memcached (>=1.61)"]
 pyro = ["pyro4 (==4.82)"]
-pytest = ["pytest-celery (==0.0.0)"]
+pytest = ["pytest-celery[all] (>=1.0.0)"]
 redis = ["redis (>=4.5.2,!=4.5.5,<6.0.0)"]
 s3 = ["boto3 (>=1.26.143)"]
 slmq = ["softlayer-messaging (>=1.0.3)"]
 solar = ["ephem (==4.1.5)"]
 sqlalchemy = ["sqlalchemy (>=1.4.48,<2.1)"]
-sqs = ["boto3 (>=1.26.143)", "kombu[sqs] (>=5.3.0)", "pycurl (>=7.43.0.5)", "urllib3 (>=1.26.16)"]
+sqs = ["boto3 (>=1.26.143)", "kombu[sqs] (>=5.3.4)", "pycurl (>=7.43.0.5)", "urllib3 (>=1.26.16)"]
 tblib = ["tblib (>=1.3.0)", "tblib (>=1.5.0)"]
 yaml = ["PyYAML (>=3.10)"]
 zookeeper = ["kazoo (>=1.3.1)"]
@@ -1612,22 +1613,23 @@ requests = ["requests (>=2.20.0,<3.0.0.dev0)"]
 
 [[package]]
 name = "gunicorn"
-version = "21.2.0"
+version = "22.0.0"
 description = "WSGI HTTP Server for UNIX"
 optional = false
-python-versions = ">=3.5"
+python-versions = ">=3.7"
 files = [
-    {file = "gunicorn-21.2.0-py3-none-any.whl", hash = "sha256:3213aa5e8c24949e792bcacfc176fef362e7aac80b76c56f6b5122bf350722f0"},
-    {file = "gunicorn-21.2.0.tar.gz", hash = "sha256:88ec8bff1d634f98e61b9f65bc4bf3cd918a90806c6f5c48bc5603849ec81033"},
+    {file = "gunicorn-22.0.0-py3-none-any.whl", hash = "sha256:350679f91b24062c86e386e198a15438d53a7a8207235a78ba1b53df4c4378d9"},
+    {file = "gunicorn-22.0.0.tar.gz", hash = "sha256:4a0b436239ff76fb33f11c07a16482c521a7e09c1ce3cc293c2330afe01bec63"},
 ]
 
 [package.dependencies]
 packaging = "*"
 
 [package.extras]
-eventlet = ["eventlet (>=0.24.1)"]
+eventlet = ["eventlet (>=0.24.1,!=0.36.0)"]
 gevent = ["gevent (>=1.4.0)"]
 setproctitle = ["setproctitle"]
+testing = ["coverage", "eventlet", "gevent", "pytest", "pytest-cov"]
 tornado = ["tornado (>=0.2)"]
 
 [[package]]
@@ -3525,28 +3527,28 @@ pyasn1 = ">=0.1.3"
 
 [[package]]
 name = "ruff"
-version = "0.3.7"
+version = "0.4.0"
 description = "An extremely fast Python linter and code formatter, written in Rust."
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "ruff-0.3.7-py3-none-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl", hash = "sha256:0e8377cccb2f07abd25e84fc5b2cbe48eeb0fea9f1719cad7caedb061d70e5ce"},
-    {file = "ruff-0.3.7-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:15a4d1cc1e64e556fa0d67bfd388fed416b7f3b26d5d1c3e7d192c897e39ba4b"},
-    {file = "ruff-0.3.7-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d28bdf3d7dc71dd46929fafeec98ba89b7c3550c3f0978e36389b5631b793663"},
-    {file = "ruff-0.3.7-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:379b67d4f49774ba679593b232dcd90d9e10f04d96e3c8ce4a28037ae473f7bb"},
-    {file = "ruff-0.3.7-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c060aea8ad5ef21cdfbbe05475ab5104ce7827b639a78dd55383a6e9895b7c51"},
-    {file = "ruff-0.3.7-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:ebf8f615dde968272d70502c083ebf963b6781aacd3079081e03b32adfe4d58a"},
-    {file = "ruff-0.3.7-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d48098bd8f5c38897b03604f5428901b65e3c97d40b3952e38637b5404b739a2"},
-    {file = "ruff-0.3.7-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:da8a4fda219bf9024692b1bc68c9cff4b80507879ada8769dc7e985755d662ea"},
-    {file = "ruff-0.3.7-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6c44e0149f1d8b48c4d5c33d88c677a4aa22fd09b1683d6a7ff55b816b5d074f"},
-    {file = "ruff-0.3.7-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:3050ec0af72b709a62ecc2aca941b9cd479a7bf2b36cc4562f0033d688e44fa1"},
-    {file = "ruff-0.3.7-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:a29cc38e4c1ab00da18a3f6777f8b50099d73326981bb7d182e54a9a21bb4ff7"},
-    {file = "ruff-0.3.7-py3-none-musllinux_1_2_i686.whl", hash = "sha256:5b15cc59c19edca917f51b1956637db47e200b0fc5e6e1878233d3a938384b0b"},
-    {file = "ruff-0.3.7-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:e491045781b1e38b72c91247cf4634f040f8d0cb3e6d3d64d38dcf43616650b4"},
-    {file = "ruff-0.3.7-py3-none-win32.whl", hash = "sha256:bc931de87593d64fad3a22e201e55ad76271f1d5bfc44e1a1887edd0903c7d9f"},
-    {file = "ruff-0.3.7-py3-none-win_amd64.whl", hash = "sha256:5ef0e501e1e39f35e03c2acb1d1238c595b8bb36cf7a170e7c1df1b73da00e74"},
-    {file = "ruff-0.3.7-py3-none-win_arm64.whl", hash = "sha256:789e144f6dc7019d1f92a812891c645274ed08af6037d11fc65fcbc183b7d59f"},
-    {file = "ruff-0.3.7.tar.gz", hash = "sha256:d5c1aebee5162c2226784800ae031f660c350e7a3402c4d1f8ea4e97e232e3ba"},
+    {file = "ruff-0.4.0-py3-none-macosx_10_12_x86_64.macosx_11_0_arm64.macosx_10_12_universal2.whl", hash = "sha256:70b8c620cf2212744eabd6d69c4f839f2be0d8880d27beaeb0adb6aa0b316aa8"},
+    {file = "ruff-0.4.0-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:cfa3e3ff53be05a8c5570c1585ea1e089f6b399ca99fcb78598d4a8234f248db"},
+    {file = "ruff-0.4.0-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5616cca501d1d16b932b7e607d7e1fd1b8c8c51d6ee484b7940fc1adc5bea541"},
+    {file = "ruff-0.4.0-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:46eff08dd480b5d9b540846159fe134d70e3c45a3c913c600047cbf7f0e4e308"},
+    {file = "ruff-0.4.0-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2d546f511431fff2b17adcf7110f3b2c2c0c8d33b0e10e5fd27fd340bc617efc"},
+    {file = "ruff-0.4.0-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:c7b6b6b38e216036284c5779b6aa14acbf5664e3b5872533219cf93daf40ddfb"},
+    {file = "ruff-0.4.0-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5e1cf8b064bb2a6b4922af7274fe2dffcb552d96ba716b2fbe5e2c970ed7de18"},
+    {file = "ruff-0.4.0-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9911c9046b94253e1fa844c0192bb764b86866a881502dee324686474d498c17"},
+    {file = "ruff-0.4.0-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4ca7a971c8f1a0b6f5ff4a819c0d1c2619536530bbd5a289af725d8b2ef1013d"},
+    {file = "ruff-0.4.0-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:752e0f77f421141dd470a0b1bed4fd8f763aebabe32c80ed3580f740ef4ba807"},
+    {file = "ruff-0.4.0-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:84f2a5dd8f33964d826c5377e094f7ce11e55e432cd42d3bf64efe4384224a03"},
+    {file = "ruff-0.4.0-py3-none-musllinux_1_2_i686.whl", hash = "sha256:0b20e7db4a672495320a8a18149b7febf4e4f97509a4657367144569ce0915fd"},
+    {file = "ruff-0.4.0-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:0b0eddd339e24dc4f7719b1cde4967f6b6bc0ad948cc183711ba8910f14aeafe"},
+    {file = "ruff-0.4.0-py3-none-win32.whl", hash = "sha256:e70befd488271a2c28c80bd427f73d8855dd222fc549fa1e9967d287c5cfe781"},
+    {file = "ruff-0.4.0-py3-none-win_amd64.whl", hash = "sha256:8584b9361900997ccf8d7aaa4dc4ab43e258a853ca7189d98ac929dc9ee50875"},
+    {file = "ruff-0.4.0-py3-none-win_arm64.whl", hash = "sha256:fea4ec813c965e40af29ee627a1579ee1d827d77e81d54b85bdd7b42d1540cdd"},
+    {file = "ruff-0.4.0.tar.gz", hash = "sha256:7457308d9ebf00d6a1c9a26aa755e477787a636c90b823f91cd7d4bea9e89260"},
 ]
 
 [[package]]
@@ -3963,13 +3965,13 @@ wsproto = ">=0.14"
 
 [[package]]
 name = "twilio"
-version = "9.0.4"
+version = "9.0.5"
 description = "Twilio API client and TwiML generator"
 optional = false
 python-versions = ">=3.7.0"
 files = [
-    {file = "twilio-9.0.4-py2.py3-none-any.whl", hash = "sha256:086abae1a575a0ee89a72c0792d814ee349fe55c8df76b563ecfc49463c3c533"},
-    {file = "twilio-9.0.4.tar.gz", hash = "sha256:d493d5bde6361bb713dffec00b9465ff84978b71334dd75002152e79604688ba"},
+    {file = "twilio-9.0.5-py2.py3-none-any.whl", hash = "sha256:5e09e910b9368f50f23cb3c3dd5ba77164d80a81e9d97db955cbac322deb2a4e"},
+    {file = "twilio-9.0.5.tar.gz", hash = "sha256:e9b5727943584d25d618fe502f0100fc5283215f31c863f80b5c64581b4702b0"},
 ]
 
 [package.dependencies]

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.2.2"
+version = "2024.4.1"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2024.2.2
+  version: 2024.4.1
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io
@@ -44714,6 +44714,26 @@ components:
       - num_pk
       - parent_name
       - pk
+    UserGroupRequest:
+      type: object
+      description: Simplified Group Serializer for user's groups
+      properties:
+        name:
+          type: string
+          minLength: 1
+          maxLength: 80
+        is_superuser:
+          type: boolean
+          description: Users added to this group will be superusers.
+        parent:
+          type: string
+          format: uuid
+          nullable: true
+        attributes:
+          type: object
+          additionalProperties: {}
+      required:
+      - name
     UserLoginChallenge:
       type: object
       description: Empty challenge
@@ -45400,7 +45420,11 @@ components:
           - $ref: '#/components/schemas/WebAuthnDeviceType'
           readOnly: true
           nullable: true
+        aaguid:
+          type: string
+          readOnly: true
       required:
+      - aaguid
       - created_on
       - device_type
       - name

tests/e2e/test_source_scim.py

@@ -6,7 +6,6 @@ from typing import Any
 
 from docker.types import Healthcheck
 
-from authentik.core.models import Token, TokenIntents, User
 from authentik.lib.generators import generate_id
 from authentik.lib.utils.http import get_http_session
 from authentik.sources.scim.models import SCIMSource
@@ -40,18 +39,9 @@ class TestSourceSCIM(SeleniumTestCase):
 
     @retry()
     def test_scim_conformance(self):
-        user = User.objects.create(
-            username=generate_id(),
-        )
-        token = Token.objects.create(
-            user=user,
-            intent=TokenIntents.INTENT_API,
-            expiring=False,
-        )
         source = SCIMSource.objects.create(
             name=generate_id(),
             slug=generate_id(),
-            token=token,
         )
         session = get_http_session()
         test_launch = session.post(
@@ -59,7 +49,7 @@ class TestSourceSCIM(SeleniumTestCase):
             data={
                 "endPoint": self.live_server_url + f"/source/scim/{source.slug}/v2",
                 "username": "foo",
-                "password": token.key,
+                "password": source.token.key,
                 "jwtToken": None,
                 "usersCheck": 1,
                 "groupsCheck": 1,

tests/wdio/package-lock.json

@@ -6,7 +6,7 @@
         "": {
             "name": "@goauthentik/web-tests",
             "dependencies": {
-                "chromedriver": "^123.0.3"
+                "chromedriver": "^123.0.4"
             },
             "devDependencies": {
                 "@trivago/prettier-plugin-sort-imports": "^4.3.0",
@@ -2084,9 +2084,9 @@
             }
         },
         "node_modules/chromedriver": {
-            "version": "123.0.3",
-            "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-123.0.3.tgz",
-            "integrity": "sha512-35IeTqDLcVR0htF9nD/Lh+g24EG088WHVKXBXiFyWq+2lelnoM0B3tKTBiUEjLng0GnELI4QyQPFK7i97Fz1fQ==",
+            "version": "123.0.4",
+            "resolved": "https://registry.npmjs.org/chromedriver/-/chromedriver-123.0.4.tgz",
+            "integrity": "sha512-3Yi7y7q35kkSAOTbRisiww/SL2w+DqafDPAaUShpSuLMmPaOvHQR0i3bm2/33QBiQ8fUb1J/MzppzVL6IDqvhA==",
             "hasInstallScript": true,
             "dependencies": {
                 "@testim/chrome-version": "^1.1.4",

tests/wdio/package.json

@@ -32,6 +32,6 @@
         "node": ">=20"
     },
     "dependencies": {
-        "chromedriver": "^123.0.3"
+        "chromedriver": "^123.0.4"
     }
 }

web/package.json

@@ -38,22 +38,22 @@
         "@codemirror/theme-one-dark": "^6.1.2",
         "@formatjs/intl-listformat": "^7.5.5",
         "@fortawesome/fontawesome-free": "^6.5.2",
-        "@goauthentik/api": "^2024.2.2-1713289394",
+        "@goauthentik/api": "^2024.2.3-1713441634",
         "@lit-labs/task": "^3.1.0",
         "@lit/context": "^1.1.1",
         "@lit/localize": "^0.12.1",
         "@lit/reactive-element": "^2.0.4",
         "@open-wc/lit-helpers": "^0.7.0",
-        "@patternfly/elements": "^3.0.0",
+        "@patternfly/elements": "^3.0.1",
         "@patternfly/patternfly": "^4.224.2",
-        "@sentry/browser": "^7.110.1",
+        "@sentry/browser": "^7.111.0",
         "@webcomponents/webcomponentsjs": "^2.8.0",
         "base64-js": "^1.5.1",
         "chart.js": "^4.4.2",
         "chartjs-adapter-moment": "^1.0.1",
         "codemirror": "^6.0.1",
         "construct-style-sheets-polyfill": "^3.1.0",
-        "core-js": "^3.36.1",
+        "core-js": "^3.37.0",
         "country-flag-icons": "^1.5.11",
         "fuse.js": "^7.0.0",
         "guacamole-common-js": "^1.5.0",
@@ -81,13 +81,13 @@
         "@lit/localize-tools": "^0.7.2",
         "@rollup/plugin-replace": "^5.0.5",
         "@spotlightjs/spotlight": "^1.2.17",
-        "@storybook/addon-essentials": "^7.6.17",
-        "@storybook/addon-links": "^7.6.17",
+        "@storybook/addon-essentials": "^8.0.8",
+        "@storybook/addon-links": "^8.0.8",
         "@storybook/api": "^7.6.17",
-        "@storybook/blocks": "^7.6.4",
-        "@storybook/manager-api": "^7.6.17",
-        "@storybook/web-components": "^7.6.17",
-        "@storybook/web-components-vite": "^7.6.17",
+        "@storybook/blocks": "^8.0.8",
+        "@storybook/manager-api": "^8.0.8",
+        "@storybook/web-components": "^8.0.8",
+        "@storybook/web-components-vite": "^8.0.8",
         "@trivago/prettier-plugin-sort-imports": "^4.3.0",
         "@types/chart.js": "^2.9.41",
         "@types/codemirror": "5.60.15",
@@ -117,8 +117,8 @@
         "react-dom": "^18.2.0",
         "rollup-plugin-modify": "^3.0.0",
         "rollup-plugin-postcss-lit": "^2.1.0",
-        "storybook": "^7.6.17",
-        "storybook-addon-mock": "^4.3.0",
+        "storybook": "^8.0.8",
+        "storybook-addon-mock": "^5.0.0",
         "ts-lit-plugin": "^2.0.2",
         "tslib": "^2.6.2",
         "turnstile-types": "^1.2.1",

web/src/admin/AdminInterface/AdminSidebar.ts

@@ -166,7 +166,7 @@ export class AkAdminSidebar extends WithCapabilitiesConfig(AKElement) {
             ${this.renderNewVersionMessage()}
             ${this.renderImpersonationMessage()}
             ${map(sidebarContent, renderOneSidebarItem)}
-            ${this.renderEnterpriseMessage()}
+            ${this.renderEnterpriseMenu()}
         `;
     }
 
@@ -199,7 +199,7 @@ export class AkAdminSidebar extends WithCapabilitiesConfig(AKElement) {
             : nothing;
     }
 
-    renderEnterpriseMessage() {
+    renderEnterpriseMenu() {
         return this.can(CapabilitiesEnum.IsEnterprise)
             ? html`
                   <ak-sidebar-item>

web/src/admin/groups/GroupForm.ts

@@ -3,6 +3,8 @@ import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/CodeMirror";
 import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
+import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider";
+import { DataProvision, DualSelectPair } from "@goauthentik/elements/ak-dual-select/types";
 import "@goauthentik/elements/chips/Chip";
 import "@goauthentik/elements/chips/ChipGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
@@ -12,22 +14,17 @@ import YAML from "yaml";
 
 import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, css, html } from "lit";
-import { customElement, state } from "lit/decorators.js";
+import { customElement } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
 
-import {
-    CoreApi,
-    CoreGroupsListRequest,
-    Group,
-    PaginatedRoleList,
-    RbacApi,
-} from "@goauthentik/api";
+import { CoreApi, CoreGroupsListRequest, Group, RbacApi, Role } from "@goauthentik/api";
+
+export function rbacRolePair(item: Role): DualSelectPair {
+    return [item.pk, html`<div class="selection-main">${item.name}</div>`, item.name];
+}
 
 @customElement("ak-group-form")
 export class GroupForm extends ModelForm<Group, string> {
-    @state()
-    roles?: PaginatedRoleList;
-
     static get styles(): CSSResult[] {
         return super.styles.concat(css`
             .pf-c-button.pf-m-control {
@@ -51,12 +48,6 @@ export class GroupForm extends ModelForm<Group, string> {
             : msg("Successfully created group.");
     }
 
-    async load(): Promise<void> {
-        this.roles = await new RbacApi(DEFAULT_CONFIG).rbacRolesList({
-            ordering: "name",
-        });
-    }
-
     async send(data: Group): Promise<Group> {
         if (this.instance?.pk) {
             return new CoreApi(DEFAULT_CONFIG).coreGroupsPartialUpdate({
@@ -127,24 +118,29 @@ export class GroupForm extends ModelForm<Group, string> {
                 </ak-search-select>
             </ak-form-element-horizontal>
             <ak-form-element-horizontal label=${msg("Roles")} name="roles">
-                <select class="pf-c-form-control" multiple>
-                    ${this.roles?.results.map((role) => {
-                        const selected = Array.from(this.instance?.roles || []).some((sp) => {
-                            return sp == role.pk;
-                        });
-                        return html`<option value=${role.pk} ?selected=${selected}>
-                            ${role.name}
-                        </option>`;
-                    })}
-                </select>
+                <ak-dual-select-provider
+                    .provider=${(page: number, search?: string): Promise<DataProvision> => {
+                        return new RbacApi(DEFAULT_CONFIG)
+                            .rbacRolesList({
+                                page: page,
+                                search: search,
+                            })
+                            .then((results) => {
+                                return {
+                                    pagination: results.pagination,
+                                    options: results.results.map(rbacRolePair),
+                                };
+                            });
+                    }}
+                    .selected=${(this.instance?.rolesObj ?? []).map(rbacRolePair)}
+                    available-label="${msg("Available Roles")}"
+                    selected-label="${msg("Selected Roles")}"
+                ></ak-dual-select-provider>
                 <p class="pf-c-form__helper-text">
                     ${msg(
                         "Select roles to grant this groups' users' permissions from the selected roles.",
                     )}
                 </p>
-                <p class="pf-c-form__helper-text">
-                    ${msg("Hold control/command to select multiple items.")}
-                </p>
             </ak-form-element-horizontal>
             <ak-form-element-horizontal
                 label=${msg("Attributes")}

web/src/admin/stages/identification/IdentificationStageForm.ts

@@ -214,28 +214,23 @@ export class IdentificationStageForm extends BaseStageForm<IdentificationStage>
                         name="sources"
                     >
                         <select class="pf-c-form-control" multiple>
-                            ${this.sources?.results.map((source) => {
-                                let selected = Array.from(this.instance?.sources || []).some(
-                                    (su) => {
-                                        return su == source.pk;
-                                    },
-                                );
-                                // Creating a new instance, auto-select built-in source
-                                // Only when no other sources exist
-                                if (
-                                    !this.instance &&
-                                    source.component === "" &&
-                                    (this.sources?.results || []).length < 2
-                                ) {
-                                    selected = true;
-                                }
-                                return html`<option
-                                    value=${ifDefined(source.pk)}
-                                    ?selected=${selected}
-                                >
-                                    ${source.name}
-                                </option>`;
-                            })}
+                            ${this.sources?.results
+                                .filter((source) => {
+                                    return source.component !== "";
+                                })
+                                .map((source) => {
+                                    const selected = Array.from(this.instance?.sources || []).some(
+                                        (su) => {
+                                            return su == source.pk;
+                                        },
+                                    );
+                                    return html`<option
+                                        value=${ifDefined(source.pk)}
+                                        ?selected=${selected}
+                                    >
+                                        ${source.name}
+                                    </option>`;
+                                })}
                         </select>
                         <p class="pf-c-form__helper-text">
                             ${msg(

web/src/admin/stages/user_write/UserWriteStageForm.ts

@@ -110,10 +110,7 @@ export class UserWriteStageForm extends BaseStageForm<UserWriteStage> {
                             ${msg("Mark newly created users as inactive.")}
                         </p>
                     </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("User path template")}
-                        name="userPathTemplate"
-                    >
+                    <ak-form-element-horizontal label=${msg("User type")} name="userType">
                         <ak-radio
                             .options=${[
                                 {

web/src/admin/users/UserForm.ts

@@ -128,6 +128,14 @@ export class UserForm extends ModelForm<User, number> {
                                 "Service accounts should be used for machine-to-machine authentication or other automations.",
                             )}`,
                         },
+                        {
+                            label: "Internal Service account",
+                            value: UserTypeEnum.InternalServiceAccount,
+                            disabled: true,
+                            description: html`${msg(
+                                "Internal Service accounts are created and managed by authentik and cannot be created manually.",
+                            )}`,
+                        },
                     ]}
                     .value=${this.instance?.type}
                 >

web/src/common/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2024.2.2";
+export const VERSION = "2024.4.1";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
 

web/src/common/styles/theme-dark.css

@@ -187,6 +187,9 @@ input[type="date"]::-webkit-calendar-picker-indicator {
 .pf-c-select__menu-item.pf-m-focus {
     --pf-c-select__menu-item--focus--BackgroundColor: var(--ak-dark-background-light-ish);
 }
+.pf-c-button:disabled {
+    color: var(--ak-dark-background-lighter);
+}
 .pf-c-button.pf-m-plain:hover {
     color: var(--ak-dark-foreground);
 }

web/src/common/users.ts

@@ -18,7 +18,7 @@ export function me(): Promise<SessionUser> {
                 if (!user.user.settings || !("locale" in user.user.settings)) {
                     return user;
                 }
-                const locale = user.user.settings.locale;
+                const locale: string | undefined = user.user.settings.locale;
                 if (locale && locale !== "") {
                     console.debug(
                         `authentik/locale: Activating user's configured locale '${locale}'`,

web/src/common/utils.ts

@@ -111,6 +111,21 @@ export function dateTimeLocal(date: Date): string {
     return `${parts[0]}:${parts[1]}`;
 }
 
+export function dateToUTC(date: Date): Date {
+    // Sigh...so our API is UTC/can take TZ info in the ISO format as it should.
+    // datetime-local fields (which is almost the only date-time input we use)
+    // can return its value as a UTC timestamp...however the generated API client
+    // _requires_ a Date object, only to then convert it to an ISO string anyways
+    // JS Dates don't include timezone info in the ISO string, so that just sends
+    // the local time as UTC...which is wrong
+    // Instead we have to do this, convert the given date to a UTC timestamp,
+    // then subtract the timezone offset to create an "invalid" date (correct time&date)
+    // but it still "thinks" it's in local TZ
+    const timestamp = date.getTime();
+    const offset = -1 * (new Date().getTimezoneOffset() * 60000);
+    return new Date(timestamp - offset);
+}
+
 // Lit is extremely well-typed with regard to CSS, and Storybook's `build` does not currently have a
 // coherent way of importing CSS-as-text into CSSStyleSheet. It works well when Storybook is running
 // in `dev,` but in `build` it fails. Storied components will have to map their textual CSS imports

web/src/elements/Interface/ConfigContextController.ts

@@ -1,5 +1,6 @@
 import { EVENT_REFRESH } from "@goauthentik/authentik/common/constants";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { globalAK } from "@goauthentik/common/global";
 import { authentikConfigContext } from "@goauthentik/elements/AuthentikContexts";
 
 import { ContextProvider } from "@lit/context";
@@ -23,6 +24,9 @@ export class ConfigContextController implements ReactiveController {
             context: authentikConfigContext,
             initialValue: undefined,
         });
+        // Pre-hydrate from template-embedded config
+        this.context.setValue(globalAK().config);
+        this.host.config = globalAK().config;
         this.fetch = this.fetch.bind(this);
         this.fetch();
     }

web/src/elements/Markdown.ts

@@ -87,7 +87,7 @@ export class Markdown extends AKElement {
             const parsedContent = matter(this.md);
             const parsedHTML = this.converter.makeHtml(parsedContent.content);
             const replacers = [...this.defaultReplacers, ...this.replacers];
-            this.docTitle = parsedContent.data["title"] ?? "";
+            this.docTitle = parsedContent?.data?.title ?? "";
             this.docHtml = replacers.reduce(
                 (html, replacer) => replacer(html, { path: this.meta }),
                 parsedHTML,

web/src/elements/PageHeader.ts

@@ -13,7 +13,7 @@ import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";
 
 import { msg } from "@lit/localize";
-import { CSSResult, PropertyValues, TemplateResult, css, html } from "lit";
+import { CSSResult, TemplateResult, css, html } from "lit";
 import { customElement, property } from "lit/decorators.js";
 
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
@@ -107,21 +107,23 @@ export class PageHeader extends WithBrandConfig(AKElement) {
         });
     }
 
-    setTitle(value: string) {
+    setTitle(header?: string) {
         const currentIf = currentInterface();
-        const title = this.brand?.brandingTitle || TITLE_DEFAULT;
-        document.title =
-            currentIf === "admin"
-                ? `${msg("Admin")} - ${title}`
-                : value !== ""
-                  ? `${value} - ${title}`
-                  : title;
+        let title = this.brand?.brandingTitle || TITLE_DEFAULT;
+        if (currentIf === "admin") {
+            title = `${msg("Admin")} - ${title}`;
+        }
+        // Prepend the header to the title
+        if (header !== undefined && header !== "") {
+            title = `${header} - ${title}`;
+        }
+        document.title = title;
     }
 
-    willUpdate(changedProperties: PropertyValues<this>) {
-        if (changedProperties.has("header") && this.header) {
-            this.setTitle(this.header);
-        }
+    willUpdate() {
+        // Always update title, even if there's no header value set,
+        // as in that case we still need to return to the generic title
+        this.setTitle(this.header);
     }
 
     renderIcon(): TemplateResult {

web/src/elements/ak-locale-context/ak-locale-context.ts

@@ -1,18 +1,15 @@
-import { EVENT_LOCALE_CHANGE } from "@goauthentik/common/constants";
-import { EVENT_LOCALE_REQUEST } from "@goauthentik/common/constants";
-import { customEvent, isCustomEvent } from "@goauthentik/elements/utils/customEvents";
+import { EVENT_LOCALE_CHANGE, EVENT_LOCALE_REQUEST } from "@goauthentik/common/constants";
+import { customEvent } from "@goauthentik/elements/utils/customEvents";
 
 import { LitElement, html } from "lit";
 import { customElement, property } from "lit/decorators.js";
 
+import { WithBrandConfig } from "../Interface/brandProvider";
 import { initializeLocalization } from "./configureLocale";
 import type { LocaleGetter, LocaleSetter } from "./configureLocale";
-import {
-    DEFAULT_LOCALE,
-    autoDetectLanguage,
-    getBestMatchLocale,
-    localeCodeFromUrl,
-} from "./helpers";
+import { DEFAULT_LOCALE, autoDetectLanguage, getBestMatchLocale } from "./helpers";
+
+const LocaleContextBase = WithBrandConfig(LitElement);
 
 /**
  * A component to manage your locale settings.
@@ -28,7 +25,7 @@ import {
  * @fires ak-locale-change - When a valid locale has been swapped in
  */
 @customElement("ak-locale-context")
-export class LocaleContext extends LitElement {
+export class LocaleContext extends LocaleContextBase {
     /// @attribute The text representation of the current locale */
     @property({ attribute: true, type: String })
     locale = DEFAULT_LOCALE;
@@ -59,38 +56,28 @@ export class LocaleContext extends LitElement {
 
     connectedCallback() {
         super.connectedCallback();
-        const localeRequest = autoDetectLanguage(this.locale);
-        this.updateLocale(localeRequest);
-        window.addEventListener(EVENT_LOCALE_REQUEST, this.updateLocaleHandler);
+        this.updateLocale();
+        window.addEventListener(EVENT_LOCALE_REQUEST, this.updateLocaleHandler as EventListener);
     }
 
     disconnectedCallback() {
-        window.removeEventListener(EVENT_LOCALE_REQUEST, this.updateLocaleHandler);
+        window.removeEventListener(EVENT_LOCALE_REQUEST, this.updateLocaleHandler as EventListener);
         super.disconnectedCallback();
     }
 
-    updateLocaleHandler(ev: Event) {
-        if (!isCustomEvent(ev)) {
-            console.warn(`Received a non-custom event at EVENT_LOCALE_REQUEST: ${ev}`);
-            return;
-        }
+    updateLocaleHandler(ev: CustomEvent<{ locale: string }>) {
         console.debug("authentik/locale: Locale update request received.");
         this.updateLocale(ev.detail.locale);
     }
 
-    updateLocale(code: string) {
-        const urlCode = localeCodeFromUrl(this.param);
-        const requestedLocale = urlCode ? urlCode : code;
-        const locale = getBestMatchLocale(requestedLocale);
+    updateLocale(requestedLocale: string | undefined = undefined) {
+        const localeRequest = autoDetectLanguage(requestedLocale, this.brand?.defaultLocale);
+        const locale = getBestMatchLocale(localeRequest);
         if (!locale) {
-            console.warn(`authentik/locale: failed to find locale for code ${code}`);
+            console.warn(`authentik/locale: failed to find locale for code ${localeRequest}`);
             return;
         }
         locale.locale().then(() => {
-            console.debug(`authentik/locale: Loaded locale '${code}'`);
-            if (this.getLocale() === code) {
-                return;
-            }
             console.debug(`Setting Locale to ... ${locale.label()} (${locale.code})`);
             this.setLocale(locale.code).then(() => {
                 window.setTimeout(this.notifyApplication, 0);

web/src/elements/ak-locale-context/helpers.ts

@@ -45,12 +45,13 @@ export function localeCodeFromUrl(param = "locale") {
 const isLocaleCandidate = (v: unknown): v is string =>
     typeof v === "string" && v !== "" && v !== TOMBSTONE;
 
-export function autoDetectLanguage(requestedCode?: string): string {
+export function autoDetectLanguage(userReq = TOMBSTONE, brandReq = TOMBSTONE): string {
     const localeCandidates: string[] = [
-        globalAK()?.locale ?? TOMBSTONE,
         localeCodeFromUrl("locale"),
-        requestedCode ?? TOMBSTONE,
+        userReq,
         window.navigator?.language ?? TOMBSTONE,
+        brandReq,
+        globalAK()?.locale ?? TOMBSTONE,
         DEFAULT_LOCALE,
     ].filter(isLocaleCandidate);
 

web/src/elements/events/LogViewer.ts

@@ -28,11 +28,11 @@ export class LogViewer extends Table<LogEvent> {
             pagination: {
                 next: 0,
                 previous: 0,
-                count: 1,
+                count: this.logs?.length || 0,
                 current: 1,
                 totalPages: 1,
                 startIndex: 1,
-                endIndex: 1,
+                endIndex: this.logs?.length || 0,
             },
             results: this.logs || [],
         };

web/src/elements/forms/Form.ts

@@ -1,6 +1,6 @@
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
 import { MessageLevel } from "@goauthentik/common/messages";
-import { camelToSnake, convertToSlug } from "@goauthentik/common/utils";
+import { camelToSnake, convertToSlug, dateToUTC } from "@goauthentik/common/utils";
 import { AKElement } from "@goauthentik/elements/Base";
 import { HorizontalFormElement } from "@goauthentik/elements/forms/HorizontalFormElement";
 import { SearchSelect } from "@goauthentik/elements/forms/SearchSelect";
@@ -104,7 +104,7 @@ export function serializeForm<T extends KeyUnknown>(
             inputElement.tagName.toLowerCase() === "input" &&
             inputElement.type === "datetime-local"
         ) {
-            assignValue(inputElement, new Date(inputElement.valueAsNumber), json);
+            assignValue(inputElement, dateToUTC(new Date(inputElement.valueAsNumber)), json);
         } else if (
             inputElement.tagName.toLowerCase() === "input" &&
             "type" in inputElement.dataset &&
@@ -112,7 +112,7 @@ export function serializeForm<T extends KeyUnknown>(
         ) {
             // Workaround for Firefox <93, since 92 and older don't support
             // datetime-local fields
-            assignValue(inputElement, new Date(inputElement.value), json);
+            assignValue(inputElement, dateToUTC(new Date(inputElement.value)), json);
         } else if (
             inputElement.tagName.toLowerCase() === "input" &&
             inputElement.type === "checkbox"

web/src/elements/forms/Radio.ts

@@ -16,6 +16,7 @@ export interface RadioOption<T> {
     description?: TemplateResult;
     default?: boolean;
     value: T;
+    disabled?: boolean;
 }
 
 @customElement("ak-radio")
@@ -77,6 +78,9 @@ export class Radio<T> extends CustomEmitterElement(AKElement) {
             // This is a controlled input. Stop the native event from escaping or affecting the
             // value.  We'll do that ourselves.
             ev.stopPropagation();
+            if (option.disabled) {
+                return;
+            }
             this.value = option.value;
             this.dispatchCustomEvent("change", { value: option.value });
             this.dispatchCustomEvent("input", { value: option.value });
@@ -93,6 +97,7 @@ export class Radio<T> extends CustomEmitterElement(AKElement) {
                 name="${this.name}"
                 id=${elId}
                 .checked=${option.value === this.value}
+                .disabled=${option.disabled}
             />
             <label class="pf-c-radio__label" for=${elId}>${option.label}</label>
             ${option.description

web/src/elements/sidebar/SidebarItem.ts

@@ -208,7 +208,7 @@ export class SidebarItem extends AKElement {
     }
 
     renderWithLabel() {
-        html`
+        return html`
             <span class="pf-c-nav__link">
                 <slot name="label"></slot>
             </span>

web/src/flow/FlowExecutor.ts

@@ -516,7 +516,7 @@ export class FlowExecutor extends Interface implements StageHost {
                                                     ? html`
                                                           <li>
                                                               <a
-                                                                  href="https://unsplash.com/@theforestbirds"
+                                                                  href="https://unsplash.com/@sorasagano"
                                                                   >${msg("Background image")}</a
                                                               >
                                                           </li>

web/src/user/user-settings/tokens/UserTokenForm.ts

@@ -1,3 +1,4 @@
+import { dateTimeLocal } from "@goauthentik/authentik/common/utils";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
@@ -44,11 +45,8 @@ export class UserTokenForm extends ModelForm<Token, string> {
     renderForm(): TemplateResult {
         const now = new Date();
         const expiringDate = this.instance?.expires
-            ? new Date(
-                  this.instance.expires.getTime() -
-                      this.instance.expires.getTimezoneOffset() * 60000,
-              )
-            : new Date(now.getTime() + 30 * 60000 - now.getTimezoneOffset() * 60000);
+            ? new Date(this.instance.expires.getTime())
+            : new Date(now.getTime() + 30 * 60000);
 
         return html` <ak-form-element-horizontal
                 label=${msg("Identifier")}
@@ -73,8 +71,8 @@ export class UserTokenForm extends ModelForm<Token, string> {
                 ? html`<ak-form-element-horizontal label=${msg("Expiring")} name="expires">
                       <input
                           type="datetime-local"
-                          value="${expiringDate.toISOString().slice(0, -8)}"
-                          min="${now.toISOString().slice(0, -8)}"
+                          value="${dateTimeLocal(expiringDate)}"
+                          min="${dateTimeLocal(now)}"
                           class="pf-c-form-control"
                       />
                   </ak-form-element-horizontal>`

web/xliff/de.xlf

@@ -6531,6 +6531,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s30d6ff9e15e0a40a">
   <source>Verifying...</source>
+</trans-unit>
+<trans-unit id="sc1673c93148583ba">
+  <source>Request failed. Please try again later.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/en.xlf

@@ -6800,6 +6800,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s30d6ff9e15e0a40a">
   <source>Verifying...</source>
+</trans-unit>
+<trans-unit id="sc1673c93148583ba">
+  <source>Request failed. Please try again later.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/es.xlf

@@ -6448,6 +6448,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s30d6ff9e15e0a40a">
   <source>Verifying...</source>
+</trans-unit>
+<trans-unit id="sc1673c93148583ba">
+  <source>Request failed. Please try again later.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/fr.xlf

@@ -8447,117 +8447,158 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 </trans-unit>
 <trans-unit id="s00bcaadd620a11f8">
   <source>Latest version unknown</source>
+  <target>Dernière version inconnue</target>
 </trans-unit>
 <trans-unit id="s10fedec3a779ea63">
   <source>Timestamp</source>
+  <target>Horodatage</target>
 </trans-unit>
 <trans-unit id="s48e186fb300e5464">
   <source>Time</source>
+  <target>Temps</target>
 </trans-unit>
 <trans-unit id="saa8aa81ad6f055fd">
   <source>Level</source>
+  <target>Niveau</target>
 </trans-unit>
 <trans-unit id="sd0ea7366ebc403ff">
   <source>Event</source>
+  <target>Évènement</target>
 </trans-unit>
 <trans-unit id="s225f3e57c6a0d635">
   <source>Logger</source>
+  <target>Logger</target>
 </trans-unit>
 <trans-unit id="s39d6971531a270b6">
   <source>Update internal password on login</source>
+  <target>Mettre à jour le mot de passe interne à la connexion</target>
 </trans-unit>
 <trans-unit id="sefe04e319223a3d6">
   <source>When the user logs in to authentik using this source password backend, update their credentials in authentik.</source>
+  <target>Lorsqu'un utilisateur se connecte à authentik en utilisant le backend de mot de passe de cette source, mettre à jour ses identifiants dans authentik.</target>
 </trans-unit>
 <trans-unit id="s5f43af3669b1e098">
   <source>Source</source>
+  <target>Source</target>
 </trans-unit>
 <trans-unit id="sd9f752de8448bcc9">
   <source>Resume timeout</source>
+  <target>Délai de reprise</target>
 </trans-unit>
 <trans-unit id="s517954806d7610f2">
   <source>Amount of time a user can take to return from the source to continue the flow.</source>
+  <target>Durée que l'utilisateur peut prendre pour revenir de la source pour continuer le flux.</target>
 </trans-unit>
 <trans-unit id="s8c4bc6e515949112">
   <source>Your Install ID</source>
+  <target>Votre ID d'installation</target>
 </trans-unit>
 <trans-unit id="s8cc0075913c67566">
   <source>Enter the email associated with your account, and we'll send you a link to reset your password.</source>
+  <target>Entrer l'email associé à votre compte, et nous vous enverrons un lien pour réinitialiser votre mot de passe.</target>
 </trans-unit>
 <trans-unit id="s06bfe45ffef2cf60">
   <source>Stage name: <x id="0" equiv-text="${this.challenge.name}"/></source>
+  <target>Nom de l'étape : <x id="0" equiv-text="${this.challenge.name}"/></target>
 </trans-unit>
 <trans-unit id="s90064dd5c4dde2c6">
   <source>Please scan the QR code above using the Microsoft Authenticator, Google Authenticator, or other authenticator apps on your device, and enter the code the device displays below to finish setting up the MFA device.</source>
+  <target>Merci de scanner le QR code ci-dessus avec Microsoft Authenticator, Google Authenticator ou une autre application d'authentification à deux facteurs sur votre appareil, et entrer le code que l'appareil affiche ci-dessous pour finir la configuration de votre appareil MFA.</target>
 </trans-unit>
 <trans-unit id="s02160dc6adba3456">
   <source>Inject an OAuth or SAML Source into the flow execution. This allows for additional user verification, or to dynamically access different sources for different user identifiers (username, email address, etc).</source>
+  <target>Injecte une source OAuth ou SAML dans l’exécution du flux. Cela permet d'effectuer des vérifications additionnelles sur l'utilisateur, ou d'accéder dynamiquement à plusieurs sources pour des identifiants utilisateurs différents (nom d'utilisateur, adresse courriel, etc).</target>
 </trans-unit>
 <trans-unit id="sc7d071fb5cc1f6bf">
   <source>A selection is required</source>
+  <target>Une sélection est requise</target>
 </trans-unit>
 <trans-unit id="sa64fb483becc9c2c">
   <source>Device type restrictions</source>
+  <target>Restrictions de type d'appareil</target>
 </trans-unit>
 <trans-unit id="sbb928551c84cd63f">
   <source>Available Device types</source>
+  <target>Types d'appareil disponibles</target>
 </trans-unit>
 <trans-unit id="s6446c35d6b411e53">
   <source>Selected Device types</source>
+  <target>Types d'appareil sélectionnés</target>
 </trans-unit>
 <trans-unit id="s1f4df216b56de4ac">
   <source>Optionally restrict which WebAuthn device types may be used. When no device types are selected, all devices are allowed.</source>
+  <target>Optionnel, restreindre quels types d'appareil WebAuthn peuvent être utilisés. Lorsqu'aucun type d'appareil n'est sélectionné, tout les appareils sont autorisés.</target>
 </trans-unit>
 <trans-unit id="s23ed998c51cbe38f">
   <source>If the user has successfully authenticated with a device in the classes listed above within this configured duration, this stage will be skipped.</source>
+  <target>Si un utilisateur s'est authentifié avec succès avec un type d'appareil contenu dans ceux listés ci-dessus dans le temps configuré ici, cette étape sera passée.</target>
 </trans-unit>
 <trans-unit id="s4d4f52ccfd9d6adf">
   <source>WebAuthn-specific settings</source>
+  <target>Réglages spécifiques à WebAuthn</target>
 </trans-unit>
 <trans-unit id="sb46d2e64f64c6284">
   <source>WebAuthn Device type restrictions</source>
+  <target>Restrictions de type d'appareil WebAuthn</target>
 </trans-unit>
 <trans-unit id="s11274960b13cf21a">
   <source>This restriction only applies to devices created in authentik 2024.4 or later.</source>
+  <target>Les restrictions ne s'appliquent qu'aux appareils créés dans authentik 2024.4 ou ultérieur.</target>
 </trans-unit>
 <trans-unit id="s4888252cbd785175">
   <source>Default token duration</source>
+  <target>Durée par défaut des jetons</target>
 </trans-unit>
 <trans-unit id="s25c80a16a07871ba">
   <source>Default duration for generated tokens</source>
+  <target>Durée par défaut des jetons générés</target>
 </trans-unit>
 <trans-unit id="se5c9ffc025fdf61d">
   <source>Default token length</source>
+  <target>Longueur par défaut des jetons</target>
 </trans-unit>
 <trans-unit id="sa6b2c110466d1754">
   <source>Default length of generated tokens</source>
+  <target>Longueur par défaut des jetons générés</target>
 </trans-unit>
 <trans-unit id="s1f25e1e20469a9ea">
   <source>deleted</source>
+  <target>supprimé</target>
 </trans-unit>
 <trans-unit id="s0ca04e397298bc43">
   <source>Select permissions to assign</source>
+  <target>Sélectionner les permissions à assigner</target>
 </trans-unit>
 <trans-unit id="s676d94e7e31a8075">
   <source>SCIM Source is in preview.</source>
+  <target>La source SCIM est en aperçu.</target>
 </trans-unit>
 <trans-unit id="s31f1afc0a81977c1">
   <source>Update SCIM Source</source>
+  <target>Mettre à jour la source SCIM</target>
 </trans-unit>
 <trans-unit id="s4bb356adc8a7f85b">
   <source>SCIM Base URL</source>
+  <target>URL de base SCIM</target>
 </trans-unit>
 <trans-unit id="sb23304fc42c5d6d9">
   <source>Provisioned Users</source>
+  <target>Utilisateurs provisionnés</target>
 </trans-unit>
 <trans-unit id="s6a81ee82b2e5ecbb">
   <source>Provisioned Groups</source>
+  <target>Groupes provisionnés</target>
 </trans-unit>
 <trans-unit id="s10154dbd4fbc697b">
   <source>removed</source>
+  <target>supprimé</target>
 </trans-unit>
 <trans-unit id="s30d6ff9e15e0a40a">
   <source>Verifying...</source>
+  <target>Vérification...</target>
+</trans-unit>
+<trans-unit id="sc1673c93148583ba">
+  <source>Request failed. Please try again later.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/ko.xlf

@@ -8386,6 +8386,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s30d6ff9e15e0a40a">
   <source>Verifying...</source>
+</trans-unit>
+<trans-unit id="sc1673c93148583ba">
+  <source>Request failed. Please try again later.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/nl.xlf

@@ -8230,6 +8230,9 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 </trans-unit>
 <trans-unit id="s30d6ff9e15e0a40a">
   <source>Verifying...</source>
+</trans-unit>
+<trans-unit id="sc1673c93148583ba">
+  <source>Request failed. Please try again later.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/pl.xlf

@@ -6652,6 +6652,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s30d6ff9e15e0a40a">
   <source>Verifying...</source>
+</trans-unit>
+<trans-unit id="sc1673c93148583ba">
+  <source>Request failed. Please try again later.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/pseudo-LOCALE.xlf

@@ -8502,4 +8502,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s30d6ff9e15e0a40a">
   <source>Verifying...</source>
 </trans-unit>
+<trans-unit id="sc1673c93148583ba">
+  <source>Request failed. Please try again later.</source>
+</trans-unit>
 </body></file></xliff>

web/xliff/tr.xlf

@@ -6441,6 +6441,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s30d6ff9e15e0a40a">
   <source>Verifying...</source>
+</trans-unit>
+<trans-unit id="sc1673c93148583ba">
+  <source>Request failed. Please try again later.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh-CN.xlf

@@ -5359,6 +5359,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s30d6ff9e15e0a40a">
   <source>Verifying...</source>
 </trans-unit>
+<trans-unit id="sc1673c93148583ba">
+  <source>Request failed. Please try again later.</source>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/zh-Hans.xlf

@@ -1,4 +1,4 @@
-<?xml version="1.0" ?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
+<?xml version="1.0"?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
   <file target-language="zh-Hans" source-language="en" original="lit-localize-inputs" datatype="plaintext">
     <body>
       <trans-unit id="s4caed5b7a7e5d89b">
@@ -596,9 +596,9 @@
         
       </trans-unit>
       <trans-unit id="saa0e2675da69651b">
-        <source>The URL &quot;<x id="0" equiv-text="${this.url}"/>&quot; was not found.</source>
-        <target>未找到 URL &quot;
-        <x id="0" equiv-text="${this.url}"/>&quot;。</target>
+        <source>The URL "<x id="0" equiv-text="${this.url}"/>" was not found.</source>
+        <target>未找到 URL "
+        <x id="0" equiv-text="${this.url}"/>"。</target>
         
       </trans-unit>
       <trans-unit id="s58cd9c2fe836d9c6">
@@ -1040,8 +1040,8 @@
         
       </trans-unit>
       <trans-unit id="sa8384c9c26731f83">
-        <source>To allow any redirect URI, set this value to &quot;.*&quot;. Be aware of the possible security implications this can have.</source>
-        <target>要允许任何重定向 URI，请将此值设置为 &quot;.*&quot;。请注意这可能带来的安全影响。</target>
+        <source>To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have.</source>
+        <target>要允许任何重定向 URI，请将此值设置为 ".*"。请注意这可能带来的安全影响。</target>
         
       </trans-unit>
       <trans-unit id="s55787f4dfcdce52b">
@@ -1782,8 +1782,8 @@
         
       </trans-unit>
       <trans-unit id="sa90b7809586c35ce">
-        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon &quot;fa-test&quot;.</source>
-        <target>输入完整 URL、相对路径，或者使用 'fa://fa-test' 来使用 Font Awesome 图标 &quot;fa-test&quot;。</target>
+        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".</source>
+        <target>输入完整 URL、相对路径，或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。</target>
         
       </trans-unit>
       <trans-unit id="s0410779cb47de312">
@@ -2961,8 +2961,8 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s76768bebabb7d543">
-        <source>Field which contains members of a group. Note that if using the &quot;memberUid&quot; field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
-        <target>包含组成员的字段。请注意，如果使用 &quot;memberUid&quot; 字段，则假定该值包含相对可分辨名称。例如，'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
+        <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
+        <target>包含组成员的字段。请注意，如果使用 "memberUid" 字段，则假定该值包含相对可分辨名称。例如，'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
         
       </trans-unit>
       <trans-unit id="s026555347e589f0e">
@@ -3739,8 +3739,8 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s7b1fba26d245cb1c">
-        <source>When using an external logging solution for archiving, this can be set to &quot;minutes=5&quot;.</source>
-        <target>使用外部日志记录解决方案进行存档时，可以将其设置为 &quot;minutes=5&quot;。</target>
+        <source>When using an external logging solution for archiving, this can be set to "minutes=5".</source>
+        <target>使用外部日志记录解决方案进行存档时，可以将其设置为 "minutes=5"。</target>
         
       </trans-unit>
       <trans-unit id="s44536d20bb5c8257">
@@ -3916,10 +3916,10 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="sa95a538bfbb86111">
-        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> &quot;<x id="1" equiv-text="${this.obj?.name}"/>&quot;?</source>
+        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> "<x id="1" equiv-text="${this.obj?.name}"/>"?</source>
         <target>您确定要更新
-        <x id="0" equiv-text="${this.objectLabel}"/>&quot;
-        <x id="1" equiv-text="${this.obj?.name}"/>&quot; 吗？</target>
+        <x id="0" equiv-text="${this.objectLabel}"/>"
+        <x id="1" equiv-text="${this.obj?.name}"/>" 吗？</target>
         
       </trans-unit>
       <trans-unit id="sc92d7cfb6ee1fec6">
@@ -4995,7 +4995,7 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="sdf1d8edef27236f0">
-        <source>A &quot;roaming&quot; authenticator, like a YubiKey</source>
+        <source>A "roaming" authenticator, like a YubiKey</source>
         <target>像 YubiKey 这样的“漫游”身份验证器</target>
         
       </trans-unit>
@@ -5330,10 +5330,10 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s2d5f69929bb7221d">
-        <source><x id="0" equiv-text="${prompt.name}"/> (&quot;<x id="1" equiv-text="${prompt.fieldKey}"/>&quot;, of type <x id="2" equiv-text="${prompt.type}"/>)</source>
+        <source><x id="0" equiv-text="${prompt.name}"/> ("<x id="1" equiv-text="${prompt.fieldKey}"/>", of type <x id="2" equiv-text="${prompt.type}"/>)</source>
         <target>
-        <x id="0" equiv-text="${prompt.name}"/>（&quot;
-        <x id="1" equiv-text="${prompt.fieldKey}"/>&quot;，类型为
+        <x id="0" equiv-text="${prompt.name}"/>（"
+        <x id="1" equiv-text="${prompt.fieldKey}"/>"，类型为
         <x id="2" equiv-text="${prompt.type}"/>）</target>
         
       </trans-unit>
@@ -5382,7 +5382,7 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s1608b2f94fa0dbd4">
-        <source>If set to a duration above 0, the user will have the option to choose to &quot;stay signed in&quot;, which will extend their session by the time specified here.</source>
+        <source>If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here.</source>
         <target>如果设置时长大于 0，用户可以选择“保持登录”选项，这将使用户的会话延长此处设置的时间。</target>
         
       </trans-unit>
@@ -7830,7 +7830,7 @@ Bindings to groups/users are checked against the user of the event.</source>
   <target>成功创建用户并添加到组 <x id="0" equiv-text="${this.group.name}"/></target>
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
-  <source>This user will be added to the group &quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&quot;.</source>
+  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
   <target>此用户将会被添加到组 &amp;quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&amp;quot;。</target>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
@@ -8598,7 +8598,10 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s30d6ff9e15e0a40a">
   <source>Verifying...</source>
   <target>正在验证...</target>
+</trans-unit>
+<trans-unit id="sc1673c93148583ba">
+  <source>Request failed. Please try again later.</source>
 </trans-unit>
     </body>
   </file>
-</xliff>
+</xliff>

web/xliff/zh-Hant.xlf

@@ -6489,6 +6489,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s30d6ff9e15e0a40a">
   <source>Verifying...</source>
+</trans-unit>
+<trans-unit id="sc1673c93148583ba">
+  <source>Request failed. Please try again later.</source>
 </trans-unit>
     </body>
   </file>

web/xliff/zh_TW.xlf

@@ -8347,6 +8347,9 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s30d6ff9e15e0a40a">
   <source>Verifying...</source>
+</trans-unit>
+<trans-unit id="sc1673c93148583ba">
+  <source>Request failed. Please try again later.</source>
 </trans-unit>
     </body>
   </file>

website/developer-docs/api/clients.md

@@ -0,0 +1,15 @@
+---
+title: API Clients
+---
+
+These API clients are officially supported and maintained.
+
+:::info
+These API clients are primarily built around creating/updating/deleting configuration objects in authentik, and in most cases can **not** be used to implemented SSO into your application.
+:::
+
+| Language              | Package name            | URL                                            |
+| --------------------- | ----------------------- | ---------------------------------------------- |
+| JavaScript/Typescript | `@goauthentik/api`      | https://www.npmjs.com/package/@goauthentik/api |
+| Go                    | `goauthentik.io/api/v3` | https://pkg.go.dev/goauthentik.io/api/v3       |
+| Python                | `authentik_client`      | https://pypi.org/project/authentik-client/     |

website/docs/core/settings.md

@@ -58,3 +58,11 @@ When enabled, all the events caused by a user will be deleted upon the user's de
 ### Impersonation
 
 Globally enable/disable impersonation. Defaults to `true`.
+
+### Default token duration
+
+Default duration for generated tokens. Defaults to `minutes=30`.
+
+### Default token length
+
+Default length of generated tokens. Defaults to 60.

website/docs/flow/stages/authenticator_validate/index.md

@@ -21,7 +21,9 @@ Using the `Not configured action`, you can choose what happens when a user does
 By default, authenticator validation is required every time the flow containing this stage is executed. To only change this behavior, set _Last validation threshold_ to a non-zero value. (Requires authentik 2022.5)
 Keep in mind that when using Code-based devices (TOTP, Static and SMS), values lower than `seconds=30` cannot be used, as with the way TOTP devices are saved, there is no exact timestamp.
 
-### Less-frequent validation
+### Options
+
+#### Less-frequent validation
 
 :::info
 Requires authentik 2022.5.1
@@ -29,12 +31,13 @@ Requires authentik 2022.5.1
 
 You can configure this stage to only ask for MFA validation if the user hasn't authenticated themselves within a defined time period. To configure this, set _Last validation threshold_ to any non-zero value. Any of the users devices within the selected classes are checked.
 
-### Passwordless authentication
+#### Passwordless authentication
 
 :::info
 Requires authentik 2021.12.4
 :::
-:::danger
+
+:::caution
 Firefox has some known issues regarding FIDO (see https://bugzilla.mozilla.org/show_bug.cgi?id=1530370) and TouchID (see https://bugzilla.mozilla.org/show_bug.cgi?id=1536482)
 :::
 
@@ -48,7 +51,7 @@ As final stage, bind a _User login_ stage.
 
 Users can either access this flow directly via its URL, or you can modify any Identification stage's _Passwordless flow_ setting to add a direct link to this flow.
 
-### Logging
+#### Logging
 
 Logins which used Passwordless authentication have the _auth_method_ context variable set to `auth_webauthn_pwl`, and the device used is saved in the arguments. Example:
 
@@ -73,7 +76,7 @@ Logins which used Passwordless authentication have the _auth_method_ context var
 }
 ```
 
-### `WebAuthn Device type restrictions`
+#### WebAuthn Device type restrictions
 
 :::info
 Requires authentik 2024.4

website/docs/flow/stages/authenticator_webauthn/index.md

@@ -4,19 +4,21 @@ title: WebAuthn authenticator setup stage
 
 This stage configures a WebAuthn-based Authenticator. This can either be a browser, biometrics or a Security stick like a YubiKey.
 
-### `User verification`
+### Options
+
+#### User verification
 
 Configure if authentik should require, prefer or discourage user verification for the authenticator. For example when using a virtual authenticator like Windows Hello, this setting controls if a PIN is required.
 
-### `Resident key requirement`
+#### Resident key requirement
 
 Configure if the created authenticator is stored in the encrypted memory on the device or in persistent memory. When configuring [passwordless login](../identification/index.md#passwordless-flow), this should be set to either _Preferred_ or _Required_, otherwise the authenticator cannot be used for passwordless authentication.
 
-### `Authenticator Attachment`
+#### Authenticator Attachment
 
 Configure if authentik will require either a removable device (like a YubiKey, Google Titan, etc) or a non-removable device (like Windows Hello, TouchID or password managers), or not send a requirement.
 
-### `Device type restrictions`
+#### Device type restrictions
 
 :::info
 Requires authentik 2024.4

website/docs/flow/stages/email/index.mdx

@@ -98,8 +98,8 @@ Templates are rendered using Django's templating engine. The following variables
 {% block content %}
 <tr>
     <td class="alert alert-success">
-        {% blocktrans with username=user.username %} Hi {{ username }}, {%
-        endblocktrans %}
+        {% blocktrans with username=user.username %} Hi {{ username }}, 
+        {% endblocktrans %}
     </td>
 </tr>
 <tr>

website/docs/flow/stages/source/index.md

@@ -38,12 +38,20 @@ It is very important that the configured source's authentication and enrollment
 
 This is because the Source stage works by appending a [dynamic in-memory](../../../core/terminology.md#dynamic-in-memory-stage) stage to the source's flow, so having a [User login stage](../user_login/index.md) bound will cause the source's flow to not resume the original flow it was started from, and instead directly authenticating the pending user.
 
+### Example use case
+
+This stage can be used to leverage an external OAuth/SAML identity provider.
+
+For example, you can authenticate users by routing them through a custom device-health solution.
+
+Another use case is to route users to authenticate with your legacy (Okta, etc) IdP and then use the returned identity and attributes within authentik as part of an authorization flow, for example as part of an IdP migration. For authentication/enrollment this is also possible with an [OAuth](../../../../integrations/sources/oauth/)/[SAML](../../../../integrations/sources/saml/) source by itself.
+
 ### Options
 
-#### `source`
+#### Source
 
 The source the user is redirected to. Must be a web-based source, such as [OAuth](../../../../integrations/sources/oauth/) or [SAML](../../../../integrations/sources/saml/). Sources like [LDAP](../../../../integrations/sources/ldap/) are _not_ compatible.
 
-#### `resume_timeout`
+#### Resume timeout
 
 Because the execution of the current flow is suspended before the user is redirected to the configured source, this option configures how long the suspended flow is saved. If this timeout is exceeded, upon return from the configured source, the suspended flow will restart from the beginning.

website/docs/installation/configuration.mdx

@@ -72,7 +72,7 @@ To check if your config has been applied correctly, you can run the following co
 -   `AUTHENTIK_POSTGRESQL__PASSWORD`: Database password, defaults to the environment variable `POSTGRES_PASSWORD`
 -   `AUTHENTIK_POSTGRESQL__USE_PGBOUNCER`: Adjust configuration to support connection to PgBouncer
 -   `AUTHENTIK_POSTGRESQL__USE_PGPOOL`: Adjust configuration to support connection to Pgpool
--   `AUTHENTIK_POSTGRESQL__SSLMODE`: Strictness of ssl verification. Defaults to `verify-ca`
+-   `AUTHENTIK_POSTGRESQL__SSLMODE`: Strictness of ssl verification. Defaults to `"verify-ca"`
 -   `AUTHENTIK_POSTGRESQL__SSLROOTCERT`: CA root for server ssl verification
 -   `AUTHENTIK_POSTGRESQL__SSLCERT`: Path to x509 client certificate to authenticate to server
 -   `AUTHENTIK_POSTGRESQL__SSLKEY`: Path to private key of `SSLCERT` certificate
@@ -85,7 +85,8 @@ To check if your config has been applied correctly, you can run the following co
 -   `AUTHENTIK_REDIS__USERNAME`: Redis server username when not using configuration URL
 -   `AUTHENTIK_REDIS__PASSWORD`: Redis server password when not using configuration URL
 -   `AUTHENTIK_REDIS__TLS`: Redis server connection using TLS when not using configuration URL
--   `AUTHENTIK_REDIS__TLS_REQS`: Redis server TLS connection requirements when not using configuration URL
+-   `AUTHENTIK_REDIS__TLS_REQS`: Redis server TLS connection requirements when not using configuration URL. Defaults to `"none"`. Allowed values are `"none"` and `"required"`.
+-   `AUTHENTIK_REDIS__TLS_CA_CERT`: Path to the Redis server TLS CA root when not using configuration URL. Defaults to `null`.
 
 ## Result Backend Settings
 
@@ -312,6 +313,14 @@ Configure how long reputation scores should be saved for in seconds. Note that t
 
 Defaults to `86400`.
 
+### `AUTHENTIK_SESSION_STORAGE`
+
+:::info
+Requires authentik 2024.4
+:::
+
+Configure if the sessions are stored in the cache or the database. Defaults to `cache`. Allowed values are `cache` and `db`. Note that changing this value will invalidate all previous sessions.
+
 ### `AUTHENTIK_WEB__WORKERS`
 
 :::info

website/docs/installation/docker-compose.mdx

@@ -51,7 +51,7 @@ Run the following commands to generate a password and secret key and write them
 {/* prettier-ignore */}
 ```shell
 echo "PG_PASS=$(openssl rand -base64 36)" >> .env
-echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 36)" >> .env
+echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60)" >> .env
 ```
 
 :::info